ZeroBin - Because ignorance is bliss

TL;DR: ZeroBin is a minimalist, open-source online pastebin/discussion board where the server has zero knowledge of hosted data. Data is encrypted/decrypted in the browser using 256-bit AES. You can test it online.

Paste, share, discuss about it.


Features

  • Easy to install (put the files, open the page)
  • No database required.
  • FAST
  • Brain-dead easy to use: Paste text, click “Send”, share the URL.
  • Data compressed and encrypted in the browser before sending to server. Uses 256-bit AES.
  • Server has zero knowledge of data being stored. Your data is safe even in case of server breach or seizure. 1)
  • Expiration: 5 minutes, 10 minutes, 1 hour, 1 day, 1 week, 1 month, 1 year or never.
  • “Burn after reading” option: The paste is destroyed when read.
  • Unique deletion URL generated for each paste.
  • Syntax coloring for 54 languages (using highlight.js), supporting mixing (html/css/javascript).
  • Automatic conversion of URLs into clickable links (http, https, ftp and magnet).
  • Search engines are blind regarding paste content.
  • Single button to clone an existing paste.
  • Rate limiting: 10 seconds between each paste.
  • Size limiting: 2 Mb per paste (of compressed and encrypted data - cleartext data can be larger).
  • Discussions:
    • You can enable discussion on each paste.
    • Discussion is of course also encrypted/decrypted in the browser.
    • Server cannot see comments content or nicknames.
    • VisualHash on each post to identify IP addresses without revealing them. Same image = same IP. 2)
    • With paste expiration, you can have ad-hoc short-lived discussion which will disappear in the void after expiration. This will leave no trace of your discussions in your email boxes.
    • Discussions cannot be indexed by search engines. Period. 3)
    • Send a link by email to a friend for private discussions which will leave no trace in your email box, will not be indexed by search engines, will not be read by robots and will never be archived.
  • Free software
  • GitHub access to source code.

Screenshot

Requirements

  • Server:
    • php 5.2.6 or above.
    • GD
    • No database required.
  • Client:
    • A modern, javascript-capable browser (See FAQ for list of supported browsers).

Pros/Cons

Benefits

  • Low server requirements, easy installation.
  • Benevolent server admins can provide a service which protects their users' privacy: text sharing and discussions.
  • User data is protected even in case of server breach or seizure.
  • Server admins cannot pro-actively moderate documents and (hopefully) cannot be held liable, because they have no knowledge of the data being shared and there is no search engine.
  • There is no public feed of google-indexable content (Google will not index documents except if you leak the URL).
  • Admins can still remove a document upon injunction or infringement notice… but have no way to tell if the same document has been posted again.
  • No advertising.

Drawbacks

  • Won't work if javascript is disabled.
  • Users still have to trust the server regarding the respect of their privacy. ZeroBin won't protect the users against malicious servers.
  • Won't protect against man-in-the-middle attacks (e.g. javascript substitution).
  • Shitty look in Internet Explorer (but who cares?)

How does it work?

When pasting a text into ZeroBin:

  • You paste your text in the browser and click the “Send” button.
  • A random 256-bit key is generated in the browser.
  • Data is compressed and encrypted with AES using specialized javascript libraries.
  • Encrypted data is sent to server and stored.
  • The browser displays the final URL with the key.
  • The key is never transmitted to the server, which therefore cannot decrypt data.

When opening a ZeroBin URL:

  • The browser requests encrypted data from the server
  • The decryption key is in the anchor part of the URL (#…) which is never sent to server.
  • Data is decrypted in the browser using the key and displayed.

Sample URL

http://sebsauvage.net/paste/?7a5dd0979f712164#QdnCROuH9eb/UXv3oBjBw3eOdb3y9p5n+/EAkUJZBxg=

  • 7a5dd0979f712164 is the paste identifier.
  • QdnCROuH9eb/UXv3oBjBw3eOdb3y9p5n+/EAkUJZBxg= is the decryption key. It is never sent to the server. 4)

A test service is available at http://sebsauvage.net/paste/
(Please note that this is a test service: Data may be deleted anytime and the service may be shut down. Please do not abuse this service.)

Source

Please note this is ALPHA software. It means “unfinished”, “incomplete” software, not production-ready code. Use at your own risk. (Nevertheless, it's very solid and stable.)

The zip file includes all necessary files (including the javascript libraries mentioned below). Just drop the files on your server and open the URL.

ZeroBin uses:

Licence

ZeroBin is under the zlib/libpng OSI licence.

Installation

Unzip in a directory, open the page. Yes, that's all.

Upgrade

If you want to upgrade from a previous ZeroBin version, delete everything in your ZeroBin directory except the data directory, and unzip the new version.

Authors

Contributing

Version history

Version history is available on this page.

FAQ (Frequently Asked Questions)

The FAQ is in this page.

ToDo list

The project todo/ideas list is in this page.

Discussion

Your remarks, suggestions, criticisms, ideas and bug reports are welcome on the ZeroBin discussion page.

After creating ZeroBin, I stumbled upon similar projects, but with different perspectives:

  • ezcrypt.it. 128 bits AES, and very similar. Closed source, but sources will be opened soon.
  • crypt.ch. 128 bits AES, and very similar. Closed source.
  • cryptobin.org. 256 bits AES with password. Requires to type the password. Closed source. Google tracking javascript included in page.
  • securepastebin.com. 56 bits DES with password. Requires to type the password. Closed source. Google tracking javascript included in page. (Please note that DES can be broken in 3 days and should not be used anymore.)
  • pastecrypt.com. 256 bits AES with password. Requires to type the password. Closed source. Nice password security estimation. Google tracking javascript included in page.
  • privnote.com, burn-after-reading note. Key in URL (like ZeroBin). Crypto unknown (AES?). Keysize unknown. Closed source. Google tracking javascript included in page.
  • selinked.com. 128 bits Twofish. To decode, you need to paste the Key and the message id. Google tracking javascript included in page.
  • pastevault.com. SJCL (AES ?) with password. Google tracking javascript included in page.

You can also have a look at:

  • MyCryptoChat, browser-based encrypted chat. Chatrooms expire.
  • crypto.cat, a browser-based encrypted chat. 256 bits AES. Requires a browser addon.
  • NoPlaintext.com, One-liner message, can only be read once.

1) In that event, only your past pastes will be protected, of course, because the hacker could implant crooked javascript libs to get your future pastes.
2) No: It's not trivial to brute-force because it's salted (each ZeroBin installation has its own random salt). You don't have to brute-force the 32-bit IPv4 space, but a 536-bit space. Good luck.
3) Search engines may stumble upon the URL of a paste, but they will not index the content of the paste itself, because they never execute javascript code.
4) If you don't trust me, Wireshark the damn thing!