Show HN: Pure JavaScript P2P file sharing in the browser (whatareyoudownloading.com)
59 points by troysk on Jan 26, 2013 | 69 comments

False and misleading title.

_serverless_ file sharing, says the title, yet the technology "requires a HTTP server". "Its completely anonymous as no data is ever stored on the server". Incorrect, only mild protection against sniffing and spoofing is provided.

The underlying code documentation speaks of "This makes it perfect for anonymity": https://github.com/ShirsenduK/WhatAreYouDownloading/tree/mas... No PKI is linked or included. Proxy service or Sender/receiver unlinkability is not provided. The used WebRTC technology limits UDP/TCP listen sockets. Browser constraints mean WebRTC offers a severely limited experience. For instance, the state of the art in UDP NAT traversal using the neighbor-invite method (beyond STUN/TURN) is not possible.

Rant Disclaimer: As an academic working on a real deployed zero-server P2P technology for 7 years, these sorts of claims are a bit upsetting. Zero-server file sharing systems, with a proven effective spam/pollution prevention mechanism have been proven to be extremely difficult to build. (e.g. no-spam version of Kazaa, Gnutella) See, https://torrentfreak.com/tribler-makes-bittorrent-impossible... Tribler research group created an upcoming IETF Internet Standard on sharing/streaming which features integrated NAT/firewall puncturing (IETF PPSP work). Compliant IETF PPSP implementations are capable of doing HD-quality streaming, both on-demand and live streaming: https://datatracker.ietf.org/doc/draft-ietf-ppsp-peer-protoc...

Sorry for the misleading title. By serverless I meant direct browser to browser file transfer with no server in between. Files are transferred directly. We need the HTTP Server to host the static webpage which facilitates the bridge. After all, it's a browser-based solution; you need a page to visit. :) Services like Dropbox can be used to host the static files and everyone can set up their own file transfer service. With services like WebDHT coming up each of these shares can communicate.

Just read about Tribler, it sounds really interesting. All the best with it.

This, Tribler and countless other solutions will make the internet what it was meant to be, a decentralized, fault-tolerant network for information exchange. Thanks!

Indeed interesting demo of browser-to-browser downloading, very light. Anybody can start a Napster-style service: it only needs a webserver+JavaScript (or trust a tamper-free copy). WebDHT is fascinating, is it leeching off a KAD overlay or can they also fully serve all incoming requests? (due to listen socket limit)

WebRTC defines an FTP-like 1-to-1 transfer. Would BitTorrent-like swarming be possible in WebP2P?

That's something clients will have to implement. That is, the JavaScript needs to split files into chunks and download from peers.
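
Added example, not part of the thread or of either project's code: one way the client-side chunking described above can work when chunks come from several untrusted peers, with every chunk checked against a SHA-256 manifest before it is accepted. The manifest, the in-memory peer objects and their `getChunk` method are assumptions made for this illustration; it runs under Node.js.

```javascript
// Added illustration (Node.js). Peers are constructed in-memory objects.
const { createHash } = require('node:crypto');
const sha256 = (buf) => createHash('sha256').update(buf).digest('hex');

// Split the file into fixed-size chunks and record each chunk's hash.
// Assumption: the downloader gets this manifest from a source it trusts.
function buildManifest(file, chunkSize) {
  const hashes = [];
  for (let off = 0; off < file.length; off += chunkSize) {
    hashes.push(sha256(file.subarray(off, off + chunkSize)));
  }
  return { chunkSize, hashes };
}

// Fetch chunk i starting at peer i (round-robin) and fall back to the next
// peer whenever the returned bytes do not match the manifest hash.
function download(manifest, peers) {
  const parts = [];
  const rejected = [];
  manifest.hashes.forEach((expected, i) => {
    let accepted = null;
    for (let k = 0; k < peers.length && accepted === null; k++) {
      const peer = peers[(i + k) % peers.length];
      const chunk = peer.getChunk(i, manifest.chunkSize);
      if (sha256(chunk) === expected) accepted = chunk;
      else rejected.push({ chunk: i, peer: peer.name });
    }
    if (accepted === null) throw new Error(`no peer served a valid chunk ${i}`);
    parts.push(accepted);
  });
  return { file: Buffer.concat(parts), rejected };
}

// Constructed sample peer; `tamper` flips a byte to model a polluting peer.
function makePeer(name, file, tamper = false) {
  return {
    name,
    getChunk(i, size) {
      const chunk = Buffer.from(file.subarray(i * size, (i + 1) * size));
      if (tamper) chunk[0] ^= 0xff;
      return chunk;
    },
  };
}

const SAMPLE = Buffer.from('constructed sample file contents for the swarm demo');
function demo() {
  const peers = [makePeer('honest-a', SAMPLE), makePeer('polluter', SAMPLE, true),
    makePeer('honest-b', SAMPLE)];
  return download(buildManifest(SAMPLE, 16), peers);
}
```

`demo()` reassembles the sample file intact and reports the one chunk the tampering peer served, which was refetched from the next peer.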

Does that mean the HTTP server is like a tracker / UDP hole puncher?

Strictly speaking, PPSP is a swarm transport protocol ("give me that data over IP, UDP or what have you, use any source available"). I mean, "sharing" is a concept unrelated to the TCP/IP stack thus PPSP is not a sharing standard.

For example, it is easy to imagine HTTP over PPSP (instead of TCP) -- which is essentially a serverless Web.

Serverless web... "use any source available".. Wow, feel free to share the code of that with us. Would be quite powerful and draw HN interest IMHO.

By "any source available" I meant Sec 3.10. "Peer Address Exchange". HTTP over PPSP is a weekend project as long as we mean good old static HTML Web. By the way, what is the current public repo for TUD PPSP?

What's "neighbor invite" NAT traversal? This term doesn't resolve to anything on Google.

<p>This does not work optimally on this site because the following issues:</p><ul><li><b>It uses HTML tags in javascript alert boxes</b></li></ul>


This currently works only on the latest browsers; like Chrome 24 on the desktop. It's still not 100% stable. Stability and support for other platforms will soon arrive through browser updates and polyfills.

I am using Chrome 24 on the desktop. Not working.

Refreshing should make it work. There is a lot of JavaScript which takes time to load up.

It's not working for me, chrome is giving 404 errors when selecting a directory. Chrome 24 on Linux. If this works, it'll be fantastic, great job!

Not working on Chrome 25 either

Not working with Chrome 26 ...

Chrome v26 has native DataChannels, but I didn't have time to update my polyfill and also it gave me problems the last time I tried it, so I'm waiting until it gets out of Canary.

Yes: I developed DataChannel-polyfill, the first working implementation of the DataChannels specification, too... :-)

It's based on code from my ShareIt! project (http://github.com/piranna/ShareIt) and both are interoperable thanks to my WebP2P protocol :-)

Can the WebP2P protocol be used for BitTorrent, too, like instead of that Torque thing they have?

Someone else made a browser-based BitTorrent-client, http://hcliff.github.com/ampere/

Which, apparently, is based on this code by piranna.

WHAT?!?!?!?!! It's the first news I have about that, I don't know whether to be happy about it or angry that nobody told me... :-P

I just spotted it on the Clojure subreddit a few days back: http://www.reddit.com/r/Clojure/comments/16r9ym/my_clojuresc...

That's the plan :D. WebDHT is what we need to actually replace bittorrents.

that is exciting! :)

Awesome work piranna :D

Isn't the browser supposed to stop pages from making connections to machines other than the server they were downloaded from?

Has that requirement been dropped? Or does this do something strange to get around it?

I strongly suspect they are using something built on WebRTC.

Welcome to the world of impossibilities with WebRTC. http://en.wikipedia.org/wiki/WebRTC

Hummm. I've found that same-origin policy annoying on occasion but always assumed it was there for good reason and that it was important my browser couldn't just open sockets to any old machine.

Was I wrong? Was that not important? Did I go through all that pain for nothing?

Does this WebRTC thing have an on/off switch?

WebRTC is for Real-time communication between browsers. Same-origin policy applies to communication between browser and the server.


There are ways to turn it off on your browser, but why would you? :). The tech is yours to be used.

> The tech is yours to be used.

Well, the tech is for every website to be used, as a visitor to the site that may or may not benefit me. I think that was the reason for the same-origin policy and is probably the source of concern of the OP.

Personally, I use NoScript and RequestPolicy to deal with it. After all, just because JavaScript exists does not mean I want any random website to execute arbitrary code on my machine (especially not with WebRTC).

The user decides what he intends to share. His files, his webcam, his printers, etc.

Experience has shown that many users just grant such access when prompted, without thinking about it.

Prompts like that also do absolutely nothing to stop malicious use, hidden under a facade of legitimacy. For example, somebody could put together a demo purportedly showing "serverless pure JavaScript P2P file sharing in the browser" solely to trick people into using something harmful. (I'm not saying that's necessarily going on here, of course.)

Looks like the future of file sharing. Just waiting for the day when all the browsers would start supporting it.


It works on most browsers

this is exciting. Only Chrome24 supports it, but sooner all browsers will.

I'm running Chrome 24.0.1312.56, on Mac OS X 10.8.2, yet I still get the alert about unsupported browsers...

I also sometimes face the same issue on the same configuration. It seems Chrome sessions don't always get support for IndexedDB. Try refreshing.

Why is everyone thinking about torrenting in browsers? I want a service where I can select a sensitive file, give my associate a link, and have that file transferred between our two computers without ever reaching an intermediate server.

Does anyone know of a service like that, easy enough for my father to use?

This does exactly this as of now.

Great, I'll give it a go soon. I had a look but it can only share folders, not a single file. Otherwise, a very useful service!

EDIT: And it's all static HTML, fantastic! I just hosted it on my server, although there doesn't seem to be much of a reason to do that, since it's all static! Thanks a lot for this.

I worked REALLY HARD to make it all static HTML and JavaScript, and I'm still working hard to remove the handshake servers... Any help here will be greatly welcome :-)

Hmm, who runs the handshake servers, and how can you remove them? Unfortunately I haven't managed to get the app to run, but it sounds fantastic in theory...

Currently I'm using PubNub as a "pool of peers", where a new peer connects and sends a "presence" message that's listened to by the previous peers, which then send an SDP offer to that new guy. Later, it keeps waiting some time sending offers to the new guys, and when it has several connections (from older and newer peers) it disconnects and starts to search for new peers only over the WebP2P network.

Ideally, I would like to use something more "agnostic" like SIP or XMPP, but I haven't been able yet to do it in an anonymous way, since both protocols require you to create accounts somewhere, and later when you register on a SIP or XMPP server it asks to confirm that you exist, so goodbye anonymity :-(
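
Added example, not ShareIt!/WebP2P code and not part of the thread: a synchronous simulation of the "pool of peers" handshake described above, showing who ends up linked to whom and what the handshake service gets to observe along the way. `Bus` is a hypothetical in-memory stand-in for the hosted pub/sub service, the shared-channel delivery and the `maxLinks` threshold are assumptions, and the SDP strings are placeholders.

```javascript
// Added illustration. Bus is a hypothetical in-memory stand-in for the hosted
// pub/sub service; the SDP strings are placeholders, not real descriptions.
class Bus {
  constructor() { this.subs = new Map(); this.log = []; }
  subscribe(id, handler) { this.subs.set(id, handler); }
  unsubscribe(id) { this.subs.delete(id); }
  publish(msg) {
    this.log.push(msg); // everything the handshake service gets to observe
    for (const [id, handler] of [...this.subs]) {
      if (id !== msg.from && this.subs.has(id)) handler(msg);
    }
  }
}

class Peer {
  constructor(id, bus, maxLinks) {
    Object.assign(this, { id, bus, maxLinks, links: new Set(), onBus: false });
  }
  join() {
    this.onBus = true;
    this.bus.subscribe(this.id, (m) => this.onMessage(m));
    this.bus.publish({ type: 'presence', from: this.id });
  }
  onMessage(m) {
    if (m.type === 'presence') { // an older peer offers to the newcomer
      this.send('offer', m.from);
    } else if (m.to === this.id && m.type === 'offer') {
      this.send('answer', m.from);
      this.link(m.from);
    } else if (m.to === this.id && m.type === 'answer') {
      this.link(m.from);
    }
  }
  send(type, to) {
    this.bus.publish({ type, from: this.id, to, sdp: `${type}-sdp-of-${this.id}` });
  }
  link(other) {
    this.links.add(other);
    if (this.onBus && this.links.size >= this.maxLinks) {
      this.onBus = false;
      this.bus.unsubscribe(this.id); // enough links: leave the handshake service
    }
  }
}

function simulate(count, maxLinks) {
  const bus = new Bus();
  const peers = Array.from({ length: count }, (_, i) => new Peer(`peer${i}`, bus, maxLinks));
  peers.forEach((p) => p.join());
  return { bus, peers };
}
```

With `simulate(4, 2)` the first three peers mesh and leave the pool, so the fourth joins an empty pool and stays unconnected; `bus.log` holds every peer id and SDP that passed through the service.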

Hmm, it sounds like you're reimplementing Gnutella for the browser, which is not necessarily a bad thing!

I don't know how Gnutella works, but it's good to know! :-)

EDIT: Ok, I have just read about Gnutella design on Wikipedia and although in the past I didn't understand anything (I never was too much into P2P programs since I had internet from neighbours' wifi...) now I can say that yes, both Gnutella and ShareIt!/WebP2P have a lot of things in common in their purposes and how they're designed, although just by serendipity :-P This definitely isn't bad, since I'll be able to learn from their errors and also I would be able to propose to extend Gnutella to support DataChannels & HTTP as transport layer, so everybody wins :-D

I'd like to see this technology used to build a decentralized, uncensorable alternative to twitter or reddit.

That would have a far greater impact than yet another file-sharing system.

The architecture would basically be a flooding P2P network with measures against spamming (machine learning?).

Now that's an idea! The web as it should be - Uncensored!

Wouldn't this require each computer on any receiving end to process all of the incoming data in order to determine if it's spam or not?

All of it, no, only the data coming from peers. Peers would only repeat data if they consider it good.

Also, you could also select peers for the quality of the content they forward to you.

Is the data encrypted on the wire?

Files are transferred as blob. Encryption can be dropped in if required. :)

Encryption ought to be standard. Making it optional means most people won't use it.

Encryption without authentication is (mostly) useless, and authentication is application-specific, so mandating encryption would have little effect.

I thought the original post was an application.

Per spec DataChannels should use encryption by default, you must still encrypt all WebSocket or other traffic that goes via your server.

You are right. DataChannels are encrypted by spec, and WebSockets are also being ciphered. I've taken security and anonymity as far as I could (I'm not a security nor frontend guy... :-P )

What are the security implications of this?

If you're attributing, please make sure you spell people's names correctly:

> by @prianna

yet the link goes (correctly) to @piranna. It irks me to see people's names misspelled in attributions.

Fixed it.

This is a lot better, and works on most browsers: http://dropandload.com

I thought Javascript wasn't allowed to touch any files on the local filesystem?

This was made possible through File System API. http://www.html5rocks.com/en/tutorials/file/filesystem/

File API is the answer. http://www.w3.org/TR/FileAPI/

Great Hack Shirsendu. Once again, JavaScript Rocks!!!

not working in latest chrome?

