Hacker News
Show HN: File.io – Ephemeral file sharing (file.io)
155 points by ca98am79 on July 29, 2015 | 89 comments

I personally prefer file.pizza, especially considering it is an open source WebRTC implementation that doesn't persist the data via any middle man (https://github.com/kern/filepizza)

Thanks for sharing that, it is also very cool! I think the two projects have slightly different use cases though. Two things come to mind:

* Sender and Receiver must directly connect using file.pizza, revealing IP addresses to one another.
* Both users must be online at the same time with file.pizza, and be able to communicate in near real time to exchange the link.

More WebRTC p2p services like this:

https://reep.io/ https://rtccopy.com/

And my favorite,


similar is https://instant.io/ which is bit torrent but in the browser

Have you tried http://www.pizzatext.net?

Pastebin for binary files? By the look of things, clean and easy to use? Handy!

It's probably time to start thinking about ways to monetise this to pay for the hosting costs at least.

Also, have you talked to a lawyer yet? If this takes off and you keep it up long enough, inevitably you're going to get people using it for child porn, stolen credit card numbers, leaked classified documents, instructions on how to make home-made bombs etc and someday a relevant law enforcement agency is going to want to have a conversation about the content that Mr Smith sent to Mr Jones via your server. It's probably a good idea to get your legal position straight before that day rather than trying to do it after the fact. And yes, I do recommend talking to an actual lawyer. Internet commentary is not an adequate substitute for legal advice here.

Seems like a lot of the issues are mitigated by the file going away after the first download. Especially if there really are no logs or anything at that point.

I am not a lawyer™ but the creators should definitely consult one to 1) determine how much risk they are exposing themselves to and 2) determine a reasonable course of action to limit that risk exposure. The question is not on whether or not we believe something to be "legal" or "illegal" but whether or not some part of their service might draw the attention of a group large and angry enough that might try to make them prove something in front of a judge. This is the real danger to a small group of developers: the RIAA has many lawyers on retainer while the upfront cost of dealing with a lawsuit would bankrupt most individual developers.

> How did you get such a great domain name? From the awesome service at park.io

A little disingenuous since the domain was never listed on park.io and this site was made by the same company as park.io.

Makes me believe that they snatch up the best domains for themselves so people can't bid on them.

I've bought multiple domains from park.io before and had a good experience, but I was always worried about this.

Thanks for using park.io and I'm glad you had a good experience.

park.io doesn't just get domains from drop-catching when they expire. Sometimes we buy them from the previous owner directly. Also, not all sales go through the drop-catching/auction process, for example users can park their domains on park.io and set a "Buy it Now" price for their parked domain, so domains also sell in this way.

file.io was never listed because it never expired/dropped or went to auction. We bought it directly from the previous owner and it was parked on park.io. I have now used it for the service posted here. What you quoted above was said to advertise park.io, and I apologize if it is misleading.

So I assume "park.io" posted the domain for sale and gave the market ample time to buy the domain before snatching it up for them/your selves?

You buying it before posting it is no better than you drop-catching it.

you're free to buy the domains yourself? he bought it from the previous owner and has every right to use it as he sees fit, and in this case actually launched a useful service in place of just sitting on it.

park.io discloses that they buy some names for their own portfolio. Whether disclosure makes it appear less disingenuous is in the eye of the beholder.

In their FAQ, park.io writes that one of the reasons an expiring name might not be listed is "because we intend to order this domain for our own portfolio. We don't do this often, but every once in a while there is a domain we want for our own collection and so we do not list it on park.io."

I built this site and appreciate any feedback from the HN community

Nice service. You should consider a default expiration (a week?) to lighten the load, and an option for multiple downloads (?dl=3) so the first n get a copy or multiple tries if corrupted.

Also, you don't keep logs but what about your cloud provider? What guarantees can you make about them, and what responsibility do programmers have to explain the risks to the public? It seems wrong to say "anonymous and secure" without some qualifiers: you must use https, unencrypted files might be copied by the cloud provider, etc...

Thanks for the helpful feedback. Yes, I think a default expiration is a good idea and will be adding this. Others have asked about the ability for multiple downloads, so I am considering this.

I was using https://usetorpedo.com (similar service) before it shut down. Probably some lessons to be learned from them.

While I didn't use it super often, when I did want to use it, it was very valuable. Thanks for building this!

Maybe it failed because USE TOR -> PEDO :)

Lol at the downvotes. Not my fault that a privacy oriented filesharing service has a domain with the words use, tor, and pedo all in a row.

It doesn't add anything to the discussion. This isn't Reddit.

^ And that did?

Nice work.

Large files could become a problem, since any request causes the file to be deleted. There is no chance to retry. But this is the most secure way to handle file deletion.

You could offer an option that would delete the file after X% of bytes are downloaded.

I have been working on a simple server to do just this; I am calling it a nonce file server. I have been coming across times when I need to deliver a file once, and only once.

THANK YOU for giving this an api I can use from Curl.

https://curl.io/ has been doing that for a while. 20GB file size limit, deleted after 4 hours. I've used it here and there and it's useful for quick, temporary storage.

you are welcome, I am glad to have people using it - let me know if you have any feedback

In addition to the token returned, it'd be handy if it returned the full url as well.

Cute. Potentially useful. It would, of course, be a disaster for you if its use took off and you ended up handling a lot of illegal material, or even if it were enough of a success that you used a lot of bandwidth.

The oneshotness of it does mitigate that a bit. If someone wants to share material with N people they have to upload it N times, which rate-limits (ab)use.

What is the filesize limit? and is there any LESS time limit? like hrs? or days?

I think the file size limit is currently 500MB, but I may try to increase this at some point. There isn't any lower time limit than one day right now, but thanks for the feedback - it would be cool to have, so maybe I can add it soon

Time limits of a few minutes would be useful, but if you do that make sure you time from upload complete to download start and don't expire things in the middle of a download.

It's a very simple yet useful idea. It might be cool if you could specify your own link. That way you could tell someone in advance to check file.io/someLongRandomString in the future.

The link should be automatically copied to the clipboard upon creation IMO.

Unfortunately you can't reliably do that without Flash.

Very nice. Also very similar to https://transfer.sh/

tl;dr from the FAQ:

Q: "Why should I trust you?" A: "Because you should! We're good people! Honest!"

I'd love to trust a service like this, but there's no credible effort to actually establish that trust.

Don't trust. Use a client that adds an encryption layer on top of file.io.

Or just encrypt your files.

Now it says

> file.io is a project of humb.ly. It was created simply out of the joy of trying to build cool things on the internet, and we thought it may be useful for others. We take privacy very seriously and do not save any data once it has been deleted.

But going to humb.ly still doesn't really get me to trust you, there's not even any identifying info on that page. Two projects, one discontinued and one -- it seems -- novelty "religion".

It said that before, too — I was paraphrasing. "humb.ly" is a more trustable name than, say, "Megaupload", but they can say whatever they want.

What I want is some assurance like "The EFF has complete read-access to our platform and maintains a continuous independent audit of these services to verify that we comply with our own privacy assurances." The EFF is probably not the organization to do such a thing, but that's kind of what I'm looking for.

Humb.ly also makes park.io where the domain file.io is from.

So encrypt client-side?

I built a service for this a few years back - it encrypts and decrypts on each side, all in JS. It's pretty quick with web workers.


This is close to something I keep meaning to make.

It would be awesome if I could download the file without the password to verify that it's stored encrypted though.

That could be faked. The best way to ensure I'm not cheating is to watch the network requests and to look at the code (https://github.com/STRML/securesha.re-client/tree/master/jqu...).

You'll see the POST to the server going up encrypted, and the subsequent GET when you download the file coming down encrypted as a binary XHR.

Okay, but then the receiver has to know how to decrypt. Kind of narrows down who I can realistically send files to.

If you are that concerned about security you should be willing to deal with the effort of encrypting it client side and understanding how to also decrypt on the receiving side.

If paranoia is this high, why would a security policy text on a web page make any difference? They could claim anything they want, but you wouldn't have any idea if any actual encryption was happening, so best to do it yourself.

awesome - thanks!

I wrote a small shell script to make the upload process painless - (https://github.com/Prajjwal/dotfiles/blob/master/bin/fileio).

This is an extremely useful service, btw. I can see myself using this a lot. Kudos.

Although perhaps more constraining, why not use a website that uses WebRTC data channels to transfer the files? Then you can be more sure the data isn't persisting in a datacenter somewhere. Plus, it is more plausible that the service can remain free and private.

I did exactly what you're suggesting at: https://filesender.io

As you pointed out, it is a bit more constraining due to the support for WebRTC and users behind an SNAT, but I think for the majority of users it works well.

You should probably filter out .exe files otherwise Chrome and other websites might block you off.

It might be a bug (could be a feature?) but when I paste the link into Slack, Slack visits the link and then when a contact goes to download it, it's already been deleted.

Love the site though. Maybe it's not designed for sharing files over services like Slack.

1. Nice implementation of a potentially useful micro service.
2. Nice domain name.
3. You should put more details in your FAQ like "no, this is not guaranteed to be a perfect technical solution" and "we'll happily work with law enforcement if you're a pedophile".
4. I always look down on services that don't have an immediate and obvious way of making money, as it'll likely be gone tomorrow.
5. MVPs are all well and good, but a few more simple features wouldn't hurt: time-based expiration, multiple downloads allowed and passwords, or whatever else seems simple and useful.

Data remanence is a really hard problem. Are you sure this lives up to your claims that "the file is completely deleted without a trace"? How are you storing them? Do they ever hit e.g. an SSD in plaintext?

Claims are irrelevant, data breaches happen all the time.

If you are concerned about the confidentiality of a file then use encryption or don't upload it to the internet.

"Also, no illegal files are allowed."

Is this a "(our lawyers made us put this in)" sentence?

It's not like there is a .ilgl file type, and with 1 time downloads DMCA takedowns are unlikely.

Do you think that it makes sense for a new ephemeral files hosting site to signal that it accepts child porn on its servers, in a jurisdiction where child porn is completely illegal and can potentially get the creators of the site onto a sex offender list? Is that wise? Why are we punishing people for being careful about this?

CYA language on a FAQ is not prevention. I am guessing that they are not performing heuristic analysis of uploaded files against NCMEC databases.

Is the NCMEC hashset even publicly available? Last time I checked you have to "partner" with them in order to possibly get a copy.

Personally I use http://filebin.net/ which has nice and simple looks and uses Drag & Drop for easy uploading. Source available at : https://github.com/espebra/filebin

It is made in Flask and is licensed in AGPL.

Project comes with Vagrant and Puppet-files for easy deploy!

Is drag & drop really easier than just selecting a file from a dialog box? Almost every modern file uploading service has it, but I've never really found it useful. I've always thought of it as a feature that people enable "just because they can."

As a developer, it's pretty rare for me to have the folder containing the file I'd like to upload already open in an Explorer/Finder/whatever window. (I'm more likely to have it open in a terminal.) So it will take exactly the same amount of work for me to navigate to the folder in a dialog box as in an Explorer window.

Even if I happen to have the folder open in Explorer, it's a hassle to move, resize, or otherwise organize my non-tiled windows so that both the file I'd like to drag and the space where I need to drop it are visible at the same time. Larger or multiple screens won't help, as I'll just clutter them up with more windows. I could drag to the taskbar to bring the browser to the foreground, but again that's the kind of hassle that I won't need to incur if I just used the dialog box.

For ordinary people with small-screened laptops and tablets, I assume it will be even harder to keep two apps open in a way so as to enable drag & drop, especially since a lot of people just maximize every window. (Can't blame them when they're stuck with 1366x768 screens and/or platforms that encourage fullscreen apps.)

I love drag & drop with Trello, especially when dragging Skitch screen shots. You don't even have to save the file.

Ha - have you tried dragging a file into the "upload" button on file.io? It works!

Something similar I made a while back for those interested in hosting their own file-upload service via S3. You can configure S3's object expiration to delete/expire files after a set amount of days.

I still use it today for sending files here and there. :)

https://github.com/alfg/dropdot - Source with demo.

Maybe tangential, but I find myself reminded of an article/blog entry a year or more ago that talked about how the ISPs and big media were to blame for why we still don't have simple, practical ways of transferring files across the net.

Sadly I didn't bookmark it at the time, and I would like to revisit it and check some of the details.

Isn't https://curl.io/ the same thing?

No privacy policy, no technical details on how the files are stored / "securely deleted" / etc., no definition of what "illegal" means (i.e. which national/state/provincial/local/etc. jurisdiction is relevant for this site). Looks cool, but I'm certainly not touching this without client-side encryption until those missing things are made not-missing.

Don't try to share the link via Facebook though - Facebook will visit the URL and gone is the file.

Not sure if OP is listening, but I had this same problem and SO had a simple solution.


yes, thank you - this will be fixed sometime soon

Facebook is one, Slack (mentioned by someone else) is another, Yahoo Mail, Microsoft...

Does anyone know of a listing of these bots that attempt to preview links? From what I've seen, these bots tend to ignore robots.txt since they are not crawlers, so seemingly need to be handled one by one.

This should be fixed
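
As an added illustration of the link-preview problem raised in this thread (Slack and Facebook fetching the URL and consuming the file) and of the earlier point about timing expiry from upload complete to download start, here is one possible server-side design. It is not file.io's code or any commenter's; `OneShotStore`, `peek`, `claim` and `handle` are hypothetical names, and it assumes preview bots only issue GET or HEAD, so only an explicit POST consumes the file.

```python
import secrets
import threading
import time


class OneShotStore:
    """In-memory one-download store (illustrative names, not file.io's)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._lock = threading.Lock()
        self._files = {}  # token -> (data, deadline)

    def put(self, data, ttl_seconds):
        # Called once the upload is complete, so the TTL clock starts here.
        token = secrets.token_urlsafe(16)
        with self._lock:
            self._files[token] = (data, self._clock() + ttl_seconds)
        return token

    def _live(self, token):
        # Caller holds the lock. Drops the entry if its deadline has passed.
        entry = self._files.get(token)
        if entry is not None and self._clock() >= entry[1]:
            del self._files[token]
            entry = None
        return entry

    def peek(self, token):
        # Safe operation: reports the size only and never consumes the file.
        with self._lock:
            entry = self._live(token)
            return None if entry is None else len(entry[0])

    def claim(self, token):
        # Unsafe operation: atomically removes the entry at download start.
        # The caller then owns the bytes, so expiry cannot cut the transfer.
        with self._lock:
            entry = self._live(token)
            if entry is None:
                return None
            del self._files[token]
            return entry[0]


def handle(store, method, token):
    """GET/HEAD act as previews; only POST performs the one-time download."""
    if method in ("GET", "HEAD"):
        size = store.peek(token)
        if size is None:
            return 404, b""
        body = b"" if method == "HEAD" else b"confirm download of %d bytes" % size
        return 200, body
    if method == "POST":
        data = store.claim(token)
        return (404, b"") if data is None else (200, data)
    return 405, b""
```

With this split a command-line client has to send the POST explicitly, which is the trade-off for not having to recognise each preview bot individually.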

Do you store the IP of the uploader and downloader? If you don't you're going to want to.

>If you don't you're going to want to


If authorities ask you/demand with a court order "who uploaded this file" you can hand out his IP. I also believe (haven't checked this one) you must retain a copy of all files for a short period of time even if they are inaccessible to end users.

You can't provide information that you don't have. Keeping no logs is the best default practice from a legal and privacy perspective.

Privacy yes, but legal? If you operate a website/ service that may be used for illegal purposes then I think you need to be able to track down illegal activities.

The US actually does not have any kind of legally mandated data retention for internet services. If you do not log the data, you cannot be compelled to turn it over.




This is a nice service and I like these kinds of microservices, but I miss security here. I think you should consider some integration with services such as metascan-online.com (I work for the company that is creating this), or other services for file scans. I always try to answer the following question with services like this:

How can I know, that there is no malware in the shared file?

Very nice, no sign up, no nonsense.

Love this service -- beautiful site, simple docs, simple API, great concept.

Well I guess I now know who bought the file.io domain name...

Add a privacy policy

Where's the source?

good luck hosting this. Are you blocking any filetypes?

From the username I noticed the creator is also the owner of http://park.io --- a cool domain dropcatching service for .io, .ly, .to, and .me domains.

The one time I had a support request it was dealt with promptly by the founder himself.

Be careful though --- I got the bright idea to be an amateur domain speculator... So far I've spent a cool $1000 on 10 domain names and am now discovering flipping them is harder than I thought!

Shameless self-plug for anyone who might be interested in my portfolio: http://cerebral.io

haha, thanks for using park.io! I'm glad you were pleased with the support, it is important to me. Best of luck selling the domains - you have some nice ones
