1. 36

  2. 7

    I’ve been using this on occasion for a while and it truly does feel like magic after every other file transfer method I’ve suffered.

    1. 6

      There is a Rust version being worked on as well (from the original author): https://github.com/warner/magic-wormhole.rs

      1. 5

        Just to see if I understand the setup:

        If I pester the default public Rendezvous Server with random 16-bit keys I might receive files from people who are sending (but where the receiver isn’t started yet)? Sure, the sender will get to see my IP address, and you can use bigger key sizes or use a private server.

        1. 3

          Yes, it’s even stated in the doc https://magic-wormhole.readthedocs.io/en/latest/attacks.html#dos-attack-on-the-rendezvous-server

          In particular, grumpy people could disrupt service for everyone by writing a program that just keeps connecting to the rendezvous server, pretending to be real clients, and claiming messages meant for legitimate users.


          The core problem is that, because things are so easy for the legitimate participants, they’re really easy for the attacker too. Short wormhole codes are the easiest to use, but they make it for a trivially predictable channel-id target.

          1. 3

            Yes, but critically you wouldn’t be able to decrypt the file, because the PAKE only gives you one chance at guessing the code for a specific peer, so you can only disrupt the transfer.

            1. 3

              I think that if you guess one of the currently active default 65k channels, you get the data.

              Your only factors of authentication are time frame and 16 bits of randomness.

              1. 2

                Ah, I misinterpreted. Yes, ignoring the channel ID, you can keep making guesses, and on average you’ll disrupt 32k transfers before taking one over.

                It doesn’t change anything to try all 64k combinations; you can just keep trying “foo-bar” and wait for it to be correct, because you only get one shot at breaking each random transfer.
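
An added worked example, not part of the thread or of magic-wormhole's code: it models the "one guess per transfer" property discussed above and shows how the code length changes an interloper's per-transfer odds. It assumes 8 bits per code word (so the 2-word default is the 16 bits mentioned above); all function names are hypothetical, and no networking or real PAKE is involved.

```python
import math
import random

def code_space(words: int, bits_per_word: int = 8) -> int:
    # Assumption: each code word carries 8 bits, so the 2-word default
    # matches the 16 bits / 65k values discussed in the thread.
    return 2 ** (words * bits_per_word)

def p_takeover(attempts: int, space: int) -> float:
    # One guess per transfer, each independently right with chance 1/space.
    return -math.expm1(attempts * math.log1p(-1.0 / space))

def attempts_for(probability: float, space: int) -> int:
    # Smallest number of interrupted transfers that reaches `probability`.
    return math.ceil(math.log1p(-probability) / math.log1p(-1.0 / space))

def simulate(transfers: int, space: int, seed: int = 1) -> dict:
    # Constructed model: every transfer draws a fresh secret code and the
    # interloper spends its single guess on one fixed value. A miss only
    # disrupts that transfer; it reveals nothing about the next one.
    rng = random.Random(seed)
    guess = 0
    outcome = {"taken_over": 0, "disrupted": 0}
    for _ in range(transfers):
        hit = rng.randrange(space) == guess
        outcome["taken_over" if hit else "disrupted"] += 1
    return outcome

if __name__ == "__main__":
    for words in (2, 3, 4):
        space = code_space(words)
        print(f"{words} words: 1 in {space} per transfer, "
              f"{attempts_for(0.5, space)} interrupted transfers for a 50% chance")
    print(simulate(200_000, code_space(2)))
```

Each extra code word multiplies the number of transfers that would have to be visibly disrupted by 256, which is the trade-off behind choosing longer codes.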

          2. 4

            What’s the advantage over scp?

            1. 4

              Largely that it’s very quick and simple to use for personal file-sharing, or any other situation where you might not have (or need) an SSH server available.

              I recently used it to send VPN credentials to a new member of our team who couldn’t make it into the office, for example: everything sent securely from my Linux desktop to his Mac in the space of a phone call.

            2. 3

              Once you start using it, you won’t want to use anything else.

              1. 2

                I see this is marked as a show. Does that mean you wrote magic wormhole?

                If so, could you talk a little bit about what it was like to design and deploy the system? Not how it works, but more along the lines of how it came into being, when/why you decided to do it, and how you got the resources to deploy it.

                1. 2

                  No. The description never said that it needed to be (that’s what the author bit is for). Did I misunderstand the tag?

                  1. 11

                    IIUC “author” typically means “I wrote this [article/blog/prose]” whereas “show” means “I created this [usually software]”. It’s generally understood that applying the “show” tag means you’re the creator.

                2. 0

                  Interesting to see that the largest desktop OS is entirely unmentioned.

                  1. 1

                    Not true:

                    On Windows, python2 may work better than python3. On older systems, $ pip install --upgrade pip may be necessary to get a version that can compile all the dependencies. Most of the dependencies are published as binary wheels, but in case your system is unable to find these, it will have to compile them, for which Microsoft Visual C++ 9.0 may be required. Get it from http://aka.ms/vcpython27 .

                    1. 3

                      Thanks, I missed that section!

                      Still, the ideal vehicle for Windows would be a simple .NET application with embedded Python and simple hooks to add/save files to the filesystem. It should be easy enough to develop such an application.

                      1. 3

                        There is a compatible Go version, I believe, which supposedly works on Windows.

                        EDIT: https://github.com/psanford/wormhole-william

                        Firefox Send (and the CLI ffsend) is also kind of similar, if interested in alternatives.