Hacker News new | past | comments | ask | show | jobs | submit login
Transfer.sh – Easy file sharing from the command line (transfer.sh)
240 points by thunderbong on July 5, 2021 | hide | past | favorite | 84 comments

This is exactly the use case for Magic Wormhole, which is what the cool kids use to transfer files:


Magic Wormhole uses an end-to-end PAKE to create an encrypted transport between two points in the Internet, using a rendezvous server.

It doesn't store files, which is almost never what you want; it's not a way to send a file and have 10 or 100 people download it. But it's probably the best way to get a file through a bunch of arbitrary network controls, NATs, &c to a desired destination. There's a Go implementation as well:


... which is what I use most of the time. If you haven't played with it, I highly recommend it.

I wish magic wormhole used federated rendezvous servers, was usable from within a locked down corporate network, had a .NET implementation with a pretty GUI so that even my mom could use it, came with all major OS by default and was as accepted as e-mail so that I can actually share files with everyone, not just my nerdy friends. Is that even remotely a realistic thought?

I feel like a web clone of it hits some of your goals: https://webwormhole.io/

It does, except it removes a giant advantage of magic wormhole: True end to end encryption requiring only TOFU. The web version downloads JavaScript every time and unless a specific version is somehow pinned by default, you are in principle vulnerable to MitM attacks.

Host your own version and hash all the JavaScript sources https://www.srihash.org/

This and croc. Link: https://github.com/schollz/croc

Considering that a small deviation from a cryptographic protocol could fully turn cipher text to plaintext in a revered tool frequently recommended in HN:


I would hesitate a bit before rushing to use cool kids’ software (until it’s sufficiently proven).

I don't know anything about croc, I haven't looked carefully at it, and don't recommend it (or have any opinion on it). Lots of smart people have looked at Magic Wormhole, which is one of the things that makes it neat.

This is a great way to make sure there are no alternatives to Magic Wormhole. If this attitude was common in web browsers, we would only have one software of its kind in every category. No choice for users whatsoever.

What's a good way to make sure of it? Not having any opinion of it, because I haven't looked at it?

There are a lot of alternatives to Magic Wormhole. Unfortunately, most of them are pretty sketchy. One thing I can say about Magic Wormhole: it's not sketchy.

This sounds like a slippery slope. No one is saying not to try anything else, they're saying to make sure and use stuff that is more likely to be safe. In the case of web browsers, we do only use like 4 or 5 out of thousands.

Since not everyone will click the link and read to the end of the post, it seemed worth pointing out that the vulnerability being commented on here was fixed: https://schollz.com/blog/croc9/

Ha - so cool. I love that it can be easily used to send a stream (the only thing I missed in magic-wormhole). Basically,

   ls -lah | croc send  

Thanks for this link!

No, it's not. Transfer.sh does not require anything to be installed in both sender and receiver ends. Only the browser is enough.

That's not actually related to Magic Wormhole, it's "inspired by" it.

It's a frustrating naming decision, to be sure.

Then it's not secure.

You seem to be missing the point. If I wanted to send a funny webm in a room on Discord or IRC for example, if I didn't want to upload it directly to Discord that is, I could use this with ShareX to upload it and get a link that's easy to share. It's not supposed to be secure. It has its place alongside Magic Wormhole just fine.

If you want to send a funny webm, use whatever you'd like. The comment to which I responded to said "no, this isn't the same use case, because Magic Wormhole makes you install something". If they'd said "this isn't the same, it's supposed to be OK for this to be grievously insecure", I'd have shrugged and moved on.

What stops someone from using up all the channel IDs on the rendezvous server.

Also why no attempt at NAT traversal; instead relaying traffic through a transit server.

It's almost as if the project's purpose is not so much to create superior file transfer but more just to showcase a use of SPAKE2.

> almost as if the project's purpose is not so much to create superior file transfer but more just to showcase a use of SPAKE2.

That's my feeling too. See my rant: https://news.ycombinator.com/item?id=24519895

This rant is pretty silly. Nick Lamb's took the time to refute it on that thread; you should acknowledge that before continuing to cite your thread as if nobody had corrected you.

Who's Nick Lamb?

Anyway, the thead is very short, so if there were any corrections there, people can read them and make their own mind.

Sure, people should just read that whole thread. It doesn't sound like Magic Wormhole's authentication really clicked for you in the original rant.

I think this is your question, if not, my apologies https://youtu.be/oFrTqQw0_3c?t=1594

But does it support a time difference between sending and receiving?

This is the main feature I'm curious about.

Thanks for sharing wormhole!

I used to self-host transfer.sh, but nowadays I just use WebDAV.

1. it's easy to get WebDAV running, most of HTTP server support it through modules. or you could run it with rclone, on non-standard port or behind a reverse proxy

2. I don't share upload access with others, it's only for my own use. and this way I don't need to deal with huge uploads or illegal contents.

3. I could also just curl it, the uploaded content will have proper mime types. It's convenient for me to share pictures and videos this way on Telegram because it generate previews for me, and it's easy to just copy-paste a link to send to more than one person.

  curl https://user:password@domain.tld:port/path/to/file.png -T file.png
4. I could use WebDAV for various other cases, such like keeweb instance, Orgzly (android) notes syncing, saving keepass database etc.

Could write a simple shell script to include random characters in the URL, copy url to clipboard etc, such like this one I wrote [1]

btw for plain text, I prefer to use fiche [2] a simple netcat based pastebin. I have a public fiche instance [3] which allow people to upload with bash/zsh/netcat and show webpage with syntax highlighting. Text usually consume very a few of storage and not that "sensitive" like some photos and videos could be, so it's less troublesome to provide a public service for that. I've also write a Telegram bot for easily upload to my pastebin.

Lifespan of my WebDAV uploads and pastes are 1 month, it's very easy to clean them with crontab

  @daily find ~/webdav/tmp -mindepth 1 -maxdepth 1 -type f -ctime +30 -delete
[1] https://ezup.dev/git/dotfiles/file/.local/bin/eztmp.html

[2] https://github.com/solusipse/fiche

[3] https://ezup.dev/p/

I’m a big fan of WebDAV. As a bonus, you can host tiddlywiki in WebDAV and it just works.

The only downside as far as I can tell is WebDAV support in Windows Explorer has problems with modern TLS setups.

Haven't use Windows for a while, on macOS I used to use NFS to access files on a LAN server but switched to WebDAV as well because it seems easier and cleaner to use WebDAV compare to SMB/NFS, since it does not require extra services or opened ports on server.

Nowadays I mainly use linux distro, the main use case of accessing files from LAN server is watching movies or TV series. I just create m3u/m3u8 playlist on server and play it through HTTP (not necessarily use WebDAV in this case). this way could avoid potential troubles I could get from mounting a remote directory.

  # LAN server
  ls -1 *.mp4 >playlist.m3u
  # computer, mpv with "save-position-on-quit"
  mpv http://raspberrypi.lan/path/to/playlist.m3u

The problem with webdav on windows explorer for me has always been the lag. Windows explorer has never really handled remotes with latency well, and webdav is one of those when you access a server across the globe

I'll throw Wormhole.app (https://wormhole.app) into the ring as well.

- End-to-end encrypted

- Send up to 10 GB and get a share link in 1 second

- Files are hosted for 24 hours so you don't have to be online at the same time as the receiver

- There's no need to wait for your files to finish uploading before you can copy the link and send it to your recipient. The recipient can start downloading even before the files have finished uploading.

- Browser-based, nothing to install

- Uses RFC 8188, same as Firefox Send. Open source here: https://github.com/SocketDev/wormhole-crypto

Send, E2E encrypted, originally by Mozilla:

Public instance: https://send.vis.ee/

CLI: https://github.com/timvisee/ffsend

Other instances: https://github.com/timvisee/send-instances#instances

How do services like this handle the copyright/malware/child porn problem? That is, I thought the whole reason send.firefox.com shut down was that it became a hub for sharing illegal content and there wasn't a good way to filter that out. If Mozilla couldn't solve that issue for a free service, how can anyone else?

Yes. Malicious uploads.

The fact that Mozilla's well-known name was attached didn't help. That made unsuspecting users trust malicious uploads/links.

> Files stored for 14 days

I think that's the reason, why this service is not very interesting for illegal content.

Illegal content is generally ephemeral regardless of where you host it. I don't think this changes much, it could still provide a good home for some illegal things.

I would very much like it for people to start calling it immoral content more than illegal content.

"Immoral" and "illegal" are not logically equivalent. An act being immoral does not make it illegal and an immoral act is not necessarily illegal.

Immorality is extremely nuanced and heavily influenced by society. Eg. homosexulity is illegal in some south Asian countries such as Indonesia, but is not seen as immoral in most parts of the world.

Conflating the two - or preferring the term "immoral" over "illegal" inherently lends itself to allowing people to rationalise illegal activities - such as child pornography as only being "disapproved of by society" (morality being a fairly abstract concept) rather than an act which violates the laws of the land and is officially and formally condemned by the government.

> preferring the term "immoral" over "illegal" inherently lends itself to allowing people to rationalise illegal activities

Why do you need to rationalize illegal activities if they aren't immoral?

I think you're agreeing with kwitze. It's ok and even desirable for these services to host illegal, moral content but bad for them to host immoral content

This stores files for two weeks on a third-party server.

What advantages for the intended use cases does transfer.sh have over netcat invented 26 years ago? I know some people who have used nc for those entire 26 years to xfer files point-to-point from the command line.

Not sure if your comment is just a re-hash of the now famous HN comment on the Dropbox Show HN ("Why can't you just use rsync/scp"), but netcat which is a unix utility shares basically nothing with transfer.sh which is a web based file sharing application. Comparing them is really apples-to-houses.

Netcat has it's uses, but one of them is not guiding your friends and/or family through a terminal in order for them to receive some photos you took last summer vacation.

What I asked about was the intended use cases, considering transfer.sh and nc. What you mentioned is not one of the many listed use cases. Most of them are to transfer a .txt file.

Netcat is seriously awesome, and still exists very much under the radar of a lot of people. I've used to to copy files around the planet, the datacenter, and the lab.

It excels at doing things "right now". If I have a terminal window open on a server in France and one in the US; then I can easily move that file. However, If I have to move my body to the target location before I can copy the file it doesn't work as well. (Need to jump through a few other hoops that make it more challenging.)

Protip: ALWAYS grab the hash of the file before you send it, and compare.

2nd Protip: Encrypt your file(s) before you send them.

Something like this is decent for moving a file at your leisure, or to give a copy to somebody else at their leisure.

I would like to know if there are any advantages to use nc instead of scp ?

You don't need an account on the target system.

Target PC opens a port and starts listening (outputting to file)

Sending machine establishes a connection to the listening port, and starts copying the file.

Example (hide a file transfer as DNS traffic)

Listening computer:

  nc -l -u -p 53 > output.file
Sending computer:

  cat original.file > nc -u [destination ip address] 53
In this case you'd be dumb not to encrypt the file before transit. And as I mentioned already make sure you have a hash of the original.

You can also use TCP. These are sneaky/simple ways to move files around. Downside: You need to poke a hole in a firewall, but options exist for that too.

ssh/scp downside: You need an account on target PC to connect to. nc downside: you need an open port on the listening PC.


- Your 'sending' snippet should use | instead of >.

- ports 1-1023 are privileged.

Oops, you're right about the pipe..

I thought that looked a bit wrong, but ignored my gut. Privileged port: I'm root anyway. =) I can't make it too easy on these kids.

Most obviously, the same things as its disadvantages:) With nc, you don't have encryption or authentication, which is good - faster, no keys to set up, no fingerprints to accept - and terrible - no transport encryption, no data integrity verification, no access control except for at the network layer. Also, slight difference in how you use them: scp operates on files, nc on streams. But you can just pipe over SSH, so that's not a big difference IMO.

I forgot to mention.

1 tremendous advantage to netcat:


This is the only "real-world" way to test line speed. 0 overhead, no faffing about services.

If you can't get line-rate speed on your LAN with this your hardware needs to be looked at.

iperf is handy, netcat is raw and real.

Is there an online service to `nc` files into with temporary storage (like transfer.sh)? I know of termbin.com for code snippets...

I have literally done this once with a friend of mine, transfer a file over netcat. It cost us about 10 minutes of figuring out the exact commands, and we were at the same LAN party, and thus had a direct network path to each others systems. With most consumer routers and their NAT this would be much more complicated. And this was with a friend with high unix knowledge, so not just the "I know how to paste commands from askubuntu" knowledge.

So yeah, just being able to copy curl commands from a website certainly has value over configuring complicated commands.

Guess mostly nat penetration and storage for a few days

The service itself was broken for a very long time, did it become active again?

Selfhosted alternative: https://github.com/kennell/curldrop

From the repo:

> Disclaimer

> The service at https://transfersh.com is of unknown origin and reported as cloud malware.

That's why the link to their site is https://transfer.sh which was posted

Since this is conspicuously lacking among other threads here, allow me to thank the creators and maintainers for a service invaluable to those of us who are grateful for the ability to share files without installing new software, and who mightn't need e2e protection for it (though as the examples show, this is possible, again without installing additional software).

Thank you! :)


I like transfer.sh and use it occasionally as an easy way to send things to friends that are on a remote server. However, I've realized that the upload speeds are pretty throttled to the point where it takes minutes for 100mb file. So I started using oshi.at which afaik is petty similar but faster uploads. Though, the one downside of oshi.at is that you can't watch mp4s in the browser it just starts download immediately.

I look forward to seeing a CLI for wormhole.app though

Since we're listing alternatives, here's the one I made: https://nopaste.net -- It's open source and available on https://github.com/binwiederhier/pcopy

curl usage is available via: "curl nopaste.net".

Neat! This looks like the closest thing to what I'm looking for when I ssh somewhere and I don't want to cat the file, mark, scroll, scroll, scroll, scroll, copy, and paste into a gist.

If we're listing file uploaders, someone made a spider to find them automatically:


Though it hasn't ran for a few months now, many of them are still up.

Not to put transfer.sh down - it's very useful in many situations, I'm sure! - but I just run a permanent webserver on all the machines I want to share files from. I discuss this more in http://catern.com/computers.html

I find that's a very easy approach.

I see that you run nix - with the help of a configuration.nix and perhaps home manager you could have several identical machines.

It won't remove the file transfer problem though, but perhaps a shared git-annex repo or a memory stick would do.

anything new here?

lots of previous drama with it being declared shut down in Nov 2018 and then resurrected and then complaints of it being down again etc etc

One of the easiest ways I've found to move a file into places like Heroku (think a task where you need to manually import a CSV using something like an app script or rake task)

For text I like http://termbin.com. It just accepts text on port 9999, no HTTP required.

Just text, you say?


`curl -s "https://termbin.com/0nlm" | base64 --decode | file -`

I guessed but how could I have identified the string as a base64 hash?

I could have created a header of some kind to identify it but I figured it would be more fun in this case to give people some ducktective work to do ;-)

And the secure alternative: http://blackhole.run Heavily encrypted, private and free.


Same, and IMO easier to remember (:

This looks great, but does it survive solely on donations? For me that's the one important piece of info missing from the page.

I've not been using this tool, but I'm happy to see that on HN: It's a project one of my teammates is working on :P

i'd like something like transfer.sh but without uploading files to a server. just relay.

if i wanted to upload files, i could just do that on my own webserver.

what i am looking for is: download via browser sharing from commandline or browser shared file is availble as long as the share-process keeps running (ideally also) self-hosted relay servers

I this service used for anything legit? The only times I bumped into transfer.sh were when tracking malwares.

That "transfer" bash function - why does it use "tee /dev/null"?

Good catch! I guess they wanted `--silent` ?

Who is funding this project?

Magic Wormhole is also dank

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact