These are some features: - Share photos, documents, videos, and more with ease, no matter the size. - Connect instantly with anyone for speedy and reliable file transfers, bypassing the need for centralized servers. - Get started in minutes with our intuitive interface designed for seamless communication. No registration. - Easily connect with others using QR codes, simplifying the sharing process further.
The inspiration behind NeighborHoodShare stemmed from a common dilemma: the reluctance to share personal contact details like phone numbers or email addresses when sharing photos or messages with strangers. With NeighborHoodShare, you can share content securely without compromising your privacy.
I would be happy to hear your feedback and suggestions for improving NeighborHoodShare.
I had written a blog on how p2p networking in browsers work: https://dikshantraj2001.medium.com/nat-stun-turn-and-ice-466...
All I can say is: There are a lot of red flags here.
Also I'm curious like others, does this only work if no nat traversal is required? or are you leveraging public stun/turn infrastructure?
Yes only the network layer encryption. No file encryption as it will cost client browsers a lot in case of encrypting and then decrypting that at other end.
I have written more about it here: https://dikshantraj2001.medium.com/nat-stun-turn-and-ice-466...
Currently, I am using the public STUN servers only. If the IPs are not reachable, it would show an error and won't work as setting up TURN server would mean same as a third party server saving in file and serving it over network
[0]: https://webrtchacks.com/webrtc-and-man-in-the-middle-attacks...
Or something like that?
> bypassing the need for centralized servers
I don't follow this part... it's using a centralized server to serve the web app, which could easily serve JS code that steals confidential data right?
Web apps are better than native apps from a security perspective. Browsers have fairly decent built-in debugging tools that you could use to verify that data isn't being uploaded to a 3rd party.
On the other hand, to do the same with a native application you would need to use a separate network protocol analyzer application.
Web apps also run in a sandbox that users tend to have fairly good knowledge about. For example, they generally cannot access any file on your device unless you grant permission. What are the limits of the iOS, OSX, Android or Windows application sandboxes? Can apps on those platforms access files without explicit permission? I think the vast majority of users wouldn't be able to tell you.
This isn't true. Sure, they have less access to the host system, but verifying the integrity and authenticity of a web app is harder than that of a native app, where code signing is commonplace (not that code signing is a whole solution, but it's a great start). Extensions[0] exist to improve the situation but it's not yet broadly applicable.
A compromised web app doesn't have to upload your data to a 3rd party, it just has to (for example) encrypt with weak keys. You'd never notice that from the network logs alone.
And while I agree that debug tooling for the web is great, there's a lot of great stuff for native code too. Ignoring "expert" tools entirely, a more user-facing example is Little Snitch[1], which handles the "detect data being sent to 3rd parties" use case.
[0] https://engineering.fb.com/2022/03/10/security/code-verify/
2) Legit trusted applications are already what siphons everyone’s content, not malware. At least in the browser there’s uBlock Origin and even a dev console.
Just some things to keep in mind when comparing the differences.
Not saying native apps are universally better, but I do think their treat model tends to be a better match for encrypted messaging. This comment on Signal explained it well: https://community.signalusers.org/t/google-to-retire-chrome-...
With the web you have to trust the app developer and with mobile you have to trust the app developer plus Google or Apple on top of that.
Fdroid is maybe the only exception to that.
The linked comment goes into it, but you have to trust the web hosting platform, the CA ecosystem, etc. We're talking not just Apple/Google being able to attack you, but also China, and even some script kiddie with a Node.js exploit.
> with mobile you have to trust the app developer plus Google or Apple on top of that.
The OS/browser vendor can record what you're doing with a web app just as easily as a native app. Thankfully they have very strong incentives not to do so, and can usually be held accountable with code signatures (the non-repudiation part).
For starters, there's not even automated reports of app signatures on mobile and no transparency authority at all.
Unless maybe you are on some things like GrapheneOS and only install apps though fdroid, that's not really a mainstream configuration though.
Fdroid supports that but you need a modified rom so that the play store cannot interfere with it in any way. To my knowledge, only GrapheneOS does that.
The only exception I'm aware of is GrapheneOS where that's not possible. Otherwise if you are using iOS or any other Android rom than GrapheneOS, you are vulnerable to that.
Though even in that case the dev can't do that, so your trust is :
web: dev every time you load an app
native: dev once you install an app, OS vendor any time
A native p2p application needs to be downloaded or built once, from any place (say a git mirror) and bootstrap to its overlay network and then you're in.
It can not do anything without your permissions. All websites are well scoped and run in their private environment in a web browser.
> It is a p2p files and messages sharing platform without involvement of any server. It has end-to-end encryption, ensuring your messages and files remain confidential.
However the clients get the JS code from the web server. Since you control that server, you can change the code to disable the encryption, or send a copy of the messages somewhere else. You can even make the server give specific people / IPs one copy of the code and others a different copy.
Hence my point is there is a trusted centralized server involved.
Why would I use this one instead of them?
https://github.com/RobinLinus/snapdrop
> the mailbox server, and the transit relay.
The dream of the P2P internet died with NAT.
Language sure is weird...
Similar open source solutions exist like:
How does this compare?
- FileBrowser (https://filebrowser.org/features)
- Syncthing (https://syncthing.net/)
Run both as Docker containers on a server at home. Syncthing keeps the files on your PC, Mac, and BSD systems in sync, and FileBrowser can point to the sync share and supply a convenient web UI for phones, etc. It works for me, it's kind of like a local Dropbox.
Syncthing + KDE connect does a lot.
The only issues I have had is that I cannot ensure that both are always running on android.
For example, imagine you save a file on your laptop then put it to sleep. You turn on your desktop and the file isn't there because the laptop is now asleep. Having a central 24/7 Syncthing server allows the share to always be available.
[0](https://github.com/psanford/wormhole-william)
[1](https://f-droid.org/en/packages/com.pavelsof.wormhole/)
[2](https://f-droid.org/en/packages/com.leastauthority.destiny/)
kdeconnect-cli --share [url|path/to/file] --device [device_id]
For CLI stuff, I usually just run the python http server or woof and make a QR code with the URL.
Secret chats don’t work between the desktop client and the app, so I would suspect that, like the rest of the messages, everything is saved on telegram’s servers in the clear.
Or am I missing something?
They hold the keys, irrespective of how many proprietary protocols they wrap over the message.
A great product tho! I used saved messages extensively!
Not just plain-old HTTPs. MTProto 2.0 is a whole encryption algorithm for Cloud chats: https://core.telegram.org/mtproto/AJiEAwIYFoAsBGJBjZwYoQIwFM...
I do not feel it is any different from Google Chat, Twitter DMs, etc. They do have a lot of censorship resistant and anti-MITM attack features in between, but they hold the keys by default
I use it for convenience and amazing features, not for security!
Telegram doesn't support markdown though, that's why I decided to build writedown.app
You can found more in depth details in this article: https://telnyx.com/resources/webrtc-encryption-and-security
And sorry for not replying I was not on the platform lately
Are you employing E2E on the client side? Encryption during transit shouldn't be claimed as E2E. Please correct me if I'm wrong.
> To broker connections, PeerJS connects to a PeerServer. Note that no peer-to-peer data goes through the server; The server acts only as a connection broker.
> If you don't want to run your own PeerServer, we offer a free cloud-hosted version of PeerServer.
So I suppose there's still a server, but it's shared and run by two folks based on donations: https://peerjs.com/peerserver