Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: NoFile.io – A simple file storage site with lots of perks (nofile.io)
231 points by NoFile on March 7, 2017 | hide | past | favorite | 186 comments



I have some thoughts for you as someone who's done this before. I used to run a file hosting site called MediaCrush with a buddy of mine. It was moderately successful, but we ended up shutting it down. I later switched to a file host called pomf.se, which eventually was shut down as well. I wrote a blog post that sums up my thoughts on public file hosting:

On the profitability of image hosting websites - https://drewdevault.com/2014/10/10/The-profitability-of-onli...

I suggest you read it. In a nutshell: don't.

The problem is growth. It will quickly get too expensive and you will not have nearly enough revenue to support it. I guarantee you it will happen.

Currently I run a file hosting service with controlled growth. Accounts are not available to the public - you have to apply for one, and I approve them conservatively (130 approved, 137 rejected users as of writing). All users are also expected to donate. I think all new file hosting sites should take link rot seriously and if they don't it's a net negative on the internet. I hate that if I look at a forum post written >5 years ago, odds are all of the images will be broken.

If anyone wants an account on my website, I might be inclined to approve a few today: https://sr.ht


I feel like WeTransfer has got this right. They have wonderful full page ads and are monetizing by selling premium accounts to corporates, which have the ability to change the ads to fit their branding. https://wetransfer.com


WeTransfers user experience is great. I'm not sure the economics are ultimately going to work for them; the funding [1] gives them some runway, but they are already transitioning to more of a cloud storage provider. Simple utilities usually add bloat to drive value for premium plans. [2] In my experience, as they approach Google Drive and Dropbox in features, the product will bloat and become less functional and useful.

[1]: http://www.techtimes.com/articles/33710/20150220/wetransfer-...

[2]: https://wetransfer.com/plus/


Agreed. One of the few websites where I actually enjoy the advertisements and even click on them regularly.


I also ran some file/image hosting sites in early 2000s and another reason not to do them is that people post the most vile content and moderating can cause ptsd.


How did you deal with this content?


Basically by not running another file sharing knockoff.


This is the second, possibly third, time I've seen you link to your post about public file hosting - and this is the second, possibly third, time I'll agree entirely.

There are tons of pomf.se clones - many that have been going on for years as well. The important part for many of these hosts is that (a) enough people donate to keep it online and/or (b) the community remains small enough to remain affordable for the dev. Personally I use a combination of safe.moe and mixtape.moe.

Often times I've noticed these are "labor of love" projects where a dev can work on learning how to (a) keep a server running and (b) upgrade services without any/significant downtime, etc. Standard DevOps things. The monthly cost to these sort of people is seen as a "learning cost" in a real environment where they have hundreds of, if not thousands or more, users depending on them to not mess things up.

>I hate that if I look at a forum post written >5 years ago, odds are all of the images will be broken.

Inactivity pruning is largely to blame for this, not just new websites going under. IIRC, even Imgur does pruning after 6 months of inactivity (no views) which is totally possible on niche technical forum posts.


I think that in the end, the way to really address these issues is with WebTorrent or a similar service. When you're online, you should be:

    1. contributing your own bandwidth to the images you upload

    2. contribute your own bandwidth to the images you look at.
If you look at an image, maybe you should be required to seed it twice over. If you upload your image, maybe you have to seed it at least 10 times for it to stay up past a certain deadline.

As a user of image websites and, well, websites in general, I'd gladly contribute my bandwidth to help the services run. Or even act as a mirror rather than a shared peer.

What do you think about that? It could lessen the load on the image host and help scale things. I just can't seen this happening if you embed an image directly unless you embed iframes or require users to go to the site itself.


Although the idea is great but I'm not comfortable with the legal implications of "seeding" the stuff I view. It might work in some legislations but I'd be putting myself in too much risk under my local law.


What if everyone "seeded" random content that others are browsing? Sort of like a Tor Relay for P2P traffic. Everyone assumes some small responsibility and yet could argue plausible deniability.


I believe Freenet and IPFS are both built on this idea.


Upload metering is happening again in Australia. Especially on mobile devices, this could get super expensive.


I liked everything you said.


I'd question the assumption that all having web pages be immortal is a good thing. There is great value in letting natural processes erode items or things that don't get maintained.

Throughout history, we've learned to write down and preserve important stuff. Sometimes we've gotten it wrong or we create huge single points of failure (see, e.g., Library of Alexandria), but we should be careful in assuming that preserving everything is inherently better than the historical approach.


This was an interesting read and we will do our best to avoid this fate.

Right now we're focusing on patching bugs and providing a stable service, but in the future a premium service will be created which targets heavy users.

PS You can change the status of the last active host in your list (Minus.com) to shut down as well.


I've been running a public file hosting site for 11 years, I've always treated it as a side project to use for playing with technology.

The primary reason it's still alive today is out of obligation to the URLs (2 million or so) that call it home. If you don't already find this fun and don't feel the same obligation, then you'll join the thousands of others littering the web with 404s.

Also, be aware that people will upload bad shit, and you can look forward to phone calls from the FBI and others.

The site is open source, maybe you'll find it useful: https://github.com/kudos/hostr


The problem is one of capabilities; unrestricted image hosts delegate too much power to uploaders. An uploader should not be able to create a valid URL with any data under the hoster's domain.

In addition to what's been mentioned, another possibility is to force users to bring their own domains to the table when doing hosting; the user is free to host things from the service at their own domain, and the hoster's domains remain distinct and untainted.


"Currently I run a file hosting service with controlled growth."

Why do you do this ... that is, run a file hosting service for 130 people ? Is it a friends and family IT enabler sort of thing that you do to be nice ?

Or is there some kind of business here that I can't envision ?


Yep, it's a friends and family thing. Often friends of friends. Anyone who gets to know me a little bit can get an account. Since growth is controlled, costs are low. Since users are expected to donate, that completely stops being a concern.

The world is a smaller place than it seems. I've noticed this site having a measurable impact on the web around me, and lots of files that might have disappeared are sticking around now (23,946 of them, in fact).


All users are expected to donate. Ok, but how can this work better than just selling storage space like S3, Dropbox or whatever?


>I hate that if I look at a forum post written >5 years ago, odds are all of the images will be broken.

Could be interesting to sell these placements to advertisers: if you don't donate, we'll change all your linked images to image ads after 12 months.


That's stretching 'donate' a bit...


Sounds like you could use P2P caching to offset traffic costs.


Just in the way of feedback (and I might be really out of the loop/not your target market!) but here was my brain-in-action after I clicked on the link from HN:

"Hmm, this looks pretty... what is it for?

It has a huge area that says "click here or drag and drop to start uploading"... but uploading what? And why?

Let's scroll down and read the 'about'!: "Fast", "Compatible", "Encryption"... um... ok but WHY?! Is it personal file storage for me (Like Dropbox?) or is it like a public FTP server? Or something else? If I drag and drop my tax return there is it suddenly shared with the entire world? Why do I want this thing?! Back to the HN comments to find out more!"

Something like that anyway! According to the comments it seems to be more like a rapidshare/mega thing - and now that I get it I'll keep this site in mind for sure!


I guess it might be a cultural thing, but it seemed pretty obvious to me that it's something in the style of Mediafire/RapidShare/Hostr, before they all went to crap.


Err, Hostr founder here. Not sure if I'm happy that it was mentioned, or sad that it went to crap :P


To crap was a bit exaggerated, sorry. :P

Localhostr was great for a while for just uploading stuff without needing to bother with accounts or RapidShare's wait-a-minute-or-pay thing. It makes sense why you scaled back the free version (I can imagine that these services quickly get expensive to run..) and started requiring accounts. But personally that's the point where it was roughly equally annoying to upload to Hostr and my own server, and so the latter just made more sense for me personally.


Yeah, dropping anonymous uploads made my life so much better. I'm a solo founder of a side project, it's just not worth it.


Thanks for the feedback.

The upload box is the first and almost only thing that you see when you go to the page and the purpose is to make the process simple so that you don't have to click through to a second page in order to start uploading.

You do however have a point as it could be confusing for some new user who haven't uploaded files before. We'll try to add an info box or some additional text to make the message more clear, thanks for pointing it out.


guys, Rapidshare and Megaupload, once pinnacle of pirate file sharing, are now dead. (I miss them so much :))


From looking at "upload.js" you are using AES in counter mode.

    var aesCtr = new aesjs.ModeOfOperation.ctr(encryptionKeyBytes, new aesjs.Counter(-1));
Please use https://github.com/bitwiseshiftleft/sjcl which supports a very high-level sjcl.encrypt(passphrase, plaintext) API and has been audited, instead of using crypto primitives.

One specific issue is you are only encrypting, not authenticating, so if the servers are compromised someone could send back a fake plaintext.


> if the servers are compromised someone could send back a fake plaintext.

The server is sending the JS responsible for doing the encryption, no? If the server is compromised, all bets are off. You must trust this third party with your (unencrypted) data, unless you verify the JavaScript each and every time.


AES-CTR is indeed what's currently being used. SJCL is definitely an option and we will compare the two to see if there are any large advantages to switching over, thank you for your suggestion.

The reason to why the content isn't being authenticated is due to memory issues in the browser, but we're close to adding a solution for that as well.

Overall the encryption feature is currently in BETA and there will be large amount of improvements before it's finalized.


Re authentication: the site uses HTTPS, and doesn't HTTPS provide authentication that you are connected to the right server, receiving only data from that server (assuming the server and it's contents aren't compromised)? Or are you referring to another type of authentication


> assuming the server and it's contents aren't compromised

That's the assumption that file authentication would remove. Well, assuming that the server isn't also sending a backdoored client..


I'm operating DropJar.om and I can say it's a big headache. For some reason I keep getting DMCA notices from all kinds of lawyers and the occasional take down notice from police when ISIS videos are uploaded there. No income and tons of complaints. http://dropjar.com


There's a referral link in the lower right corner of your site. A few seconds after the page loads, clicking anywhere on the page takes you to hidemyass.com.

I don't know if this was intentional on your part, but if so it's pretty deceptive.


That's part of trying to monetize it ... unsuccessfully, bu t I agree with your observation, I should take it down. They way it works right now is misleading.


Um... Isn't it downright against the TOS of that affiliate program? This is in line with every shady torrent site that hijacks clicks to force an affiliate link. Is this not outright cookie stuffing?


I am sure it is. I had a link on the bottom right saying "check out HMA" the fact the click on the background opened that window was a bug, I don't believe someone would buy HMA just because I opened a tab with it ...


Sorted!


Awesome. :)

I know how difficult affiliate advertising can be, sometimes. Perhaps conventional ads would work better for the site?


I think full background ads like WeTransfer have would do it, but couldn't find an ad network that has them ... maybe an idea for another gig :-)


"For some reason I keep getting DMCA notices from all kinds of lawyers and the occasional take down notice from police when ISIS videos are uploaded there. No income and tons of complaints."

Everyone I have shown Oh By[1] to has immediately wondered "Oh, could you upload an image instead of text ?". The answer is no and will always be no, for these reasons.

It's evident right here on HN - limiting people to text weeds out a lot of the children/griefers/criminals.

[1] https://0x.co


I'm kinda curious whether one could "use" your service to upload 4k chunks of a base64 encoded image (perhaps by hitting the shortener using curl)...seems doable from a first glance?

Maybe you have something in place to prevent that?

If not - then I can envision an API of sorts that you could feed an image to, chunk it out, get the codes, then do the reverse...

...the thing is, if I can see this possibility - somebody else likely has long before me (I'd hope).


Pastie sites experience similar problems. Personal details being released, messages from terrorist networks and mirrors to various disallowed content.


I'm curious, what police force is it that reports the ISIS videos? Is there once in particular that seems to be hunting for them or do you get notices from a bunch of different ones that have had the videos reported to them?


If we receive valid content removal request through our contact form then we will have to take the content down.

Judging by your username - is there a connection between you and the infamous file hosting site Oron that closed down a few year ago?


> If we receive valid content removal request through our contact form then we will have to take the content down.

Have you considered how much takedown requests you will get if your site becomes popular? It could be hundreds to thousands per day (some ex file hosters ITT could tell how much).

You'll need a whole lot of premium customers to cover the costs of reviewing the takeodowns.


nope.


Wow, you are plugging your affiliate link hard on that iste.


yep, I even think I made $3.5 in the last ... 6 months from it :-)


sorted!


I see 16 bytes of hex after the anchor slug for the encryption feature, e.g. for 'https://nofile.io/f/86JiUNYM6QK#5827800f46cef978', the key is '5827800f46cef978'.

The key is absolutely does not contain enough entropy, because your key material is only comprised of the ascii-printable hex chars converted into a byte value. So instead of a byte having 256 different possibilities, a byte now will only be one of 16 values. Bruteforcing these keys would be incredibly trivial. To decode the hex into actually random key material, you would have needed to do something like hexToBytes("5827800f46cef978"), which would yield a correctly random byte array of [88, 39, 128, 15, 70, 206, 249, 120]. Note that this is half the proper key size required for AES-128.

I also want to echo the concerns already voiced by others in saying that key material needs to be generated from a strong random provider, and not just from the hash of the file.

I say this in the interest of privacy of those who might use your service, so please don't take any offense: please disable the encryption feature entirely until you can get assistance from someone with extensive experience in implementing crypto, because as it exists now, the implementation is fatally flawed.


Looking at the name first I thought it was some kind of parody - like /dev/null for uploading servers... Yeah, feel free to upload whatever you want...

The About section fits:

FAST - yeah, nothing faster than /dev/null, ok :)

Compatible - sure, why not.

Encryption + Secure - sure, it's hard to get anything out of /dev/null :)

Simple - no kidding...

The first hint that it might actually not be a parody site was the Preview part and then the file size limit in FAQs.

Even the Which file types are accepted? / All of them. combo works great for the /dev/null premise.


Great design & feature set.

Feedback: the navigation bar at the top is quite unusable from an UE point of view. The positions of the icons (and therefore the hovering position) change as the mouse hovers them. It is quite annoying.

Also, in the FAQ: "How can this be a free service? Magic" This sounds to me as: "stfu, don't ask, you are not clever enough to understand" or "there is some dirty way to get money from you, better don't ask".


I agree with both comments, especially the faq language. Often times, lightheartedness in the tech space comes across condescendingly. A simple explanation here would suffice...and if it is truly magic, I'm all in.


I thought it was a scam to datamine documents or something. Still don't quite trust it enough to upload anything.


What's different to so-called 1-click hosters (rapidshare, mega, uploaded, ...)? What's your business model? How do you want to keep DMCA claims at bay? Does this work mobile?


What's different to so-called 1-click hosters (rapidshare, mega, uploaded, ...)?

The main difference is that nearly all of these hosts specialize in a specific type of storage. As an example MEGA forces all users to client-side encrypt files before uploading which is useful for sensitive files, but it comes with the cost of incompatibilities with older browsers and devices which can't decrypt/download the files.

Uploaded provides lots of space for the uploaders, but then pushes all users to its premium plan. The site is ridiculously slow to use as a free user as they cap download speeds to 50 KB/s (they bump it up to a 70 KB/s if you take the time to sign-up).

NoFile bundles all the perks of the different hosts and gives the user more options and fewer limits. You can upload large files and choose whether you want to password protect, encrypt or disable previews for your file while still giving the downloaders speeds of at least 2 MB/s.

It's just a simple file host that allows you to share files without having to worry about the downloaders being infected with a virus, not being able to download

What's your business model?

At the moment there is no revenue source. As costs for the hosting go up, there will be a more "humane" premium plan added in the future, but it will targeted to very frequent users and as a free users you won't be affected by the changes.

How do you want to keep DMCA claims at bay?

If a valid DMCA request is sent in together with a link then we will be forced to respect the content creator and take the link down.

Does this work mobile?

This works on every single device regardless of whether you have Javascript enabled or not. If you however enable the client-side encryption feature (currently in BETA) which is disabled by default then users on older browsers and devices won't be able to download your file.


At the moment there is no revenue source.

So what makes you think your fate will be any different than that of all the other free file hosts that have had to resort to advertising in order to survive?


The site will simply not operate with large margins like other sites. The cost of keeping the servers and development running will be covered by a premium plan that's targeted to heavy users.


Isn't storing and serving terabytes of stuff pretty expensive? How many heavy users do you think you'll manage to win over in the first place, much less convince them to pay for the privilege of uploading their 100GB of illicit car diagnostic software to your website? Do you have an actual niche you plan to target?

I don't mean to be negative, it's just that I've seen the transition from free to freemium to ad-supported to Rapidshare to dead happen over and over again. These services don't seem to operate with large margins - from the outside, it looks more like all of them are on the brink of bankruptcy.


A few years ago bandwidth and storage was much more expensive than it is today.

Rapidshare was a service that had to swiftly and reluctantly change their business model. They were operating out of large offices with over 60 employees and due to the change they saw a sudden drstic drop in revenue.

Rapidshare's financial information isn't public since it's a private company, but one could argue whether they were actually losing money or not making the profits that they expected at the time of the shutdown.


I think Rapidshare earned tons of money. At one time RS was the go-to filehost for pirated material. They had almost anything you wanted, and they seldom removed files.

Then came the FBI raid against various filehosts. I remember few of the other hosts got taken down and charged, while others shut their site down as precaution. I remember Rapidshare starting their decline during this phase, something tells me Rapidshare did it on purpose and 'ran away' with the earned money before the feds got them.

Well thats my theory :)


This is a misnomer, as bandwidth gets cheaper, file sizes get larger due to technological advance. Think about the average size of a photo from 2006 and from 2016.


I generally see prices of 2 cents per gigabyte per month for active storage, even less, most under half a cent per gigabyte per month for long-term archival. Assuming there were willing to fork out 10 dollars a month, they would be able to get around a terabyte of storage.

Lets imagine our average citizen uploads quarter of a gigabyte, that means 4,000 visitors uploading files per $10 client. Assuming you can keep other costs really low, it's not too outrageously expensive.


You're forgetting the transfer / bandwidth costs.


But also offsetting credits from dedup.


Not with encryption


Your post reads like someone who knows nothing about the difficulties or complexities of this space, the economics, what customers will or will not pay for, or the legalities associated. I've heard this same pitch (or a similar variant) many times in the past, and the result is always the same.

The most concerning aspect of your model is charging users for download speed. That might cause users to pay you, but it puts an incentive on business to host questionable content. Megaupload and Rapidshare were doing the same thing.


>> "there will be a more humane premium plan"

In plain-English, what does this mean?


Basic features will be available to all free users and no extreme upload/download limits (e.g 100 KB/s download speeds, 100 MB upload limits, etc.).


Sounds exactly like other services that offer premium file services, how is this different? Also, while I know you're claiming this doesn't take away from the free users, it clearly does.


I think he meant to say he isn't limiting them to 100kbs and 100mb (drastic limits).


Sounds awesome, now if you could integrate with Rclone, that would be great.


It will definitely be looked into as it seems to be compatible with lots of different platforms, thanks for the advice.


Also: how can I trust it even if it supports encryption?


These are the essential questions. The technical side of filesharing is easy. The legal and economical side is not.


I like it. But I would like a more concrete answer to how long the files are kept. "As long as possible" is not really a great answer. I don't expect it to be there indefinitely, but something like "For at least 5 days. And no guarantee longer than that" would be fine with me.


It's a difficult question to answer exactly how long a file would be kept as the deletion is based on two factors:

- How active the file is (e.g if the file isn't downloaded in X days).

- How much space that's available on the storage servers.

As mentioned in a previous comment, the site's operating on small margins so the majority of the income will go to expanding the storage in order to make sure that your file is never deleted (unless you request).

At the current rate your file would never be deleted (again, unless you request it) and at a bare minimum your file will be stored for at least a week without downloads so you don't have to worry about your file being deleted before your downloaders get to it.

This will be updated in the FAQ section to avoid confusion as well, thanks for pointing it out.


I understand there is a technical aspect of how long you keep the files. But the end users probably don't really care. When I use a service like this to transfer a file to someone else, I would like to be able to write a message to the other person saying, "please download this file in X days".


What storage back-end do you use ? I assume S3 but am genuinely curious ...


I might be wrong, but it seems to me that the encryption key for the file is the truncated SHA256 hash of the file itself. This is not how you want to generate an encryption key.

Edit: also, password protection is enforced server side, and has nothing to do with encryption


The key is the truncated hash of the file for the purpose of file deduplication. However, it will not impose any security risks as the person who wishes to decrypt it would have to know the hash of the file which requires them to already know the contents of the file making it useless.

The password encryption is indeed server-side, but it is mainly there to protect the file against anyone who somehow finds/guesses the URL and it's a useful feature if you want to slightly increase the level of security without encrypting the file with AES.


> would have to know the hash of the file which requires them to already know the contents of the file

That is incorrect. Knowing the hash does not mean you know the contents of the file. You should generate encryption keys randomly, preferably using a secure random method such as that shipped with SJCL, rather than JavaScript's random API.


Unfortunately it's required for the file deduplication. Although it slightly degrades the security it's not serious enough to impose any security risks as the attacker would already have to know the hash of the file which almost always requires them to know the contents of the files.

Random strings and numbers are also securely generated through a CSRPNG with window.crypto.getRandomValues().


Just curious, why would a file storage site name themselves "nofile"?


I thought it was a joke so scrolled down the page. Thought there was going to be a punchline at the bottom.


FAQ says "What's the file size limit?: 10 GB."

Tried to upload a 9.66 GB test file but am getting following error message

"File Size Limit This file is too large. The largest file size that can be uploaded is 1.25 GB"

What am I doing wrong?


This was due to an old client-side limit that hadn't been updated.

It's been changed and you can now upload files up to 10.2 GB, thanks for pointing it out.


Looks like either a type on their page or code. Because 10 Gb == 1.25GB. Mixing bits and bytes somewhere


The page states 10 GB (not Gb). To be completely correct the precise limit is 10.2 GiB.


I liked the service but I'm afraid it will end up like all the 1-click-hosters: as a storage for pirated content, blacklisted in most corporate networks.

Few comments:

Animated backgroud is very distracting. I'm constantly reacting to the new icons floating into the screen.

Underlined "Or" in "Click Here Or Drag & Drop To Start Uploading" makes me think it's some kind of a link. Any reason to underline it?

If I upload multiple files (which worked well) I want to be able to copy all the URLs at once. Displaying them in a text box would be good.


The reasons to why NoFile won't become a storage site for pirated content is that uploaders aren't rewarded for downloads.

"Animated backgroud is very distracting. I'm constantly reacting to the new icons floating into the screen."

Another user pointed this out and a toggle for the animations will be added to the settings so that you can turn them off.

'Underlined "Or" in "Click Here Or Drag & Drop To Start Uploading" makes me think it's some kind of a link. Any reason to underline it?'

It's underlined just to separate the two options (clicking and dragging) for those who just read the "Click Here" part and assume that the rest of the sentence is just a description to why they should click here (e.g "Click here to start uploading your file").

"If I upload multiple files (which worked well) I want to be able to copy all the URLs at once. Displaying them in a text box would be good."

Instead of a text box there could be checkboxes next to each file allowing you to copy URLs and delete files in bulk. We'll work on adding this as soon as possible, thanks for your suggestion.


> The reasons to why NoFile won't become a storage site for pirated content is that uploaders aren't rewarded for downloads.

This is a very very naive view of the situation. You're allowing user A to upload content which can be downloaded by an infinite(?) number of other users they give the link to. Therefore it will be used for piracy. And worse.

Edit: actually, a free unmonetized file hosting site? In this day and age? Behind whoisguard and cloudflare? Ideal law enforcement honeytrap tbh.


This guy gets it. But hey if the NSA wants to provide free hosting that is private and secure -- or apparently so until the drones level your neighborhood -- that's fine.


Settings to toggle animated background? Seriously?


There are plenty of sites not offering rewards that get used for piracy. There are other ways to monetize, and many pirates don't do it for money anyway. Don't expect that to keep pirates away.


So who do you think actually will use this site and for what? For pirated content there are tons of free torrent sites. For legit content Google Drive, Dropbox and many others offer very generous free to use packages. Why would I ever use a file sharing site like this instead?


"Encryption - Protect Your Files

Protect sensitive files with encryption. Only users with the URL will be able to view it. "

This is not encryption - you should change the copy to tell what encryption is used (AES-128 from the info here), even if it's beta. Some more information on that will be welcome.


They may be encrypting the file with a parameter passed in the URL. In this case, assuming no logs are kept, it would be a reasonable encryption setup.


The encryption key is passed after the hash (#) in the URL. Therefore the keys are never sent to the server over the HTTP request (more info about this can be found here: https://nofile.io/security/).


https://nofile.io/security/

"Your file is first securely encrypted using a secret key (AES-128) with Javascript on your device. Once it has been encrypted, the encrypted data is uploaded to a NoFile storage server over a secure HTTPS connection preventing any malicious users from seeing what you're uploading (as an extra layer of security).

Only those with the secret key (which is in the URL) will be able to see the correct content and filename - if a single character of the key varies, then the file will be unrecognizable."

You need to set this as your preferred method on the upload page.


There is actually a page that explains the encryption used and how it works which can be found here: https://nofile.io/security/

A link has also been added to that block to make it easier to find, thanks for pointing it out.


I give it a week or two before it gets shut down because of the inability to deal with uploads of child porn and other disgusting stuff.

Best of luck anyway, and good luck dealing with law enforcement. Make sure you put some text on the front page indicating that you will collaborate with LE and it might save you from a little bit of bad stuff.

I ran something like this for a couple of years and shut it down because I was tired of dealing with the filth.


"There's nothing more annoying than selecting a file and having it removed due to a disallowed file type, therefore all files are allowed*."

CTRL+F finds no other asterisk on the page, what's the caveat?


Currently all different file types are accepted so the asterik has been removed - thanks for pointing it out.


I interpret the * as "we can interpret this to mean whatever we want, whenever we want".


The PDF preview doesn't show my PDF ... is that a placeholder or someone else's file?

http://i.imgur.com/IEHrxm7.png

https://nofile.io/f/KrLDHQyKt4J


This was caused by a bug and the PDF preview had been briefly replaced by a placeholder.

You should now be able to see your own PDF instead of a placeholder, thanks for pointing it out.


I have a tough time trusting a new service where I cannot figure out where this business is located / registered, where they have a physical presence, the person/team who built this service. Having more details in an About Us section would help it look more legit.


We'll try to work on this. More importantly you can enable the encrypted upload feature for sensitive files if you do not trust the storage servers.


Exactly this.


Can you remove the animation at the beginning, I've a bad vision and I could only read the text once it stopped moving, and I don't think this animation adds anything except eating the few seconds I give to a new website before choosing if I leave or stay. (at the opposite of the background animation that is okay)


> How long are my files kept?

> As long as possible

What a stupid answer to that question! (it gives more info - "You can set an expiry time by pressing the "Options"-button that's next to your uploaded file, otherwise your files will float in the clouds for as long as possible." - but it still doesn't really give any answer)


Well, in all honestly they can't really say "forever" or "indefinitely" because that is really an impossibility. How long is "forever" in your estimation? 10 years? 100 years? a thousand?

In all likelihood, the internet itself might evolve into something different in that time. This service might get bought out, or shut down, or the original founders may (fate forbid) get hit by a bus next week.

Setting any sort of indefinite limit is opening themselves up for legal action if it is even one minute less than someone expects. "As long as possible" at least is honest enough to say that as long as there is enough interest to keep the lights on, they will be there.


You already assume that the scale of the retention will be in years.

What makes you think that ? It may be days, where "as long as possible is "we hope to keep the files a few weeks".

Without some sort of project plan you don't know if NoFile.io is aiming at snapchat for file, or S3 for everyday Joe.


Speaking of "getting hit by a bus". What is the bus factor of this site.


Nice work, looks like an interesting project. I do think your site copy could do with some work though. It's not entirely clear from the current text what the service actually is - is it for sharing files with others, is it a Dropbox competitor or is it an S3 competitor?

The following phrase made me feel a little uncomfortable about using the product.

"How can this be a free service? Magic. In the future a paid service will be introduced offering more awesome features, but don't worry it shouldn't affect the free service."

I'd rephrase this - definitely remove the shouldn't as that tells me that while my files shouldn't be deleted, they might be.

Finally, just a minor thing, but the down arrow under the "Click Here Or Drag & Drop To Start Uploading" doesn't work for me (latest Chrome on Mac). I assume it should scroll down the page but it didn't for me at least.


Dropbox and S3 are too far from us right now and I wouldn't call them competitors.

NoFile is a simple tool that allows you to quickly share files with lots of options, nearly no limitations and at the same time as you don't have to sign in.

"I'd rephrase this - definitely remove the shouldn't as that tells me that while my files shouldn't be deleted, they might be."

You're right about that as the premium plan will never lead to files uploaded by free users to be deleted. The premium plan will only be targeted to more heavy users and won't affect the free users.

"Finally, just a minor thing, but the down arrow under the "Click Here Or Drag & Drop To Start Uploading" doesn't work for me (latest Chrome on Mac). I assume it should scroll down the page but it didn't for me at least."

The button was indeed not working and it's now been fixed, thanks for pointing it out.


"NoFile is a simple tool that allows you to quickly share files with lots of options, nearly no limitations and at the same time as you don't have to sign in"

put that on the top of your page!


Does anyone remember the name of the file hosting platform that had a music player built into it? It was so goddamn elegant and easy to use, but was bought out by Facebook. It was a huge staple for me all throughout high school for my band, it's kind of shame that there was no way it could have been viable.


drop.io?


Some initial feedback:

  * Title Case Everywhere Looks Weird  
  * Hovering over 'resolution' on the detail page shows a tooltip with the text 'Upload date'  
  * I uploaded a .NEF file and it seems to think it's 160x120 (it's actually 6000x4000)  
  * The buttons next to the link field on the detail page are not the same height as the input.  
  * When uploading the background icons become jerky (presumably due to the upload causing long frames)  
  * When uploading there was no speed / ETA data shown, just a spinner.  
  * I felt the animations on the homepage were all a little superfluous.  
  * The links in the footer link to places on the page, but without updating the URL hash, probably worth adding one to make it more linkable.


How do you plan to compete with older (& less crappy) services like mediafire?

Also tonnes of decent ad supported options with no crap like wait time and million popups like Openload Zippyshare AFH

(oh and site looks & performs great! Best of luck for future)


> compete with older (& less crappy) services like mediafire?

Did you mean to infer that MediaFire was less crappy than this showcased one? Or crappier than this one? Your follow up sentence would indicate the latter.


I think he/she meant the less crappy among the older services.


I meant less crappy among the usual "file hosting sites". Mediafire for one is a pretty good service with 10GB for free but some times has too many annoying ads

OP's site looks great!


These services (Mediafire, Zippyshare, Uppit) are among the best file hosting sites online, but unfortunately they have their issues too.

The problem being that you have to jump between different hosts depending on how large your files are and which features that you want to use (e.g Mediafire for larger files, Zippyshare from public PCs so you don't have to login, MEGA for sensitive files that you want to send securely, Dropbox when you don't want grandma's PC to get infected when you're sending her the videos from Christmas).

The goal is to create one single host that saves you from having to jump from each host and having to maintain dozens of accounts to bypass limits.


I did something similar recently https://streambin.pl/, you can upload whole directories but only when web-browser is on.


This is really neat as a technical demo. What's your anticipated real-world use for something like this?

My first thought was that it would be fantastic in a case where I needed to pull a file off a server I was SSHd into but didn't feel like setting up a SFTP session. Of course, in that case I probably wouldn't be comfortable having the data pass through a third-party.


this is cool, I like the way the time limit is just built in with the life of the process. Perfect niche use case.


Seems pretty cool. I was actually thinking of building a similar 'accountless' file upload and sharing service, but this one is a lot better than what I was envisaging.

Question - would you, in the future allow uploading to configurable destinations, e.g. my own S3 buckets? Also, do you track the number of time a file asset was downloaded from your service so that the original uploader can check activity stats?

EDIT: Feedback - when I scrolled to the bottom of the home page, the "There is something I have to tell you" section is duplicated under itself.


Thanks for the positive feedback.

Right now there's only an option to upload files to Dropbox, but the plan is to add as many useful alternatives as possible and S3 would be a good option.

The number of times a file was downloaded is currently being counted, but it isn't public. It would be an interesting idea to display it on every download page by default (similar to Imgur) and give the uploader the option of disabling it.

The duplicated info block has also been replaced, thanks for pointing it out.


OK, this looks promising but one question - how do you plan to avoid rapidshare, uploaded and mega fate? This is not 2006, copyright owners will tear you apart day 1.


Any valid content removal requests that come in through the contact form will be obeyed.


With no information (that I can see) about where these files are hosted, or who or where the organisation is behind this, using this could be a big mistake.


Bandwidth and storage aren't free. What is your business model? Things without clear business models usually me YOU are the business model.


Looks like nofile.io is depending on cloudflare. Which, I assume doesn't jive with their TOS "SECTION 10: LIMITATION ON NON-HTML CACHING" policy.


Only static content is served over Cloudflare. All uploads/downloads are done directly with the storage servers.


You sure about that? I just uploaded a file and then..

    curl -o /dev/null -v https://nofile.io/f/01ZAJO7Qhfe

    *   Trying 104.18.59.89...
    * Connected to nofile.io (104.18.59.89) port 443 (#0) 
    * TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    * Server certificate: sni212289.cloudflaressl.com
    * Server certificate: COMODO ECC Domain Validation Secure Server CA 2
    * Server certificate: COMODO ECC Certification Authority
    * Server certificate: AddTrust External CA Root
    > GET /f/01ZAJO7Qhfe HTTP/1.1
    > Host: nofile.io
    > User-Agent: curl/7.43.0
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Date: Tue, 07 Mar 2017 15:18:16 GMT
    < Content-Type: text/html; charset=UTF-8
    < Transfer-Encoding: chunked
    < Connection: keep-alive
    < Set-Cookie: __cfduid=d3f6984a870cdd03cea954585ac19e38c1488899895; expires=Wed, 07-Mar-18 15:18:15 GMT; path=/; domain=.nofile.io; HttpOnly
    < Vary: Accept-Encoding
    < Strict-Transport-Security: max-age=15768000
    < Server: cloudflare-nginx
    <
    { [957 bytes data]
    * Connection #0 to host nofile.io left intact
Looks like that ran through Cloudflare, even if it wasn't cached. Doesn't look like it's going directly to whatever storage you are using.


Yes, completely positive. You need to make sure that you're following the 301 redirects as that is not the final file location, hence why the data returned is only 957 bytes.


I see. Thanks.


"It's ridiculously difficult to share a single file online without a bunch of hassle. Most sites either riddle their pages with ads so you have to guess where the correct download button is and usually restrict useful features to their premium users.

All those useful features have been added to NoFile and made available for anyone who wants to use it - all free from ads, registrations, payments and it respects your privacy. Here are some of the current features (more to come):

* Simple upload process compatible with nearly all devices - accepts files as large as 10 GB to be uploaded

* Upload & download files without Javascript enabled (nearly all features are still available, although the site runs smoother with Javascript enabled)

* Password protect files (hashed with SHA256)

* Ability to encrypt files with AES-128 on the client-side before uploading to the server for secure storage (BETA)

* Easily view the metadata of a file (file type, dimensions, upload date, size, etc.) on its download page (URL to a live demo below)

* Preview files (PDF viewer, video/image/audio previews) before downloading (see demo URL below)

* All transfers are made securely over HTTPS to prevent malicious users from viewing what you're downloading/uploading (forced SSL)

* Securely view your upload history without having to create an account (history is stored in your browser's local storage)

* Save files directly to Dropbox (Dropbox scripts are only loaded when button is pressed to protect your privacy)

* No tracking codes and no third-party CDNs are used for external scripts, CSS or fonts in order to protect your privacy

---

Here are a few demos

- Download pages

https://nofile.io/f/BJ6MyXboYLj (an image with its preview enabled)

https://nofile.io/f/UH58eLI68Cl (an image with its preview disabled by the uploader)

https://nofile.io/f/Yl4NcFvsliN (an image with password protection - password is 12345)

https://nofile.io/f/OoG2wQwS33R#c725690e45b3a393 (an image encrypted with AES-128, secret key is stored securely after the '#' and not transmitted over the HTTP protocol)

- Upload completed page

https://nofile.io/edit/?id=UH58eLI68Cl&key=w69gz2D5y0RoH9umu...

To start uploading your own file(s) within seconds (without signing up): https://nofile.io If you have suggestions, a complaint or any features that you would like to see added then feel free to leave a comment or use this contact form: https://nofile.io/contact/"


> It's ridiculously difficult to share a single file online without a bunch of hassle. Most sites either riddle their pages with ads so you have to guess where the correct download button is and usually restrict useful features to their premium users.

Imho, if you really want to be the "Google of file-sharing", then the UI should be a lot less distracting.


I have to say I humbly agree with this advice - the NoFile.io name got me clicking (the most difficult hurdle) - then when stuff started to animate I thought 'oh' and closed the window. Perhaps this is small minded of me :-)


"Google of file-sharing" would be a too heavy title to hold right now. The animations are there in the background to give the site a comfortable touch, but it should be easy to distinguish them from the actual site content (e.g the download button comes inside a "box" with a different background color and animated icons hidden underneath).

Perhaps it would be useful to add an option that toggles the animations on/off.


> Perhaps it would be useful to add an option that toggles the animations on/off.

If hundreds of people are telling you the animations are too much, kill the animations.

If a small handful of people are saying it, ignore them.

But please, please, do not add _any_ complexity to a small-margin, intentionally simple service like this in the hopes of pleasing everybody.


> Securely view your upload history without having to create an account (history is stored in your browser's local storage)

How can I view my history? I think I've clicked every link available but I can't find this at all.

I do see some data in my localstorage. I'm not expected to fish it out myself from there am i..?

> You can set an expiry time by pressing the "Options"-button that's next to your uploaded file

Same for this. There is no such option to be found. Screenshot: https://www.NoFile.io/f/FHA0M03bmm0#057e7d69b089e719

Also, I tried downloading my own screenshot but nothing actually happens. (The loader does pop up) Downloading & preview does work for an unencrypted file.

Firefox 51.0.1 (64-bit)


"How can I view my history? I think I've clicked every link available but I can't find this at all."

The button had been hidden for some users due to a bug. It's been fixed and you will be able to see it after refreshing the page, thanks for pointing it out.

"Same for this. There is no such option to be found."

This feature was disabled shortly after the launch due to a bug. It'll be added again as soon as possible.


The example download pages from the FAQ all return 404, you might want to look into that.


Updated, thanks for the help.


Seems interesting, consider adding the option of "link to file directly", that is without a "file landing page". Enable it for paying customers if you have to.


It looks like the 'Forum URL' and 'HTML URL' fields on the upload completed page are mixed up


Fixed, thanks for pointing that out.


Parse error: syntax error, unexpected '!' in /home/nofile/public_html/download.php on line 382


Switching the link format (html, bbcode, plain) is broken after the first switch, showing the wrong URL

When you upload the same file it warn. Good enough. But when you continue anyway the KB/s and ETA displays do not show anything.


Really cool stuff! I love the design. One bit of feedback I would give you though is to go easy on the CSS transitions, especially where the user has a target for interaction (navigation links, dragging and dropping...). Not that it's not visually interesting to keep them but makes it a little painful to have moving targets.


Other users complained about this as well. A setting will be added which will disable the animations for those that find them annoying.


This is pretty awesome - I really want to replace Filepicker as it's way too expensive for what I need. But I really like their embeddable widget that I can embed with a button click. Also I like all the sources for files rather than just a drag/drop or click upload. Can you support any of these features?


Since there's no business model, NoFile could disappear overnight.

Without some sort of guarantee of availability, I wouldn't be able to recommend it to friends, coworkers, or family. I don't want to advertise something that is truly a great service but ends up shutting down few months from now after people start abusing it.


There is of course nothing other than our word that will guarantee the site being up.

But if the site does decide to shut down then we will be sure to notify users about this at least a month in advance in order to have time to make backups.


A few more:

Console gets spammed with "not active or paused - skipping speed" messages, what are these?

There seems to be an onclose-like handler which warns me that I might have not saved the changes (I've uploaded 6 files). Do I need to "save" somehow? I see no "Save" button, nothing similar.


"not active or paused - skipping speed" is sent from the upload speed and estimated time measurement function and won't affect your upload.

The warning message that you receive when trying to close the page is only there to prevent accidental exits and in case you're in the middle of an upload or if you haven't copied the URLs of the uploaded files.

Unfortunately browsers no longer allow you to change the warning message, hence why it's telling you to save.


I love how simple your site is. I hope is stays around. I would take everyone's advice and remove the animations. I and a few other people I showed it to in the office all had the same annoyed reaction. Everything else is great and seems to work!


Nice work, thanks for sharing.

I'd like to challenge you on the site name, though. Why'd you pick it? If I'm a normal user who stumbled across the site, I might be confused if a site called "NoFile" wanted me to upload files.


Like the concept.

Testing on FF 51.0.1 and I can't seem to see the expiry option which is supposed to be alongside the file that I uploaded. Maybe using a different browser would work?


On the iPhone the margins to the edge of the page don't feel large enough and I keep thinking the words are bleeding off the edges of the screen.


How do you prevent fraud? What keeps users from uploading copyrighted material or using the site as download-mirror?


The only way to prevent this is through valid content removal requests sent in through the contact form.

As mentioned in a previous comment, since uploaders aren't rewarded for downloads this shouldn't become too big of an issue to handle.


I don't see a DMCA link... that might be problematic for you in the future, legally speaking.


There is a contact form (https://nofile.io/contact/) where all content removal requests can be sent to.

All requests will be checked and the file will be taken down if the request is valid.


> Which file types are accepted?

> All of them

It is not accepting my Calculator.app. It just sits there, never uploading.


Neither the file type nor the content inside the files are being checked.

This issue must've been caused by something else. Were you able to upload other files?


Will there be a public API?


The plans were to have the API added from the start. To prevent a rocky beginning the API wasn't released, but it will be added as soon as possible.


i've been looking for a site where i can upload my audiobooks files and an app for andriod that would play it for me, (possibly offline).

Is there any other options other than dropbox?


There isn't currently an app, but there shouldn't be any disadvantages between using the site.

You can upload as many files as you wish and save them on your phone to play offline (similar to what an app would do in the background) or play them directly from the site.


Check your contact area. I notified you of an XSS issue.


Thanks for reporting the issue. The XSS was related to the filenames.

Although most operating systems don't allow users to upload files containing greater-than/less-than symbols, it's possible to add them by tampering the requests and changing the filename.

From there you could change the filename to "<script>alert("xss")</script>" and run an XSS. This has now been patched by encoding the characters.

Once we're a bit more stable we'll be sure to release a bug bounty program.


Curious what it is. No CSRF token?


Manual deletion doesn't work


Same here.


Nice idea and design. Along with what other people have said, though, turn off all the js animations. They make it nigh impossible to quickly asses content and actionable items, requiring that a person sit and stare for longer than needed without getting any new or useful information. The design is nice on its own; it doesn't need to be dressed up more, and if you feel it does than that's a sign that you don't like the design and should change that instead. Just my opinion.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: