Wormhole encrypted file transfer app reboots Firefox Send after Mozilla fled

Earlier this month, a startup called Socket, Inc., launched Wormhole, a web app for encrypting files and making them available to those who receive the URL-embedded encryption key, without exposing the files to the cloud-based intermediary handling the transfer. That may sound a bit like what Mozilla tried to do with Firefox …
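An added example, not taken from the article or from Wormhole's code, of the scheme the summary describes: the file is encrypted before upload and the key travels only inside the link. It assumes the key is carried in the URL fragment (which HTTP clients do not send to the server) and uses AES-256-GCM from Node's crypto module; the host name, file id and function names are hypothetical.

```javascript
// Added illustration; NOT Wormhole's implementation. Names and layout are assumptions.
const nodeCrypto = require("node:crypto");

// Sender side: encrypt locally with a fresh random key, then build the share link.
function encryptForShare(plaintext, baseUrl, fileId) {
  const key = nodeCrypto.randomBytes(32); // AES-256 key, never uploaded
  const iv = nodeCrypto.randomBytes(12);  // 96-bit GCM nonce
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // Blob the intermediary stores: nonce || ciphertext || 16-byte auth tag.
  const upload = Buffer.concat([iv, body, cipher.getAuthTag()]);
  // Assumption: the key rides in the fragment, after '#'.
  const link = `${baseUrl}/${fileId}#${key.toString("base64url")}`;
  return { upload, link };
}

// What the server sees in the request line: path and query only, no fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient side: recover the key from the fragment and decrypt the download.
function decryptFromShare(link, upload) {
  const key = Buffer.from(new URL(link).hash.slice(1), "base64url");
  const iv = upload.subarray(0, 12);
  const tag = upload.subarray(upload.length - 16);
  const body = upload.subarray(12, upload.length - 16);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// True only when the holder of `link` can decrypt `upload`.
function canDecrypt(link, upload) {
  try {
    decryptFromShare(link, upload);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample input.
const sample = encryptForShare(Buffer.from("quarterly-report"), "https://files.example", "abc123");
console.log("server sees:", requestTarget(sample.link), "+", sample.upload.length, "opaque bytes");
console.log("recipient reads:", decryptFromShare(sample.link, sample.upload).toString());
```

Anyone who obtains the full link can decrypt the file, so the link itself is the secret and the channel used to share it matters.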

  1. sbt
    Paris Hilton

    Could be adaptable to self-hosting, maybe?

    If the encryption/decryption is done on the client side, then I would assume it could be hosted from another domain with a simple upload API. Be interesting to see what licence they open access to the source under.

    Looking at their homepage, they're not just betting on JavaScript, but also WebAssembly. Assembly! The snake has eaten itself.

    1. Snake Silver badge

      It won't last

      Any person who invests interest in this product seriously needs to investigate, and actively lobby for if necessary, the self-hosting solution you mention.

      This web app uploads your encrypted file to Socket's servers. The app is free to the user.

      But what's in it for Socket? Exactly how are they going to cover the ongoing costs of the web hosting space they are giving away?

      This project won't last; sooner or later the project must amortize the costs. Either the project will fold or they'll start charging customers when they use the product; either way, that final result won't be popular.

      Start the clock, folks.

  2. Anonymous Coward
    Anonymous Coward

    When did that happen?

    "The web is safe, accessible, easy to use...."

    Safe? Not sure I'd agree with that. As for accessible and easy to use, it CAN be, but media twonks all too often seem intent on making it slow and inaccessible by creating "multimedia experiences" with obscure interfaces (though I'll grant you, I have encountered a few sites that have managed to include stunning moving graphical elements in an easy to use site that doesn't take all day to load, but in my experience, they still seem to be in a small minority).

    Anyway, I like the idea, I wish them luck, and hope they can get it to work well, but colour me sceptical for now...

  3. Anonymous Coward
    Anonymous Coward

    CPU usage

    Why does clicking on https://wormhole.app/ put my 4 core i5 into a stress test?!?

    Before even uploading anything.

    This is using Firefox 87.0

    1. sbt
      Pirate

      Re: CPU usage

      Noticed similar CPU behaviour. Hope there's not a cryptominer lurking within all that WebPack'd js.

      Firefox 78.9.0esr.

    2. TonyJ

      Re: CPU usage

      "...Why does clicking on https://wormhole.app/ put my 4 core i5 into a stress test?!?

      Before even uploading anything.

      This is using Firefox 87.0..."

      Christ you're not wrong - it adds a good 30% CPU load to my quad core i7-9750H CPU.

      Hmm second time of launching was more in the 10% range but still...

    3. Anonymous Coward
      Anonymous Coward

      Re: CPU usage

      Did you spot the words "peer to peer" in the article?

      Could that be relevant?

      It probably takes a lot of processing time to look at the whole Interweb to see if anyone else wants to talk Wormhole.

      1. doublelayer Silver badge

        Re: CPU usage

        It's not scanning the whole internet. At most, it just has to advertise its availability to the server which can connect it to the other machine. Machines which have not contacted the server need not be scanned. Machines which don't have a connection established also need not be scanned. That cuts out nearly all of the internet, and it is only necessary to check on the computers involved in the transfer, so that's probably 2 though could be 3-8 theoretically. That doesn't explain the CPU usage.

        1. sbt
          Alert

          Re: CPU usage

          Yes. Also bear in mind the original CPU complaint was just in connecting to the homepage; observed here as well. No file, network or encryption transactions on foot just to show the home page, unless and until you interact with it by loading up a file or folder.

          I agree with the other posters blaming the wormhole animation.

    4. Anonymous Coward
      Anonymous Coward

      Re: CPU usage

      Two words: Web Assembly...

    5. Anonymous Coward
      Anonymous Coward

      Re: CPU usage

      Switching to a different tab immediately stops the behaviour.

      Same in Chrome.

    6. Demmers

      Re: CPU usage

      Same for me, Firefox 87. Firefox isn't detecting anything in the background, but I can instantly tell what it is. That pointless moving background picture.

    7. cornetman Silver badge

      Re: CPU usage

      Might be the rendering of that irritating rotating background image perhaps.

      Not sure why anyone thought that was a good idea.

    8. Belperite
      FAIL

      Re: CPU usage

      100% it's the stupid background, generated via CSS. Disabling it in the inspector returns CPU to normal levels.

      1. Claptrap314 Silver badge
        Flame

        Re: CPU usage

        To be clear--this demonstrates that these people are NOT concerned in the least about the end user. Stay away.

  4. Anonymous Coward
    Anonymous Coward

    There's an android client

    It's not just web, there's an android client.

  5. CrackedNoggin Bronze badge

    What permissions does it require?

    1. doublelayer Silver badge

      The Android client requires full network access, prevent device from sleeping, and write to storage permissions. All of those make sense to me. A report using the Exodus privacy scanner for Android apps on that client can be read here.

  6. Anonymous Coward
    Anonymous Coward

    Cue ...

    People emailing the URLs to each other, sending them in SMS or otherwise sharing them in plaintext. I mean - we do actually still have asymmetric cryptography, don't we? But the number of colleagues I've got who can send me a public key, or correctly use one I send them, seems to remain vanishingly small.

  7. ThatOne Silver badge
    Facepalm

    Danger, Will Robinson!

    > The web is safe

    I was rather liking what I was reading - till that. OMG. "The web is safe". Really. Apparently it wasn't a joke, he really meant it...

    So, if I'm kind, it's just another rainbow-unicorn developer with no connection to reality whatsoever. Only if I feel kind, because else he's an unscrupulous liar trying to peddle his favorite pipe dream no matter the consequences.

    Seriously, if the web is already safe, no need to add any security, isn't it. It is telling that the only security feature they mention is already feature creep: A transport app should do just that: Move files from A to B, not scan for viruses, update your Facebook page or walk the dog. Virus scanning is not their main job, and pretending it is done would give people a dangerous false sense of security. People need to always mistrust all and any file they get off the Internet, even from an official corporate source or a friend (even if it is entitled "Grandma's cutest cat videos").

    1. Spoonsinger
      Black Helicopters

      Re: Danger, Will Robinson!

      Was kind of visualizing Dustin Hoffman after the third tooth drilling "Yes, it's safe!"

  8. dan_the_man

    Isn't this just sync.com?

  9. Pascal Monett Silver badge

    So, the service is free, and a Pro plan is being thought of

    And you don't have ads, or tracking.

    VC money is not going to carry you to success, guys. You need to monetize this or you will die. 10GB free is too much, 1GB free is enough and will incite the people who need this to splurge on a paid plan.

  10. Wimmerke

    Nice potential... but also challenges...

    Very nice to see the transparency and the bug bounty startup. Demonstrating good practices.

    Concerning the client side, I believe WebAssembly would be a good bet as well...

    One principle of choice: Authentication, Authorization & Auditability which are key principles to achieve adequate governance and compliance in a business setting

    - Security by design: only relying on the URL to keep a file encrypted is not the best choice (protecting the encryption secret)

    - Auditability: how to demonstrate who accessed the file (or unencrypted content)

    - Authentication: how do you know "who" is the person accessing the information (unauthenticated access by design on the platform)

    - Short lived links (24 hours) to enable download is perhaps short in a user to user or interactive setting, but a good mechanism to avoid brute force or unauthorized access

    1. doublelayer Silver badge

      Re: Nice potential... but also challenges...

      I think most of those features should probably be limited to their pro plan. Then again, a business can usually have a protected internal network through which files can be transferred. Still, individuals probably don't want most of those features and implementing them will take more resources. Since those are mostly for business users, it makes sense not to give them away.

  11. Francis

    Amused to see that the parent company website - socket.dev - cannot be visited because it has a self-signed certificate and has HSTS enabled so you can't add an exception (or can't in Firefox, I haven't tried with other browsers).

    Did Not Connect: Potential Security Issue

    Firefox detected a potential security threat and did not continue to socket.dev because this website requires a secure connection.

    socket.dev has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

    Learn more…

    socket.dev uses an invalid security certificate.

    The certificate is not trusted because it is self-signed.

    Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
