

Show HN: Pure JavaScript P2P file sharing in the browser - ShirsenduK
http://whatareyoudownloading.com/

======
synctext
False and misleading title.

_serverless_ file sharing says title, yet the technology "requires a HTTP
server". "Its completely anonymous as no data is ever stored on the server".
Incorrect, only mild protection against sniffing and spoofing is provided.

The underlying code documentation speaks of "This makes it perfect for
anonymity":
[https://github.com/ShirsenduK/WhatAreYouDownloading/tree/mas...](https://github.com/ShirsenduK/WhatAreYouDownloading/tree/master/public/javascripts/webp2p)
No PKI is linked or included. Proxy service or Sender/receiver unlinkability
is not provided. The used WebRTC technology limits UDP/TCP listen sockets.
Browser constraints mean WebRTC offers a severely limited experience. For
instance, the state of the art in UDP NAT traversal using the neighbor-invite
method (beyond STUN/TURN) is not possible.

Rant Disclaimer: As an academic working on a real deployed zero-server P2P
technology for 7 years, these sorts of claims are a bit upsetting. Zero-server
file sharing systems, with a proven effective spam/pollution prevention
mechanism have been proven to be extremely difficult to build. (e.g. no-spam
version of Kazaa, Gnutella) See
<https://torrentfreak.com/tribler-makes-bittorrent-impossible-to-shut-down-120208/>
Tribler research group created an upcoming
IETF Internet Standard on sharing/streaming which features integrated
NAT/firewall puncturing (IETF PPSP work). Compliant IETF PPSP implementations
are capable of doing HD-quality streaming, both on-demand and live streaming:
<https://datatracker.ietf.org/doc/draft-ietf-ppsp-peer-protocol/>

~~~
ShirsenduK
Sorry for the misleading title. By serverless I meant direct browser to
browser file transfer with no server in between. Files are transferred
directly. We need the HTTP Server to host the static webpage which facilitates
the bridge. After all, it's a browser based solution, you need a page to visit.
:). Services like Dropbox can be used to host the static files and everyone
can set up their own file transfer service. With services like WebDHT coming up
each of these shares can communicate.

Just read about Tribler, it sounds really interesting. All the best with it.

This, Tribler and countless other solutions will make the internet what it was
meant to be, a decentralized, fault-tolerant network for information exchange.
Thanks!

~~~
synctext
Indeed interesting demo of browser-to-browser downloading, very light. Anybody
can start a Napster-style service: it only needs a webserver+JavaScript (or
trust a tamper-free copy). WebDHT is fascinating, is it leeching off a KAD
overlay or can they also fully serve all incoming requests? (due to listen
socket limit)

WebRTC defines an FTP-like 1-to-1 transfer. Would BitTorrent-like swarming be
possible in WebP2P?

~~~
ShirsenduK
That's something clients will have to implement. That is, the JavaScript needs
to split files into chunks and download from peers.
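
As an added example (not part of the original thread or of WebP2P's code), the chunked download described in this exchange is shown below in Node.js. The per-chunk SHA-256 manifest is an assumption added here so that a corrupted chunk from one peer is rejected and fetched from another; all function names are hypothetical.

```javascript
const { createHash } = require('crypto');

const CHUNK_SIZE = 16 * 1024; // assumed chunk size, not taken from WebP2P
const sha256 = (buf) => createHash('sha256').update(buf).digest('hex');

// Sender side: publish the file size plus one SHA-256 hash per chunk.
function buildManifest(file, chunkSize = CHUNK_SIZE) {
  const hashes = [];
  for (let off = 0; off < file.length; off += chunkSize) {
    hashes.push(sha256(file.subarray(off, off + chunkSize)));
  }
  return { size: file.length, chunkSize, hashes };
}

// Hypothetical peer: a function (chunkIndex) => Buffer; tamper(i) flips a byte.
function makePeer(file, chunkSize, tamper = () => false) {
  return (i) => {
    const chunk = Buffer.from(file.subarray(i * chunkSize, (i + 1) * chunkSize));
    if (tamper(i)) chunk[0] ^= 0xff; // constructed corruption
    return chunk;
  };
}

// Receiver side: spread requests over peers, keep only chunks matching the manifest.
function download(manifest, peers) {
  const parts = [], rejected = [];
  manifest.hashes.forEach((expected, i) => {
    let good;
    for (let k = 0; k < peers.length && !good; k++) {
      const p = (i + k) % peers.length; // start at a different peer per chunk
      const chunk = peers[p](i);
      if (chunk && sha256(chunk) === expected) good = chunk;
      else rejected.push({ chunk: i, peer: p });
    }
    if (!good) throw new Error(`no peer served a valid chunk ${i}`);
    parts.push(good);
  });
  const file = Buffer.concat(parts);
  if (file.length !== manifest.size) throw new Error('size mismatch');
  return { file, rejected };
}

// Constructed demo: a 40,000-byte file where peer 1 corrupts chunk 1.
function demo() {
  const file = Buffer.alloc(40000, 'webp2p');
  const peers = [makePeer(file, CHUNK_SIZE), makePeer(file, CHUNK_SIZE, (i) => i === 1)];
  const { file: got, rejected } = download(buildManifest(file), peers);
  return { ok: got.equals(file), rejected };
}
```

The manifest has to reach the receiver over a channel it already trusts (for example together with the share link); hashes delivered by the same untrusted peers verify nothing.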

------
janerik
<p>This does not work optimally on this site because the following
issues:</p><ul><li><b>It uses HTML tags in javascript alert
boxes</b></li></ul>

<http://tmp.fnordig.de/scr/aacc737f52.png>

~~~
ShirsenduK
This currently works only on the latest browsers, like Chrome 24 on the
desktop. It's still not 100% stable. Stability and support for other platforms
will soon arrive through browser updates and polyfills.

~~~
phalgun_g
I am using Chrome 24 on the desktop. Not working.

~~~
simfoo
Not working on Chrome 25 either

~~~
aaaaaaaaaaaaaax
not working with Chrome 26 ...

~~~
piranna
Chrome v26 has native DataChannels, but I didn't have time to update my
polyfill and also it gave me problems the last time I tried it, so I'm waiting
until it gets out of Canary.

Yes: I developed DataChannel-polyfill, the first working implementation of the
DataChannels specification, too... :-)

------
piranna
It's based on code from my ShareIt! project
(<http://github.com/piranna/ShareIt>) and both are interoperable thanks to my
WebP2P protocol :-)

~~~
nextparadigms
Can the WebP2P protocol be used for BitTorrent, too, like instead of that
Torque thing they have?

~~~
Geee
Someone else made a browser-based BitTorrent-client,
<http://hcliff.github.com/ampere/>

Which, apparently, is based on this code by piranna.

~~~
piranna
WHAT?!?!?!?!! It's the first news I have about that, I don't know whether to be
happy about it or angry that nobody told me... :-P

~~~
Geee
I just spotted it on the Clojure subreddit a few days back:
[http://www.reddit.com/r/Clojure/comments/16r9ym/my_clojuresc...](http://www.reddit.com/r/Clojure/comments/16r9ym/my_clojurescript_project_a_browser_based/)

------
pre
Isn't the browser supposed to stop pages from making connections to machines
other than the server they were downloaded from?

Has that requirement been dropped? Or does this do something strange to get
around it?

~~~
ShirsenduK
Welcome to the world of impossibilities with WebRTC.
<http://en.wikipedia.org/wiki/WebRTC>

~~~
pre
Hummm. I've found that same-origin policy annoying on occasion but always
assumed it was there for good reason and that it was important my browser
couldn't just open sockets to any old machine.

Was I wrong? Was that not important? Did I go through all that pain for
nothing?

Does this WebRTC thing have an on/off switch?

~~~
ShirsenduK
WebRTC is for Real-time communication between browsers. Same-origin policy
applies to communication between browser and the server.

<http://www.w3.org/TR/webrtc/>.

There are ways to turn it off on your browser, but why would you? :). The tech
is yours to be used.

~~~
anonymouz
> The tech is yours to be used.

Well, the tech is for every website to be used, as a visitor to the site that
may or may not benefit me. I think that was the reason for the same-origin
policy and is probably the source of concern of the OP.

Personally, I use NoScript and RequestPolicy to deal with it. After all, just
because JavaScript exists does not mean I want any random website to execute
arbitrary code on my machine (especially not with WebRTC).

~~~
ShirsenduK
The user decides what he intends to share. His files, his webcam, his
printers, etc.

~~~
PommeDeTerre
Experience has shown that many users just grant such access when prompted,
without thinking about it.

Prompts like that also do absolutely nothing to stop malicious use, hidden
under a facade of legitimacy. For example, somebody could put together a demo
purportedly showing "serverless pure JavaScript P2P file sharing in the
browser" solely to trick people into using something harmful. (I'm not saying
that's necessarily going on here, of course.)

------
StavrosK
Why is everyone thinking about torrenting in browsers? I want a service where
I can select a sensitive file, give my associate a link, and have that file
transferred between our two computers without ever reaching an intermediate
server.

Does anyone know of a service like that, easy enough for my father to use?

~~~
ShirsenduK
This does exactly this as of now.

~~~
StavrosK
Great, I'll give it a go soon. I had a look but it can only share folders, not
a single file. Otherwise, a very useful service!

EDIT: And it's all static HTML, fantastic! I just hosted it on my server,
although there doesn't seem to be much of a reason to do that, since it's all
static! Thanks a lot for this.

~~~
piranna
I worked REALLY HARD to make it all static HTML and JavaScript, and I'm still
working hard to remove the handshake servers... Any help here will be greatly
welcome :-)

~~~
StavrosK
Hmm, who runs the handshake servers, and how can you remove them?
Unfortunately I haven't managed to get the app to run, but it sounds fantastic
in theory...

~~~
piranna
Currently I'm using PubNub as a "pool of peers", where a new peer connects and
sends a "presence" message that's listened to by the previous peers, which then
send an SDP offer to that new guy. Later, it keeps waiting some time sending
offers to the new guys, and when it has several connections (from older and
newer peers) it disconnects and starts to search for new peers only over the
WebP2P network.

Ideally, I would like to use something more "agnostic" like SIP or XMPP, but
I haven't been able yet to do it in an anonymous way, since both protocols
require creating accounts somewhere, and later when you register on a SIP or
XMPP server it asks to confirm that you exist, so goodbye anonymity :-(

~~~
StavrosK
Hmm, it sounds like you're reimplementing Gnutella for the browser, which is
not necessarily a bad thing!

~~~
piranna
I don't know how Gnutella works, but it's good to know! :-)

EDIT: Ok, I have just read about Gnutella design on Wikipedia and although in
the past I didn't understand anything (I never was too much into P2P programs
since I had internet from neighbours' wifi...) now I can say that yes, both
Gnutella and ShareIt!/WebP2P have a lot of things in common in their
purposes and how they're designed, although just by serendipity :-P This
is definitely not bad, since I will be able to learn from their errors and
also I would be able to propose to extend Gnutella to support DataChannels &
HTTP as transport layer, so everybody wins :-D

------
jaip
Looks like the future of file sharing. Just waiting for the day when all the
browsers would start supporting it.

~~~
pranny
this is exciting. Only Chrome24 supports it, but sooner all browsers will.

~~~
fastball
I'm running Chrome 24.0.1312.56, on Mac OS X 10.8.2, yet I still get the alert
about unsupported browsers...

~~~
ShirsenduK
I also sometimes face the same issue on the same configuration. It seems
Chrome sessions don't always get support for IndexedDB. Try refreshing.

------
joelthelion
I'd like to see this technology used to build a decentralized, uncensorable
alternative to twitter or reddit.

That would have a far greater impact than yet another file-sharing system.

The architecture would basically be a flooding P2P network with measures
against spamming (machine learning?).

~~~
loceng
Wouldn't this require each computer on any receiving end to process all of the
incoming data in order to determine if it's spam or not?

~~~
joelthelion
All of it, no, only the data coming from peers. Peers would only repeat data
if they consider it good.

Also, you could also select peers for the quality of the content they forward
to you.

------
kybernetikos
Is the data encrypted on the wire?

~~~
ShirsenduK
Files are transferred as blob. Encryption can be dropped in if required. :)

~~~
chongli
Encryption ought to be standard. Making it optional means most people won't
use it.

~~~
icebraining
Encryption without authentication is (mostly) useless, and authentication is
application-specific, so mandating encryption would have little effect.

~~~
chongli
I thought the original post was an application.

------
davedx
What are the security implications of this?

------
StavrosK
If you're attributing, please make sure you spell people's names correctly:

> by @prianna

yet the link goes (correctly) to @piranna. It irks me to see people's names
misspelled in attributions.

~~~
ShirsenduK
Fixed it.

------
plusfour
This is a lot better, and works on most browsers: <http://dropandload.com>

------
bartl
I thought Javascript wasn't allowed to touch any files on the local
filesystem?

~~~
ShirsenduK
This was made possible through the File System API.
<http://www.html5rocks.com/en/tutorials/file/filesystem/>

------
roothacker
Great Hack Shirsendu. Once again, JavaScript Rocks!!!

------
aoprisan
not working in latest chrome?

------
wildmXranat
wow

