back to article Wormhole encrypted file transfer app reboots Firefox Send after Mozilla fled

Earlier this month, a startup called Socket, Inc., launched Wormhole, a web app for encrypting files and making them available to those who receive the URL-embedded encryption key, without exposing the files to the cloud-based intermediary handling the transfer. That may sound a bit like what Mozilla tried to do with Firefox …

  1. sbt Silver badge
    Paris Hilton

    Could be adaptable to self-hosting, maybe?

    If the encryption/decryption is done on the client side, then I would assume it could be hosted from another domain with a simple upload API. Be interesting to see what licence they open access to the source under.

    Looking at their homepage, they're not just betting on JavaScript, but also WebAssembly. Assembly! The snake has eaten itself.

    1. Snake Silver badge

      It won't last

      Any person who invests interest in this product seriously needs to investigate, and actively lobby for if necessary, the self-hosting solution you mention.

      This web app uploads your encrypted file to Socket's servers. The app is free to the user.

      But what's in it for Socket? Exactly how are they going to cover the ongoing costs of the web hosting space they are giving away?

      This project won't last; sooner or later the project must amortize the costs. Either the project will fold or they'll start charging customers when they use the product; either way, that final result won't be popular.

      Start the clock, folks.

  2. Esme

    When did that happen?

    "The web is safe, accessible, easy to use...."

    Safe? Not sure I'd agree with that. As for accessible and easy to use, it CAN be, but media twonks all too often seem intent on making it slow and inaccessible by creating "multimedia experiences" with obscure interfaces (though I'll gratn you, I have encountered a few sites that have managed to include stunning moving graphical elements in an easy to use site that doesn't take all day to load, but in my experience, they still seem to be in a small minority).

    Anyway, I like the idea, I wish tem luck, and hope they can get it to work well, but colour me sceptical for now...

  3. Anonymous Coward
    Anonymous Coward

    CPU usage

    Why does clicking on https://wormhole.app/ put my 4 core i5 into a stress test?!?

    Before even uploading anything.

    This is using Firefox 87.0

    1. sbt Silver badge
      Pirate

      Re: CPU usage

      Noticed similar CPU behaviour. Hope there's not a cryptominer lurking within all that WebPack'd js.

      Firefox 78.9.0esr.

    2. TonyJ Silver badge

      Re: CPU usage

      "...Why does clicking on https://wormhole.app/ put my 4 core i5 into a stress test?!?

      Before even uploading anything.

      This is using Firefox 87.0..."

      Christ you're not wrong - it adds a good 30% CPU load to my quad core i7-9750H CPU.

      Hmm second time of launching was more in the 10% range but still...

    3. Anonymous Coward
      Anonymous Coward

      Re: CPU usage

      Did you spot the words "peer to peer" in the article?

      Could that be relevant?

      It probably takes a lot of processing time to look at the whole Interweb to see if anyone else wants to talk Wormhole.

      1. doublelayer Silver badge

        Re: CPU usage

        It's not scanning the whole internet. At most, it just has to advertise its availability to the server which can connect it to the other machine. Machines which have not contacted the server need not be scanned. Machines which don't have a connection established also need not be scanned. That cuts out nearly all of the internet, and it is only necessary to check on the computers involved in the transfer, so that's probably 2 though could be 3-8 theoretically. That doesn't explain the CPU usage.

        1. sbt Silver badge
          Alert

          Re: CPU usage

          Yes. Also bear in mind the original CPU complaint was just in connecting to the homepage; observed here as well. No file, network or encryption transactions on foot just to show the home page, unless and until you interact with it by loading up a file or folder.

          I agree with the other posters blaming the wormhole animation.

    4. Anonymous Coward
      Anonymous Coward

      Re: CPU usage

      Two words: Web Assembly...

    5. Anonymous Coward
      Anonymous Coward

      Re: CPU usage

      Switching to a different tab immediately stops the behaviour.

      Same in Chrome.

    6. Demmers

      Re: CPU usage

      Same for me, Firefox 87. Firefox isn't detecting anything in the background, but I can instantly tell what it is. That pointless moving background picture.

    7. cornetman Silver badge

      Re: CPU usage

      Might be the rendering of that irritating rotating background image perhaps.

      Not sure why anyone thought that was a good idea.

    8. Belperite
      FAIL

      Re: CPU usage

      100% it's the stupid background, generated via CSS. Disabling it in the inspector returns CPU to normal levels.

      1. Claptrap314 Silver badge
        Flame

        Re: CPU usage

        To be clear--this demonstrates that these people are NOT concerned in the least about the end user. Stay away.

  4. Anonymous Coward
    Anonymous Coward

    There's an android client

    It's not just web, there's an android client.

  5. CrackedNoggin

    What permissions does it require?

    1. doublelayer Silver badge

      The Android client requires full network access, prevent device from sleeping, and write to storage permissions. All of those make sense to me. A report using the Exodus privacy scanner for Android apps on that client can be read here.

  6. Anonymous Coward
    Anonymous Coward

    Cue ...

    People emailing the URLs to each other, sending them in SMS or otherwise sharing them in plaintext. I mean - we do actually still have asymmetric cryptography, don't we? But the number of colleagues I've got who can send me a public key, or correctly use one I send them, seems to remain vanishingly small.

  7. ThatOne Silver badge
    Facepalm

    Danger, Will Robinson!

    > The web is safe

    I was rather liking what I was reading - till that. OMG. "The web is safe". Really. Apparently it wasn't a joke, he really meant it...

    So, if I'm kind, it's just another rainbow-unicorn developer with no connection to reality whatsoever. Only if I feel kind, because else he's an unscrupulous liar trying to peddle his favorite pipe dream no matter the consequences.

    Seriously, if the web is already safe, no need to add any security, isn't it. It is telling that the only security feature they mention is already feature creep: A transport app should do just that: Move files from A to B, not scan for viruses, update your Facebook page or walk the dog. Virus scanning is not their main job, and pretending it is done would give people a dangerous false sense of security. People need to always mistrust all and any file they get off the Internet, even from an official corporate source or a friend (even if it is entitled "Grandma's cutest cat videos").

    1. Spoonsinger
      Black Helicopters

      Re: Danger, Will Robinson!

      Was kind of visualizing Dustin Hoffman after the third tooth drilling "Yes, it's safe!"

  8. dan_the_man

    Isn't this just sync.com?

  9. Pascal Monett Silver badge

    So, the service is free, and a Pro plan is being thought of

    And you don't have ads, or tracking.

    VC money is not going to carry you to success, guys. You need to monetize this or you will die. 10GB free is too much, 1GB free is enough and will incite the people who need this to splurge on a paid plan.

  10. Wimmerke

    Nice potential... but also challenges...

    Very nice to see the transparency and the bug bounty startup. Demonstrating good practices.

    Concerning the client side, I believe WebAssembly would be a good bet as well...

    One principle of choice: Authentication, Authorization & Auditability which are key principles to achieve adequate governance and compliance in a business setting

    - Security by design: only relying on the URL to keep a file encrypted is not thé best choice (protecting the encryption secret)

    - Auditability: how to demonstrate who accessed the file (or unencrypted content)

    - Authentication: how do you know "who" is the person accessing the information (unauthenticated access by design on the platform)

    - Short lived links (24 hours) to enable download is perhaps short in a user to user or interactive setting, but a good mechanism to avoid brute force or unauthorized access

    1. doublelayer Silver badge

      Re: Nice potential... but also challenges...

      I think most of those features should probably be limited to their pro plan. Then again, a business can usually have a protected internal network through which files can be transferred. Still, individuals probably don't want most of those features and implementing them will take more resources. Since those are mostly for business users, it makes sense not to give them away.

  11. Francis

    Amused to see that the parent company website - socket.dev - cannot be visited because it has a self signed certificate and has HSTS enabled so you can't add an exception (or can't in firefox, I haven't tried with other browsers)

    Did Not Connect: Potential Security Issue

    Firefox detected a potential security threat and did not continue to socket.dev because this website requires a secure connection.

    socket.dev has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

    Learn more…

    socket.dev uses an invalid security certificate.

    The certificate is not trusted because it is self-signed.

    Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021