📝 Correction | rework the file-sharing site

[DJCrashdummy]

Description

well... this issue is a mixture of a correction and a kind of suggestion: how about differnciating between file-sharing tools using 3rd-party services resp. servers and them who are not.

Why I am making the suggestion

it makes a big difference if a 3rd party is involved and stores the data on its servers or not... similar to messengers which are centralized, federated or p2p.

IMHO tools like Snapdrop (LAN-sharing with notifications) or ShareDrop (possibility to share files between different networks) are at leasst "worth mentioning" because i know a bunch of people who won't setup neither wormhole nor OnionShare because of convenience and so still use unencrypted mails or other "curious" services for quick file-sharing. i know, metadata are leaked, but IMHO it is still better than handing over the files itself to a 3rd party.

My connection with the software

none... i'm just a FOSS- and privacy-enthusiast.

• [x] I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.

btw

what is FreedomBox doing at this site? on the one hand with FreedomBox itself you can't share any file, but on the other hand it's much more than file-sharing and thus would fit anywhere.

what about a general self-hosting site and then also add things like YunoHost, Sandstorm and DPPM?

[lrq3000]

I have tested ShareDrop, and although it's very easy to use, it has some limitations.

First, it's only fully compatible with Chrome browser, and only partially with Firefox (depending on the network configuration, the Firefox browser may not send notifications).

Secondly, it has an unclear file size limit. The limit is not hard coded, but if the file is too big, it's not going to be transmitted fully. Magic Wormhole and the other solutions provided on PTIO are much more reliable in my experience.

I don't know about Snapdrop, it looks quite promising, but if it's limited to sharing with LAN it's a big limitation.

[DJCrashdummy]

it's only fully compatible with Chrome browser, and only partially with Firefox (depending on the network configuration, the Firefox browser may not send notifications).

well... on firefox webrtc implementation is worked on right now, so perhaps it will get better with the next releases.

Magic Wormhole and the other solutions provided on PTIO are much more reliable in my experience.

i would expect this from them as they are designed for file-sharing... but a simple browser-upload not really.

i never suggested, that even one of them is better at any nuance than the solutions provided on PTIO, thus i just suggested them to be only woth mentioning (the smaller section below)... because they are still better than unencrypted mails or messengers for quick file-sharing if someone just needs it once in a while and/or doesn't want to install an extra software.

[ThracianKnight1907]

While tools like snapdrop.net are limited, there are use cases for them. For example, I have a linux laptop and an ipad. I can't use itunes to transfer files since it doesn't have a linux version (and it doesn't work on wine) so I use snapdrop for transfering files between the two devices. Or even android to ipad &vice-versa. It's more convenient than using cloud or firefox send.

[lrq3000]

So here is an updated opinion on sharedrop and snapdrop:

• snapdrop is limited to LAN sharing at the moment. Although this may change in the future, for the moment this limitation means for me that snapdrop should not be added for now in PTIO, because all other tools work over the internet, which is the harder and most useful service such a tool can provide IMO. Indeed, there are lots of LAN file sharing tools, and PTIO doesn't list them. But there are only a handful of internet file sharing tool that are open-source.
• sharedrop can work over internet as I have tested myself, but as I wrote above there are unclear technical limitations, but they are not that big of a deal for a "worth mentioning". However, the bigger issue for me is that security is unclear. Indeed, there is no details about the encryption of files during the transfert. However, the server is not used for file sharing, only for initiating the file transfert between devices, and the connection to the website is encrypted using HTTPS for all devices, so it may be fine, but I would prefer a confirmation by someone more knowledgeable (or the devs, but sharedrop is not maintained since a year it seems).

So IMHO if someone can confirm that the security of file sharing with sharedrop is OK, I would support adding it in Worth Mentioning.

[DJCrashdummy]

ok... the LAN/internet argument sounds reasonable.

regarding encryption: (i'm not a security researcher, but) IIRC these tools use WebRTC. and transport encryption in WebRTC is mandatory, so either DTLS or SRTP is used for the files... and because it uses P2P connections, it's kind of de-facto E2EE. the only data which gets to the server are data used to establish the P2P connection. so beside the IP address, the time and the browsers fingerprint could be collected... which i highly doubt (look at the source). ...and btw: all these data may even be collected by any other website you are surfing.

[lrq3000]

Thank you for the clarification, this makes sense. According to Snapdrop's readme, it uses both WebRTC and a fallback to Websockets to support more devices and browsers (so is websockets as secure?), whereas Sharedrop uses WebRTC only.

If noone raises an objection, i will make a PR to add Sharedrop in Worth Mentioning :-)

Le mar. 26 mai 2020 à 09:26, DJCrashdummy notifications@github.com a écrit :

ok... the LAN/internet argument sounds reasonable.

regarding encryption: (i'm not a security researcher, but) IIRC these tools use WebRTC. and transport encryption in WebRTC is mandatory, so either DTLS https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security or SRTP https://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol is used for the files... and because it uses P2P connections, it's de-facto E2EE. the only data which gets to the server are data used to establish the P2P connection. so beside the IP address, the time and the browsers fingerprint could be collected... which i highly doubt (look at the source). ...and btw: all these data may even be collected by any other website you are surfing.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/privacytools/privacytools.io/issues/1828#issuecomment-633857208, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAIRFXQ5U7JM3DAAPQZJDYDRTNVK5ANCNFSM4MG3TX4A .

[DJCrashdummy]

so is websockets as secure?

well, you can compare WebSocket with HTTP: it can be unencrypted (ws:) and TLS-encrypted (wss:)... so i hope and guess Snapdrop uses wss: for file transfer in case of a fallback.

[lrq3000]

Ah great thank you, that will be something to consider when (if?) snapdrop implements support for sharing over internet.

[lrq3000]

Sorry for the delay, I forgot to make a PR! It's now done :-)

BTW, ShareDrop now added an introductory dialog box on first connection to explain how to use it and also its security, which clears up any doubt:

Security ShareDrop uses a secure and encrypted peer-to-peer connection to transfer information about the file (its name and size) and file data itself. This means that this data is never transfered through any intermediate server but directly between the sender and recipient devices. To achieve this, ShareDrop uses a technology called WebRTC (Web Real-Time Communication), which is provided natively by browsers. You can read more about WebRTC security here.

Also SnapDrop may allow transfers through internet in the future.