====== ZeroBin - Because ignorance is bliss ======
**//TL;DR//**: ZeroBin is a minimalist, open-source online pastebin/discussion board where the server has zero knowledge of hosted data. Data is encrypted and decrypted in the browser using 256 bits AES. You can [[https://sebsauvage.net/paste/|test it online]].
//**Paste, share, discuss about it.**//
{{:php:zerobin:zerobin_present_textshare.png?nolink |}} {{:php:zerobin:zerobin_present_discuss.png?nolink |}}
===== Features =====
* Easy to install (put the files, open the page)
* No database required.
* **//FAST//**
* Brain-dead easy to use: Paste text, click "Send", share the URL.
* Data compressed and encrypted **in the browser** //before// sending to server. Uses 256 bits AES.
* Server has //zero knowledge// of data being stored. Your data is safe even in case of server breach or seizure.((In that event, only your //past// pastes will be protected, of course, because the hacker could implant crooked javascript libs to get your future pastes.))
* Expiration: 5 minutes, 10 minutes, 1 hour, 1 day, 1 week, 1 month, 1 year or never.
* "//Burn after reading//" option: The paste is destroyed when read.
* Unique deletion URL generated for each paste.
* Syntax coloring for 54 languages (using [[http://softwaremaniacs.org/soft/highlight/en/|highlight.js]]), supporting mixing (html/css/javascript).
* Automatic conversion of URLs into clickable links (http, https, ftp and magnet).
* Search engines are blind regarding paste content.
* Single button to clone an existing paste.
* Rate limiting: 10 seconds between each paste.
* Size limiting: 2 Mb per paste (of compressed and encrypted data - cleartext data can be larger).
* **Discussions**:
  * You can enable discussion on each paste.
  * Discussion is of course also encrypted/decrypted in the browser.
  * Server cannot see comment content or nicknames.
  * VisualHash on each post to identify IP addresses without revealing them. Same image = same IP. ((No: It's not trivial to bruteforce because it's salted (each ZeroBin installation has its own random salt). You don't have to bruteforce the 32 bits IPv4 space, but a **536 bits** space. Good luck.))
  * With paste expiration, you can have ad-hoc short-lived discussions which will disappear into the void after expiration. This leaves no trace of your discussions in your email boxes.
  * Discussions cannot be indexed by search engines. Period.((Search engines may stumble upon the URL of a paste, but they will not index the content of the paste itself, because they never execute javascript code.))
  * Send a link by email to a friend for private discussions which will leave no trace in your email box, will not be indexed by search engines, will not be read by robots and will never be archived.
* Free software
* [[https://github.com/sebsauvage/ZeroBin|GitHub]] access to source code.
Although ZeroBin works like a charm as it is, I do not have time to maintain ZeroBin any more. For a more up-to-date version, please switch to **PrivateBin** (https://privatebin.info/), which is based on ZeroBin.
===== Screenshot =====
See [[php:zerobin_screenshot|screenshot page]].
===== Requirements =====
* **Server**:
  * php 5.2.6 or above.
  * GD
  * No database required.
* **Client**:
  * A modern, javascript-capable browser (See [[php:zerobin_faq#supported_browsers|FAQ]] for list of supported browsers).
===== Pros/Cons =====
==== Benefits ====
* Low server requirements, easy installation.
* Benevolent server admins can provide a service which protects their users privacy: text sharing and discussions.
* User data is protected even in case of server breach or seizure.
* Server admins cannot pro-actively moderate documents and (hopefully) cannot be held liable, because they have no knowledge of the data being shared and there is no search engine.
* There is no public feed of google-indexable content (Google will not index documents except if you leak the URL).
* Admins can still remove a document upon injunction or infringement notice... but have no way to tell if the same document has been posted again.
* No advertising.
==== Drawbacks ====
* Won't work if javascript is disabled.
* **Users still have to trust the server regarding the respect of their privacy.** ZeroBin won't protect the users against malicious servers.
* Won't protect against Man-in-the-middle attacks (e.g. javascript substitution).
* Shitty look in Internet Explorer (but who cares ?)
===== How does it work? =====
When **pasting a text into ZeroBin**:
{{ :php:zerobin:zerobin_figure_encryption.png?nolink |}}
* You paste your text in the browser and click the "Send" button.
* A random 256 bits key is generated in the browser.
* Data is compressed and encrypted with AES using specialized javascript libraries.
* Encrypted data is sent to server and stored.
* The browser displays the final URL with the key.
* The key is never transmitted to the server, which therefore cannot decrypt data.
When **opening a ZeroBin URL**:
{{ :php:zerobin:zerobin_figure_decryption.png?nolink |}}
* The browser requests encrypted data from the server.
* The decryption key is in the anchor part of the URL (#...) **which is never sent to server.**
* Data is decrypted in the browser using the key and displayed.
===== Sample URL =====
https://sebsauvage.net/paste/?7a5dd0979f712164#QdnCROuH9eb/UXv3oBjBw3eOdb3y9p5n+/EAkUJZBxg=
* **7a5dd0979f712164** is the paste identifier.
* **QdnCROuH9eb/UXv3oBjBw3eOdb3y9p5n+/EAkUJZBxg=** is the decryption key. It is never sent to the server ((If you don't trust me, **Wireshark the damn thing !**))
A test service is available at https://sebsauvage.net/paste/ \\ (Please note that this is a test service: Data may be deleted anytime and the service may be shut down. Please do not abuse this service.)
===== Source =====
I do not have time to maintain ZeroBin any more. For a more up-to-date version, please switch to **PrivateBin**: https://privatebin.info/
Please note this is **ALPHA** software. It means "unfinished", "incomplete" software, not production-ready code. Use at your own risk. (Nevertheless, it's very solid and stable.)
* https://github.com/sebsauvage/ZeroBin/archive/master.zip
The zip file includes all necessary files (including the javascript libraries mentioned below). Just drop the files on your server and open the URL.
ZeroBin uses:
* [[http://jquery.com|jQuery]]
* [[https://github.com/dankogai/js-deflate|js-deflate]]
* [[https://github.com/dankogai/js-base64|js-base64]]
* [[http://crypto.stanford.edu/sjcl/|SJCL]] (Stanford Javascript Crypto Library)
* [[http://softwaremaniacs.org/soft/highlight/en/|highlight.js]]
===== Licence =====
ZeroBin is under the [[http://www.opensource.org/licenses/zlib-license.php|zlib/libpng OSI licence]].
===== Installation =====
Unzip in a directory, open the page. Yes, that's all.
===== Upgrade =====
If you want to upgrade from a previous ZeroBin version, delete everything in your ZeroBin directory except the **data** directory, and unzip the new version.
===== Authors =====
* sebsauvage (sebsauvage at sebsauvage dot net, webmaster of https://sebsauvage.net)
* Discussion idea: PeaceCopathe.
* and [[https://github.com/sebsauvage/ZeroBin/contributors|contributors]] (on GitHub)
===== Contributing =====
ZeroBin is on GitHub: https://github.com/sebsauvage/ZeroBin
===== Version history =====
Version history is available in [[php:zerobin_history|this page]].
===== FAQ (Frequently Asked Questions) =====
The FAQ is in [[php:zerobin_faq|this page]].
===== ToDo list =====
The project todo/ideas list is in [[php:zerobin_todo|this page]].
===== Discussion =====
Your remarks, suggestions, criticism, ideas and bug reports are welcome in the [[php:zerobin_discussion|ZeroBin discussion page]].
===== Links =====
After creating ZeroBin, I stumbled upon similar projects, but with different perspectives:
* [[https://ezcrypt.it/|ezcrypt.it]]. 128 bits AES, and very similar. Closed source, but sources will be opened soon.
* [[https://crypty.ch/|crypt.ch]]. 128 bits AES, and very similar. Closed source.
* [[https://cryptobin.org/|cryptobin.org]]. 256 bits AES with password. Requires typing the password. Closed source. Google tracking javascript included in page.
* [[http://securepastebin.com/go/index.action|securepastebin.com]]. 56 bits DES with password. Requires typing the password. Closed source. Google tracking javascript included in page. (**Please note** that DES can be broken in 3 days and should not be used anymore.)
* [[http://pastecrypt.com/|pastecrypt.com]]. 256 bits AES with password. Requires typing the password. Closed source. Nice password security estimation. Google tracking javascript included in page.
* [[https://privnote.com/|privnote.com]], //burn-after-reading// note. Key in URL (like ZeroBin). Crypto unknown (AES?). Key size unknown. Closed source. Google tracking javascript included in page.
* [[http://www.selinked.com/|selinked.com]]. 128 bits Twofish. To decode, you need to paste the key and the message id. Google tracking javascript included in page.
* [[https://www.pastevault.com/|pastevault.com]]. SJCL (AES?) with password. Google tracking javascript included in page.
You can also have a look at:
* [[http://mycryptochat.azurewebsites.net/|MyCryptoChat]], browser-based encrypted chat. Chatrooms expire.
* [[https://crypto.cat/|crypto.cat]], a browser-based encrypted chat. 256 bits AES. Requires a browser addon.
* [[http://NoPlaintext.com/|NoPlaintext.com]], One-liner message, can only be read once.