
An easy way to share files P2P, and how it works - shacharz
http://torrentfreak.com/the-easiest-way-in-the-world-to-share-files-p2p-and-how-it-works-130706/
======
StavrosK
I submitted a feature request for encryption over this (it's probably
vulnerable to MITM attacks as-is, as you never verify the recipient). My
request was:

* Generate the URL like sharefest.me/roomid#randomstring

* Sharefest encrypts the file contents before and after transmission with randomstring as key using the SJCL.

* Send the URL/key out of band, over a secure channel.

* Voila, end-to-end crypto.

I don't know if anything became of it, though.

EDIT: Oh, here it is:
[https://github.com/Peer5/ShareFest/issues/24](https://github.com/Peer5/ShareFest/issues/24)

~~~
kimlelly
The other thing is, as with almost all _web-based_ solutions, you're being
tracked by various scripts in the background (Google API/JS, etc.). So, if
you're paranoid, you're better off with a client solution.

~~~
StavrosK
Sure, but a client solution doesn't have the ease-of-use of this for the other
party. I use Ghostery, incidentally, but your general point is that security
on a live webpage is impossible, which I agree with. That's why I proposed
that the app be made into a downloadable package as well.

~~~
whadar
Why downloadable package is necessarily more secure than a live webpage over
TLS (HTTPS)? Given that you can verify that Sharefest is Sharefest (using the
certificate in the future), I don't see the big difference. I do think that a
live webpage can be updated with security fixes more easily.

Being a live webpage also give us, as the developers, much less headaches in
terms of protocol compatibility -- We maintain just one "version" of Sharefest
client at the same time.

~~~
StavrosK
Because a downloadable package can't be replaced by something else the next
time you use it, while Sharefest can, and nation-states can easily serve you
whatever they want, even over SSL.

~~~
whadar
But nation-states can do that for downloadable packages as well, perhaps even
the verifiers for those packages...

~~~
whadar
They can spoof the package and its key. If the root of trust (CA) is tempered
as you suggest and the chain of trust is broken, I don't see how you can
really secure it.

------
wslh
Excellent, I was making a list of this kind of service but having the source
code available is a must. And this is exactly what we need against NSA...

If someone is interested I share a list of similar approaches:

[https://www.getshareapp.com/v2](https://www.getshareapp.com/v2) (from
BitTorrent, requires a plugin):

[http://www.jetbytes.com/](http://www.jetbytes.com/)

[http://www.filesovermiles.com/](http://www.filesovermiles.com/)

[http://host03.pipebytes.com/](http://host03.pipebytes.com/)

~~~
kimlelly
Supposing you're ok with using a client (open-source):
[http://retroshare.sourceforge.net](http://retroshare.sourceforge.net) is
exploding.

(It's not just file sharing, though: it aims to address your entire encrypted
p2p communication needs.)

~~~
phreeza
There should be a HN keysharing thread. FWIW, here is mine:

    
    
      -----BEGIN PGP PUBLIC KEY BLOCK-----
       Version: OpenPGP:SDK v0.9
      
      xsBNBFHUtg4BCACvWPNRhEGm/n3o+1tr1ye71SWwiCYDdC8cTn7t38Gmo/E/HG4q
      hgOJvRp8kAStwryzggAwRrE8rfEsJEP6YaGw+vTQVQffwKw6C4MlGx3TJ5OgklLl
      93eAw0hfTVNZCcQ42g/wzEjigAcmb+Kd15M8wCKKNX0VR96SJjJMS+z7Fv0UGKSo
      MJnqS+6HLyR6SrgbIsRrGOziHDIz03ycH2T3Ckc66zmwvzi6uwcQFpVoqmtQZIiE
      nFzNJHLrtr+SlXQLw4rJgNixsUgiCBzm7nM2548ygk3OEOVFQA2HfSvrG8PlhdKo
      KtJBimYkov6eEgyDFrwBwUaqLUeSxHaH563JABEBAAHNJHBocmVlemEgKEdlbmVy
      YXRlZCBieSBSZXRyb1NoYXJlKSA8PsLAXwQTAQIAEwUCUdS2DgkQ7F/6kYGHq0IC
      GQEAAMNmB/9SOQFld2G8roNu+VOX5L0h0u6Hl4IsOpdxRkMofO0LFzH7n7+6EkBS
      sXOdBvcLo3UL2cJxCf3bI/u2MJrrRbIdls2id2g4egAtnupXtLVu6q6S1vRg40PB
      2ab4iJKe4Siz5QedsZd6HGfaV46fEWl6Tfu/sbIVH+5vHqc9A/CYUW8HjGQRFm0Z
      Q4P1jwHkMTt/o6fUWWmja6/2Wz3j4v8HtkAuvusVqlPXmdDDNpyOt9L3stTQF1XQ
      XskJaegiNhp8j7MlMEb9TGNFRaim1G/w8EwCauO8j+fjHJxvXmmqCzL/pG1cxKik
      WYWfKn3+Q5MUfPpGltj0HdOkEw/yuu35
      =37ck
      -----END PGP PUBLIC KEY BLOCK-----
      --SSLID--a71db6edde2788ece31c3437098be374;--LOCATION--mba;
      --LOCAL--192.168.0.4:33395;--EXT--92.229.126.245:44003;

~~~
jsilence
Why not simply paste the key into the about field of the personal properties
page?

~~~
PavlovsCat
Done! Not that I am really using it (yet?), but I'd love to play with it,
especially the forum feature (reminds me of usenet clients, which I never
really got to use because that was before my time) - so feel free to "add me"
if you're a "casual" yourself, or even if you're super serious about it, but
don't mind playful old me.

~~~
phreeza
I added you. Add me too and we can start an HN channel.

~~~
PavlovsCat
Cheers!

------
Xanza
This might be cool in theory, but no way in HELL it's the 'easiest way in the
world.' As of right now, only chrome can transfer files to chrome, and firefox
to firefox.

As of now, the easiest, best, fastest, and most secure way to transfer files
is by using BTSync.
([http://labs.bittorrent.com/experiments/sync.html](http://labs.bittorrent.com/experiments/sync.html))

Create a shared folder, give out the secret or read only key, done.

~~~
StavrosK
You forgot "Install BTSync", which is strictly more work than visiting a
webpage.

~~~
amirmc
... and "vaguely understand keys/secrets" which is an additional cognitive
burden.

------
jodiug
Recently, I started building a website which does pretty much exactly this.
When I had it up and running after a few days (the WebRTC API is relatively
simple), I found sharefest and have been using that since.

It's a great way to get files from one place to the other. The (encrypted)
data does not go via a server, making this potentially the fastest, most
scalable and safest type of file transfer available in a browser. One of the
extra perks is that sharing files on a local network becomes really really
fast. It's miles ahead

Props to the devs for making this! :)

~~~
shacharz
Thanks!

------
mtgx
Waiting for the day RIAA will "demand" that browser vendors, such as Google,
Microsoft and Apple especially, stop implementing _protocols_ that "make it
easy" to pirate files. And the companies might actually listen. So far Google
has fulfilled their every request and then some (hello ContentID, mass DMCA
automation tool for _links_ , and SEO punishments!), so it wouldn't surprise
me if they did this, too.

~~~
imissmyjuno
I would hope at least Mozilla would not comply with such a request..

------
AndrewDucker
Why can FF and Chrome not share? Is there a major difference in their
implementations?

~~~
shacharz
They currently can't interoperate, but it's on their todo's I want to believe
Chrome 31 and FF 26 will interoperate

------
deweerdt
Sharefest was covered at Google I/O's WebRTC pres:
[https://www.youtube.com/watch?feature=player_detailpage&v=p2...](https://www.youtube.com/watch?feature=player_detailpage&v=p2HzZkd2A40#t=930s)

~~~
shacharz
Yup, thanks it's on the bottom of the webpage.

------
chourobin
I've been using [http://dropandload.com/](http://dropandload.com/) which does
something similar. It's cool that this is open source.

~~~
shacharz
I don't think this is p2p, it's server streaming.

------
MrJagil
Would it be possible to create a sharefest tracker? I.e. A piratebay with no
magnet link or torrent file needed. Just a simple download button.

~~~
shacharz
Hmm, isn't that sharefest.me already? you just put the link for a file and
bam...you're in a p2p network e.g:
[http://www.sharefest.me/d09118ed](http://www.sharefest.me/d09118ed)

------
tommi
Won't work for me. I want to send a file, know when it's done and close my
computer. With Dropbox and others I know when it's sent from my perspective.
With P2P the whole system becomes unstable. And for all of my file sharing, it
is unacceptable. Too much uncertainty.

~~~
shacharz
if you're only sending to one recipient we have that feature in (you get file
downloaded green message on the top) if you have multi recipient that's a more
complex ui problem that we're thinking of... Thanks for the feedback

~~~
tommi
Thanks for the reply! If I have to think that will I also CC somebody/team/any
group before sending it out, then it becomes too complex for me. It's not then
the easiest by far since I already have a working solution!

Maybe I'm just not in the target group.

~~~
shacharz
Well I agree that dropbox is easy, but it's also limited. Space for example.
Also, if you're sending to a group of co-workers you don't have to upload the
entire thing to the cloud. it'll transfer blazingly fast inside the LAN.

~~~
djim
storage space and bandwidth are not really limiting factors on today's
internet. i have over 100gig of online storage and 25mbps internet, for
example. (corrected 1gig to 100gig).

~~~
shacharz
1 gig is nothing (for many people needs). anyway I don't see sharefest as a
replacement, but rather another tool.

~~~
tommi
2 (up to 18) gigs from Dropbox free. Google Drive 15 gig free. For team of 15,
Dropbox offers $2000/year for unlimited storage.

Like djim said, storage space and bandwidth are non-issues.

May I suggest trying to get Sharefest popular within a niche? You may have to
adapt to that particular niche, but I think it'll help you a lot.

------
shacharz
If anyone has bitdefender installed, it may block websockets from
communicating with the server. If you don't receive a url when adding a file,
check your websockets status here:
[http://websocketstest.com/](http://websocketstest.com/)

------
PavlovsCat
How about a checkbox for keeping the file in local storage, so when you
restart the browser, you can share that file without having to download first?
Or is that done already anyway?

------
shacharz
I've received a feedback that people want a copy to clipboard button, I'm
against it just because there's no way to do it today without flash. what do
you guys think?

~~~
NelsonMinar
Can you defer loading the Flash until the user clicks the "copy" button? Or
just load one of the tiny Flash shims that are invisible, discussion at
[http://stackoverflow.com/questions/400212/how-to-copy-to-
the...](http://stackoverflow.com/questions/400212/how-to-copy-to-the-
clipboard-in-javascript)

------
shacharz
Some1 has shared this firefox swarm:
[http://www.sharefest.me/97dc9020](http://www.sharefest.me/97dc9020)

~~~
whadar
Nice. Here's one for Chrome
[http://www.sharefest.me/53e62808](http://www.sharefest.me/53e62808)

------
shacharz
Of course we're looking for any feedback that you guys can give for us to
improve.

~~~
padenot
There are a bunch of js error in Firefox Nightly, you might want to update you
code :-).

~~~
shacharz
Oh thanks! Our latest tests ran only on FF 22.

------
isxek
The FAQ link goes to the Github bugtracker. Can we have a proper FAQ page,
please?

~~~
whadar
Yes, sorry about that. We surely need one... Check out the live chat in the
meantime
[http://webchat.freenode.net/?channels=sharefest](http://webchat.freenode.net/?channels=sharefest)

------
adventureartist
This. Is. Amazing.

~~~
shacharz
Thanks!

------
katzboaz
Nice! Didn't know about it before.

------
andarianlb
works like magic, how did they not think of it till now?

~~~
shacharz
Hey thanks, It's lately enabled thanks to WebRTC data channel
[http://www.wertc.org](http://www.wertc.org)

~~~
JosephHatfield
[http://www.webrtc.org](http://www.webrtc.org)

------
djim
I'll keep using Google Drive.

~~~
shacharz
Sharefest and google drive are made for different purposes. Sharefest is a
file sharing/transfer platform. When Drive is, well as its name infers...a
drive.

~~~
djim
Sharing files is a major feature of Google Drive.

~~~
whadar
Yes, but it's much more limited by the inherent use of server storage. They,
for instance, give 15GB
([https://support.google.com/drive/answer/2736257?hl=en](https://support.google.com/drive/answer/2736257?hl=en))
for ALL your files. So you end up thinking, should I share via Drive and waste
10% of my space for this one time sharing.

Plus all the security/privacy issues...

