I'm a 39-year-old software engineer. I like technology. I hack for fun, not profit.
Because I have no twitter account.
@sebsauvage and @seb_sauvage do not belong to me. But they replicate my news.
You can contact me by email: sebsauvage at sebsauvage dot net. Or start a ZeroBin discussion if you want and send the URL.
Because that's a pastebin where the server has zero knowledge of data.
Pastebin.com declared they have started to pro-actively monitor and censor content, in addition to their abuse service. They have to do this because they can read the content posted by their users, and can thus be held liable.
I do not like the idea of a service pro-actively censoring data. In fact, I'd like to see a service where the admins cannot pro-actively monitor data. This is why I created ZeroBin.
Besides, even private pastes can be read by Pastebin staff. With ZeroBin, the server hosting the data cannot read it.
The idea of storing the decryption key in the URL comes from the brilliant Freenet anonymous P2P network. ZeroBin does not aim at providing the same resilience, privacy and anonymity levels as Freenet, but to provide a simple service which can help server admins protect their users' privacy and freedom.
My test service is http://sebsauvage.net/paste/. This is a test-bed for the development version, but as soon as it's stable enough, I intend to make it permanent (at the same URL).
There are many other ZeroBin servers on the net. You can also install one on your own website.
I do not plan to sell ZeroBin. I will not fund a startup to market it. It's just an opensource hobby project, and a free service.
My host, Digital Network, has been hosting me for free for many years, and never asked for any compensation. I don't want to bother them with that.
It's a humorous way of saying: « Hey, I provide this service to everyone for free, so please be kind, don't hammer my service, do weird things with it or try to hack it. I made reasonable provisions so that the service supports a good load, but it has not been extensively load-tested. »
Well, my website was online years before Facebook and Twitter existed. I plan to renew my domain until I die. Maybe even after that.
So yes, I guess you can rely on it. If the load is too high on my host or the attacks too frequent, I may tear the service down.
ZeroBin is not about providing client-side-super-magical-military-grade-crypto to protect the user from the server. No. As a user, you still need to trust the server with providing non-crooked js crypto.
But if you do, you know the admin cannot peek on your data. (There is a shift from "do not want" to "cannot"). As a privacy/freedom proponent, I do not want to know what you are pasting on my service. With ZeroBin, I cannot even know.
About javascript crypto: It's just a matter of where you place your trust. You say you prefer GnuPG. Good. So I guess you trust the repositories of your distribution to provide clean, non-crooked binaries? No? So you downloaded the source code and compiled it yourself. I guess you trust the website where you downloaded the sources from? No? Oh… you checked the signatures of the source code with the keys. So you downloaded the public keys from a keyserver. Which one? pgp.mit.edu? So I guess you trust the key server… etc.
See? It's only a matter of trust shifting.
Don't trust my service? Hack your own, or fork/hack ZeroBin, install it on your own server. That's what the free software license is for.
Like the authors of Freenet wrote: « humanity should not be deprived of their freedom to communicate just because of how a very small number of people might use that freedom. ». I don't want to be able to review, "moderate" or choose what has the right - in my view - to be communicated, because that would not be freedom of speech anymore. And I value privacy too.
Recommended reading: The philosophy of Freenet
Note that I will take down pastes when necessary. I'm not rich and I can't afford the rates of lawyers.
But don't tell me to monitor content posted on ZeroBin: I can't. That's a side effect of protecting my users' privacy.
Please do not post hacked accounts and private information on my service. There are plenty of ZeroBin servers on the net. Don't use mine for that. Thanks.
You can't. With ZeroBin, you still have to trust the server.
If you don't trust the server, don't post data to it, or install your own service (it's easy with ZeroBin!), or post OpenPGP-encrypted messages (best choice).
Let me put this correctly: Internet Explorer does not work correctly with ZeroBin. Mind you, ZeroBin works as-is, with no special adaptation, with ALL OTHER BROWSERS. Only IE wouldn't work. ZeroBin is not the problem here. IE is the problem.
I had to add special javascript code so that IE works. So ZeroBin does work in IE 6/7/8/9 (paste creation & reading), but it looks like shit and has no "Clone" button.
I don't plan to waste any more time adapting my app to IE. Get a decent browser.
Screenshot of ZeroBin in IE:
No.
The moment I do that the ZeroBin servers would be filled with piles of AVI files. I'm not going that way: ZeroBin will remain a tool to share text.
ZeroBin is known to work with:
You can't. Just create a new one or use the "Clone" button.
When you create a paste, a unique delete link is provided. Opening this link will immediately destroy the paste.
If you lost the URL, you will not be able to delete the paste.
When creating a paste, you can also set an expiration date. The paste will automatically disappear after this date. (Note that the default expiration is 1 month.)
You can't. ZeroBin is a fire-and-forget paste service. No registration, no accounts, no logins. Once a paste is posted, you lose control over it (except deletion). If you lose the URL, you lose your paste. If you lose the key, you lose the paste.
When you click a link, all browsers send the Referer. In other words, they tell the new page where you came from.
If you click a link in ZeroBin, the new website will know you came from a ZeroBin paste (and which one), but will not get the key, and thus will not be able to read the text.
For example, if you click the link to Google in this paste: http://sebsauvage.net/paste/?406cbf5e7a9c7e03#0sDi6e4acQhaCTI9II/aq4X+QiMAx6onhL3KczjpsVY=
The only thing Google will see in the Referer is: http://sebsauvage.net/paste/?406cbf5e7a9c7e03
Which is unreadable without the key:
Your browser will not leak the key when you click a link.
No.
The URL shortening feature was removed. Don't use URL shorteners: That's bad for your privacy (and it gives away the key!) and may break if the URL shortening service goes titsup.
You can't. You don't have the crypto key, so you can't edit the content.
Get the paste identifier from the URL (e.g. http://sebsauvage.net/paste/?abcdef0123456789#QdnCROuH9…) and look into your data subdirectory. If the paste identifier is abcdef0123456789, you will find the file data/ab/cd/abcdef0123456789, which contains the paste. Just delete it.
Hover the cursor over a comment date: you will see a CommentID.
Now go to the paste directory (see previous question), and look for the discussion directory corresponding to the paste. E.g. if the CommentID is AAAAAAAAAAAAAAAA and the pasteID is abcdef0123456789, the comment is stored in the file data/ab/cd/abcdef0123456789.discussion/abcdef0123456789.AAAAAAAAAAAAAAAA.xxxxxxxxxxxxxxxx (where xxxxxxxxxxxxxxxx is the identifier of the parent comment). Just delete the file.
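The two manual procedures above (deleting a paste, deleting one comment) as one small admin script. This is an added example, not ZeroBin's own code; it assumes only the data/ab/cd/<id> layout described here, and it validates the identifiers first so that a mistyped id can never turn into a path outside the data directory.

```php
<?php
// Added example, not ZeroBin's own code: delete a paste, or one comment,
// using the on-disk layout described above. Run from the install dir.

// Ids on this page are 16 characters (e.g. abcdef0123456789). Refusing
// anything else means an id can never become a path escaping data/.
function is_zerobin_id(string $id): bool
{
    return (bool) preg_match('/^[A-Za-z0-9]{16}$/', $id);
}

// abcdef0123456789 -> data/ab/cd/abcdef0123456789
function paste_path(string $id): string
{
    if (!is_zerobin_id($id)) {
        throw new InvalidArgumentException("bad paste id: $id");
    }
    return 'data/' . substr($id, 0, 2) . '/' . substr($id, 2, 2) . '/' . $id;
}

// Comments: <paste path>.discussion/<pasteid>.<commentid>.<parentid>
// The parent id is not shown in the UI, so match it with a glob.
function comment_paths(string $pasteId, string $commentId): array
{
    if (!is_zerobin_id($commentId)) {
        throw new InvalidArgumentException("bad comment id: $commentId");
    }
    return glob(paste_path($pasteId) . ".discussion/$pasteId.$commentId.*") ?: [];
}

// Remove the paste file together with its whole discussion directory.
function delete_paste(string $id): void
{
    $path = paste_path($id);
    foreach (glob("$path.discussion/*") ?: [] as $f) unlink($f);
    if (is_dir("$path.discussion")) rmdir("$path.discussion");
    if (is_file($path)) unlink($path);
}

// Usage: php <this script> <pasteid> [commentid]
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    if (isset($argv[2])) {
        array_map('unlink', comment_paths($argv[1], $argv[2]));
    } else {
        delete_paste($argv[1]);
    }
}
```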
ZeroBin limits the traffic: An IP address can only post every 10 seconds. Behind a reverse-proxy, ZeroBin sees only one IP address. This is a problem.
You need to change:
if (!trafic_limiter_canPass($_SERVER['REMOTE_ADDR']))
to
if (!trafic_limiter_canPass($_SERVER['HTTP_X_FORWARDED_FOR']))
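A safer way to make that change, as an added example that is not part of the page or of ZeroBin's own code: X-Forwarded-For is an ordinary request header, so it is only trustworthy when the request really came from your proxy. The function name client_ip and the proxy address 10.0.0.2 are assumptions.

```php
<?php
// Added example, not ZeroBin's own code: pick the address the traffic
// limiter keys on when ZeroBin sits behind a reverse proxy.
// HTTP_X_FORWARDED_FOR is just a request header, so it is only meaningful
// when REMOTE_ADDR is a proxy we control; otherwise any direct client could
// send a fresh fake address with each request and sidestep the 10-second rule.
function client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;            // direct client: ignore the header entirely
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;            // proxy forwarded nothing
    }
    // The header reads "client, proxy1, proxy2, ...": the last entry is the
    // one our own proxy appended; earlier ones may be client-supplied junk.
    $hops = array_map('trim', explode(',', $xff));
    $candidate = end($hops);
    // Only accept a syntactically valid IP as the rate-limiter key.
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remote;
}

// Constructed requests; 10.0.0.2 stands for the reverse proxy (assumption).
$trusted_proxies = ['10.0.0.2'];
// Behind the proxy: the limiter sees the real client.
assert(client_ip(['REMOTE_ADDR' => '10.0.0.2',
                  'HTTP_X_FORWARDED_FOR' => '203.0.113.7'], $trusted_proxies) === '203.0.113.7');
// Direct client sending the header itself: the header is ignored.
assert(client_ip(['REMOTE_ADDR' => '198.51.100.9',
                  'HTTP_X_FORWARDED_FOR' => '203.0.113.7'], $trusted_proxies) === '198.51.100.9');
// Client-supplied junk ahead of the entry the proxy appended.
assert(client_ip(['REMOTE_ADDR' => '10.0.0.2',
                  'HTTP_X_FORWARDED_FOR' => 'junk, 203.0.113.7'], $trusted_proxies) === '203.0.113.7');

// The line quoted above then becomes:
// if (!trafic_limiter_canPass(client_ip($_SERVER, $trusted_proxies)))
```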
The script probably does not have write permission where it is installed. Manually create the subdirectories "tmp" and "data" where you have installed ZeroBin. Don't forget to give write rights to the user who runs the webserver (chmod a+w tmp and chmod a+w data).
ZeroBin is on GitHub: https://github.com/sebsauvage/ZeroBin
(Keep in mind that I want to avoid feature creep. Don't be upset if I reject a patch.)
No. It's not a simple IPv4 space. A 504-bit salt is added to the IP address before hashing and computing the Vizhash. And each ZeroBin installation has its own, random, salt.
So if you want to brute-force a Vizhash, that's not 32 bits you are going to have to explore, but 536 bits. Good luck with that.