WebTorrent – BitTorrent over WebRTC (webtorrent.io)
380 points by Doolwind on Jan 18, 2016 | 94 comments

I feel like I've seen this pop up a few times now, but this is really, really cool stuff. The only thing that concerns me about the growing popularity of using WebRTC is the security concerns around unknowingly joining a p2p network like this for potentially any site you visit. It's not hard to imagine what a bad actor could do to content before passing it along, or more simply, the fact that your true IP is exposed.

Curmudgeony security issues aside, this undeniably feels like The Future™ and a big deal to watch out for. It's also one of those cases where a creator / maintainer makes a huge difference for long term viability in my opinion. Feross is crazy smart and has been working with all the related tech for a while now (via PeerCDN, Instant.io, etc, etc), and is just an all around respectful, nice guy, which is important for the continued development / community aspect.

Seems like this is an opportunity for a tor like network over a webRTC peer to peer network, maybe? (Dunno maybe that's a bad idea for some reason...)

Why Tor-like? Why not just Tor? Seems like a great way for people to send messages that don't involve a cloud-based server.

Same reason webtorrent isn't quite bittorrent. WebRTC gives you P2P in a webapp, but it doesn't let you connect to arbitrary hosts and ports.

You could have an onion routing protocol derived from tor or i2p that uses the webrtc data channel. You could even, like webtorrent, have the concept of hybrid nodes that existing network to the new webrtc-based one.

IIRC, torrent clients do heavy checksumming by default. You should be mostly safe from malicious content.

There are concerns about connecting to a malicious network besides just voluntarily downloading an unsafe file.

Amazing project, really! But please, for the sake of users (like me) who live in countries where ISPs set a "quota" on DSL connections: ask the users whether they want to start downloading Sintel before doing so :) Now I'm afraid of opening the website again.

You shouldn't have to "beg" website authors to "play nice" for you, as a user. Web Standards and browsers have failed you by putting that much control into the authors' hands.

It is reasonable to consider that "web" maybe should not have this capability, and web browsers should provide intuitive UI controls for users to enable/disable the ability for sites to do this to you.

To be fair, if the problem is the amount of data that will travel through your connection, there is not much difference between this and a 120MB text-only html file.

So maybe browsers should offer a setting to cap the data retrieved from each individual domain on metered connections, unless instructed otherwise on a domain-by-domain basis?

This is only a problem on fast and capped connections, which I would guess are rare. On a slow connection (and a proper browser) you see that it's downloading data, how much, how fast, and you can stop it.

4G is fairly fast and generally capped. That is hardly rare.

Oh, you are right. I was under the impression that 4G is something like 2-3 Mbps, which would make the caps somewhat proportional and hard to pass by accident. But I just tried speedtest.net (app) and download speed was almost 40 Mbps. I really had no idea.

ISP offering 100/1000 Mbit connections with a data limit of 2 GB /month is absurd. I think that is the problem here, and not heavy content. Then there are bandwidth monitors ...

I noticed though that the video continued downloading even though I had hit pause.

Author of WebTorrent here. Sorry for surprising you with a large download. To be fair, YouTube autoplays videos too, and the video size is comparable.

Good news, though! Looks like we can detect users on a metered connection with `navigator.connection`, or worst case look for a mobile user agent. Thanks for the feedback!

Or, you know, you could ask users if they want to download it :-).

It seems to be done as a demo right now. Why not just add a big red "click here for a demo" thing?

There are very few things that you can reliably find out over the web. Whether or not a connection is metered isn't one of them.

Or a "The download will begin in 10 seconds. Press the pause button to stop it"

> or worst case look for a mobile user agent

Please don't. There's nothing special about mobile devices that inherently makes them metered, so please do not assume this.

Even in big cities in India people only have a 1 or 2 GB monthly limit on their broadband connection for their PCs.

It would be better to use a manual approval rather than an automated detection.

When I visit youtube, I know that the video is going to start immediately but that wasn't the case with this.

I don't go to youtube to read. You've got something genuinely extremely useful, but at the moment you are poisoning the well.

Could you explain please, how can it work in Firefox with media.peerconnection.enabled=false? What exact features of WebRTC are you using?

I appreciate that it sucks for you personally (I used to have a capped connection myself), but frankly the web should not be held back by such arbitrary limits.

A demo that starts working immediately with no input required is a LOT more impressive and impactful than something behind a "try" button.

129.24 MiB is actually really small for a 15min video.

Not to mention those of us with cell phone plans that have bandwidth restrictions. This could be very bad for our phone bills.

Even worse, if you are using a firewall it will block and potentially throw warnings about all of the connections that the site is trying to setup. I had a deluge of Little Snitch dialogs that showed up again when I backed up to the home page. The whole thing should really be behind a "try it now" button.

Yeah, took me a second to realize why one of the tabs I opened from HN was trying to do NAT STUN traversal

Does this site really start downloading a 124MB torrent right after opening the page (sintel.torrent)? If so, why would that be a good idea to do?

I really think WebRTC should require explicit permission from the user, same as the geolocation and push notification APIs. This tech has a lot of potential, but I don't like the idea that any site can add my browser to a P2P network without my knowledge.

More accurately, the browser should monitor the data usage in the current page (including iframes and possibly subsequent pages in that domain) and cut and request an explicit permission when it reaches a high water mark.

The major issue I see here is that someone can upload and make you share copyrighted material. It could cost you lots of money. I wouldn't be surprised if it will be abused...

The existence of a negative outcome doesn't invalidate positive outcomes. If that happens, people will gripe to browser vendors, and they'll adapt.

It's a cool piece of technology and has a lot of neat uses.

This should be default behavior but in Firefox:

URL box -> about:config <RET>

Set _media.peerconnection.enabled_ to false.

A handy extension for FF for enabling/disabling: https://addons.mozilla.org/firefox/addon/happy-bonobo-disabl...

EDIT: funny, even though I disabled WebRTC using it, the torrent from the site still automatically downloads...

Doesn't work for me with FX 42.0. While https://www.browserleaks.com/webrtc shows "disabled".

I agree with you, but the average Medium blog post is around 3-8MB, so this isn't an unusual flaw.

It's a relatively small download (for desktop) and it demonstrates its simplicity.

120MB is no small deal when you're using a 50MB data bundle on a crappy Kenyan ISP, on your phone. There should definitely be a prompt, I just lost half my day's data (before I stopped it).

Edit: changed "your" to "you're" ;)

WHAT? You mean you're not sat in a cafe in San Francisco?

oh the horror, the horror!

Or a coworking open plan space?

It might be good to show a download of something like a 1MB video file that you could turn on. Tying a 120MB download to reading about what you are showing to people is ridiculous.

A 120MB video downloading and playing in real time as a torrent is a lot more impressive than a 1MB clip. A page showing a 120MB video that is not DDOSed by making it to the front page of Hacker News is even more impressive ;)

This is also not different (on desktop) from visiting a Youtube channel page which has an auto-play "intro" video. I just hope this at least tries to detect device/connection type before starting on cellphone. Wonder if there is an HTTP 'connection-metered' header or something like that...

I can turn off autoplay on YouTube. I know, when I visit YouTube, that it's going to be a bunch of video.

I wouldn't be very happy if I opened it in the background tab on a metered connection (say, 3G).

Except when it just blew through my data allowance for mobile..... Just have a demo page for this.


This makes me so happy. If we can get good support for WebRTC and getUserMedia the web will be able to keep going as a decent platform for apps.



We're really at the mercy of open platform-minded engineers at Google, Apple and Microsoft though! I wonder what we can do to help support those folks.

Well, there's also Mozilla.

Very curious about the legal implications if every site that I visit can transfer files to unknown peers in the background. P2P is, AFAIK, a big source of costly cease-and-desist orders in Germany. With WebTorrent, I guess I could tell the right holder to bring the matter to court and plausibly state that some malicious ad iframe must have distributed that MKV without my knowledge.

Not just that, but why wouldn't ads start using your bandwidth for this sort of thing? Do you get a legal claim for your bandwidth costs (especially on mobile) against the site owner for doing this without your permission?

Do you get a claim against your browser maker?

Is there a difference between using bandwidth this way, or loading say 150MB image? (bandwidth costs wise)

I would certainly say yes. They're using your bandwidth to serve another one of their customers, for free, without compensating you in any way.

Whereas loading a 150MB image from their server is using their bandwidth (that they're paying for) to serve you.

Legally, I have no idea. Morally, it'd be nice if they at least asked and actually had a working site if you say "no".

Those cease and desist orders are toothless. You can either ignore them or write them a nice letter that you didn't violate the copyright and don't plan to in the future.

They aren't toothless if the only ISP in your city cuts you off.

You can try out WebTorrent at Instant.io[0]. It's probably the easiest way to share files with someone, as long as both people have modern browsers.

Unfortunately, after a certain file size it'll just crash your browser. It'd be great if there was a way to work with large (+2GB) files.

[0] https://instant.io/

Very interesting. Figured the day would come but the dev finally did it. Re-decentralizing the web is a great goal and with simple demonstrations like yours, we'll get there! Cheers mate

This seems very interesting already! I now have some more technical questions:

- Where is the downloaded data being stored? With a traditional BitTorrent client the data is written to disk. Since JS doesn't make raw disk access available, I'm assuming it's being kept track of through some JS API that tells the browser to store this data. What API is it using?

- Even when I finish downloading the video, the player doesn't allow me to seek to random positions in the video. It displays a "this is how much is buffered"[0] bar that is way smaller than the green bar at the top of the page indicating download progress. Why is this the case?

- As you can see in the screenshot[0], there's lots of nodes that are labeled with ip addresses that are not visible to my computer at all. Is this because the displayed ip addresses are self reported?

[0] - http://nacr.us/media/pics/screenshots/screenshot--17-46-37-2...

Presumably the data is stored in RAM (or potentially on a swap disk) by the browser. Most likely they are feeding the data into the Media Source Extensions [0] APIs.

I'm not sure why you can't seek to random positions. It seemed to work for me, after a few second delay (presumably to issue commands to start downloading different blocks).

Those IP addresses are private network addresses. The machine you are connected to is probably behind a NAT and is connected to you through a different address. The UI is probably just showing the local address that that node reports.

[0] https://w3c.github.io/media-source/

idk, works perfectly for me. It pauses for ~1-2 seconds then begins the video at the new position. Mac os x el capitan, google chrome latest.

Not sure what the deal on your end is but I can seek immediately on page load, and the video begins there after buffer.

Question: I see there are some local network IP addresses in the graph? I suppose external IP addresses are hidden for privacy/security purposes, but how well are they hidden?

Another question: How do I open the file once downloaded? (I use uBlock; should the file be displayed in the rectangular area next to the graph?)

Page wants just a tiny bit of explanation about what's going on. Firefox 43.0.4 doesn't play the movie; it just sits there with a black box.

I've had the same issue. It seems h264 support is turned off by default in FF43. Just go to about:config and set

media.peerconnection.video.h264_enabled => true

That's great, but BitTorrent over JS is also dangerous, at least where I live.

C/D letters come with a 200-1000 € fee depending on the content and now it's trivial to make someone download stuff illegally in the background.

See it the other way around:

One big website in your country could implement this in the background with a list of known "C/D letters" triggering torrents, and the business model of these C/D letter writing lawyers would be broken in half a year. Because if they target people that really didn't download anything knowingly, they will get lawyers themselves and go to court. And when the courts figure out that the old way of "proving" a download doesn't work any more, the business model is broken.

Unfortunately there is collateral damage :/

In theory, yes, but you have no idea how incompetent German courts are. They believe everything copyright holders feed them.

There was a similar case last year that, fortunately, went very badly for the copyright attorneys. Thousands of users were redirected from an ad to copyrighted porn videos and then C/D'd. The attorneys got into a lot of trouble and even lost their license, but their clients still ran off with the money.

The case was only reviewed when it got media attention, but using torrents makes it even more difficult to prove the scam.

Believe me, I have a pretty good idea how competent or incompetent German courts are.

Still, you're right. This would only work at scale, after quite a long time and cause a lot of damage on the way. The website implementing this would probably also get sued into the ground.

Better get a Netflix subscription and/or install Kodi on some FireTV thingie...

What a coincidence, I was just playing with this for the first time last weekend! They also have an npm package that can be used for both torrent streaming via node and the browser (https://www.npmjs.com/package/webtorrent). Awesome project.

WebRTC requires the use of a centralised signalling server for the initial connection between two peers. I feel many miss this point when reading about WebRTC-enabled projects. Even if you do have Universal Plug and Play which port forwards automatically (and thus you can communicate directly between two peers), you still need this centralised signalling server.

Correct me if I'm wrong, but this poses a problem if you ever want to take WebRTC further (i.e. in a self-hosted mesh network).

You need a server for holepunching/STUN via IPv4, but not for IPv6 since each client has a unique IP instead of being behind the router's address.

I've set up Minecraft/web servers which required no server for holepunching. Just plain old IPv4 with port forwarding.

The "with port forwarding" is the problem there. That assumes you have access to your NAT resolver to add the rule, which isn't a fair assumption to hold. People at colleges, businesses, hosted events, etc. need to do NAT traversal (or be on IPv6) in order to do P2P.

I didn't see that you mentioned UPnP in the OP though, sorry. I'd assume downloading metadata from a signalling server if you don't need it for traversal is completely optional - most P2P networks have an initial list of peers to connect to to bootstrap new clients.

Interesting, if the player never starts you never connect to additional peers. I'm running this in firefox 43 with flash disabled and the video never starts.

1 Pretends to work on a browser not supporting WebRTC. This got me thinking so I went to webrtc.org and all the examples/samples also pretend to work and/or fail silently - is WebRTC API really not able to even ascertain level of support of the running browser? .. looked under the hood and found https://webtorrent.io/bundle.js: throw new Error('No WebRTC support: Not a supported browser'), so it definitely can, but fails to catch those errors and do anything/inform user.

2 looked at network traffic and it seems to open separate TLS sessions per transferred data packet, not the most optimal thing to do, might be an artefact of being hosted on https. Probably a cpu bottleneck right there.

3 doesn't store anywhere (local/session storage).

Interesting, I'd be curious to see some speed tests. I was seeding to around 22 peers for a while but did not get over 5Mbps up, while my internet connection is capable of around 530Mbps. Wondering if this was an inherent WebTorrent problem or simply that not enough people were online with strong connections.

Like many, I thought about this since a couple of years.

My idea was a browser-plugin for youtube, that would take the downloaded video and start seeding it. On the other side, if a video has been blocked by YT, it would automatically use the torrent version.

How come the download was already completed but the video only buffered around 50%?

Can't wait to see a popcorn time in the browser. :)

I was toying with the idea of doing something like this a couple of days ago, but two things stopped me:

- No support even in modern browsers by default [1]

- Don't want to [maybe] get into legal troubles if it's wrongly used

[1] http://caniuse.com/#search=webrtc

PS, apparently the caniuse info was wrong, since now it appears in green

What is the animation on the left full of RFC 1918 addresses? I assume those are really NAT-ed at some point, aren't they?

WebRTC can bust through NATs with STUN and provide a TURN proxy in case the NAT can't be busted through. STUN will generate a number of candidate addresses that may be tried for initiating WebRTC connection(s). These addresses may be exchanged through a third party or directly communicated between peers once a data connection is established. It looks like the addresses in the animation are generally the local host addresses of the machines you are connected to. Perhaps the site is just showing the first candidate in the list, or, intentionally picks the local name to allow for moderate privacy.

That's what caught my eye as well. I didn't know that was possible to get via the browser and started to think about its implications. I wonder if exposing private IP to any website is a very good idea when router firmwares have all sorts of basic security bugs in their web panels.
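Added example (not part of the thread and not WebTorrent's code): the comments above describe ICE candidates and the private addresses they carry. The sketch below parses the `a=candidate` lines a peer hands to the signalling channel and reports which addresses each candidate type (host, srflx, relay) discloses, including the `raddr` field. The sample lines are constructed and the function names are illustrative.

```javascript
// Added example. SAMPLE is constructed; public addresses use documentation ranges.
const SAMPLE = [
  'a=candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'a=candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'a=candidate:3 1 udp 41885439 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 54321',
  'a=candidate:4 1 udp 2122260223 3f2a9c1e-0000-4000-8000-1234567890ab.local 54322 typ host',
  'a=mid:0', // not a candidate line, ignored by the parser
].join('\r\n');

const V4_SCOPES = [
  [/^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/, 'rfc1918'],
  [/^127\./, 'loopback'],
  [/^169\.254\./, 'link-local'],
  [/^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./, 'cgnat'], // 100.64.0.0/10
];

// Classify an address by what it tells the remote side about the local network.
function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns'; // mDNS name sent in place of a raw host address
  if (a.includes(':')) {
    if (a === '::1') return 'loopback';
    if (/^fe[89ab]/.test(a)) return 'link-local'; // fe80::/10
    return /^f[cd]/.test(a) ? 'ula' : 'public';   // fc00::/7 is unique-local
  }
  const hit = V4_SCOPES.find(([re]) => re.test(a));
  return hit ? hit[1] : 'public';
}

// Candidate attribute layout:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [name value]...
function parseCandidate(line) {
  const text = line.trim().replace(/^a=/, '');
  if (!text.startsWith('candidate:')) return null;
  const f = text.slice('candidate:'.length).split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null;
  const port = Number(f[5]);
  if (!Number.isInteger(port) || port < 0 || port > 65535) return null;
  const cand = { transport: f[2].toLowerCase(), address: f[4], port, type: f[7], relatedAddress: null };
  for (let i = 8; i + 1 < f.length; i += 2) {
    if (f[i] === 'raddr') cand.relatedAddress = f[i + 1];
  }
  return cand;
}

// List every address the candidates reveal, with the field it came from.
function disclosures(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const c = parseCandidate(line);
    if (!c) continue;
    out.push({ type: c.type, field: 'address', address: c.address, scope: classifyAddress(c.address) });
    // On a srflx candidate raddr is the base (host) address, so the private IP
    // can travel even when the host candidate itself is filtered out.
    if (c.relatedAddress && c.relatedAddress !== '0.0.0.0') {
      out.push({ type: c.type, field: 'raddr', address: c.relatedAddress, scope: classifyAddress(c.relatedAddress) });
    }
  }
  return out;
}

// Unique internal-network addresses exposed to the peer or signalling server.
function leakedPrivateAddresses(sdp) {
  const internal = new Set(['rfc1918', 'cgnat', 'link-local', 'ula']);
  const hits = disclosures(sdp).filter((d) => internal.has(d.scope)).map((d) => d.address);
  return [...new Set(hits)].sort();
}
```

Running `disclosures()` over an SDP offer before it leaves the page shows whether dropping host candidates is enough, or whether `raddr` on the reflexive candidates still carries the internal address.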

Very cool, but what annoys me is it starting the p2p download and upload without asking authorization?

Other companies like http://streamroot.io/ are also using WebRTC to help content hosting sites like YouTube and Netflix deliver VOD and live streams. Really exciting!

>Error: No WebRTC support: Not a supported browser

Funny, Fx44 does support WebRTC

If I use Safari on that site it's just downloading from your server, right? Since Safari doesn't support WebRTC.

Looking forward to seeing Popcorn time on WebRTC

it is so fucking obvious that this idea is exactly how browsers will work in the future. A browser is going to just be something like node-webkit/webkit/electron etc. so compatibility won't be an issue, then you just connect to a ton of different clients that are running narrow crawls of shit you are searching for. The browser will then not take you to the page, but just display the information directly without loading a shit ton of js.

You can tag or organize the data locally and cache it, or return it sorted to the nodes which serve it to others. People don't give a shit about webpages for search, they care about information. The web is a big rss feed, and our old feedreader "google" stopped doing that well, and also we pay a massive privacy tax for that now.

I see this happening in ~2 years for really techie people and being standard in 5.

edit: elastic search, webkit, real time, distributed file systems, apache spark, google tensor flow. These ingredients will be used to make the new browser which browses information and returns that information not the actual web pages.

Yes, but there is no reason to wait ~2 years. It can be built now.

obviously. I think it will become mainstream with technological people in 2 years. It will take time to, of course, actually be built. Then, have enough data fed into it to actually be useful. That will take about 2 years(ish).

How does this project differ from ipfs?

Nice tech!

Nice demo.

are you a wizard?

WebRTC will anyway become obsolete with IPv6, right?

No. For security reasons, nobody wants Javascript to be able to open actual TCP connections – Javascript is supposed to be sandboxed, and if it can open TCP connections it can do any number of malicious things. So this whole Websockets thing has been invented, which is just like TCP sockets, except it’s understood that Javascript can access it, so nobody should implement any service accessible on a Websocket which could be misused by malicious Javascript. I’m not sure this is a solid plan.


Complains it cannot play the file for not having Chrome with Mediasource. Why not serve an ogg or webm for crying out loud?

Also, why auto-start the download?!

After the download is finished, where can I watch the video? There's no link for watching it anywhere.

If I refresh the page the download starts again.

I realise this is just an experiment and kudos for that, but the author could have made some better choices re above.
