This is very nice and simple. A few areas for improvement, in my opinion: the URL should be easy to copy, paste, or type into another device. I'd suggest designing the route like pinsend.app/pin/CODEHERE. Also, for some reason, copying and pasting the URL didn't seem to work in its current form. I would also consider implementing a QR code to allow quick scanning and redirection on another device, especially a phone; see Wormhole's implementation for reference [1]. Regarding security, the PIN looks quite short; I'd suggest increasing its complexity or length and automatically expiring sessions after a few minutes of inactivity. Additionally, definitely consider implementing end-to-end encryption if you haven't already.
Neat implementation!
I often use the 'me' channel in Slack, but not every device has that. Similarly, between my own Apple devices, I might use 'Notes', which is fine (and long-lasting), but I like this approach.
I do share the other stated concern about security. Offering '5 minute sessions' and/or a way to 'approve' another device connecting would alleviate some concerns about a random unknown connection happening.
This looks interesting. What I don't understand is: how was it implemented without a server relay? I am no expert in WebRTC (or P2P for that matter), but I always assumed that there needs to be a central location for users to exchange their addresses, and only then can a P2P connection be established. This must be the case here as well, right? Or am I mistaken?
If the server stores the transcript of a session, can it brute force the PIN later on?
Magic Wormhole (https://github.com/magic-wormhole/magic-wormhole) avoids this by using a password authenticated key exchange (PAKE) protocol. If you don’t use a PAKE, you get trivial brute force attacks from anyone with a transcript.
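To make the transcript brute-force concrete, here is an added toy example (not Magic Wormhole's or pinsend's code) in which the session key is derived from nothing but a six-digit PIN; anyone holding the recorded (session id, message, tag) triple can test all 10^6 PINs offline. A PAKE avoids this because the transcript carries only blinded values that cannot be checked without a live peer. The session id, PIN and message are constructed sample values.

```python
import hashlib
import hmac

PIN_DIGITS = 6                     # 10**6 possible PINs, just under 20 bits

def derive_key(session_id: bytes, pin: str) -> bytes:
    """Toy key schedule: the PIN is the only secret input. This is the flaw a
    PAKE removes; it is not how any product in the thread derives its keys."""
    return hashlib.sha256(session_id + pin.encode()).digest()

def send(session_id: bytes, pin: str, msg: bytes):
    """Sender authenticates a message under the PIN-derived key. The returned
    triple is exactly what a relay or eavesdropper would hold afterwards."""
    tag = hmac.new(derive_key(session_id, pin), msg, hashlib.sha256).digest()
    return (session_id, msg, tag)

def recover_pin_from_transcript(transcript):
    """Offline guess check: with the transcript alone, every candidate PIN can
    be verified locally, so the PIN's entropy is the whole security margin.
    Returns (pin, guesses_needed) or (None, 10**PIN_DIGITS)."""
    session_id, msg, tag = transcript
    for n in range(10 ** PIN_DIGITS):
        guess = f"{n:0{PIN_DIGITS}d}"
        cand = hmac.new(derive_key(session_id, guess), msg, hashlib.sha256).digest()
        if hmac.compare_digest(cand, tag):
            return guess, n + 1
    return None, 10 ** PIN_DIGITS

# With a PAKE such as SPAKE2 (used by Magic Wormhole), each side mixes the PIN
# with a fresh random scalar before sending, so the transcript contains no value
# a guess can be checked against; a wrong guess costs an online round that the
# honest peer notices and can refuse.

if __name__ == "__main__":
    sid = b"constructed-session-01"          # constructed sample values
    transcript = send(sid, "250317", b"hello from laptop")
    print(recover_pin_from_transcript(transcript))   # ('250317', 250318)
```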
Some feedback:
- Superb domain name.
- I'd clean up less relevant bits as much as possible. The subtitle, for example, says "Share text and images instantly and securely across all your devices". I'd s/and\ images// and s/across\ all\ your\ devices//.
- There is a strong use case for sharing just text. I'd encourage you to focus this app on just that. If tempted to add file/image/whatever sharing, I'd break that out into something separate.
- Shortening the URL would be an expression of focus. Think https://pinsend.app/sessioncode.
- The copy functionality for each text string shared is great.
- Why not make the QR code visible by default?
- Let your audience decide how they want to use string sharing functionality. Don't presume on their behalf. What if two technicians on either side of a theatre want to use this to share secret streaming strings? You'd want to make sure your messaging is welcoming to them too.
If you're just sharing text, why do you need a website and a PIN? Why not just encode it into a QR code and scan it, which most phones nowadays support? For files/photos a website makes sense, because you can't send a 2MB file over a QR code, but the text use case just isn't there.
I don't see any mention of E2E encryption; that would be nice, but I love the WebRTC usage here!
Shameless plug: I built a small file-sharing tool with encryption in the browser and added a "tunnel" feature to make sharing between personal devices easier: https://www.relaysecret.com/tunnel/
The AES-256 key is derived from hashing the tunnel name but is never sent back to the backend, as it is behind the anchor tag, and the tunnel name is derived from a substring of this hash. It is quite fun to use and share files. The file never lives more than 10 days (bucket lifecycle), but the user can reduce this to delete-upon-download, and the code can easily be reviewed (the back end is a single lambda function to generate signed URLs) :)
How are you managing the initial ICE offer/response negotiation without a relay server?
Looks interesting, but I don't really understand how it works. I open the website, type a message, then I see my own message. I scan the QR code with my phone, then I also see a message window on my phone where I can type messages. Now both my laptop and phone can type messages, but the phone only sees the phone ones and the laptop only sees the laptop ones. Yet, somehow they are in the same session (since the phone scanned the QR code from the laptop). What am I doing wrong here? How do I send a message from one device to the other after connecting them in the same session?
Great job.
I have a lot of suggestions and I would love to get in touch with you on some of them, as I have unplugged my computer for quite some time now and am solely on mobile at the moment.
Maybe on signal perhaps?
Now there are a lot of suggestions I can give.
Firstly, there is Piping Server, through which I sent my brother a link using hello and he curled it, and it felt so cool. I love Piping Server.
Secondly, the Wormhole protocol, as I mentioned in another post.
There is also iroh.computer which is coming to wasm as well.
Theoretically, if one had to ask me the most private way, though, my truest bet would be Tor and onion routes, though it's a shame that additional software has to be configured for it. But if you don't mind a computer hosting texts "live", i.e. no middleman stores the text (I am of course assuming WebRTC works the same way)
Of course, there is a lot of fancy stuff, but a big problem with it is that it has a huge link, for better privacy I suppose.
One can use a link shortener. I would've recommended dub.sh earlier, but I am seeing quite some limitations in it, and the free tier, to me personally, the last time I checked (if I remember correctly), was very slow, but it's still nice and can be used.
I reckon if one wanted collaboration on text, one could also use Proton Docs + dub.sh for a similar experience to your website, except it's more collaborative, given Proton can now support accountless edits in some sense (of course, I forgot its real name, but it was in their blog post). I wish to create a GitHub-Issues-like thing using it, but on the web, maybe after some time; I wish Proton had better dev support.
Great idea. If I may ask, btw, what's the tech stack, what services are you using to host it, and do you intend to make money (unlikely, I presume)? What's your take on it?
Cheers man. I have seen the world ignore people when they build something. I don't know, but I want to say from the bottom of my heart that I think you made a meaningful change to the world, in its own manner I suppose. Of course, I watched The Princess Bride, so I feel quite poetic at the moment, but one must imagine you happy.
This doesn't seem like something I'd market as secure. Couldn't someone randomly join your session by entering 6 random digits? Seems like it would need to expire, have owners approve new connections, etc.
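As an added sketch (not pinsend's code) of the mitigations this comment and the earlier '5 minute sessions' comment ask for, the registry below generates a six-character alphanumeric code with `secrets`, drops a session after five idle minutes, throttles failed join attempts per client, and holds a new device in a pending state until the session owner approves it. The client identifiers and the injected clock (`now`) are assumptions of this example; a real deployment would key throttling on something the client cannot freely change.

```python
import secrets
import string
from dataclasses import dataclass, field

ALPHABET, CODE_LEN = string.ascii_uppercase + string.digits, 6   # 36**6 ~ 2.2e9 codes
IDLE_TTL, MAX_GUESSES = 5 * 60, 5   # idle seconds before expiry; failed joins per client

@dataclass
class Session:
    last_seen: float
    members: set = field(default_factory=set)   # approved device ids
    pending: set = field(default_factory=set)   # devices awaiting owner approval

class Registry:
    def __init__(self):
        self.sessions = {}    # code -> Session
        self.failures = {}    # client id -> failed join count (assumes a stable id)

    def create(self, owner, now):
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self.sessions[code] = Session(now, members={owner})
        return code

    def live(self, code, now):
        s = self.sessions.get(code)             # None if unknown or idle-expired
        if s is not None and now - s.last_seen > IDLE_TTL:
            del self.sessions[code]
            s = None
        return s

    def join(self, client, code, now):
        if self.failures.get(client, 0) >= MAX_GUESSES:
            return "throttled"                  # stop answering a guessing client
        s = self.live(code, now)
        if s is None:
            self.failures[client] = self.failures.get(client, 0) + 1
            return "rejected"
        s.pending.add(client)                   # a correct code alone does not admit
        s.last_seen = now
        return "pending"

    def approve(self, owner, code, client, now):
        s = self.live(code, now)
        if s is None or owner not in s.members or client not in s.pending:
            return False
        s.pending.discard(client)
        s.members.add(client)
        s.last_seen = now
        return True
```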
This is a cool idea!
I solved it for myself using Signal, it has a "Note to Self" feature and you can access it with Signal mobile and desktop. It's also E2E encrypted. https://support.signal.org/hc/en-us/articles/360043272451-No...
Nice!
How do you set up the initial connection? A six digit alphanumeric code isn't long enough to include WebRTC connectivity setup data, so I assume a server is involved for at least that part?
Also, a small nit: The code is alphanumeric and also to be shared with the recipient, so it's arguably neither personal, nor is it a number ;)
Good job, it solved a problem you had and might be useful for others. I'd love to learn more about WebRTC without getting a PhD; are there any resources for dumb programmers that would get me up and running in a short amount of time?
I’m always interested in such solutions.
How do we know that it's end-to-end encrypted and that it's peer-to-peer (without examining the network traffic)? The source doesn't seem to be available (I presume this is not open source) and there doesn't seem to be a self-hosting option. This brings me to my next question: what is the business model here?
Your page says “Share text and images instantly and securely across all your devices”, but I don’t see a way to send images. Is that on the roadmap or is the inclusion of images in this description a mistake?
Transferring data across devices on different platforms (like photos from an event, for example) is not easy if one wants to avoid messaging apps. Firefox Send and similar services hosted by generous people for others to use have different limits to manage costs and handle abuse. If this service offers transferring images and videos and the concerns about encryption and privacy are addressed, it could be very useful.