Best solution for private torrents?

[antoniusostermann]

What would be the best solution to set up private file transfer, so if I want to share a file only with some people or just one person. Would a private tracker be the way to go?

As far as I understood the api, the whole sending / receiving process is inteded to work "cross domain" with all seeders and leechers. Is there any way to create private torrents or to implement an own authentication process to only allow specific persons to download a file I am seeding?

[feross]

You should consider encrypting the file and only sharing the key with the person who you want to receive the file. That way, if the hash of the file leaks out somehow -- say via a bug in webtorrent #271 -- the file will be worthless.

Running your own private instance of bittorrent-tracker and explicitly disabling the DHT with the { dht: false } option to the WebTorrent constructor would help too.

When you create .torrent files with create-torrent or by calling webtorrent.seed, make sure to use the { private: true } option to tell clients to not share the hash with the DHT or with other peers using peer exchange (PEX).

Feel free to share your findings here, so that others who are trying to do the same thing can benefit!

[antoniusostermann]

Is there any option to do this on client side? So, is there any hook/callback available if someone downloads a file / part of a file from me? That way, I could restrict access to files on client side by forbidding the download.

[DiegoRBaquero]

@Canifex Yes, let me explain further what feross said.

You must do var client = new WebTorrent({ dht: false }) and when seeding the private feel do client.seed(myFile, {private: true})

I hope this helps :)

[antoniusostermann]

@DiegoRBaquero thanks for your fast helper (and of course @feross for the help before).

I understood that I can use a private tracker and seed files privatly with these options. But is there any additional option on client side to hook in if someone requests one of my seeded files? This would make it possible to implement some security logic on the client, not on a centralized tracker, which could be untrustable from a client's perspective. In addition, you could authorize requests even with using dht.

For example sth like:

var client = new WebTorrent({ dht: false });
client.seed(myFile, {private: true})
client.onLeech(function(file, leecher){
  if (downloadAllowed(file, leecher)) {
    return true;
  } else {
    return false;
  }
});

[DiegoRBaquero]

@Canifex No, at the moment there is not, and I doubt there will be (I think).

As long as you use those options and use a private tracker and don't share the hash/magnet/.torrent with unauthorized people, there's no way to find the file.

[feross]

There is actually a way to inspect the handshake that the remote peer sends you, and maybe even intercept it / decide to reject it.

The bittorrent-protocol package supports an extension API. Here's an example of an extension implemented with it: https://github.com/feross/ut_metadata/blob/master/index.js

If you hook into the 'wire' event on the torrent, you can add support for your special client-side handling.

Here's some untested code for how you might do it:

torrent.on('wire', function (wire) {
  wire.use(myExtension())
})

Beware that this is really, really low-level.

[lock]

This thread has been automatically locked because it has not had recent activity. To discuss futher, please open a new issue.