an encrypted pastebin
JavaScript Shell Perl
Switch branches/tags
Nothing to show
Latest commit 506b791 Jun 16, 2014 @dgl Flattr
Permalink
Failed to load latest commit information.
crypto-js
misc
.gitignore
README
TODO
app.psgi
favicon.ico
paste.html
paste.sh
run.sh
update-misc

README

                                  |               |     
                 __ \   _` |  __| __|  _ \    __| __ \  
                 |   | (   |\__ \ |    __/  \__ \ | | | 
                 .__/ \__,_|____/\__|\___|_)____/_| |_| 
                _|                                      


What?
=====

This is a simple paste site. It doesn't do syntax highlighting, or get in your
way. It gives you a textarea and you type in it.

However behind the scenes it is encrypting your data. It uses a recently
introduced browser feature (crypto.getRandomValues) to do this securely.

This does mean you need a modern browser. It seems to work best in Chrome,
Firefox also works well. Reading pastes should work in most browsers with
JavaScript.

However if you didn't guess from the name there is also a shell script
"paste.sh"; see https://paste.sh/client or run the following commands to
install it:

  cd ~/bin
  curl -O https://raw.github.com/dgl/paste.sh/master/paste.sh
  chmod +x paste.sh

Why?
====

OTR works well for keeping chat secure, but sharing larger amounts of text or
code over chat is not ideal. I wanted a simple way to share things with a low
barrier to entry but that is still relatively[1] secure.

I won't claim to be an expert on cryptography but I do think while JavaScript in
a browser is not a perfect environment it is not entirely useless (as claimed in
[2], although this is now slightly outdated).

How?
====

JavaScript running in your browser encrypts your data using AES-256 (via the
CryptoJS[3] library). The key is generated on the client side and the server is
never able to decrypt the data, this works because the URL fragment (the part of
the URL after the '#' symbol) is never sent to the server.

Beware that depending on how you share the URL with others the fragment part may
be stored by other systems.

You can edit the paste for some time after pasting; this uses a session cookie
in your browser. (Yes, if you deny cookies this site won't work, sorry[4]).

There is a limit of 640K of data once encrypted (should be enough for anybody)
per paste, go and use mega[5] if you want a file sharing site.

The server side is fairly simple. I wrote it using Perl, using Web::Simple for
the HTTP side and Tie::LevelDB for the key/value store with haproxy in front of
it all doing the SSL.

Where?
======

Here, https://paste.sh

Alternatively if you want to see the code or wish to host your own version, the
source code is available at https://github.com/dgl/paste.sh under the WTFPL:
https://dgl.cx/licence

There's also a command line client there; the comments in it are worth reading
if you care about the encryption scheme used (being compatible with the OpenSSL
command line tool limits the key derivation slightly).

Tips
====

The command line client can do public pastes by adding the -p option, these
don't use encryption but are useful for sharing where you don't need encryption
and the long URL is unwieldy.

Simple vim integration:

  command Paste w | !paste.sh %
  command PublicPaste w | !paste.sh -p %

Who?
====

David Leadbeater (@davidgl; https://dgl.cx/contact) wrote this. If you like this
thank me via Flattr (above).

Favicon from "Silk" by Mark James: http://www.famfamfam.com/lab/icons/silk/

-- 
[1]: It's not on the level of e.g. https://crypto.cat/, especially due to having
     to trust that the server is serving you the right JavaScript. Although:
     https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/
[2]: http://www.matasano.com/articles/javascript-cryptography/
[3]: https://code.google.com/p/crypto-js/
[4]: The command line client will work, you just can't delete or change anything
     if you use it.
[5]: https://mega.co.nz