
People keep reinventing Magic Wormhole, and nobody has really done it better; most of them don't even reach parity.

https://github.com/magic-wormhole/magic-wormhole




But you have to have it installed. I could see this solution being useful for dealing with non-technical users.


There is a Web client at https://winden.app (although it uses different servers than the defaults in the Python CLI, the latter can be easily configured to use the same servers).

However, see further discussion in this article about the difficulties of Web / JavaScript security in this context (i.e. you're depending on the people operating the Web server to not serve different JS on each and every visit).


Haven't found anything better than croc, personally.

https://github.com/schollz/croc


Croc is an iteration of the magic wormhole design. Magic wormhole is more popular. Either is fine.


I know GitHub stars aren't a very accurate metric, but croc has roughly 8 thousand more GitHub stars than Magic Wormhole.


That's fascinating.


I meant to imply that croc is more popular than magic wormhole.


How secure is that, though?


Very. Much more secure (respectfully!) than this is.


I'm curious as to why you think that?

I only took a glance at their "why we built this" page, but it seems sound to me. Also, it seems to serve a different purpose to wormhole.

Wormhole allows you to easily and securely transfer files between two machines, if I understand correctly.

This is a convenient way to generate a public / private key pair and share your public key with someone encoded in a URL. In turn they can conveniently encrypt a short message using your public key which is also encoded in a URL for sending back over an insecure channel.

Being in the browser and having to trust it is not sending anything online, is not ideal. But on paper the concept seems pretty sound to me. I think it's a cool idea and can imagine it could come in useful.


> Being in the browser and having to trust it is not sending anything online, is not ideal. But on paper the concept seems pretty sound to me.

This seems contradictory. If the main thing that's useful is that it uses URLs/browsers, but using URLs/browsers breaks the security of the system, what part of it seems pretty sound?


I mean the concept of generating a private / public key pair and sharing a public key is pretty sound.

If your browser is compromised or can't be trusted then you have bigger problems.

But if we assume this site can be trusted not to send secrets online (which is easy to verify) and they are not rolling their own crypto primitives in javascript, then the idea is pretty sound imo.

Personally I would use gpg or openssl for this, but it's not that easy for non-technical users.


> But if we assume this site can be trusted not to send secrets online (which is easy to verify)

This would require every sender and recipient to read and understand the JavaScript on every page load, because there’s no guarantee that the server is sending every request the same content. It is in fact not easy, especially for non-technical users.

If we’re just assuming the site is trustworthy, the public key crypto isn’t necessary. If the site isn’t trustworthy, the public key crypto isn’t secure, because the site is in a position to compromise the private keys.


Sorry, I got confused. I just looked back at old HN discussions, and it was Croc with the security issues, not Magic Wormhole.



