Hey #InfoSec, anyone with opinions on #LocalSend? 👀

https://localsend.org/

Specifically, I am interested in anyone with informed opinions on how secure it is. Has it been audited?

LocalSend: Share files to nearby devices

LocalSend is a free, open-source, cross-platform file sharing tool that allows you to share files to nearby devices.

@rysiek The site design sucks. There's no clear way to get documentation or whitepapers on its operating theory or design.
@rysiek This and that don't make it clear whether it's TOFU without any user verification or not.
GitHub - localsend/localsend: An open-source cross-platform alternative to AirDrop

@lispi314 @rysiek What about the option to set a PIN? Do you feel that compensates sufficiently or no? (It is off by default though of course. Probably shouldn't be.)
@nazokiyoubinbou @rysiek That's still distinctly worse than what Magic Wormhole (https://en.wikipedia.org/wiki/Wormhole_(protocol)) does with PAKE (https://en.wikipedia.org/wiki/Password-authenticated_key_agreement).

It being off by default is a major malus.

@lispi314 @rysiek I'll agree it should be on by default and just generate a random PIN or something. But it isn't hard to check the box. I'm wondering if more than this is needed for over the LAN (well, I wouldn't want to run this on the Web -- at least not without tunneling or something -- but it's not really meant for it.)

For basic LAN usage, only running it as needed, etc as intended, would you say the PIN is sufficient?

Is there anything with such an alternative that is as universal as this? LocalSend has builds for most modern computer types as well as Android and iOS smart devices.

Right now I'm guessing it's ok for home LAN use, be very careful and judicious on public LANs, and of course WANs are a big no?

@nazokiyoubinbou @rysiek Assuming everything on the LAN can be trusted is a mistake.

IoT malware devices are common enough to be a concern, as are other infected devices or malicious users (semi-public wifi networks, for example).

A PIN long enough to be safe against bruteforcing by such devices would be more unpleasant/error-prone than a passphrase.

A maximum number of tries enables DoS so that's not a good way to mitigate the issue either.

magic-wormhole and https://github.com/LeastAuthority/destiny differ by relay used. Passing the desktop/CLI program the right relay (and possibly transit-relay) as a parameter(s) enables them to interact without issue.

iOS is a difficulty for Free Software due to absurd costs in putting anything on the paywalled platform.

magic-wormhole is (originally) Python, so it should run on basically anything.
GitHub - LeastAuthority/destiny: Destiny – Cross-platform Magic Wormhole graphical client

@rysiek @nazokiyoubinbou Huh. Destiny is on iOS apparently, so yeah that works too.

@lispi314 @rysiek Looks like it doesn't support ARM64 on macOS though, so that does limit modern Apple devices somewhat.

Well, I'm not ever going to willingly use Apple devices, so for me this is a very viable alternative.

@nazokiyoubinbou @rysiek Given it's Golang (for Destiny), that is most likely because it hasn't been rebuilt/etc since for those platforms, as I assume that Apple provides compilers capable of doing this.

So rebuilding the source & paying the absurd fees would permit fixing that.

@lispi314 @rysiek I do want to say, looking this over, it does jump through more hoops. Am I correct in understanding it needs to connect through a relay server?

LocalSend's simplicity may win for simple things like just copying over a (non-serious) picture or driver file or something where security isn't that big of an issue anyway.

@nazokiyoubinbou @rysiek Yeah, it uses a mailbox/rendezvous server.

It's possible to use one in one's LAN. If the two peers can't connect to each other, it then uses a transfer relay (this is also self-hostable).

It's not fully P2P, but it is e2ee.
@lispi314 @rysiek Yeah, that presents its own problems. Especially if offline. Not really sure if these two are quite direct competitors here.
@nazokiyoubinbou @rysiek I think Briar might be more suitable for fully P2P, but that's not /just/ file transfer (and the desktop version has more limited connectivity support).

@lispi314 @rysiek We are talking about simple file transfer across a LAN between devices here, right?

This seems like it might be starting to grow a bit overly complicated for what should be a simple task. I mean, sometimes even netcat would be fine for a lot of the stuff one might transfer.

@nazokiyoubinbou @rysiek Yes. Briar supports Bluetooth P2P connectivity.

It also supports WLAN & Tor.

@lispi314 @rysiek Thanks. That seems like an alternative well worth looking into.

Always a plus for me when something is on F-Droid.