Home
SecureBin is a Google Chrome Extension that interfaces with PasteBin, a popular web-based clipboard. Users can type in text and have it automatically encrypted using an algorithm of their choice. Users can gain access to the ciphertext on another device by providing a decryption key and a PasteBin URL, which will then decrypt the plaintext to the user. In addition to typing text, a user can also choose to encrypt text locally by selecting it on their page and right-clicking.
The goal of secureBin is to provide an extra level of privacy with 3rd party services you may use. We have natively integrated the PasteBin api to allow users to quickly upload and share encrypted text. Users also have the ability to encrypt text to their clipboard and share it with other 3rd party services like WhatsApp, Email, Etc.
secureBin is not designed to protect against those with physical access to your computer. Due to the nature of extension storage in Chrome, any data that is stored in the extensions history or settings tab are stored unencrypted.
secureBin is build upon the open source Forge Crypto Library.
secureBin supports three modes of AES symmetric encryption:
- CBC (Default)
- CTR
- GCM
Supported key lengths are: 128, 192, 256
When encrypting to PasteBin or Clipboard, users can select to enter their own password or receive a randomly generated encryption key. If a user supplies a password, it will be used along with a randomly generated 128 byte salt to derived a key using PKCS5/PBKDF2.
After Encryptions, the following cipher text will be generated and displayed to the user.
What is public?
- Cipher Text
- Encryption Mode
- IV
- Tag (Only with GCM Mode)
- Salt (Only with Password Encryption)
- Key Length (Only with Password Encryption)
What Is private?
- Key
One of the issues with developing SecureBin was navigating how to achieve our goal of security without compromising the system with a poor implementation. This led us like most software engineers to Stack Overflow which was filled with conflicting opinions on the usefulness of JavaScript Cryptography.
There are two competing trains of thought on JavaScript cryptography. It is either useless or provides another way to tackle security.
The main argument against this is how to ensure that the JavaScript code being used is not modified in transit via a man-in-the-middle attack. In fact, a malicious actor would only need to insert a <Script> tag in order to compromise the security of the system [1]. Other arguments focus on a lack of native primitives for cryptography, although that is no longer the case with the development of Web Crypto [2].
While JavaScript Cryptographic will not provide security if the network or server is compromised, it does provide security for local services like extensions which do not need to worry about man-in-the-middle attacks [3].
To mitigate the issue of JS transmission we developed SecureBin as a local extension that uses open-source cryptography libraries to encrypt user data locally. SecureBin is open source and can be examined by anyone to validate the security of the system.
[1] https://web.archive.org/web/20160305004110/https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/
[2] https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API
[3] https://vnhacker.blogspot.com/2014/06/why-javascript-crypto-is-useful.html
[4] https://rdist.root.org/2014/06/23/in-defense-of-javascript-crypto/
[5] https://developer.ibm.com/articles/secure-javascript-applications-with-web-crypto-api/