[HN Gopher] Magic Wormhole: Get things from one computer to anot...
___________________________________________________________________
Magic Wormhole: Get things from one computer to another, safely
Author : jstanley
Score : 168 points
Date : 2021-05-24 08:37 UTC (14 hours ago)
(HTM) web link (github.com)
| anotherhue wrote:
| Magic Wormhole is one of my absolute favourite tools.
|
| see also https://wormhole.app/
| gidam wrote:
| to avoid confusion Feross should have chosen a different and
| better name, considering that magic-wormhole is an older
| project doing more or less the same thing (with different and
| better technology and it's real free software)
| CobrastanJorji wrote:
| That seems like a wonderful service, but if it allows up to 100
| downloads over 24 hours, I kind of worry that it's gonna get
| massively abused for nefarious purposes. It's not quite
| "publicly writable S3 bucket" abusable, but it's close.
| atonse wrote:
| Is this open source? How do we know it's doing as advertised?
| [deleted]
| lotharrr wrote:
| For (my) magic-wormhole, yep, entirely, source is on the
| github link above.
|
| It uses a pair of helper servers (that I run), for which the
| source is also on github. But the protocol (implemented in
| the client, not the server) is carefully designed to be
| resistant against server misbehavior.
|
| So you can either study the client and convince yourself the
| protocol is indeed secure, or rely upon my claims that my
| code is working as advertised. But you don't need to rely
| upon my claims that my servers are not snooping or
| interfering: that's protected by the protocol.
| noahmasur wrote:
| They're actually different projects.
|
| This is what I could find for wormhole.app source:
| https://github.com/SocketDev/wormhole-crypto
| lotharrr wrote:
| (author of magic-wormhole here)
|
| aww, thanks :)
|
| BTW for anyone reading, https://wormhole.app/ is awesome and
| serves a very similar purpose, but uses entirely different
| technology (no PAKE) and has a different security model.
|
| In my (https://magic-wormhole.io) world, we've kicked around
| ways to make a good browser-based client (and I've tried to
| prepare the protocols to work well there), but I haven't had
| time to pursue any of them. The tasks include 1: port
| everything to JS (or take the core of the Rust port and compile
| it to WASM, then write an IO layer in JS), 2: glue it to the
| browser's file/blob upload/download APIs, 3: settle on a
| trusted-application security model.
|
| To make it work in a vanilla browser with no setup phase,
| you're pretty much limited to relying upon the webserver from
| which you get the page, which is the model wormhole.app
| provides. Other options include using an addon (which shifts
| the reliance set slightly), or running some sort of Electron
| thing (making it not really a browser app) that you get from
| some distribution channel (debian, homebrew, etc) which shifts
| the reliance set in a better direction.. at least you're
| probably getting the same application as everybody else using
| that distribution, vs a webserver that could conceivably serve
| up a different version each time.
| throwaway67114 wrote:
| Edit: sorry made some blunder. You are Brian, just saw on
| your profile.
| lotharrr wrote:
| Edit: no worries, I just added it there a minute ago,
| didn't realize I'd left that box blank.
|
| I'm Brian Warner.
| ccmcarey wrote:
| FYI looks like magic-wormhole.io doesn't listen on 443, only
| on port 80 (which redirects to github).
| tptacek wrote:
| For what it's worth, and I know you're not looking for this
| fight, but I think it's important:
|
| There is a world of difference between what Magic Wormhole
| can promise and what Wormhole.app can promise. Magic Wormhole
| relies entirely on clientside cryptography; once you have it
| installed, you can trust that it's doing what it says on the
| tin. Which means you can reasonably use it operationally.
|
| "Wormhole.app" --- which has a frustrating name, given the
| distinction --- demands that you trust the server, since the
| server can on every transaction defeat the cryptography
| you're using.
|
| If someone owns up a Magic Wormhole relay server, there's not
| much they can plausibly do to intercept the files you send.
| But if someone owns up Wormhole.app, they can, I believe,
| quietly pick up and store people's files.
|
| Incidentally, apropos none of this: I've been using the
| Golang https://github.com/psanford/wormhole-william port on
| some of my machines for a year now, interoperating with the
| standard Python Magic Wormhole, and it works great.
|
| Magic Wormhole is an achievement. I wrote a blog post about
| modern cryptographic tools, and what I have to say about
| Magic Wormhole is that everyone I've introduced to it
| immediately starts wormholing all sorts of stuff; it's kind
| of addictive. Thanks for designing it!
| mynameisash wrote:
| I _really_ want to see the Rust version get more mature and
| see this made into a browser plugin. I keep mulling over
| trying to help out with the project, at least on the Rust
| side (since I know nothing about WASM).
| psanford wrote:
| There are some folks who have a fork of Wormhole William that
| runs in the browser (via wasm) and uses a websocket based
| relay (keeping the rest of the Magic Wormhole protocol the
| same): https://github.com/psanford/wormhole-william/pull/49
| [deleted]
| ghostly_s wrote:
| Didn't Mozilla have a project similar to this a few years back
| that was discontinued?
| HanayamaTriplet wrote:
| I believe you're thinking of Firefox Send:
| https://support.mozilla.org/en-US/kb/what-happened-firefox-s...
| Fiahil wrote:
| As always, the most difficult problem is not sending files
| between computers, but between smartphones, tablets and
| computers.
|
| I'm still looking for a solution I could use to share pictures
| and PDF files from Android phones to iPads and Laptops using the
| "share" modal and completely self-hosted...
| shepherdjerred wrote:
| I use Resilio Sync for this purpose. It uses a peer-to-peer
| model, it's free, and it works well enough. If you want it
| available 24/7 without relying on peers being online then you
| can install the application on a cheap Kimsufi VPS.
|
| https://www.resilio.com/individuals/
| alcover wrote:
| I use yopp for this. It's just a very crude local server with a
| file picker.
|
| https://github.com/josephernest/Yopp
| tptacek wrote:
| _There's no security, so everyone who has the URL can
| download your last file (well, not if you downloaded it,
| because then it will be automatically deleted on server).
| Why? Because sometimes you just want a quick solution for
| non-sensitive/personal data, rather than a super secure
| solution that would take 2 minutes (go to Gmail on phone,
| enter login, enter password, upload file, go to Gmail on
| computer, enter login, enter password, download the
| file...)_
| Fiahil wrote:
| As many others: not working with the share modal.
|
| > This tool requires a total number of 7 actions to get the
| work done
|
| What the hell?!
| smusamashah wrote:
| On Android, you can install croc in Termux and send files to
| any other platform with croc installed.
| Fiahil wrote:
| Yes, sure, but it's not working with the share modal. It's
| not what I'm looking for.
| somethingwitty1 wrote:
| Maybe overkill for your use-case, but something such as
| NextCloud could be used: https://nextcloud.com/
|
| I use this for cross-family backup and sharing. My main use-
| case is getting my photos from my phone to my desktop.
| StavrosK wrote:
| NextCloud is great if you need Dropbox-like functionality.
| For straight-up syncing of a single directory, or multiple
| single directories, SyncThing is fantastic.
| Fiahil wrote:
| Syncthing doesn't have an iOS app, and nextcloud is not
| what I'm looking for.
| orthecreedence wrote:
| I use Matrix/Element for this (via encrypted channels
| obviously) all the time.
| SilverRed wrote:
| For small files this is probably fine but you are keeping
| those files stored on the matrix server forever which costs
| them a fair bit.
| Fiahil wrote:
| I haven't tried this one, but, like the ftp solution, I think
| the ux would be clunky
| [deleted]
| velosol wrote:
| I've used Total Commander's Send to Wifi [1] before and found
| it workable for that use case (where both are on the same WiFi
| network; presumably you could use a hotspot for a place without
| WiFi at all).
|
| [1]: https://www.ghisler.com/androidplugins/wifi/
| lucgommans wrote:
| I made https://dro.pm for this. You get a link like dro.pm/h
| which is short enough to even share over the phone or tell
| someone at a conference to open. Not like chat apps where you
| have to be connected to the other person first (even if that is
| yourself, need to navigate to that chat) and no need to install
| any software. It's made to be fast on any connection (e.g. by
| allocating the link before you even entered any data), and due
| to being ephemeral it's also less prone to being used for
| phishing like other link shorteners are.
|
| It auto-detects when you enter a link, otherwise treats text
| inputs as a pastebin, you can ctrl+v an image, and it has file
| uploads up to a few gigabytes. Code is on github
| (https://github.com/lgommans/dro.pm/) though I still have to
| change the license to be more permissive (I've decided that I
| won't pursue this as a commercial thing, just open a ticket if
| you want me to change the license sooner than whenever I work
| on this next). Viewing uploaded files instead of downloading is
| also possible for image/audio/video mime-types by adding
| /preview to any link.
|
| You can also use it from the command line if you're on a
| keyboard+terminal-only machine, e.g. just `wget -L
| dro.pm/h.txt` to download the uploaded file (the links accept
| an arbitrary .extension) or for uploading from the command line
| there is a bash one-liner contained in the page source itself,
| see: `curl https://dro.pm | head`
|
| Made a mistake and uploaded something private or want to edit
| the link? Just click delete on the website, or on the command
| line you can use the token that you get when creating a new
| link.
| shkkmo wrote:
| That isn't self hosted and it appears that all the data you
| send will be exposed to dro.pm
| lucgommans wrote:
| Should I package it as a .deb, or what makes something
| self-hosted? The code is already on github:
| https://github.com/lgommans/dro.pm/ (link was buried in the
| text - I had a hard time prioritizing what people would
| want to read first, since that depends on your use-case).
|
| I guess magic wormhole is the wrong context to be making
| this argument in since everyone's primed for peer to peer
| now, but in general, yeah when using dro.pm it will need to
| put your data on dro.pm, similar to how pastebin stores
| your data when you use pastebin. It otherwise (and that's
| why I made this design decision) couldn't work after you
| close the tab, making it much less suitable for most of the
| intended use-cases. If you want peer to peer file transfer,
| you could have a look at https://file.pizza (not made by
| me)
| shkkmo wrote:
| Your license is non-standard and does not appear to permit
| self hosting.
|
| This appears to me much more like blatant self promotion
| rather than attempt to participate in the discussion.
| Your tool has none of the requested features (self hosted
| file transfer using the native share dialog.)
| lucgommans wrote:
| Again, I already wrote:
|
| > though I still have to change the license to be more
| permissive (I've decided that I won't pursue this as a
| commercial thing, just open a ticket if you want me to
| change the license sooner than whenever I work on this
| next).
|
| Guess that'll have to be now then. Getting this sort of
| crap is what makes me wonder why I bother putting this
| work out there in the first place.
| Fiahil wrote:
| This starts to become a little bit repetitive, so I'll keep
| it short: no share modal, no Android/iOS, not self-hosted
| lucgommans wrote:
| It starts to become a little repetitive, so I'll cite from
| what I replied to the sibling comment:
|
| > Should I package it as a .deb, or what makes something
| self-hosted? The code is already on github:
| https://github.com/lgommans/dro.pm/ (link was buried in the
| text - I had a hard time prioritizing what people would
| want to read first, since that depends on your use-case).
|
| As for no mobile app: how much faster is it going to get
| than opening the browser that's already on everyone's
| homescreen and typing a 7-8 character link? Or if you self-
| host it, you can host it on your own TLD like https://me/
|
| And there is a share modal for Android, actually.
| jandrese wrote:
| There is no technical reason sending files should be difficult,
| the problem is entirely political. A file transfer service that
| works too well immediately becomes a hotbed of porn, warez,
| rips, etc... Then it gets sued and/or shut down by the
| authorities. So all file services have to suck in specific ways
| to discourage abuse. The trick is to find the one that sucks in
| ways that aren't as much of an issue for your use case.
| Fiahil wrote:
| My fundamental requirement is for it to be self hosted.
| Therefore the porn and warez are absolutely not an issue.
| PaulDavisThe1st wrote:
| There's a fairly significant difference between 1:N file
| transfer (1 person "sends", N "receive") and 1:1 file
| transfer. What you say seems like a good summary of the
| issues for 1:N, but not particularly relevant for 1:1
| offtop5 wrote:
| Any reason FTP doesn't work ? I imagine you could run an FTP
| server on a Raspberry Pi
| jandrese wrote:
| Being completely plaintext makes it unacceptable for many use
| cases in the modern world. It's also a touch more complicated
| than it needs to be for the standard use case. Binary vs.
| ASCII transfer mode (and ASCII is the default most of the
| time even though it only very rarely makes sense). Plus the
| whole passive vs. active mode thing. Too many footguns and no
| security rule it out.
| lucgommans wrote:
| If you're running FTP as plaintext you're indeed doing it
| wrong, I'm not sure that that must be what GP meant. Not as
| if we explicitly mention (START)TLS for every other
| protocol that supports it.
| SilverRed wrote:
| You can't have secure FTP without a certificate and you
| can't have a certificate without DNS/domain names unless
| you want to manually add certificates around which is bad
| UX again.
|
| The ideal situation would be some universal airdrop which
| will never happen. The next easiest solution is to use
| cloud storage and send a link to the other person.
| Fiahil wrote:
| Ftp could work, but the ux is very bad
| offtop5 wrote:
| Then you could just implement your own client. There are
| already dozens if not hundreds of FTP clients for any
| device you could imagine, if you don't like the ux take an
| open source one and clean it up a bit.
| INTPenis wrote:
| I host my own Firefox Send instance for this purpose.
|
| https://gitlab.com/timvisee/send (a fork of the original code)
| Fiahil wrote:
| Too bad, it's missing an iOS client :(
| psanford wrote:
| I have a Magic Wormhole client for Android that I wrote for the
| occasional sensitive file transfer to and from my phone[0]. I
| was planning on adding iOS support as well, but Apple's general
| hostility toward open source apps discouraged me enough to not
| want to work on that.
|
| [0]: https://github.com/psanford/wormhole-william-mobile
| amelius wrote:
| The best thing to work on if you hate Apple is probably an
| iOS emulator.
| psanford wrote:
| What? I don't hate Apple.
| cmurf wrote:
| I recently spent 15 minutes trying to figure out how to get
| Android to connect via smb, couldn't figure it out. It's such a
| stupid PITA it's almost by design and "yeah just use the
| cloud".
| squarefoot wrote:
| Android, just like iOS, was designed with the idea of turning
| the user into a customer for products and services, therefore
| many things that we take for granted on desktop PCs, often
| even free, under those mobile OSes are either non existing or
| proprietary, filled with adware etc. By becoming mainstream
| they pretty much destroyed decades of efforts in bringing
| free and open source and standards to the masses.
| charlesdaniels wrote:
| Agreed. Especially on iOS, there isn't really a convenient way
| to do this. I'd love something that uses an ssh key pair to
| accept files from the "share" dialog and have them end up in
| ~/Desktop. I tried hacking something with Shortcuts, but
| couldn't get it working.
| cturtle wrote:
| Linux Mint's "Warpinator" [0] is a newer project and has worked
| well for my needs. Very easy to send files to and from my
| android phone to Linux.
|
| [0]: https://github.com/linuxmint/warpinator
| Fiahil wrote:
| And how would I use : a) the share modal b) an iPad?
| obloid wrote:
| I've been using KDE connect recently and it's great for moving
| files between my phone and laptop. Another fun feature is
| sharing a url from the phone to the laptop and it opens the
| browser to the page. I don't know of any similar software but
| being able to do the same thing between iOS and android would
| be great.
| TheAdamAndChe wrote:
| I second this. File transfers between my phone and computer
| are seamless and quick. I can even use it to find my phone
| when I use it. It is rare to find open source software that
| Just Works, and KDE Connect is one of these rare gems that
| does so.
| j-james wrote:
| I second KDE Connect. Despite the name, it's not limited to
| KDE by any means - there's implementations for Windows,
| MacOS, and even GNOME Shell. It's very straightforward to set
| up and has a bunch of other features besides file transfer,
| like using your phone as a touchpad, sending SMS messages
| from the desktop, or pinging either device.
| Fiahil wrote:
| Would have been a strong contender if it had an iOS client
| sidpatil wrote:
| I use Snapdrop (https://snapdrop.net/) to transfer files
| between my iPhone and my Linux laptop. It offers a self-hosting
| option, and there are apps for Android and iOS available
| (though I've only used the Web interface).
| Fiahil wrote:
| I used snapdrop as well, but it's not working with the share
| modal on phones. This means it's not what I am looking for!
|
| The primary use case is for me to share PDF scans made with
| my iPad/phone with my laptop. The second use case is for
| sharing screenshots of my laptop with others on my favorite
| messenger.
| 12ian34 wrote:
| maybe Syncthing (for Android, ideally syncthing-fork via
| F-Droid) will work for you. Share modal, cross platform, works
| with or without a centralised server.
| oldfart2 wrote:
| Have you heard of the command scp? It comes standard on most
| distros.
| andrewnicolalde wrote:
| That requires opening a port if you intend to perform a
| transfer over the internet :)
| [deleted]
| Noumenon72 wrote:
| Is this suitable for transferring files I own off a work computer
| without getting in trouble? My notes files have gotten too
| numerous for the amount my work will let me email as one zip
| file.
| throwaway67114 wrote:
| Doesn't zip software such as 7zip support splitting of
| compressed files into as many pieces as you like and then
| rejoin them when you want?
| hnnnnnnng wrote:
| How many of these webrtc peer to peer file sharing sites are we
| going to have? I swear there are hundreds at this point. None of
| them offer anything different than each other. Sure, it's a great
| project for a frontend dev to throw together on a weekend. But
| that's about it
| dennis-tra wrote:
| Magic wormhole isn't strictly peer to peer nor uses WebRTC as
| the traffic is routed through a relay server. This was my
| motivation to build one of these hundreds of file sharing tools
| [0]. My aim was to build a truly decentralised file sharing CLI
| as basically a drop-in replacement for croc/magic-wormhole - so
| it seems relevant to mention it here. It's based on libp2p and
| comes with its own trade offs.
|
| lotharrr (the author of magic-wormhole) gave kind and valuable
| feedback when I posted it on HN [1].
|
| [0] https://github.com/dennis-tra/pcp
|
| [1] https://news.ycombinator.com/item?id=26127923
| brink wrote:
| There are a lot of them because they're fun to write. NES
| emulators are another example.
| tgsovlerkhgsel wrote:
| Did you read the link?
|
| This is a cli application. I am not aware of them also offering
| a web site, although that would certainly be a great addition.
| byproxy wrote:
| See also: https://github.com/schollz/croc
| pmccarren wrote:
| I'm a huge fan of croc! Even just for the sake of a single
| binary, but there's so much more to love about it.
| tptacek wrote:
| Note upthread about the security track record, though.
| IanCal wrote:
| I'm a little confused about the security model - with a default
| middle server and a 1/65536 chance of guessing the password,
| isn't it fairly likely it could be guessed? Or just a clash of
| passwords (birthday paradox)?
|
| I think I'm probably missing something.
| alecst wrote:
| Here's a link from Brian Warner (the author) talking about
| that:
|
| https://www.youtube.com/watch?v=oFrTqQw0_3c&t=1775s
|
| Hope it helps, it's a good question.
| tptacek wrote:
| In addition to what everyone else here points out, you can also
| set an arbitrarily long code, to make that probability as low
| as you want; you're looking for the `-c` option.
| ptomato wrote:
| You only get one shot at guessing it per transmission attempt.
| gojomo wrote:
| Indeed, and as the docs
| (https://magic-wormhole.readthedocs.io/en/latest/welcome.html...)
| explain,
| you'd likely notice an active attack, and the paranoid can
| choose any arbitrarily-longer code:
|
| > PAKE effectively trades off interaction against offline
| attacks. The only way for a network attacker to learn the
| shared key is to perform a man-in-the-middle attack during
| the initial connection attempt, and to correctly guess the
| code being used by both sides. Their chance of doing this is
| inversely proportional to the entropy of the wormhole code.
| The default is to use a 16-bit code (use -code-length= to
| change this), so for each use of the tool, an attacker gets a
| 1-in-65536 chance of success. As such, users can expect to
| see many error messages before the attacker has a reasonable
| chance of success.
|
| (It does strike me, however, that if a 'mailbox server'
| becomes heavily used, with many pending-but-incompleted
| wormholes, then an attacker making random guesses might
| manage to receive _someone's_ random file, instead of the
| real intended-recipient. Perhaps the sending-side should
| optionally require an interactive sender-ack, after showing
| for confirmation a receiver-generated unique secret? In any
| case: using a longer code, and/or using a private mailbox,
| could each help eradicate such risks.)
| psanford wrote:
| You also don't have to use words from the default
| dictionary. You can specify your own code.
| callahad wrote:
| > _Perhaps the sending-side should optionally require an
| interactive sender-ack_
|
| Check out the `--verify` flag for `wormhole send` and
| `wormhole receive`
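
Added example, not part of the thread and not magic-wormhole's own code: a toy SPAKE2-style PAKE exchange illustrating the replies above, namely that a network attacker gets one guess at the code per transmission attempt and that every wrong guess shows up as a failed transfer. Assumptions: the group is the 768-bit MODP prime from RFC 2409 (far too small for real use), the `M`/`N` labels and all class and function names are hypothetical, and the wormhole codes are constructed samples.

```python
import hashlib
import secrets

# 768-bit MODP prime from RFC 2409 (Oakley group 1); p = 2q + 1 with q prime.
# Assumption for this toy only: far too small for real use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4  # a square mod P, so it generates the order-q subgroup
assert pow(G, Q, P) == 1  # sanity check on the constants above


def _to_group(label: bytes) -> int:
    """Hash a label to a subgroup element whose discrete log nobody knows."""
    h = int.from_bytes(hashlib.shake_256(label).digest(128), "big")
    return pow(h, 2, P)


M = _to_group(b"toy-spake2 M")  # blinds side A's message (hypothetical label)
N = _to_group(b"toy-spake2 N")  # blinds side B's message (hypothetical label)


class Side:
    """One participant in ONE protocol run; it commits to a single code."""

    def __init__(self, role: str, code: str):
        assert role in ("A", "B")
        self.role = role
        digest = hashlib.sha256(code.encode()).digest()
        self.w = int.from_bytes(digest, "big") % Q      # code as a scalar
        self.x = secrets.randbelow(Q - 1) + 1           # fresh ephemeral secret
        blind = M if role == "A" else N
        self.msg = pow(G, self.x, P) * pow(blind, self.w, P) % P

    def finish(self, peer_msg: int) -> bytes:
        # Reject anything outside the order-q subgroup.
        if not 1 < peer_msg < P or pow(peer_msg, Q, P) != 1:
            raise ValueError("peer message is not a valid group element")
        peer_blind = N if self.role == "A" else M
        # Strip the peer's blinding using OUR idea of the code, then do DH.
        unblinded = peer_msg * pow(peer_blind, -self.w, P) % P
        shared = pow(unblinded, self.x, P)
        if self.role == "A":
            a_msg, b_msg = self.msg, peer_msg
        else:
            a_msg, b_msg = peer_msg, self.msg
        parts = (a_msg, b_msg, shared, self.w)
        return hashlib.sha256(b"|".join(str(v).encode() for v in parts)).digest()


def run(code_a: str, code_b: str):
    """Run one exchange and return the session key each side derived."""
    a, b = Side("A", code_a), Side("B", code_b)
    return a.finish(b.msg), b.finish(a.msg)


def attacker_wins(real_code: str, guess: str) -> bool:
    """A man-in-the-middle answers the sender as side B with one guess."""
    sender_key, attacker_key = run(real_code, guess)
    return sender_key == attacker_key


def online_attack(real_code: str, guesses):
    """Each guess needs a fresh run; every miss is a failure the sender sees."""
    failures = 0
    for guess in guesses:
        if attacker_wins(real_code, guess):
            return True, failures
        failures += 1
    return False, failures


if __name__ == "__main__":
    code = "7-crossover-clockwork"  # constructed sample code
    key_a, key_b = run(code, code)
    print("same code, keys match:", key_a == key_b)
    print("wrong guess wins:", attacker_wins(code, "7-guitarist-revenge"))
    print("attack result:", online_attack(code, ["7-a-b", "7-c-d", code]))
```

The sender's blinded message depends on a fresh ephemeral secret each run, so an attacker cannot reuse a captured message to test further guesses without starting another visible connection attempt.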
| jsnell wrote:
| Previous discussion, including two frontpage submissions this
| year:
|
| https://news.ycombinator.com/item?id=9953767
|
| https://news.ycombinator.com/item?id=14649727
|
| https://news.ycombinator.com/item?id=24702975
|
| https://news.ycombinator.com/item?id=27237536
| dang wrote:
| Thanks! Here's a formatted list. (I think we'll probably just
| make HN's software automatically render links to past threads
| this way--I can't think of any downsides.)
|
| _Magic-Wormhole: Get Things from One Computer to Another,
| Safely_ - https://news.ycombinator.com/item?id=27237536 - May
| 2021 (4 comments)
|
| _Magic-Wormhole: Get Things from One Computer to Another,
| Safely_ - https://news.ycombinator.com/item?id=24702975 - Oct
| 2020 (9 comments)
|
| _Ask HN: What is your favorite method of sending large files?_
| - https://news.ycombinator.com/item?id=24351111 - Sept 2020
| (354 comments)
|
| _Ask HN: A more convinient Magic Wormhole alternative?_ -
| https://news.ycombinator.com/item?id=21352217 - Oct 2019 (3
| comments)
|
| _Magic-Wormhole - Get things from one computer to another,
| safely_ - https://news.ycombinator.com/item?id=14649727 - June
| 2017 (179 comments)
|
| _Get things from one computer to another, safely_ -
| https://news.ycombinator.com/item?id=9953767 - July 2015 (15
| comments)
| alexjplant wrote:
| This was a solved problem 25 years ago... pcAnywhere could do
| this between any two Windows machines [1] provided you had the
| requisite cable. It was a yellow 25-pin DSub (i.e. parallel port)
| cable. Yellow is one of the fastest colors right up there with
| Ferrari Red and I do seem to remember getting speeds that were
| quite a bit faster than our 56k modem was capable of :P
|
| [1]
| https://socket3.wordpress.com/2017/04/07/pcanywhere32-3-thin...
| mahathu wrote:
| I use a Telegram (web) chat with myself for sharing files across
| devices occasionally and it works exceptionally well.
| sorenjan wrote:
| You can also use python and any kind of http download tool
| (browser, curl). Works well within a local network, or if you
| have control over your firewall.
|
|     python -m http.server 8000
| jstanley wrote:
| There are 2 obvious problems with this approach that Magic
| Wormhole fixes:
|
| 1. you can't start downloading on the other side until the
| upload is complete - for large transfers this is a significant
| delay
|
| 2. the Telegram operators can read your files
| suifbwish wrote:
| Telegram is end to end encrypted
| ycombinete wrote:
| Not by default
| SilverRed wrote:
| And only on mobile so the web client can never be
| encrypted.
| throwaway67114 wrote:
| The only thing end to end encrypted in Telegram is 1 on 1
| mobile chats and calls, and you have to explicitly enable
| it.
| pmccarren wrote:
| I'm a huge fan of croc[0]. Very similar to Magic Wormhole, but a
| bit more flexible and written in go.
|
| Straight from the README:
|
| > croc is a tool that allows any two computers to simply and
| securely transfer files and folders. AFAIK, croc is the only CLI
| file-transfer tool that does all of the following:
|
| - allows any two computers to transfer data (using a relay)
|
| - provides end-to-end encryption (using PAKE)
|
| - enables easy cross-platform transfers (Windows, Linux, Mac)
|
| - allows multiple file transfers
|
| - allows resuming transfers that are interrupted
|
| - local server or port-forwarding not needed
|
| - ipv6-first with ipv4 fallback
|
| - can use proxy, like tor
|
| refs:
|
| [0]https://github.com/schollz/croc
| WhatIsDukkha wrote:
| Sadly croc lacks "wormhole ssh invite" which is about 90% of my
| use of wormhole.
| CobrastanJorji wrote:
| That sounds super useful, but I don't see it mentioned in the
| documentation anywhere. I found it in the source code,
| though. Looks like it allows a remote user to add credentials
| to an authorized_keys file?
| WhatIsDukkha wrote:
| From the docs -
|
| """
| wormhole ssh --help
| Usage: wormhole ssh [OPTIONS] COMMAND [ARGS]...
|
|   Facilitate sending/receiving SSH public keys
|
| Options:
|   --help  Show this message and exit.
|
| Commands:
|   accept  Send your SSH public-key In response to a 'wormhole ssh invite'...
|   invite  Add a public-key to a ~/.ssh/authorized_keys file
| """
| psanford wrote:
| Croc has a history of major security vulnerabilities.
| throwaway67114 wrote:
| croc probably shouldn't be used if you want security:
|
| [1] https://news.ycombinator.com/item?id=27054885
|
| [2] https://twitter.com/Sc00bzT/status/1396199915638992896
|
| Magic Wormhole has a good implementation in Go, which is
| compatible with the original Python implementation (croc is not
| compatible with magic wormhole). It has windows binary and
| binaries for most of the popular OS.
|
| https://github.com/psanford/wormhole-william
|
| Binaries: https://github.com/psanford/wormhole-william/releases
|
| There's a GUI: https://github.com/Jacalz/wormhole-gui
|
| Android app too:
| https://github.com/psanford/wormhole-william-mobile
|
| Support for resuming transfers is planned I think.
| tobias2014 wrote:
| In a sense it is good when people actually check opensource
| software for security vulnerabilities, and these get fixed,
| no? There would only be reason of concern if a project shows
| overall continued sloppiness, but I'm not aware of that for
| croc. Correct me if I'm wrong.
| ptomato wrote:
| See also the (compatible, same middle server by default) golang
| port, https://github.com/psanford/wormhole-william, complete with
| static binaries for mac/win/linux. I've found this helpful when
| I've needed to send files to somebody who would have problems
| getting a whole pythonpile of dependencies installed.
___________________________________________________________________
(page generated 2021-05-24 23:01 UTC)