I've used sendme a few times after coming across Iroh on Bluesky. It's honestly great. Just Works™, very fast, supports files and folders, resumable transfers, one sender to many receivers, and has fast relays as a fallback when a direct connection truly isn't possible, and it will actually tell you whether you have a direct connection or are using a relay (unlike others like Magic Wormhole or Croc from my experience).
My understanding is that the signaling server could be used as the perfect place to perform a MITM attack. The README does not mention how berb addresses this concern at all.
Oh I would love some more details if you think that's the case. With Berb only two clients can connect really. So let's say you somehow guess a peer ID, which is very tough, and connect to a random user. You can technically send a file but they can easily ignore it since they didn't initiate the transfer. That being said, I can definitely add a way to verify the file is legit like the suggestion in the reply with hashes.
Should users trust the signaling server? IIRC, the signaling server can easily intervene in the SDP offer/answer so that it can intercept user files or instruct users to send files wherever it wants.
Oh I see what you are saying. Yeah I guess if we didn't know what the signalling server was doing, that would be a valid argument. But in my case we can see the server code is pure and simple. Unless you mean there's a bug that allows an attacker to do that?
Either way, would love to know your thoughts on improving trust with this.
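One check that addresses the concern raised in this exchange, as an added example that is not part of the thread or of Berb's code: WebRTC authenticates the DTLS handshake against the `a=fingerprint` value carried in the SDP, so a relay that rewrites that line can place itself between the peers. The sketch compares the fingerprint a sender generated with the one the receiver was handed; `dtlsFingerprints`, `checkRelayedSdp` and `makeSdp` are hypothetical names and the SDP is constructed.

```javascript
// Added example; all SDP text and fingerprints here are constructed sample data.

// Collect every a=fingerprint value (session- or media-level), normalised.
function dtlsFingerprints(sdp) {
  const found = new Set();
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$/.exec(line);
    if (m) found.add(`${m[1].toLowerCase()} ${m[2].toUpperCase()}`);
  }
  return [...found].sort();
}

// generatedSdp: what the sender's browser produced (pc.localDescription.sdp).
// receivedSdp: what the other browser got from signaling (pc.remoteDescription.sdp).
// In a real app the two sides compare these values over a separate channel.
function checkRelayedSdp(generatedSdp, receivedSdp) {
  const sent = dtlsFingerprints(generatedSdp);
  const got = dtlsFingerprints(receivedSdp);
  if (sent.length === 0 || got.length === 0) {
    return { ok: false, reason: "missing fingerprint", unexpected: [] };
  }
  const unexpected = got.filter((fp) => !sent.includes(fp));
  const ok = unexpected.length === 0;
  return { ok, reason: ok ? "fingerprints match" : "fingerprint changed in transit", unexpected };
}

// Constructed data-channel SDP carrying one certificate fingerprint.
const makeSdp = (fingerprint) => [
  "v=0", "o=- 1 1 IN IP4 127.0.0.1", "s=-", "t=0 0",
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
  "c=IN IP4 0.0.0.0", "a=setup:actpass",
  `a=fingerprint:sha-256 ${fingerprint}`,
  "a=sctp-port:5000",
].join("\r\n") + "\r\n";

const senderOffer = makeSdp(Array(32).fill("ab").join(":"));
// What the receiver would see if the relay substituted its own certificate hash.
const rewrittenOffer = senderOffer.replace(
  /^a=fingerprint:.*$/m,
  "a=fingerprint:sha-256 " + Array(32).fill("CD").join(":"),
);

console.log(checkRelayedSdp(senderOffer, senderOffer).reason);
console.log(checkRelayedSdp(senderOffer, rewrittenOffer).reason);
```

The comparison only helps if the two fingerprints reach each other over a channel the signaling server does not control, such as reading them aloud on a call.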
Connecting browsers directly is a fascinating area to explore in web development. It always goes a little haywire when punching thru NAT and I wish there was more research into what the best methods are.
Do you think the AT protocol could ever work for this? I wish we had one centralized scriptable method that was popular to enable ubiquitous discovery.
There are many, many products to address this, like Mozilla's defunct Send, or the excellent but not self-hostable Wormhole.app. You will need to describe what is novel with Berb and why we should use it over other solutions, and no, using WebRTC is not sufficient.
My personal choice for this kind of situation is Wormhole-William, but it is not something my dad could use when he asks me to send the last year's worth of his granddaughter's photos to make a photobook of.
You make a good point there but all those solutions you mentioned store your file one way or another. Which also means your file is getting uploaded to some random server and you pretty much have no control over what happens after. With Berb that simply is not the case. WebRTC is a tool to achieve what I want and not the main selling point. It is simple - I don't want my files to be uploaded and I want the transfer to be instant (no download link later).
Besides the fact that this JUST got launched and can either be liked and used by many, or another dead product in a year, I have found myself using it multiple times so far. Like sending a large file to/from my work computer etc. If this is solving a problem for even a small number of people, that is great!
I'm not a js programmer but index.js has the line: "Signaling server running on http://localhost:${PORT}" -- is that what you're talking about? I think you're talking about the initial connection right?
util.js also contains "copyToClipboard = (value) => {", not sure why that would be needed.
and googletagmanager for tracking error/diagnostics I think? it's hard to understand this code without learning the language lol.
Also in privacy.html: "To initiate a peer-to-peer connection, Berb uses a temporary signaling server to exchange network metadata (such as IP addresses, session descriptions, and ICE candidates)."
Thx for the analysis! copyToClipboard is for copying the session link so it can be opened on your other device.
As for analytics, you are exactly right. I need to know if people are using the app the way it was intended and soon need to add more events for errors. Though perhaps it is something I can maintain on a separate repo? idk, the goal for me was to truly make everything on berb.app open source. no hiding anything
Thx for the suggestion. Just added a license but don't really have a good contributing guideline yet. Would love to discuss any feature requests/bugs if you open an issue.
This looks cool. However my goal with Berb is pretty much browser to browser only. Although if people keep asking for other features, I might consider a desktop/mobile app.
Right, many people can connect directly, but also many cannot.
And because a large number of people do need TURN (always), coupled with the majority of WebRTC apps not properly supporting TURN (giving no way to set your own details, or provide a free one, of which there really aren't any reliable public ones)... I've basically never seen it work.
No p2p WebRTC app I have ever tried with a friend has worked.
https://github.com/n0-computer/sendme
https://github.com/dmotz/trystero is one tool I've used to build these kinds of apps.
Except an impressively large amount of people in the world are behind symmetrical or CGNAT and would require a TURN server.
Because of this, I've personally never gotten a single p2p/WebRTC site to work with another person.
My understanding is that ICE tries to establish a direct p2p connection between clients and only if there is no path, it uses TURN?
In either case, the files definitely don't go through my servers and are not stored anywhere and are e2e encrypted which really matters the most.
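How an app can report which path ICE actually selected, direct or via a TURN relay, as an added example that is not part of the thread or of Berb's code. `selectedIcePath` and `sampleStats` are hypothetical names; the stats entries are constructed but use the field names of the WebRTC statistics API.

```javascript
// Added example. `stats` stands in for the Map-like RTCStatsReport returned by
// RTCPeerConnection.getStats(); the entries below are constructed sample data.
function selectedIcePath(stats) {
  const all = [...stats.values()];
  // Prefer the transport's selected pair; fall back to a nominated, succeeded pair.
  const transport = all.find((s) => s.type === "transport" && s.selectedCandidatePairId);
  const pair = transport
    ? stats.get(transport.selectedCandidatePairId)
    : all.find((s) => s.type === "candidate-pair" && s.nominated && s.state === "succeeded");
  if (!pair) return { connected: false, relayed: false };
  const local = stats.get(pair.localCandidateId);
  const remote = stats.get(pair.remoteCandidateId);
  const types = [local && local.candidateType, remote && remote.candidateType];
  // A "relay" candidate on either side means the traffic passes through a TURN server.
  return { connected: true, relayed: types.includes("relay"), types };
}

// Constructed report: one transport, one succeeded pair, one candidate per side.
const sampleStats = (localType, remoteType) => new Map([
  ["T1", { type: "transport", selectedCandidatePairId: "P1" }],
  ["P1", { type: "candidate-pair", state: "succeeded", nominated: true,
           localCandidateId: "L1", remoteCandidateId: "R1" }],
  ["L1", { type: "local-candidate", candidateType: localType }],
  ["R1", { type: "remote-candidate", candidateType: remoteType }],
]);

console.log(selectedIcePath(sampleStats("srflx", "host")));
console.log(selectedIcePath(sampleStats("relay", "srflx")));
```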