Skip to content
an encrypted pastebin
JavaScript HTML Shell Perl
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
crypto-js
misc
.gitignore
README
TODO
app.psgi
favicon.ico
paste.html
paste.sh
run.sh
update-misc

README

                                  |               |     
                 __ \   _` |  __| __|  _ \    __| __ \  
                 |   | (   |\__ \ |    __/  \__ \ | | | 
                 .__/ \__,_|____/\__|\___|_)____/_| |_| 
                _|                                      


What?
=====

This is a simple paste site. It doesn't do syntax highlighting, or get in your
way. It gives you a textarea and you type in it.

However behind the scenes it is encrypting your data. It uses a recently
introduced browser feature (crypto.getRandomValues) to do this securely.

This does mean you need a modern browser. It seems to work best in Chrome,
Firefox also works well. Reading pastes should work in most browsers with
JavaScript.

However if you didn't guess from the name there is also a shell script
"paste.sh"; see https://paste.sh/client or run the following commands to
install it:

  cd ~/bin
  curl -O https://raw.github.com/dgl/paste.sh/master/paste.sh
  chmod +x paste.sh

Why?
====

OTR or Signal works well for keeping chat secure, but sharing larger amounts of
text or code over chat is not ideal. I wanted a simple way to share things with
a low barrier to entry but that is still relatively[1] secure.

I won't claim to be an expert on cryptography but I do think while JavaScript in
a browser is not a perfect environment it is not entirely useless (as claimed in
[2], although this is now slightly outdated).

How?
====

JavaScript running in your browser encrypts your data using AES-256 (via the
CryptoJS[3] library). The key is generated on the client side and the server is
never able to decrypt the data, this works because the URL fragment (the part of
the URL after the '#' symbol) is never sent to the server.

Beware that depending on how you share the URL with others the fragment part may
be stored by other systems.

You can edit the paste for some time after pasting; this uses a session cookie
in your browser. (Yes, if you deny cookies this site won't work, sorry[4]).

There is a limit of 640K of data once encrypted (should be enough for anybody)
per paste, go and use mega[5] if you want a file sharing site.

The server side is fairly simple. I wrote it using Perl, using Web::Simple for
the HTTP side and Tie::LevelDB for the key/value store with haproxy in front of
it all doing the SSL.

Where?
======

Here, https://paste.sh

Alternatively if you want to see the code or wish to host your own version, the
source code is available at https://github.com/dgl/paste.sh under the WTFPL:
https://dgl.cx/licence

There's also a command line client there; the comments in it are worth reading
if you care about the encryption scheme used (being compatible with the OpenSSL
command line tool limits the key derivation slightly).

Tips
====

The command line client can do public pastes by adding the -p option, these
don't use encryption but are useful for sharing where you don't need encryption
and the long URL is unwieldy.

Simple vim integration:

  command Paste w | !paste.sh %
  command PublicPaste w | !paste.sh -p %

Who?
====

David Leadbeater (@davidgl; https://dgl.cx/contact) wrote this.

Favicon from "Silk" by Mark James: http://www.famfamfam.com/lab/icons/silk/

-- 
[1]: You have to trust that the server is serving you the right JavaScript.
[2]: http://www.matasano.com/articles/javascript-cryptography/
[3]: https://code.google.com/p/crypto-js/
[4]: The command line client will work, you just can't delete or change anything
     if you use it.
[5]: https://mega.co.nz
You can’t perform that action at this time.