Skip to content
This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

📝 Correction | rework the file-sharing site #1828

Open
1 task done
DJCrashdummy opened this issue Apr 13, 2020 · 9 comments · May be fixed by #2326
Open
1 task done

📝 Correction | rework the file-sharing site #1828

DJCrashdummy opened this issue Apr 13, 2020 · 9 comments · May be fixed by #2326
Labels

Comments

@DJCrashdummy
Copy link

Description

well... this issue is a mixture of a correction and a kind of suggestion:
how about differnciating between file-sharing tools using 3rd-party services resp. servers and them who are not.

Why I am making the suggestion

it makes a big difference if a 3rd party is involved and stores the data on its servers or not... similar to messengers which are centralized, federated or p2p.

IMHO tools like Snapdrop (LAN-sharing with notifications) or ShareDrop (possibility to share files between different networks) are at leasst "worth mentioning" because i know a bunch of people who won't setup neither wormhole nor OnionShare because of convenience and so still use unencrypted mails or other "curious" services for quick file-sharing.
i know, metadata are leaked, but IMHO it is still better than handing over the files itself to a 3rd party.

My connection with the software

none... i'm just a FOSS- and privacy-enthusiast.

  • I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.

btw

what is FreedomBox doing at this site? on the one hand with FreedomBox itself you can't share any file, but on the other hand it's much more than file-sharing and thus would fit anywhere.

what about a general self-hosting site and then also add things like YunoHost, Sandstorm and DPPM?

@DJCrashdummy DJCrashdummy added the 📝 correction Correction of content on the website label Apr 13, 2020
@lrq3000
Copy link
Contributor

lrq3000 commented Apr 15, 2020

I have tested ShareDrop, and although it's very easy to use, it has some limitations.

First, it's only fully compatible with Chrome browser, and only partially with Firefox (depending on the network configuration, the Firefox browser may not send notifications).

Secondly, it has an unclear file size limit. The limit is not hard coded, but if the file is too big, it's not going to be transmitted fully. Magic Wormhole and the other solutions provided on PTIO are much more reliable in my experience.

I don't know about Snapdrop, it looks quite promising, but if it's limited to sharing with LAN it's a big limitation.

@DJCrashdummy
Copy link
Author

it's only fully compatible with Chrome browser, and only partially with Firefox (depending on the network configuration, the Firefox browser may not send notifications).

well... on firefox webrtc implementation is worked on right now, so perhaps it will get better with the next releases.

Magic Wormhole and the other solutions provided on PTIO are much more reliable in my experience.

i would expect this from them as they are designed for file-sharing... but a simple browser-upload not really.

i never suggested, that even one of them is better at any nuance than the solutions provided on PTIO, thus i just suggested them to be only woth mentioning (the smaller section below)... because they are still better than unencrypted mails or messengers for quick file-sharing if someone just needs it once in a while and/or doesn't want to install an extra software.

@ThracianKnight1907
Copy link

While tools like snapdrop.net are limited, there are use cases for them. For example, I have a linux laptop and an ipad. I can't use itunes to transfer files since it doesn't have a linux version (and it doesn't work on wine) so I use snapdrop for transfering files between the two devices. Or even android to ipad &vice-versa. It's more convenient than using cloud or firefox send.

@lrq3000
Copy link
Contributor

lrq3000 commented May 25, 2020

So here is an updated opinion on sharedrop and snapdrop:

  • snapdrop is limited to LAN sharing at the moment. Although this may change in the future, for the moment this limitation means for me that snapdrop should not be added for now in PTIO, because all other tools work over the internet, which is the harder and most useful service such a tool can provide IMO. Indeed, there are lots of LAN file sharing tools, and PTIO doesn't list them. But there are only a handful of internet file sharing tool that are open-source.
  • sharedrop can work over internet as I have tested myself, but as I wrote above there are unclear technical limitations, but they are not that big of a deal for a "worth mentioning". However, the bigger issue for me is that security is unclear. Indeed, there is no details about the encryption of files during the transfert. However, the server is not used for file sharing, only for initiating the file transfert between devices, and the connection to the website is encrypted using HTTPS for all devices, so it may be fine, but I would prefer a confirmation by someone more knowledgeable (or the devs, but sharedrop is not maintained since a year it seems).

So IMHO if someone can confirm that the security of file sharing with sharedrop is OK, I would support adding it in Worth Mentioning.

@DJCrashdummy
Copy link
Author

DJCrashdummy commented May 26, 2020

ok... the LAN/internet argument sounds reasonable.

regarding encryption:
(i'm not a security researcher, but) IIRC these tools use WebRTC. and transport encryption in WebRTC is mandatory, so either DTLS or SRTP is used for the files... and because it uses P2P connections, it's kind of de-facto E2EE.
the only data which gets to the server are data used to establish the P2P connection. so beside the IP address, the time and the browsers fingerprint could be collected... which i highly doubt (look at the source).
...and btw: all these data may even be collected by any other website you are surfing.

@lrq3000
Copy link
Contributor

lrq3000 commented May 26, 2020 via email

@DJCrashdummy
Copy link
Author

so is websockets as secure?

well, you can compare WebSocket with HTTP: it can be unencrypted (ws:) and TLS-encrypted (wss:)... so i hope and guess Snapdrop uses wss: for file transfer in case of a fallback.

@lrq3000
Copy link
Contributor

lrq3000 commented May 26, 2020

Ah great thank you, that will be something to consider when (if?) snapdrop implements support for sharing over internet.

@lrq3000 lrq3000 linked a pull request Jun 2, 2021 that will close this issue
3 tasks
@lrq3000
Copy link
Contributor

lrq3000 commented Jun 2, 2021

Sorry for the delay, I forgot to make a PR! It's now done :-)

BTW, ShareDrop now added an introductory dialog box on first connection to explain how to use it and also its security, which clears up any doubt:

Security
ShareDrop uses a secure and encrypted peer-to-peer connection to transfer information about the file (its name and size) and file data itself. This means that this data is never transfered through any intermediate server but directly between the sender and recipient devices. To achieve this, ShareDrop uses a technology called WebRTC (Web Real-Time Communication), which is provided natively by browsers. You can read more about WebRTC security here.

Also SnapDrop may allow transfers through internet in the future.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants