php:zerobin_faq

Differences

Below are the differences between two revisions of the page.

php:zerobin_faq [2014/04/03 12:16]
sebsauvage [Aren't you afraid your service could be used for nefarious purposes ?]
php:zerobin_faq [2014/07/12 12:26]
Line 1: Line 1:
  
-====== ZeroBin Frequently Asked Questions ====== 
- 
- 
- 
-===== General FAQ ===== 
-==== Who are you ? ==== 
- 
-I'm a 39 years old software engineer. I like technology. I hack for fun, not profit. 
- 
----- 
- 
-==== Why don't you anwser on Twitter ? ==== 
- 
-Because I have no twitter account. 
- 
-@sebsauvage and @seb_sauvage do not belong to me. But they replicate my news. 
- 
-You can contact me by email: sebsauvage at sebsauvage dot net. Or start a ZeroBin discussion if you want and send the URL. 
- 
----- 
- 
-==== Why the name "​ZeroBin"​ ? ==== 
- 
-Because that's a paste**bin** where the server has **zero** knowledge of data. 
----- 
-==== How did you get the idea ? ==== 
- 
-Pastebin.com declared they have started to pro-actively monitor and censor content, in addition to their abuse service. They have to do this because their //can// read the content posted by their users, and thus be held liable. 
- 
-I do not like the idea of a service pro-actively censoring data. In fact, I'd like to see a service where the admins **cannot** pro-actively monitor data. This is why I created ZeroBin. 
- 
-Besides, even private pastes //can// be read by Pastebin staff. With ZeroBin, the server hosting the data cannot read it. 
- 
-The idea of storing the decryption key in the URL comes from the brilliant [[https://​freenetproject.org/​|Freenet]] anonymous P2P network. ZeroBin does not aim at providing the same resilience, privacy and anonymity levels as Freenet, but to provide a simple service which can help server admin protect their users privacy and freedom. 
- 
----- 
- 
-==== Is there a ZeroBin service I can use ? ==== 
- 
-My test service is http://​sebsauvage.net/​paste/​. This is a test-bed for the development version, but as soon as it's stable enough, I intend to make it permanent (at the same URL). 
- 
-<note important>​Pastes posted to sebsauvage.net/​paste may be deleted anytime. This is a testbed service.</​note>​ 
- 
-There are many other ZeroBin servers on the net. You can also install one on your own website. 
- 
-I do not plan to sell ZeroBin. I will not fund a startup to market it. It's just an opensource hobby project, and a free service. 
- 
----- 
- 
-==== Why don't you setup https for your service ? ==== 
- 
-My host, [[http://​www.digital-network.net/​|Digital Network]], has been hosting me for free for many years, and never asked for any compensation. I don't want to bother them with that. 
- 
----- 
- 
-==== "​Kittens will die if you abuse this service"​ ? ==== 
- 
-It's a humorous way of saying: « //Hey, I provide this service to everyone for free, so please be kind, don't hammer my service, do weird things with it or try to hack it. I made reasonable provisions so that the service supports a good load, but it has not been extensively load-tested.//​ » 
- 
----- 
- 
-==== Once installed, can I expect this service to live a long life ? ==== 
- 
-Well, my website has been online years before Facebook and Twitter existed. I plan to renew my domain until I die. Maybe even after that. 
- 
-So yes, I guess you can rely on it. If the load is too high on my host or the attacks too frequent, I may tear the service down. 
- 
----- 
- 
-==== Why should I trust your service ? ==== 
- 
-ZeroBin is not about providing client-side-super-magical-military-grade-crypto to protect the user from the server. No. As a user, you still need to trust the server with providing non-crooked js crypto. 
- 
-But if you do, you know the admin cannot peek on your data. (There is a shift from "do not want" to "​cannot"​). As a privacy/​freedom proponent, I do not want to know what you are pasting on my service. With ZeroBin, I cannot even know. 
- 
-About javascript crypto: It's just a matter of where you place your trust. You say you prefer GnuPG. Good. So I guess you trust the repositories of your distribution to provide clean, non-crooked binaries ? No ? So you downloaded the source code and compiled it youself. I guess you trust the website where you downloaded the sources from ? No ? Oh... you checked the signatures of the source code with the keys. So you downloaded the public keys from a keyserver. Which one ? pgp.mit.edu ? So I guess you trust the key server... etc. 
- 
-See ? It's only a matter of trust shifting. 
- 
-Don't trust my service ? Hack your own, or fork/hack ZeroBin, install it on your own server. That's what the free software license is for. 
- 
----- 
- 
-==== Aren't you afraid your service could be used for nefarious purposes ? ==== 
- 
-Like the authors of Freenet wrote: « //humanity should not be deprived of their freedom to communicate just because of how a very small number of people might use that freedom.// ». I **don'​t want** to be able to review, "​moderate"​ or choose what has the right - in my view - to be communicated,​ because that would not be freedom of speech anymore. And I value privacy too. 
- 
-Recommend reading: The [[https://​freenetproject.org/​philosophy.html|philosophy of Freenet]] 
- 
-Note that I //will// take down pastes when necessary. I'm not rich and I can't afford the rates of lawyers. 
- 
-But don't tell me to monitor content posted on ZeroBin: I can't. That's a side effect of protecting my users privacy. 
- 
-Please do not post hacked accounts and private information on my service. There are plenty of ZeroBin servers on the net. Don't use mine for that. Thanks. 
- 
- 
----- 
- 
-==== How can I be sure the server does not provide crooked version of javascript crypto ? ==== 
- 
-You can't. With ZeroBin, you still have to trust the server. 
- 
-If you don't trust the server, don't post data to it, or install your own service (it's easy with ZeroBin !), or post OpenPGP-encrypted messages (best choice). 
- 
----- 
- 
- 
-==== ZeroBin does not work correctly in Internet Explorer ==== 
- 
-Let me put this correctly: //Internet Explorer does not work correctly with ZeroBin.// Mind you, ZeroBin works //as-is//, with no special adapation, with **ALL OTHER BROWSERS**. Only IE wouldn'​t work. ZeroBin is not the problem here. IE is the problem. 
- 
-I had to add special javascript code so that IE works. So ZeroBin **//​does//​** work in IE 6/7/8/9 (paste creation & reading), but it looks like shit and has no "​Clone"​ button. 
- 
-I don't plan to waste anymore time adapting my app to IE. Get a decent browser. 
- 
-//​Screenshot of ZeroBin in IE:// 
- 
-{{:​php:​zerobin:​zerobin_ie6.png?​nolink|}} 
- 
- 
----- 
- 
-==== Will you extend ZeroBin to store files ? ==== 
- 
-No. 
- 
-The moment I do that the ZeroBin servers would be filled with piles of AVI files. I'm not going that way: ZeroBin will remain a tool to share text. 
- 
- 
-===== User FAQ ===== 
-==== Supported browsers ==== 
- 
-ZeroBin is known to work with: 
-  * Firefox 19 
-  * Chrome 18 
-  * Chromium 18 
-  * Opera 12 (small color glitch on a combo) 
-  * Opera Mobile 12 (works best when Turbo disabled) 
-  * Opera Mini 12 (small display glitches) 
-  * Safari 5.1.5 
-  * Internet Explorer 6/7/8/9 (Ugly look, but it works. No "​Clone"​ button though.) 
-  * Epiphany 3.0.4 
-  * Android browser 
-  * Konqueror 4.7.4 
-  * Midori 0.4.0 
-  * Dooble 0.07 (You must enable Javascript) 
-  * rekonq 0.8.0 (some wrong background colors) 
-  * Luakit 2012.03.25 
-  * Arora 0.11.0 
-  * SeaMonkey 2.8 
-  * K-Meleon 1.5.4 (small display glitches) 
- 
- 
----- 
- 
-==== How can I edit an existing paste ? ==== 
- 
-You can't. Just create a new one or use the "​Clone"​ button. 
- 
- 
----- 
- 
-==== How can I delete a paste ? ==== 
- 
-When you create a paste, a unique delete link is provided. Opening this link will immediately destroy the paste. 
- 
-If you lost the URL, you will not be able to delete the paste. 
- 
-When creating a paste, you can also set an expiration date. The paste will automatically disapear after this date. (Note that the default expiration is 1 month.) 
- 
----- 
- 
-==== Where can I administrate my pastes ? ==== 
- 
-You can't. ZeroBin is a //​fire-and-forget//​ paste service. No registration,​ no accounts, no logins. Once a paste is posted, you lose control on it (except deletion). If you lose the URL, you lose your past. If you lose the key, you lose the paste. 
- 
----- 
- 
-==== HTTP_REFERER ==== 
- 
-When you click a link, all browsers send the Referer. In other terms, they tell the //new page// where you came from. 
- 
-If you click a link in ZeroBin, the new website will know you came from a ZeroBin paste (and which one), but will not get the key, and thus will not be able to read the text. 
- 
-For example, if you click the link to Google in this paste: http://​sebsauvage.net/​paste/?​406cbf5e7a9c7e03#​0sDi6e4acQhaCTI9II/​aq4X+QiMAx6onhL3KczjpsVY= 
- 
-The only thing Google will see in the Referer is: http://​sebsauvage.net/​paste/?​406cbf5e7a9c7e03 
- 
-Which is unreadable without the key: 
- 
-{{:​php:​zerobin:​zerobin_google.png?​nolink|}} 
- 
-Your browser will not leak the key when you click a link. 
- 
----- 
-==== The URL is too long ! Can you add a shortening feature ? ==== 
- 
-No. 
- 
-The URL shortening feature was remove. Don't use URL shorteners: That's bad for your privacy (and it gives away the key !) and may break if the URL shortening service goes titsup. 
- 
----- 
- 
-===== Admin FAQ ===== 
- 
- 
- 
- 
-==== How can I edit a paste or a comment ? ==== 
- 
-You can't. You don't have the crypto key, so you can't edit the content. 
- 
----- 
- 
-==== How can I delete a paste ? ==== 
- 
-Get the paste identifier from the URL (eg. http://​sebsauvage.net/​paste/?​**abcdef0123456789**#​QdnCROuH9...) and look into your data subdirectory. 
- 
-If the paste identifier is ''​abcdef0123456789''​ you will find the file ''​data/​ab/​cd/​abcdef0123456789''​ which contains the paste. Just delete it. 
----- 
-==== How can I delete a comment in a discussion ? ==== 
- 
-Hover the cursor over a comment date: You will see a CommentID 
- 
-{{:​php:​zerobin:​zerobin_commentid.png?​nolink|}} 
- 
-Now go to the paste directory (see previous question), and look for the discussion directory corresponding to paste. 
- 
-eg. If the CommentID is ''​AAAAAAAAAAAAAAAA''​ and the pasteID is ''​abcdef0123456789'',​ the comment is stored in the file: 
- 
-''​data/​ab/​cd/​abcdef0123456789.discussion/​abcdef0123456789.AAAAAAAAAAAAAAAA.xxxxxxxxxxxxxxxx''​ 
- 
-(where xxxxxxxxxxxxxxxx is the identifier of the parent comment.) 
- 
-Just delete the file. 
- 
----- 
-==== ZeroBin does not work behind my reverse-proxy ==== 
- 
-ZeroBin limits the trafic: An IP address can only post every 10 seconds. Behind a reverse-proxy,​ ZeroBin sees only one IP address. This is a problem. 
- 
-You need to change: 
-<code php>if (!trafic_limiter_canPass($_SERVER['​REMOTE_ADDR'​]))</​code>​ 
-to  
-<code php>if (!trafic_limiter_canPass($_SERVER['​HTTP_X_FORWARDED_FOR'​]))</​code>​ 
- 
----- 
- 
-===== Technical FAQ ===== 
- 
-==== After installation,​ I get a blank page ==== 
- 
-The script probably does not have to write where it is installed. Manually create the subdirectories "​tmp"​ and "​data"​ where you have installed ZeroBin. Don't forget to add write rights to the user who runs the webserver (''​chmod a+w tmp''​ and ''​chmod a+w data''​). 
- 
----- 
- 
-==== How can I participate in ZeroBin development ? ==== 
- 
-ZeroBin is on GitHub: https://​github.com/​sebsauvage/​ZeroBin 
- 
-(Keep in mind that I want to avoid feature creep. Don't be upset if I reject a patch.) 
- 
----- 
- 
-==== I can brute force the Vizhash ==== 
- 
-No. It's not a simple IPv4 space. A 504 bits salt is added to the IP address before hashing and computing the Vizhash. And each ZeroBin installation has its own, random, salt. 
- 
-So if you want to bruteforce a Vizhash, that's not 32 bits you are going to have to explore, but 536 bits. Good luck with that. 
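
Review bot: the new revision removes the entire FAQ starting at Line 1 and puts nothing in its place, so the trust-model answers ("You can't. With ZeroBin, you still have to trust the server.") and the admin procedures for deleting pastes and comments disappear with no stub or pointer to where they moved. If the removal is intended, leave a short redirect or a one-line explanation on the page; the only record here is the footer's "modification externe". If the text is restored instead, the reverse-proxy answer should be revised before it goes back: it swaps $_SERVER['REMOTE_ADDR'] for $_SERVER['HTTP_X_FORWARDED_FOR'] in the trafic_limiter_canPass() call, and that header is supplied by the client unless the proxy overwrites it, so the "an IP address can only post every 10 seconds" limit would key on a value the sender chooses. The answer should tell admins to use the header only when the request arrives from their own proxy and the proxy sets it, and to fall back to REMOTE_ADDR otherwise.
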
php/zerobin_faq.txt · Last modified: 2014/07/12 12:26 (external edit)