xx Haven with Tribler
What's Tribler?
It's an app for Tor-like Torrent-based file sharing that doesn't suck like Tor does.
What's Haven?
It's a privacy-focused, decentralized chat and messaging Web app on xx Network's cMixx mixnet.
What integrations, and why?
Let's see about the whys first: you need to find torrents that you want to download.
Tribler has an internal search feature, but it's not that good yet.
So you go out on the Web to find torrents, which means one or more of the following:
- Being tracked on Torrent search Web sites
- Monetary (and sometimes privacy) cost of subscribing to a VPN service
- Using Tor to hide your activity
- Registering at Torrent sharing private Web sites or chats
- Using some password-protected site where you're registered with a fake or real identity
Is there a better way? I think there is: one UI with Haven and Tribler:
- Someone posts an RSS feed into a private (or public) Haven Space ("chat channel")
- Users copy links and download them using Tribler
Integrations
Ideally, Haven could run inside of Tribler. But the Tribler project would have to make that happen. Alternatively, someone could create and maintain a patch. Not very good.
Another way is to create a small patch to Tribler menus and run Haven in an iFrame.
Another way is to run Tribler in a Haven iFrame. That's easier, but you have to create a small patch for Haven, which some privacy-sensitive people may not like.
Pros and cons of DIY approaches
A Haven iFrame in Tribler chat menu is available here. I call this attempt v1.0.
You click on the chat cloud icon and Haven opens in the main pane (iFrame).
- Step 1: join a Haven Space ("chat channel")
- Step 2: find a magnet link
- Step 3: paste it into "Add torrent"
The bad:
- every time the user navigates away from the chat menu, Haven state is lost and user cannot access Haven again without logging in
The good:
- every time the user navigates away from the chat menu, Haven state is lost and user cannot access Haven again without logging in
Do you see what I mean? If your use case is "get into a Haven Space, get one link, copy it to Tribler and leave Haven", this is actually a good approach. All it takes to secure access to Haven is to navigate away: you won't leave Haven iFrame open because in order to use that Magnet link you'll have to leave it. Just make sure your Haven profile password is strong!
Note that this only hides your Haven identity, Spaces, and chat data, while Tribler UI is still running and downloaded data is on disk.
The second approach I tried - a Tribler iFrame in Haven - works the other way around, except there's no state in Tribler (it's a server-based application with a Web UI) so if you download multiple torrents or like to chat with Space members as you download, this may be better for you.
Join a channel, get your links, download them in Tribler and watch/manage downloads as they go.
In this approach there's a small patch to Haven which seems low-risk to me if you're the only user of your Haven instance: you own the Haven instance and you own the Tribler instance as well, so as long as you're not concerned about Tribler in a Haven iFrame, I think patching Haven and using it this way is fine.
I'm working on finalizing these small patches in another release at the same location as v1.0.
Do we actually need any integration?
That's a good question. If you don't use both of these applications at the same time often, it's probably best to use them separately and avoid complications.
As an example of yet other approaches, I've built a simple browser extension which downloads selected (Magnet) links using Tribler: very easy to use, no patches required. But you can't see or control what's going on with downloads without going to another tab or window with Tribler UI.
I couldn't load Haven in this "preview" version of Firefox (WASM issues), but this is how simple the extension is: select a Magnet link in Haven chat and use the extension to initiate Tribler download.
This can work anywhere including the "Haven with a Tribler iFrame" approach because it simply talks to the Tribler API and Tribler UI doesn't need to be visible. It saves some copy-and-paste even if Tribler runs in the same browser tab as Haven. I've posted a proof-of-concept version here - see the link for the details.
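A magnet link selected in a chat is untrusted input, so it is worth vetting before anything passes it to the Tribler API. The sketch below is an added example, not the code of the extension described above: `parseMagnet` is a hypothetical helper, and dropping every parameter except `xt` and `dn` is a conservative choice made for this example.

```javascript
// Added example: vet chat-supplied text before it reaches a downloader's API.
const BTIH_HEX = /^[0-9a-f]{40}$/i;        // v1 infohash, hex-encoded SHA-1
const BTIH_B32 = /^[a-z2-7]{32}$/i;        // v1 infohash, base32-encoded
const BTMH_SHA256 = /^1220[0-9a-f]{64}$/i; // v2 multihash: sha2-256, 32 bytes

function parseMagnet(text) {
  const raw = String(text).trim();
  // Exactly one magnet URI: bounded length, no embedded whitespace.
  if (raw.length > 2048 || /\s/.test(raw) || !/^magnet:\?/i.test(raw)) return null;
  let params;
  try {
    params = new URL(raw).searchParams;
  } catch {
    return null;
  }
  const topics = [];
  for (const xt of params.getAll("xt")) {
    const m = /^urn:(btih|btmh):(.+)$/i.exec(xt);
    if (!m) return null; // not a BitTorrent topic
    const kind = m[1].toLowerCase();
    const valid = kind === "btih"
      ? BTIH_HEX.test(m[2]) || BTIH_B32.test(m[2])
      : BTMH_SHA256.test(m[2]);
    if (!valid) return null;
    topics.push(`urn:${kind}:${m[2]}`);
  }
  if (topics.length === 0) return null;
  // Display name is attacker-controlled text: drop control characters, cap length.
  const name = (params.get("dn") || "").replace(/[\u0000-\u001f\u007f]/g, "").slice(0, 200);
  // Rebuild from vetted parts only; tr/ws/xs/as URLs from the chat are not forwarded.
  let uri = "magnet:?" + topics.map((t) => "xt=" + t).join("&");
  if (name) uri += "&dn=" + encodeURIComponent(name);
  return { uri, topics, name };
}
```

Without the `tr` parameters the client has to find peers through other means such as DHT, so keep them (after checking each URL) if that does not work for your torrents.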
If you're a security freak, I won't try to persuade you to use these iFrame approaches.
Security concerns
It is possible that the app in iFrame does something to its parent frame. If you worry about that, of course just run the apps separately or even in different VMs.
In the "Haven with a Tribler iFrame" approach we could tighten the iFrame CORS, and also properly integrate applications so that we don't have to skip authentication from localhost clients on Tribler (which I currently do). I'll post the patches in the repo for easy reviewing. Risk of someone else accessing your instance of Tribler on localhost (where Haven is running) through Haven iFrame should be extremely low, though.
And this instance of Tribler should not listen on public IPs - simply close off its Web UI and IP ports.
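The browser controls that restrict a framed app are the iframe `sandbox` attribute and the CSP `frame-ancestors` and `frame-src` directives. The sketch below is an added example, not the patch mentioned above: `buildFramePolicy` is a hypothetical helper, the ports in the usage are constructed, and the sandbox token set is an assumption about what the framed UI needs.

```javascript
// Added example: derive a locked-down iframe tag and matching CSP headers
// for a parent app that embeds a second app running on the same machine.
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "[::1]"]);

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

function buildFramePolicy(childUrl, parentOrigin) {
  const child = new URL(childUrl);
  const parent = new URL(parentOrigin);
  if (child.protocol !== "http:" && child.protocol !== "https:") {
    throw new Error("frame src must be http(s)");
  }
  // The framed UI should only ever be reachable on the local machine.
  if (!LOOPBACK_HOSTS.has(child.hostname)) {
    throw new Error("framed app must be served from loopback");
  }
  // allow-scripts + allow-same-origin only confines a frame whose origin
  // differs from the parent's; a same-origin frame could reach the parent
  // document and remove its own sandbox attribute.
  if (child.origin === parent.origin) {
    throw new Error("serve the framed app from a different origin (port)");
  }
  // No allow-top-navigation and no allow-popups: the frame cannot replace
  // the parent page or open new windows.
  const sandbox = ["allow-scripts", "allow-same-origin", "allow-forms"];
  const iframeTag =
    `<iframe src="${escapeAttr(child.href)}" sandbox="${sandbox.join(" ")}"` +
    ` referrerpolicy="no-referrer"></iframe>`;
  return {
    iframeTag,
    // Content-Security-Policy value for the framed app's HTTP responses:
    // only this parent may embed it.
    childCsp: `frame-ancestors ${parent.origin}`,
    // Content-Security-Policy value for the parent page: it may only
    // embed this one child origin.
    parentCsp: `frame-src ${child.origin}`,
  };
}

// Constructed ports: parent app on 3000, framed app on 8085.
const policy = buildFramePolicy("http://127.0.0.1:8085/", "http://127.0.0.1:3000");
console.log(policy.iframeTag, policy.childCsp, policy.parentCsp);
```

`frame-ancestors` is only honoured when it arrives as an HTTP response header, so it has to be set by whatever serves the framed app, not by a `<meta>` tag.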
If you want to let others access Haven on the same computer, you could simply start another container binding a public IP and port. The same goes for extra Tribler instances.
In a crazy mix-up setup you could run a "groupware edition" of Haven-Tribler compose.yaml:
- Haven-Tribler setup for multiple users (who all share same Tribler and can be in the same channel if they're all focused on same content)
- One Web server gateway sharing static content (Tribler download directory) for authenticated downloads
That would be as secure as the stupidest downloader.
Summary
Haven provides private and confidential access to Magnet links that can be used in Tribler: free access, post-quantum E2EE, and metadata shredding eliminate the need to use Tor, VPNs or privacy-leaking Web sites.
Among DIY approaches at lightweight integration:
- For single-torrent and one-off use, Tribler with a Haven iFrame is a good approach which forces inconvenience (and results in good SecOps)
- For parallel use (Haven + Tribler) and multiple downloads, I like Haven with a Tribler iFrame because it gives me full control over Tribler
- For "hidden Tribler" we can run Haven + browser extension that hooks into the Tribler API, but you'd want extra controls and visibility into downloads, which means either occasional access to Tribler UI or a fat extension with some Tribler indicators similar to "Down Them All" or such (which is complex).