And its lesser known component, the mailbox server used for signaling to connect the two computers. If you’ve ever installed and used magic wormhole, you’ve likely used the default public mailbox server unless you configured and set up your own.
A simple encrypted channel for file transfer. A great way to send a file to a stranger who is near you but shares nothing with you, e.g. at a conference.
/* A modern version should, of course, work in a browser, so that there'd be no Python packages to install. But the browser security model does not allow listening, so a signaling server would be needed to create a WebRTC connection. It could run on one of the devices involved, but still can't be a pure web app. */
There are Rust and Haskell implementations too (not quite as feature-full as the Python code yet, though) as well.
In principal WebRTC communication could be added to magic-wormhole, but that work has not been done yet. There is WebSocket support in the relay (including "cross-protocol" so one client can be WebSocket and the other TCP). This is only deployed on the Winden.app servers (tcp://relay.mw.leastauthority.com:4001 and wss://relay.mw.leastauthority.com for the relay).
You'd need to use the Winden.app relay server if you want https://winden.app users to reach your Python CLI (e.g. via "wormhole --relay-url wss://mailbox.mw.leastauthority.com/v1 send" for example)
There exists winden.app which is a magic wormhole webapp. They use their own mailbox and relay so you need to use the right options in the wormhole CLI.
I’m glad to see that there are mobile apps and web applications that work on/use Magic Wormhole for peer to peer file transfers. The mobile app and web applications seem to be limited (number of files is one at a time, size of file allowed, etc.) due to limitations on mobile platforms and due to choices by the developer/server host.
I use this all the time when trying to get files between devices that need multiple hops to get to. Way easier then remembering what scp or rsync combo I need to jump through a host
I use magic wormhole when I first install a computer to send an SSH key. At that point, I have ssh. Also if you use a mesh VPN, your devices are already connected and there are several ways to transfer files.
I like to use it more. What is your use case for this?
FYI, there's a subcommand just for this use case: `wormhole ssh invite` / `accept`, which will read the SSH pubkey on one end and append it to authorized_keys on the other.
I prefer https://localsend.org/ nowadays. Nice cross-platform GUI, "just works". Requires being on the same lan, but discovery of other devices is automatic and there are no alphanumeric codes that have to be shared. It's a good QoL improvement to have "airdrop" between Android and Linux
This project made me learn about and attempt to implement the SPAKE2 protocol and HKDF as an exercise.
It's quite fascinating. It lets you upgrade a short password to a long key, but requires trusting a server to rate limit attempts on brute-forcing that short password. It seems difficult to find a practical use case for it tho. Because it's only relevant when it is impractical to send a long key. But if you think for a second, lets say you are transferring from a desktop to a phone, you can show a QR code and scan in with your phones camera, thus achieving a secure handshake bypassing the need for SPAKE2 all together. Maybe it would defeat the simplicity of the tool, but if it also provided a long string of words for the key, a user could optionally send all the words instead of just the first few and get themselves a secure key without needing to trust the server.
> requires trusting a server to rate limit attempts on brute-forcing that short password
This isn't true. Particularly, if an attacker attempts to connect with the wrong password, this will be seen by the client, which then aborts the connection. So an attacker can only try one password. You can test this yourself:
A: $ wormhole send foobar
A: Wormhole code is 1-whimsical-klaxon
B: $ wormhole receive 1-klaxon-whimsical # wrong password
B: ERROR: Key confirmation failed. Either you or your correspondent
B: typed the code wrong, or a would-be man-in-the-middle attacker guessed
B: incorrectly. Try sending the file again.
B: <exit>
A: ERROR: Key confirmation failed. Either you or your correspondent
A: typed the code wrong, or a would-be man-in-the-middle attacker guessed
A: incorrectly. Try sending the file again.
A: <exit>
So if you receive this error (potentially repeatedly), you learn that there is an attacker trying to guess passwords. You can then choose to increase code length or simply stop using that channel.
The CLI also has an option to further mitigate MITM attacks with the `--verify` flag -- this shows to both clients a hash of the transcript, which can be verbally verified before proceeding with the transfer. This allows detecting an attack even if the attacker gets the password right on the first try (which has probability 1/65536).
Note that it's less clear how secure croc is. Magic Wormhole would be the reference there, I think. I have seen issues on the croc repository regarding security, not sure what the state is today.
Granted croc supports resuming transfers, which magic wormhole doesn't.
I’ve used this and localsend, both are great, but has anyone finally solved the problem of making one of these things that can use a GUI (for phones and tablets) and also a CLI (for when I’m SSHed into my home computer and need to send a video to get processed by something)?
If you don't mind unencryption or are okay with encrypting/decrypting things yourself via standard tools (don't worry you could probably create a shell alias to do that for you in ssh)
Personally I don't really mind the unencryption as I mean I just use it to pass videos or any software and I don't really think that there are any security concerns but its also really easy to encrypt / decrypt as well so I genuinely recommend it
It can actually work out of the browser and in the ssh server by using curl / maybe even wget but no guarantees. Both standard tools.
No CLI yet but mobile & desktop support (yes, including Linux), LAN & online: https://payload.app/
Focused on speed, so good for video. (If your transfers don’t saturate the network I treat that as a failure and a bug to be fixed - please report if speed is ever lacking)
I use this very specifically for setting up new machines. It's one of those where I don't use it much, but when I do it has saved me a whole lot of time, and it's worked well every time.
I did use it some time ago, but I remember the user experience being somewhat confusing, since there are multiple similarly named tools around, which don't seem to be interoperable. Still, a cool concept.
My friend and former colleague has built a bunch of stuff over magic-wormhole like fowl[0], shwim[1] and so on. There is a lot of nice work on "dilated" wormhole.
Folks at Coder authored a p2p file transfer tool using Tailscale (no account needed, the setup is entirely ephemeral, and the code apparently runs a Headscale control server in-memory): https://github.com/coder/wush
Unsure how Tailscale rate limits, if at all, such traffic flowing through its public relays ("DERP"), as a tool like this is just ripe for abuse?
51 comments
[ 2.0 ms ] story [ 68.7 ms ] threadhttps://github.com/magic-wormhole/magic-wormhole-mailbox-ser...
/* A modern version should, of course, work in a browser, so that there'd be no Python packages to install. But the browser security model does not allow listening, so a signaling server would be needed to create a WebRTC connection. It could run on one of the devices involved, but still can't be a pure web app. */
In principal WebRTC communication could be added to magic-wormhole, but that work has not been done yet. There is WebSocket support in the relay (including "cross-protocol" so one client can be WebSocket and the other TCP). This is only deployed on the Winden.app servers (tcp://relay.mw.leastauthority.com:4001 and wss://relay.mw.leastauthority.com for the relay).
You'd need to use the Winden.app relay server if you want https://winden.app users to reach your Python CLI (e.g. via "wormhole --relay-url wss://mailbox.mw.leastauthority.com/v1 send" for example)
I like to use it more. What is your use case for this?
BTW, I haven’t found a good iOS app.
This isn't true. Particularly, if an attacker attempts to connect with the wrong password, this will be seen by the client, which then aborts the connection. So an attacker can only try one password. You can test this yourself:
So if you receive this error (potentially repeatedly), you learn that there is an attacker trying to guess passwords. You can then choose to increase code length or simply stop using that channel.The CLI also has an option to further mitigate MITM attacks with the `--verify` flag -- this shows to both clients a hash of the transcript, which can be verbally verified before proceeding with the transfer. This allows detecting an attack even if the attacker gets the password right on the first try (which has probability 1/65536).
[1] https://github.com/schollz/croc
Granted croc supports resuming transfers, which magic wormhole doesn't.
Then I genuinely recommend piping-server https://github.com/nwtgck/piping-server
Personally I don't really mind the unencryption as I mean I just use it to pass videos or any software and I don't really think that there are any security concerns but its also really easy to encrypt / decrypt as well so I genuinely recommend it
It can actually work out of the browser and in the ssh server by using curl / maybe even wget but no guarantees. Both standard tools.
https://piping-ui.org/ There is this website which has a better ui
And you can self host the server as well and these ui's are just static pages which you can view the source code of
https://github.com/nwtgck/piping-server
Focused on speed, so good for video. (If your transfers don’t saturate the network I treat that as a failure and a bug to be fixed - please report if speed is ever lacking)
Disclaimer: I’m the creator.
Do people realize that GPG supports symmetric encryption?
tailscale funnel --set-path <secret> <DIRECTORY>
(The path is needed because there are lots of bots who scan tailscale hostnames).
This works if the sender is tech savvy (and a tailscale user) but not in the other direction.
[0] <https://github.com/meejah/fowl>
[1] <https://github.com/meejah/shwim>
Very minor web page issue report: please add a replay to the video. Thanks.
Unsure how Tailscale rate limits, if at all, such traffic flowing through its public relays ("DERP"), as a tool like this is just ripe for abuse?