51 comments

[ 2.0 ms ] story [ 68.7 ms ] thread
A simple encrypted channel for file transfer. A great way to send a file to a stranger who is near you but shares nothing with you, e.g. at a conference.

/* A modern version should, of course, work in a browser, so that there'd be no Python packages to install. But the browser security model does not allow listening, so a signaling server would be needed to create a WebRTC connection. It could run on one of the devices involved, but still can't be a pure web app. */

There are Rust and Haskell implementations too (not quite as feature-full as the Python code yet, though) as well.

In principal WebRTC communication could be added to magic-wormhole, but that work has not been done yet. There is WebSocket support in the relay (including "cross-protocol" so one client can be WebSocket and the other TCP). This is only deployed on the Winden.app servers (tcp://relay.mw.leastauthority.com:4001 and wss://relay.mw.leastauthority.com for the relay).

You'd need to use the Winden.app relay server if you want https://winden.app users to reach your Python CLI (e.g. via "wormhole --relay-url wss://mailbox.mw.leastauthority.com/v1 send" for example)

(comment deleted)
AFAIK, Web Wormhole is the only one of those tools that can be used both as a command-line tool and from a browser. It looks like the site is down at the moment though. https://github.com/saljam/webwormhole https://webwormhole.io/
There exists winden.app which is a magic wormhole webapp. They use their own mailbox and relay so you need to use the right options in the wormhole CLI.
I’m glad to see that there are mobile apps and web applications that work on/use Magic Wormhole for peer to peer file transfers. The mobile app and web applications seem to be limited (number of files is one at a time, size of file allowed, etc.) due to limitations on mobile platforms and due to choices by the developer/server host.
I use this all the time when trying to get files between devices that need multiple hops to get to. Way easier then remembering what scp or rsync combo I need to jump through a host
I use magic wormhole when I first install a computer to send an SSH key. At that point, I have ssh. Also if you use a mesh VPN, your devices are already connected and there are several ways to transfer files.

I like to use it more. What is your use case for this?

BTW, I haven’t found a good iOS app.

FYI, there's a subcommand just for this use case: `wormhole ssh invite` / `accept`, which will read the SSH pubkey on one end and append it to authorized_keys on the other.
I prefer https://localsend.org/ nowadays. Nice cross-platform GUI, "just works". Requires being on the same lan, but discovery of other devices is automatic and there are no alphanumeric codes that have to be shared. It's a good QoL improvement to have "airdrop" between Android and Linux
Thank you for this link. Looks awesome.
This project made me learn about and attempt to implement the SPAKE2 protocol and HKDF as an exercise. It's quite fascinating. It lets you upgrade a short password to a long key, but requires trusting a server to rate limit attempts on brute-forcing that short password. It seems difficult to find a practical use case for it tho. Because it's only relevant when it is impractical to send a long key. But if you think for a second, lets say you are transferring from a desktop to a phone, you can show a QR code and scan in with your phones camera, thus achieving a secure handshake bypassing the need for SPAKE2 all together. Maybe it would defeat the simplicity of the tool, but if it also provided a long string of words for the key, a user could optionally send all the words instead of just the first few and get themselves a secure key without needing to trust the server.
> requires trusting a server to rate limit attempts on brute-forcing that short password

This isn't true. Particularly, if an attacker attempts to connect with the wrong password, this will be seen by the client, which then aborts the connection. So an attacker can only try one password. You can test this yourself:

    A: $ wormhole send foobar
    A: Wormhole code is 1-whimsical-klaxon

    B: $ wormhole receive 1-klaxon-whimsical # wrong password
    B: ERROR:  Key confirmation failed. Either you or your correspondent
    B: typed the code wrong, or a would-be man-in-the-middle attacker guessed
    B: incorrectly. Try sending the file again.
    B: <exit>

    A: ERROR:  Key confirmation failed. Either you or your correspondent
    A: typed the code wrong, or a would-be man-in-the-middle attacker guessed
    A: incorrectly. Try sending the file again.
    A: <exit>
So if you receive this error (potentially repeatedly), you learn that there is an attacker trying to guess passwords. You can then choose to increase code length or simply stop using that channel.

The CLI also has an option to further mitigate MITM attacks with the `--verify` flag -- this shows to both clients a hash of the transcript, which can be verbally verified before proceeding with the transfer. This allows detecting an attack even if the attacker gets the password right on the first try (which has probability 1/65536).

I use it all the time. this tool is so great
croc[1] has worked better for me. It supports resuming transfers, which is a must. It is very wormhole like and written in Go.

[1] https://github.com/schollz/croc

Note that it's less clear how secure croc is. Magic Wormhole would be the reference there, I think. I have seen issues on the croc repository regarding security, not sure what the state is today.

Granted croc supports resuming transfers, which magic wormhole doesn't.

I've used croc extensively and had no issues.
100% endorse croc, you can use croc in any GPU renting service (e.g Runpod).
I’ve used this and localsend, both are great, but has anyone finally solved the problem of making one of these things that can use a GUI (for phones and tablets) and also a CLI (for when I’m SSHed into my home computer and need to send a video to get processed by something)?
If you don't mind unencryption or are okay with encrypting/decrypting things yourself via standard tools (don't worry you could probably create a shell alias to do that for you in ssh)

Then I genuinely recommend piping-server https://github.com/nwtgck/piping-server

Personally I don't really mind the unencryption as I mean I just use it to pass videos or any software and I don't really think that there are any security concerns but its also really easy to encrypt / decrypt as well so I genuinely recommend it

It can actually work out of the browser and in the ssh server by using curl / maybe even wget but no guarantees. Both standard tools.

https://piping-ui.org/ There is this website which has a better ui

And you can self host the server as well and these ui's are just static pages which you can view the source code of

https://github.com/nwtgck/piping-server

No CLI yet but mobile & desktop support (yes, including Linux), LAN & online: https://payload.app/

Focused on speed, so good for video. (If your transfers don’t saturate the network I treat that as a failure and a bug to be fixed - please report if speed is ever lacking)

Disclaimer: I’m the creator.

>Copying files through encrypted email requires bootstrapping a GPG key as well as an email address.

Do people realize that GPG supports symmetric encryption?

Don't want to crash my friend's server, but he made a Mac app with this: https://www.viawormhole.xyz/
Any screenshots or further reading? "Download this zip with no description" is tough to recommend.
I use this very specifically for setting up new machines. It's one of those where I don't use it much, but when I do it has saved me a whole lot of time, and it's worked well every time.
I did use it some time ago, but I remember the user experience being somewhat confusing, since there are multiple similarly named tools around, which don't seem to be interoperable. Still, a cool concept.
Recently learnt about tailscale funnel, and I love it, I would use for everything.

tailscale funnel --set-path <secret> <DIRECTORY>

(The path is needed because there are lots of bots who scan tailscale hostnames).

This works if the sender is tech savvy (and a tailscale user) but not in the other direction.

Great tool.

Very minor web page issue report: please add a replay to the video. Thanks.

Folks at Coder authored a p2p file transfer tool using Tailscale (no account needed, the setup is entirely ephemeral, and the code apparently runs a Headscale control server in-memory): https://github.com/coder/wush

Unsure how Tailscale rate limits, if at all, such traffic flowing through its public relays ("DERP"), as a tool like this is just ripe for abuse?