0bin is a client side encrypted pastebin that can run without a database.
0bin allows anybody to host a pastebin while welcoming any type of content to be pasted in it. The idea is that one can (probably...) not be legally entitled to moderate the pastebin content as he/she has no way to decrypt it.
For now tested with IE9, and the last opera, safari, chrome and FF.
There is a good doc, but in short:
pip install zerobin zerobin
For now, 0bin targets Python 2.7 only. Python 3 supports is planned.
When creating the paste:
- the browser generates a random key;
- the pasted content is encrypted with this key using AES256;
- the encrypted pasted content is sent to the server;
- the browser receives the paste URL and adds the key in the URL hash (#).
When reading the paste:
- the browser makes the GET request to the paste URL;
- because the key is in the hash, the key is not part of the request;
- browser gets the encrypted content end decrypts it using the key;
- the pasted decrypted content is displayed and sourcecode is highlighted.
- because the key is in the hash, the key is never sent to the server;
- therefore it won't appear in the server logs;
- all operations, including code coloration, happen on the client-side;
- the server is no more than a fancy recipient for the encrypted data.
- automatic code coloration (no need to specify);
- pastebin expiration: 1 day, 1 month or never;
- burn after reading: the paste is destroyed after the first reading;
- clone paste: you can't edit a paste, but you can duplicate any of them;
- code upload: if a file is too big, you can upload it instead of using copy/paste;
- copy paste to clipboard in a click;
- get paste short URL in a click;
- own previous pastes history;
- visual hash of a paste to easily tell it apart from others in a list;
- optional command-line tool to encrypt and paste data from shell or scripts.
- The Bottle Python Web microframework
- SJCL (js crypto tools)
- Bootstrap, the Twitter HTML5/CSS3 framework
- VizHash.js to create visual hashes from pastes
- Cherrypy (server only)
- node.js (for optional command-line tool only)
- 0bin uses several HTML5/CSS3 features that are not widely supported. In that case we handle the degradation as gracefully as we can.
- The "copy to clipboard" feature is buggy under linux. It's flash, so we won't fix it. Better wait for the HTML5 clipboard API to be implemented in major browsers.
- The pasted content size limit check is not accurate. It's just a safety net, so we think it's ok.
- Some url shorteners and other services storing URLs break the encryption key. We will sanitize the URL as much as we can, but there is a limit to what we can do.
- Request throttling. It would be inefficient to do it at the app level, and web servers have robust implementations for it.
- Hash collision prevention: the ratio "probability it happens/consequence seriousness" is not worth it
- Comments: it was initially planed. But comes with a lot of issues so we chose to focus on lower hanging fruits.