Originally published at: Wormhole: file sending site with end-to-end encryption | Boing Boing
…
This is pretty cool, although it still leaves the issue of how to securely get the URL with the key to the recipient. Hey, maybe you could put it in a text file and send it via Wormhole…
It’s worms all the way down… the hole?
That’s a solvable problem. Just send the link via Signal or some other encrypted app.
Firefox Send shut down because it was being used for phishing and sending malware (which is a shame because it was such a great service). How will Wormhole prevent bad users?
Was rabbit-hole taken?
I know that I’ve gone down too many rat-holes in my days. And then there are the mink-holes: just like a rat-hole but it feels so much better going down one.
I was only being partly serious. Yes, you can rely on other encrypted services…or you could e-mail it!
If a link is used to spread malware, that would guarantee the key is public at that point. They would be able to inspect the contents, remove it, and block the abuser. Since the site doesn’t require an account, they’d have to make do with IP blocking. Seems like a lot of work for a free service to perform except perhaps in the most egregious cases.
Honest question, how do sites like this actually operate offering a completely free service? I hate being skeptical, but how do they benefit from this? I just find it hard to believe someone would spend a bunch of money paying for the resources to make this happen without getting anything out of it for themselves. Am I wrong?
One of the creators of Wormhole here
We’re planning to introduce a Pro plan for larger file limits and explore an enterprise version for organizations that have high security requirements (law firms, etc.) that can’t use existing cloud storage providers.
The current free version costs us less than $10/day, thanks to using Backblaze for storage and only keeping files for 24 hours. We also use peer-to-peer transfer when possible. A fully peer-to-peer transfer is preferred, since it improves speed and privacy – as well as cost.
(The server copy helps to ensure files continue to be available even after the sender closes their browser. All files are end-to-end encrypted before they are uploaded or sent peer-to-peer.)
Edit: Beat to the punch by one of the authors.
There are lots of big open source projects out there that offer free services of one sort or another. They are funded in a variety of ways (donations, foundations, volunteers, etc.).
In this case looking at their roadmap shows the likely method:
Under Q2: Wormhole Pro – Customize expiration time, download count, larger files
That looks like a “free for basic features”, “pay for premium features” service.
Ah, that makes sense. Thanks for the explanation. I definitely dig the concept. I wish you guys much success with it!
Thanks for the explanation. That’s really exciting. Any word on how you will limit bad actors (what caused FF Send to be shut down)?
One odd thing about the Firefox Send shutdown is that the security community repeatedly asked Mozilla to add a “Report abuse” button to help take down known malware links. Instead Mozilla shut down the whole service, which was a bit extreme. So I think abuse was, at least in part, a convenient cover story for the planned shutdowns/layoffs/refocusing that took place at Mozilla at the end of 2020.
We think it’s encouraging that other products that offer end-to-end encryption like Signal and WhatsApp have managed to handle abuse, malware, and other threats.
Right. It seems like with a little bit of thought and effort, you could mitigate bad behaviour. Putting the shutdown in context with Mozilla’s narrowing of scope, it makes sense what they did.
The 24-hour expiration is a key element of this approach. It will effectively prevent this from being used for forum postings and makes it much harder to build indexes à la Pirate Bay. It gears this toward people who know each other who can coordinate these transfers rather than strangers pulling files off the web.
I certainly don’t want to rain on Wormhole’s parade, but I’ve already been using a service called Toffeeshare that seems to offer all the same benefits, with no file size limit. Were you aware of this, and does Wormhole offer anything that Toffeeshare lacks? Not that I’m trying to discourage you - it’s always good to have alternatives and I’m going to give Wormhole a try next time I need to transfer a large file.
FilePizza is what I’ve been using for a while.
Where are my files sent?
Your files never touch our server. Instead, they are sent directly from the uploader’s browser to the downloader’s browser using WebTorrent and WebRTC.
Are my files encrypted?
Yes, all WebRTC communications are automatically encrypted using public-key cryptography.
From what I see it’s a difference of p2p optional vs p2p only. Wormhole hosts the files (if <5 GB) for 24 hours. Toffeeshare (and FilePizza) are p2p only. I can imagine use cases where the sharer doesn’t have a steady internet connection that the remote hosting would be really useful.
Has anyone outside your company vetted your encryption and security practices?