HN Theater @HNTheaterMonth

The best talks and videos of Hacker News.

Hacker News Comments on
Brian Warner - Magic Wormhole- Simple Secure File Transfer - PyCon 2016.mp4

PyCon 2016 · Youtube · 6 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention PyCon 2016's video "Brian Warner - Magic Wormhole- Simple Secure File Transfer - PyCon 2016.mp4".
Youtube Summary
Speaker: Brian Warner

"magic-wormhole" is a simple tool to move files from one computer to another, like "scp" but without the setup. By telling the recipient just a few secret words, the file is safely encrypted and delivered directly to the correct machine. The talk will explain the security mechanics, the cryptography (NaCl and SPAKE2), and how to use the underlying open-source library in your own applications.

Slides can be found at: https://speakerdeck.com/pycon2016 and https://github.com/PyCon/2016-slides
Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
I think this is your question, if not, my apologies https://youtu.be/oFrTqQw0_3c?t=1594
Here's a link from Brian Warner (the author) talking about that:

https://www.youtube.com/watch?v=oFrTqQw0_3c&t=1775s

Hope it helps, it's a good question.

Have you taken a look at magic-wormhole[1]? I've started using it recently and it's insanely easy to use.

It does have a centralised signalling server for key exchange between peers, but it does attempt to do peer-to-peer data transfer (only falling back to a TURN-style relay if both clients are behind NATs and aren't on the same local network). An explanation of the cryptography and design was given at PyCon 2016[2]. It also has built-in optional Tor support (though I'm not sure if it attempts to use an onion service for data transfer).

[1]: https://github.com/warner/magic-wormhole [2]: https://youtu.be/oFrTqQw0_3c

big_chungus
Magic wormhole is good, and I've used it before, but it's never as fast as it could be. Something like piping to netcat is always faster. I know it's possible (albeit with a lot of work) to do this over HTTP, but Google Drive is probably the only site that can mostly saturate a connection. Can anyone link more info on how exactly they achieve this? The only trick I know of is a better TCP congestion control algorithm.
MacroChip
I did not know magic wormhole existed. I made a simple nodejs implementation of a very similar app. It used WebRTC so maybe it could be faster. Let me know if you want to try it out!
big_chungus
I'd love to give it a spin; do you have a repo link? Also out of curiosity, how does it compare in terms of crypto?
oefrha
I’m a happy user of magic-wormhole myself. It doesn’t solve the problem of sending files to phones, though.
cyphar
Maybe someone should write a magic-wormhole mobile client. It wouldn't need a complicated UI at all, and you could (try) to use Kivy[1] to avoid having to rewrite all of the Python bits. I might even try to do it as a weekend project, actually (though I suck at mobile development -- anyone else would probably be a better choice ;]).

[1]: https://kivy.org/

lucb1e
This is one of many reasons why I have a terminal on my phone, I can just apt install magic-wormhole and use it like on any other system.

(The technical reader will note that a terminal does not give you apt, but mentioning that I have Debian running on the phone is more confusing, as it sounds like I replaced Android (which I did not) or maybe that it costs a lot of battery (the tools are idle when not in use, unlike many apps unfortunately...).)

oefrha
Sure, I can use wormhole on iSH on my iPhone/iPad if there are no alternatives. But there are alternatives, so I’ll definitely stay the hell away from it given the terrible ergonomics.
zaroth
I think this project demonstrates quite handily that the problem scope of a seemingly simple task can be quite large. ~1,500 commits in that repo.
Feb 16, 2019 · lixtra on Modern Alternatives to PGP
PAKE takes care of that. Watch the parent's nice talk: https://youtu.be/oFrTqQw0_3c
rakoo
Yes, that's what I'm saying: GP's point is that if you have a secure channel you might as well send the encryption key, but in order to do that you have to be careful about generating it correctly, whereas PAKE gives you the possibility to exchange something far simpler.
Feb 16, 2019 · lixtra on Modern Alternatives to PGP
According to the parent's nice talk[1] you can add a verify switch that lets you compare the signature of the actual key. So a public authenticated channel is enough.

[1] https://youtu.be/oFrTqQw0_3c

kingofhdds
I'm not sure we are on the same page here. Having control over a channel you use to pass your code, I can receive your secret file, I just need to be quicker than a legitimate recipient. How will this '--verify' flag help you then?
lixtra
The assumption is that Alice recognizes the voice of Bob. If Eve manages to eavesdrop on the call and sits in the middle or beats Bob to connect to the wormhole server then Alice will still see that the fingerprint that Bob dictates over the phone does not match the fingerprint of the key that her computer proposes to use for the file transfer. Alice will therefore abort the transmission.

With deep learning the voice may not be good enough nowadays. Still, you only need an authenticated - possibly public - channel, similar to PGP key exchange, where you can read the fingerprint over the phone.

I could not find an example on the GitHub page, but here is the timecode from a video that shows it in action: https://youtu.be/oFrTqQw0_3c?t=129 Also: https://magic-wormhole.readthedocs.io/en/latest/welcome.html...

Looks neat.
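
The fingerprint comparison from the `--verify` discussion above, as an added example (not code from the thread or from magic-wormhole): each endpoint derives a short verifier from its own session key, and Alice aborts unless the value Bob dictates over the authenticated channel matches hers. A toy Diffie-Hellman exchange stands in for SPAKE2 here, and the `verifier` label and 16-character length are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy finite-field Diffie-Hellman standing in for SPAKE2 (assumption: NOT
# secure and NOT what magic-wormhole uses). It only has to give every pair
# of endpoints its own session key.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def verifier(key):
    # Derived from the key under its own label, so reading it aloud on a
    # public channel does not disclose the session key itself.
    # Hypothetical label and truncation length, chosen for this example.
    return hmac.new(key, b"example:verifier", hashlib.sha256).hexdigest()[:16]

def alice_accepts(alice_key, dictated):
    # Alice compares her own verifier with the one Bob dictated.
    return hmac.compare_digest(verifier(alice_key), dictated)

def run_exchange(mitm):
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if mitm:
        # Eve holds the code and sits between the two endpoints, so each
        # side unknowingly completes its key exchange with her.
        e_priv, e_pub = keypair()
        alice_key = session_key(a_priv, e_pub)
        bob_key = session_key(b_priv, e_pub)
    else:
        alice_key = session_key(a_priv, b_pub)
        bob_key = session_key(b_priv, a_pub)
    dictated = verifier(bob_key)  # read out over the authenticated call
    return alice_accepts(alice_key, dictated)

if __name__ == "__main__":
    print("honest exchange accepted:", run_exchange(mitm=False))
    print("intercepted exchange accepted:", run_exchange(mitm=True))
```

The check depends only on the fingerprint channel being authenticated; it can be fully public, since the verifier is compared rather than kept secret.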

HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.