https://github.com/magic-wormhole/magic-wormhole-mailbox-ser...
Debian was kind enough to configure their distribution's copy with a distinct hostname for the transit relay helper (the bit that forwards bulk encrypted traffic when both parties are behind NAT). "magic-wormhole-transit.debian.net" is currently a CNAME for "transit.magic-wormhole.io" (which is what the upstream source uses), so all this currently costs them is some DNS maintenance. Both sides exchange transit server hostnames, so they don't need to use the same one, but Debian does this so we could switch Debian-based clients off to a different server if/when my costs of running transit.magic-wormhole.io grow too large.
The "mailbox relay server" for all mutually-communicating clients must be the same. Both upstream and Debian (and most of the other distributions I've seen) use "relay.magic-wormhole.io". The mailbox server helps the clients exchange tiny key-exchange and setup messages, so its costs are trivial.
/* A modern version should, of course, work in a browser, so that there'd be no Python packages to install. But the browser security model does not allow listening, so a signaling server would be needed to create a WebRTC connection. It could run on one of the devices involved, but still can't be a pure web app. */
Now, only uv needs to be installed (two self-contained binaries). Then you can do `uvx magic-wormhole --help` and it will quickly create a transient environment with the required packages. You don't even need to install Python (uv will do a transient install of Python as well).
In principal WebRTC communication could be added to magic-wormhole, but that work has not been done yet. There is WebSocket support in the relay (including "cross-protocol" so one client can be WebSocket and the other TCP). This is only deployed on the Winden.app servers (tcp://relay.mw.leastauthority.com:4001 and wss://relay.mw.leastauthority.com for the relay).
You'd need to use the Winden.app relay server if you want https://winden.app users to reach your Python CLI (e.g. via "wormhole --relay-url wss://mailbox.mw.leastauthority.com/v1 send" for example)
> Because of firewall network address translation (NAT) issues, rendezvous protocols generally require that there be at least one unblocked and un-NATed server that lets the peers locate each other and initiate concurrent packets at each other.
So probably cant help with a VPC unless you pierce a hole for it.
I guess this makes sense, since by design this shouldn't be possible.
Note that the transit relay only sees ciphertext (for bulk data transfers). Even the mailbox server only sees ciphertext or SPAKE key-exchange messages. No server sees plaintext ever.
I like to use it more. What is your use case for this?
BTW, I haven’t found a good iOS app.
Once it is running all you need to type on the phone is the IP:port.
There are some forks since the software was originally opensource but then closed it.
I use magic wormhole everywhere else, servers, vms, etc.
This isn't true. Particularly, if an attacker attempts to connect with the wrong password, this will be seen by the client, which then aborts the connection. So an attacker can only try one password. You can test this yourself:
A: $ wormhole send foobar
A: Wormhole code is 1-whimsical-klaxon
B: $ wormhole receive 1-klaxon-whimsical # wrong password
B: ERROR: Key confirmation failed. Either you or your correspondent
B: typed the code wrong, or a would-be man-in-the-middle attacker guessed
B: incorrectly. Try sending the file again.
B: <exit>
A: ERROR: Key confirmation failed. Either you or your correspondent
A: typed the code wrong, or a would-be man-in-the-middle attacker guessed
A: incorrectly. Try sending the file again.
A: <exit>
The CLI also has an option to further mitigate MITM attacks with the `--verify` flag -- this shows to both clients a hash of the transcript, which can be verbally verified before proceeding with the transfer. This allows detecting an attack even if the attacker gets the password right on the first try (which has probability 1/65536).
In the Magic Wormhole protocol, the number at the beginning of the Magic Wormhole phrase specifies a "nameplate" used to negotiate the "mailbox" which both clients (sender and receiver) use. If a recipient specifies a _matching_ nameplate but a _non-matching_ key phrase, the file transfer transaction between the sender and receiver with a matching nameplate will fail (since they cannot correctly produce a shared key), but nobody else is affected in any way.
An evil attacker could DoS the magic-wormhole mailbox server by spamming mailbox nameplates with bad keys, since there isn't much entropy at all there, but they would affect only single transactions at a time.
Granted croc supports resuming transfers, which magic wormhole doesn't.
https://play.google.com/store/apps/details?id=io.sanford.wor...
Then I genuinely recommend piping-server https://github.com/nwtgck/piping-server
Personally I don't really mind the unencryption as I mean I just use it to pass videos or any software and I don't really think that there are any security concerns but its also really easy to encrypt / decrypt as well so I genuinely recommend it
It can actually work out of the browser and in the ssh server by using curl / maybe even wget but no guarantees. Both standard tools.
https://piping-ui.org/ There is this website which has a better ui
And you can self host the server as well and these ui's are just static pages which you can view the source code of
Focused on speed, so good for video. (If your transfers don’t saturate the network I treat that as a failure and a bug to be fixed - please report if speed is ever lacking)
Disclaimer: I’m the creator.
Do people realize that GPG supports symmetric encryption?
It would be nice if things like GPG would generate an appropriate passphrase for you by default.
I guess if you are only going to send one file the difference is not really all that significant. Otherwise the experience after exchanging email addresses and fingerprints would probably be better with encrypted email.
tailscale funnel --set-path <secret> <DIRECTORY>
(The path is needed because there are lots of bots who scan tailscale hostnames).
This works if the sender is tech savvy (and a tailscale user) but not in the other direction.
Very minor web page issue report: please add a replay to the video. Thanks.
Unsure how Tailscale rate limits, if at all, such traffic flowing through its public relays ("DERP"), as a tool like this is just ripe for abuse?
- Purpose/Scope: WireGuard creates persistent VPN tunnels for ongoing network connectivity. Magic Wormhole handles ephemeral file transfers.
- NAT Traversal: WireGuard typically requires at least one publicly-reachable endpoint. Magic Wormhole's relay server handles NAT traversal for initial rendezvous, then attempts direct connection.
- Configuration: WireGuard needs config files with public keys and endpoints. Magic Wormhole just needs a temporary code.
- Layer: WireGuard operates at network layer (creates virtual interface, routes IP traffic). Magic Wormhole is application-level.
[1] Based on a conversation with Claude 4.5, distilled and lightly edited. This information matches my experience with them.
Both sides connect to the "mailbox relay server" to perform key exchange and setup. That's a host named "relay.magic-wormhole.io".
If either side has a public IP address, the encrypted data is transferred directly (they exchange IP addresses through the encrypted pipe, and attempt to connect to all of them, so this also covers two peers on the same LAN). If neither do, they both connect to a public "transit helper" relay named "transit.magic-wormhole.io" which acts like a TURN server to get the encrypted bytes from one connection to the other. I run both services.
You do need to run the helper on a public IP address, like a rented VPS for example.
It does learn some metadata: the endpoints of the messages (unless you use Tor) and the number of bytes in those messages.
Wormhole William (Android): https://github.com/psanford/wormhole-william-mobile
Destiny (iOS): https://github.com/LeastAuthority/destiny
For interoperability, don't use Destiny's default servers. After you install Destiny, change the config to the standard Magic Wormhole servers:
Mailbox: ws://relay.magic-wormhole.io:4000/v1
Transit Relay: tcp://transit.magic-wormhole.io:4001
(to all the quantum-computer-will-never-come-people: i like to be prepared in CASE it comes, otherwise no one will prepare and users are in the dust, once it is there)
(If using the newer Dilation protocol -- which is true for many of the non-file-transfer tools like ShWiM, Git-WithMe or Fowl -- peer traffic uses this shared secret with Noise, specifically "Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s")
One tool that does now use Magic Wormhole for "introduction" like this is EtherSync: https://ethersync.github.io/ethersync/
peterhadlaw•4mo ago