Magic Wormhole


"Wormhole it to me."

Hover over me Tooltip text


Someone actually said this to me and expected me to know what it means. As it turns out, there's a tool for sending files securely called magic wormhole. And it's really easy use. It's honestly suspiciously easy to use.

To send a file, say interstellar.jpg, you just run this:

$ wormhole send interstellar.jpg

...and you're given a wormhole code. The wormhole code will be a number followed by two words, all separated by hyphens. Something like "7-almighty-clamshell" or "3-equation-minnow". Next, you tell this code to your buddy, and have them run the following:

$ wormhole receive

...and then have them enter the code when prompted. Just like that, a progress bar appears on both the sender and receiver's side, and when it finishes the file is downloaded on their end.

Wait...how?

I'm so used to having to address every message in life--whether it's specifying a phone number, email address, public key, IP address, or username. The simplicity of magic wormhole blew my mind. I just shot a file out into the void, and my friend was able to pluck it back out with some magic words.

After a moment of bafflement, I realized what was going on in my mind. Usually when I have a terminal open and I'm sending a file somewhere I'm using ssh or scp. It hit me that this can't be anything like ssh or scp, during which a direct connection is made between the two computers. Instead, there's a server in between managing the issuance of codes and the transfer of files, and this server is doing the work of figuring out where and when to send each file. It logically attaches the wormhole code to the file submitted by the sender, and whoever attempts to receive with the same code is given the file.

This is secure?

Now that I've opened a couple of wormholes, I'm starting to wonder how this could possibly be secure. The three-part wormhole code is clearly the shared secret for this file transfer. All it takes to steal my message is for somebody to guess that code...which seems difficult but not nearly difficult enough given how fast computers can make guesses.

Let's approximate a little. The format of the code seems to be as follows:

<number>-<word>-<word>

So far, after 5-10 wormhole-ings I've only seen single-digit numbers. So 10 options for the first 1/3 of the code.

As for the words, they seem to be normal english words roughly 6-9 letters long. To vastly overestimate the number of words that they are picking from, let's pretend that magic wormhole can use any word in the English language.

A quick google says that there are 171,146 words in the Oxford English Dictionary, starting at A1 and ending at Zyzzyva. Something tells me I'm not going to run wormhole send and receive the code 5-a1-zyzzyva...but we're looking for an overestimation here so I'm going to go with it.

So the total number of possible codes is:

(# possible digits) X (# possible words) X (# possible words)


which for our estimation is:


(10) X (171,146) X (171,146) = 292,909,533,160

Ok, so that is a lot of possible codes. But also...it isn't. Usually, secure communication or file transfer uses asymmetric encryption keys (e.g. RSA) to establish a secure connection, and then uses that connection to exchange symmetric keys for further use (because they are more efficient). A common symmetric algorithm is AES. An AES key can bit 128 bits long, which is on the low end of what is generally accepted today.

So the number of possible 128-bit AES keys is:

2128 = 340,282,366,920,938,463,463,374,607,431,768,211,456


Wow, that is massive. And for good reason, as computers can now make guesses of this kind thousands to even millions of times a second. What confuses me is that this number is way WAY higher than my estimated number of possible wormhole codes. This means that, from a glance, wormhole seems very far from being as safe as industry standards.

What's wrong with me?

Clearly there's a major gap in my thinking here. There has to be.
I got curious, and perused the magic wormhole website. Turns out they straight up tell us that magic wormhole uses 16-bit codes: "so for each use of the tool, an attacker gets a 1-in-65536 chance of success" (site).

Wait what? That's even less than my estimate, which would already be unsafe if it were accurate. 65536 possibile codes...that could be brute-forced in seconds.

Here's the catch: if the wormhole server receives one incorrect guess, the entire message is discarded.