
OnionShare: securely and anonymously share a file of any size - sygma
https://onionshare.org/
======
lucb1e
Cool project. It shows the power of Tor hidden services here: you can have
peer to peer communication regardless of either side's network topology. It
just needs to connect to the Tor network and you're good to go. (And yes, Tor
can connect through "fascist" firewalls, as the configuration itself puts
it[1].)

If you think about it, it's dead simple to make: run the tor binaries, run a
netcat binary that listens on a certain port, and configure tor (two lines of
config) to run a hidden service connecting to that netcat port. Then read the
generated hostname file for the .onion address and display it to the user.
Reverse thing on the other side.

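    # Serve the file once on a local port (backgrounded so the next commands run;
    # as written, nc listens on all interfaces, not only on 127.0.0.1)
    nc -l 1111 < super_secret.rar &
    # HiddenServiceDir must come before the HiddenServicePort lines that belong to it
    echo 'HiddenServiceDir /var/lib/tor/hidden_service/' >> /etc/tor/torrc
    echo 'HiddenServicePort 1112 127.0.0.1:1111' >> /etc/tor/torrc
    service tor restart
    cat /var/lib/tor/hidden_service/hostname # share w/ friend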

I don't mean to say that OnionShare is not useful, OnionShare to the above
script is what Firefox is to Lynx (to take an example). I just mean to say
that it's interesting how easily this can be done with just five commands.

[1] [https://www.torproject.org/docs/tor-manual.html.en#FascistFi...](https://www.torproject.org/docs/tor-manual.html.en#FascistFirewall)

~~~
thegeomaster
Without HTTP, it'll be a little clumsy. The downloader won't be able to pause
and resume the download, and won't know what the progress of the download is
(unless you tell her the exact file size beforehand, which might be tricky
sometimes, especially in automated circumstances). You will also need to
resort to this for sharing the metadata such as the MIME type of the file.

I think using HTTP for this is more robust, even if it requires you to
download and spin up OnionShare.

Btw, the fascist firewall evasion is great. In my dorm, the only allowed ports
were 80 and 443, and I was able to connect to Tor effortlessly.
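
What HTTP adds over the raw netcat pipe, as an added example that is not part of the thread or of OnionShare's code: a loopback-only server (the address a hidden service would forward to) that sends `Content-Length` and `Content-Type` and honours `Range`, so an interrupted download can resume. The payload, file name and function names are constructed for illustration.

```python
import http.client, http.server, mimetypes, re, threading

# Constructed sample payload standing in for the shared file.
PAYLOAD = bytes(range(256)) * 40      # 10240 bytes
FILENAME = "sample.rar"               # hypothetical name, used only for MIME lookup

class ShareHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        total = len(PAYLOAD)
        start, end, status = 0, total - 1, 200
        # Only the simple "bytes=START-[END]" form is handled here.
        m = re.fullmatch(r"bytes=(\d+)-(\d*)", self.headers.get("Range", ""))
        if m:
            start = int(m.group(1))
            if m.group(2):
                end = min(int(m.group(2)), end)
            if start > end:           # offset past end of file
                self.send_response(416)
                self.send_header("Content-Range", f"bytes */{total}")
                self.end_headers()
                return
            status = 206
        body = PAYLOAD[start:end + 1]
        ctype = mimetypes.guess_type(FILENAME)[0] or "application/octet-stream"
        self.send_response(status)
        self.send_header("Content-Type", ctype)            # metadata netcat cannot carry
        self.send_header("Content-Length", str(len(body))) # lets the client show progress
        self.send_header("Accept-Ranges", "bytes")
        if status == 206:
            self.send_header("Content-Range", f"bytes {start}-{end}/{total}")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):     # keep the console quiet
        pass

def start_server():
    # Bind to loopback only, so the file is reachable solely through the
    # hidden service and not from the local network. Port 0 = OS-chosen port.
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), ShareHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(port, offset=None):
    """GET the file, optionally resuming from byte `offset`."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Range": f"bytes={offset}-"} if offset is not None else {})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, dict(resp.getheaders()), data
```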

~~~
stingraycharles
As a friendly reminder to other Tor entry node operators: this firewall
evasion only works if you have your tor node running on port 80/443. Please
consider doing so.

------
dublinben
Posted and criticized a month ago:

[https://news.ycombinator.com/item?id=7958598](https://news.ycombinator.com/item?id=7958598)

[https://news.ycombinator.com/item?id=7780488](https://news.ycombinator.com/item?id=7780488)

Please don't anyone who needs security and anonymity rely on this program. It
has far too many inherent weaknesses.

~~~
chii
The first link seems to be wrong.

~~~
dublinben
Psh, you're right. This is a time when HN's cryptic URLs really show their
drawbacks.

------
dan_bk
RetroShare [0] does this, too, and covers many other communication needs
(mailing, chatting, forum, etc.) while being p2p/decentralized/public-key-
encrypted/open source.

[0] [http://retroshare.sourceforge.net/](http://retroshare.sourceforge.net/)

~~~
runn1ng
Retroshare has a quite different use case.

Also, it has a terrible GUI and just too many features.

~~~
junto
I think the word 'terrible' is an understatement.

------
ecma
Who decided it was a good idea to publish the signing key on the same domain
as the software and not link to any other trustworthy source?

~~~
handsomeransoms
It's also on the keyservers:
[http://pgp.mit.edu/pks/lookup?search=0xEBA34B1C&op=index](http://pgp.mit.edu/pks/lookup?search=0xEBA34B1C&op=index)

------
mk00
Isn't the Man in the Middle attack warning useless considering the attacker
they describe could easily remove it or modify the PGP key they provide?

~~~
handsomeransoms
It is not useless if you have some other way to verify the key, such as the
Web of Trust.

------
alextingle
I still don't understand why Greenwald didn't get his friend to courier a
giant one time pad on a handful of memory sticks. Then he could just swap
unbreakably encrypted files using Mega or Dropbox or whatever to his heart's
content.

------
EGreg
This is cool... but you should check out
[http://maidsafe.net](http://maidsafe.net)

------
shawnz
Would it be worthwhile to combine this with a service like tor2web, even if it
means there won't be end-to-end encryption? I could think of quite a few
situations where the anonymity of the downloader is not nearly as important as
that of the uploader.

~~~
revelation
You are already free to use tor2web. However, if the downloader is exposed,
that still puts the uploader at great risk because the link needs to be shared
over a (likely less-secure) sidechannel.

------
Cowicide
FYI, crashes without fully opening on Mac 10.6.8 Snow Leopard.

~~~
lectrick
I hate to be that guy, but Snow Leopard is 3 full OS versions ago. That is
like complaining that something doesn't run on Windows 2000.

~~~
vectorpush
OS version numbers are a pretty arbitrary metric. A more accurate comparison
is complaining about software that doesn't run on Windows 7, considering Snow
Leopard and Windows 7 were released the same year.

~~~
akerl_
Except that Apple has put out 3 major updates since then, and 2 of them are
free. Version numbers are a valid metric, even Debian doesn't support 3
versions back. For Apple systems, it's pretty clear that folks more than a
version back are signing up for rough waters, which I suspect is a large
reason that they dropped the price tag from OS upgrades in the first place.

~~~
vectorpush
_2 of them are free_

Fair enough, but the comparison of 15 year old Windows 2000 to five year old
Snow Leopard is misleading.

~~~
igl
He made it pretty clear that it's not misleading in terms of compatibility
updates. Apple already dropped support for it. May a comparison with Win XP
soothe your fanboy heart? :3

~~~
vectorpush
_fanboy heart?_

Throwing that term around on this forum says more about yourself than anyone
else, beyond that, I think most reasonable individuals recognize that desktop
operating system technology progresses at relatively similar paces, there is
nothing special about Apple's software or hardware that should require it to
become obsolete within five years of purchase.

_Win XP_

Released 14 years ago. If you can't understand why comparing the usability of
operating system software written a decade apart is fallacious, then I have to
say that you're a bit ignorant on the topic.

------
RachelF
Great idea. The main problem with TOR is the lack of nodes, so transferring
any file will be very slow.

~~~
hnha
Tor is not very slow, it is just not very fast (and has high latency). You can
easily get download speeds of 1-2mbit/s.

