HN Showcase
Back to browse
ShareNova – Zero-knowledge file transfer with magic-byte scanning

ShareNova – Zero-knowledge file transfer with magic-byte scanning

by HatemDabet·Mar 7, 2026·2 points·0 comments
Visit ProjectView on HN

AI Analysis

●●SolidSolve My ProblemDark Horse

Magic-byte scanning catches disguised executables; but Tresorit and Sync.com already do encrypted transfer.

Strengths
  • Magic-byte file scanner detects executable disguise (MZ headers in .jpg) server-side before receiver downloads.
  • No-account WebSocket streaming with bitfield resume logic handles reconnects gracefully.
  • AES-256-GCM with PBKDF2 (200K iterations) and client-side key derivation—keys never touch server.
Weaknesses
  • Encrypted deferred storage still requires server to hold ciphertext; trust model unclear if server is compromised.
  • Magic-byte scanning only reads first 16 bytes—misses polyglot files or multi-stage payloads hidden deeper.
Category
Security
Target Audience

IT professionals, system administrators, anyone transferring sensitive files without account friction.

Similar To

Magic Wormhole · Tresorit Send · Sync.com file transfer

Post Description

Hi HN,

I'm a software engineer in IT support. I constantly need to transfer large log files and system images securely between machines. Existing tools either had size limits, required accounts, or lacked real encryption. So I built ShareNova.

How it works:

Live transfer: Server-relayed WebSocket streaming, chunked with bitfield tracking for automatic resume on disconnect. No account required.

Deferred storage: When the receiver is offline, files are chunked and encrypted client-side using AES-256-GCM (PBKDF2 key derivation, 200K iterations) before upload. The server only stores ciphertext. Keys never leave the browser.

Magic-byte file scanner: Every deferred file is scanned server-side by reading the first 16 bytes and comparing against known signatures. Detects disguised executables (MZ header in a .jpg), double extensions, and archives containing dangerous files. Results are shown as safety badges to the receiver.

In-browser preview: Images, video, audio, PDF, and code files can be previewed before download without breaking the security model.

The stack is Node.js + Express + ws, single-server, no external dependencies for the core transfer logic.

Try it: https://sharenova.io

I'd love feedback on the architecture and the scanning approach.

Similar Projects