Hacker News | meejah's comments

I am not a cryptographer, but can explain that Magic Wormhole uses SPAKE2 to negotiate a shared secret (RFC9382 claims equivalent to gap Diffie-Hellman), and then uses NaCl SecretBox to symmetrically encrypt all data between the peers.

(If using the newer Dilation protocol -- which is true for many of the non-file-transfer tools like ShWiM, Git-WithMe or Fowl -- peer traffic uses this shared secret with Noise, specifically "Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s".)

One tool that does now use Magic Wormhole for "introduction" like this is EtherSync: https://ethersync.github.io/ethersync/


Correct.

It does learn some metadata: the endpoints of the messages (unless you use Tor) and the number of bytes in those messages.


...and also "Git-WithMe" for peer-to-peer, one-off Git usage: https://sr.ht/~meejah/git-withme/


Note, too, that you may run your own "transit helper" (code: https://github.com/magic-wormhole/magic-wormhole-transit-rel... ) and then specify this via "wormhole --transit-helper tcp:<your host>:<port>" when doing a transfer.

You do need to run the helper on a public IP address, like a rented VPS for example.


You should probably first test and ensure that you're sending "directly" instead of via the relay -- but if that's true then yes.


One use-case could be for SyncThing to actually _use_ magic-wormhole as a way to introduce / join another endpoint to a SyncThing folder.


There are Rust and Haskell implementations too (not quite as feature-full as the Python code yet, though) as well.

In principle WebRTC communication could be added to magic-wormhole, but that work has not been done yet. There is WebSocket support in the relay (including "cross-protocol" so one client can be WebSocket and the other TCP). This is only deployed on the Winden.app servers (tcp://relay.mw.leastauthority.com:4001 and wss://relay.mw.leastauthority.com for the relay).

You'd need to use the Winden.app relay server if you want https://winden.app users to reach your Python CLI (e.g. via "wormhole --relay-url wss://mailbox.mw.leastauthority.com/v1 send" for example).


You might even use Magic Wormhole to securely transfer WireGuard keys!


Nerdsnipe accomplished :)


There are several different clients available for Magic Wormhole, including GUIs and phone apps: https://magic-wormhole.readthedocs.io/en/latest/ecosystem.ht...


If two Magic Wormhole clients _are_ on the same LAN they should communicate directly that way (i.e. no relay required).

