
WebRTC file sharing broker using Elixir Phoenix - zabi_rauf
http://zohaib.me/p2p-webrtc-file-sharing-app-broker-using-phoenix/
======
finnn
They say "secure" but it's trusting the website to not deliver malicious JS.
Also trusting the numerous third party domains that javascript is included
from (and if you block them the entire thing breaks).

~~~
mike-cardwell
Yeah. It's "secure" as long as none of Filecha, Cloudflare, Google, Facebook,
jQuery or Akamai get hacked, compromised or coerced.

There's no reason he can't host all of these javascript resources on the same
domain, substantially reducing the attack surface area.

I know people like to use CDNs and third party hosted analytics software, but
can we at least come to the compromise that if you're going to say your app is
"secure" or "private", that you at least attempt to host what you can on your
own domain...

[edit] I'm probably being unfair. He makes the code available so you can host
it yourself. I'm sure most people who install it will leave the CDNs in place
though.

~~~
jasonjayr
What would it take to get the w3/html5 folks to simply add a src-hash="$algo:$value" to any tag that can load remote resources?

Seems like a low-impact way to significantly boost the usefulness + security of
CDNs. If the source page (requested over https, and presumably not MITM'ed
already) declares "I want to load that resource over there, and I expect it to
hash to this value", then we get all the benefits of caching + trust that it
has not been tampered.

~~~
martindale
This exists, subresource integrity:
[http://www.w3.org/TR/SRI/](http://www.w3.org/TR/SRI/)

------
yefim
Reminds me of [http://file.pizza/](http://file.pizza/)

Seems like P2P apps are the new Hello World programs of WebRTC applications.

~~~
mmcclure
P2P apps are certainly the go to Hello World application for WebRTC, but that
makes sense considering that it's a P2P API.

Not trying to be a troll, I just see these comments ("X is the new Hello
World!" where X is anything from messaging to algorithmic trading) all the
time now. At least this use case makes sense for the tools, I suppose.

------
astazangasta
Could you deploy an automatic mirror like this, so you can turn your clients
into a temporary CDN while they have your page loaded?

~~~
userbinator
I think it's not really advisable to do that, for privacy reasons:

[https://news.ycombinator.com/item?id=9112717](https://news.ycombinator.com/item?id=9112717)

[https://news.ycombinator.com/item?id=9893561](https://news.ycombinator.com/item?id=9893561)

Also your CDN'ing clients could serve different content, giving some of your
visitors a random surprise...

~~~
SXX
You can easily avoid "surprise" by hashing content, but malicious clients
will still be able to delay content load.

------
whadar
Sounds a lot like [https://sharefest.me/](https://sharefest.me/) :)

~~~
mtgx
Sharefest has been in Alpha for years. Why is that still the case? Is it not
under development anymore?

~~~
return0
All WebRTC apps are like that. I suppose it's because the standard is
considered unstable?

