====== ZeroBin - Because ignorance is bliss ======

**//TL;DR//**: ZeroBin is a minimalist, open source online pastebin/discussion board where the server has zero knowledge of hosted data. Data is encrypted/decrypted in the browser using 256-bit AES. You can [[https://sebsauvage.net/paste/|test it online]].

//**Paste, share, discuss about it.**//

{{:php:zerobin:zerobin_present_textshare.png?nolink |}}
{{:php:zerobin:zerobin_present_discuss.png?nolink |}}
===== Features =====

  * Easy to install (put the files, open the page)
  * No database required.
  * **//FAST//**
  * Brain-dead easy to use: paste text, click "Send", share the URL.
  * Data compressed and encrypted **in the browser** //before// sending to the server. Uses 256-bit AES.
  * Server has //zero knowledge// of data being stored. Your data is safe even in case of server breach or seizure.((In that event, only your //past// pastes will be protected, of course, because the hacker could implant crooked javascript libs to get your future pastes.))
  * Expiration: 5 minutes, 10 minutes, 1 hour, 1 day, 1 week, 1 month, 1 year or never.
  * "//Burn after reading//" option: the paste is destroyed when read.
  * Unique deletion URL generated for each paste.
  * Syntax coloring for 54 languages (using [[http://softwaremaniacs.org/soft/highlight/en/|highlight.js]]), supporting mixing (html/css/javascript).
  * Automatic conversion of URLs into clickable links (http, https, ftp and magnet).
  * Search engines are blind regarding paste content.
  * Single button to clone an existing paste.
  * Rate limiting: 10 seconds between each paste.
  * Size limiting: 2 Mb per paste (of compressed and encrypted data; cleartext data can be larger).
  * **Discussions**:
    * You can enable discussion on each paste.
    * Discussion is of course also encrypted/decrypted in the browser.
    * Server cannot see comment content or nicknames.
    * VisualHash on each post to identify IP addresses without revealing them. Same image = same IP.((No: it's not trivial to bruteforce because it's salted (each ZeroBin installation has its own random salt). You don't have to bruteforce the 32-bit IPv4 space, but a **536-bit** space. Good luck.))
    * With paste expiration, you can have ad-hoc short-lived discussions which will disappear into the void after expiration. This will leave no trace of your discussions in your email boxes.
    * Discussions cannot be indexed by search engines. Period.((Search engines may stumble upon the URL of a paste, but they will not index the content of the paste itself, because they never execute javascript code.))
  * Send a link by email to a friend for private discussions which will leave no trace in your email box, will not be indexed by search engines, will not be read by robots and will never be archived.
  * Free software
  * [[https://github.com/sebsauvage/ZeroBin|GitHub]] access to source code.

Although ZeroBin works like a charm as it is, I do not have time to maintain ZeroBin any more. For a more up-to-date version, please switch to **PrivateBin** (https://privatebin.info/) which is based on ZeroBin.

===== Screenshot =====

See [[php:zerobin_screenshot|screenshot page]].

===== Requirements =====

  * **Server**:
    * php 5.2.6 or above.
    * GD
    * No database required.
  * **Client**:
    * A modern, javascript-capable browser (see [[php:zerobin_faq#supported_browsers|FAQ]] for the list of supported browsers).

===== Pros/Cons =====

==== Benefits ====

  * Low server requirements, easy installation.
  * Benevolent server admins can provide a service which protects their users' privacy: text sharing and discussions.
  * User data is protected even in case of server breach or seizure.
  * Server admins cannot pro-actively moderate documents and (hopefully) cannot be held liable, because they have no knowledge of the data being shared and there is no search engine.
  * There is no public feed of google-indexable content (Google will not index documents except if you leak the URL).
  * Admins can still remove a document upon injunction or infringement notice... but have no way to tell if the same document has been posted again.
  * No advertising.

==== Drawbacks ====

  * Won't work if javascript is disabled.
  * **Users still have to trust the server regarding the respect of their privacy.** ZeroBin won't protect the users against malicious servers.
  * Won't protect against man-in-the-middle attacks (e.g. javascript substitution).
  * Shitty look in Internet Explorer (but who cares?)

===== How does it work? =====

When **pasting a text into ZeroBin**:

{{ :php:zerobin:zerobin_figure_encryption.png?nolink |}}

  * You paste your text in the browser and click the "Send" button.
  * A random 256-bit key is generated in the browser.
  * Data is compressed and encrypted with AES using specialized javascript libraries.
  * Encrypted data is sent to the server and stored.
  * The browser displays the final URL with the key.
  * The key is never transmitted to the server, which therefore cannot decrypt the data.

When **opening a ZeroBin URL**:

{{ :php:zerobin:zerobin_figure_decryption.png?nolink |}}

  * The browser requests the encrypted data from the server.
  * The decryption key is in the anchor part of the URL (#...) **which is never sent to the server.**
  * Data is decrypted in the browser using the key and displayed.

===== Sample URL =====

https://sebsauvage.net/paste/?7a5dd0979f712164#QdnCROuH9eb/UXv3oBjBw3eOdb3y9p5n+/EAkUJZBxg=

  * **7a5dd0979f712164** is the paste identifier.
  * **QdnCROuH9eb/UXv3oBjBw3eOdb3y9p5n+/EAkUJZBxg=** is the decryption key. It is never sent to the server.((If you don't trust me, **Wireshark the damn thing!**))

A test service is available at https://sebsauvage.net/paste/ \\
(Please note that this is a test service: data may be deleted anytime and the service may be shut down. Please do not abuse this service.)

===== Source =====

I do not have time to maintain ZeroBin any more. For a more up-to-date version, please switch to **PrivateBin**: https://privatebin.info/

Please note this is **ALPHA** software. It means "unfinished", "incomplete" software, not production-ready code. Use at your own risk. (Nevertheless, it's very solid and stable.)

  * https://github.com/sebsauvage/ZeroBin/archive/master.zip

The zip file includes all necessary files (including the javascript libraries mentioned below). Just drop the files on your server and open the URL.
ZeroBin uses:

  * [[http://jquery.com|jQuery]]
  * [[https://github.com/dankogai/js-deflate|js-deflate]]
  * [[https://github.com/dankogai/js-base64|js-base64]]
  * [[http://crypto.stanford.edu/sjcl/|SJCL]] (Stanford Javascript Crypto Library)
  * [[http://softwaremaniacs.org/soft/highlight/en/|highlight.js]]

===== Licence =====

ZeroBin is under the [[http://www.opensource.org/licenses/zlib-license.php|zlib/libpng OSI licence]].

===== Installation =====

Unzip in a directory, open the page. Yes, that's all.

===== Upgrade =====

If you want to upgrade from a previous ZeroBin version, delete everything in your ZeroBin directory except the **data** directory, and unzip the new version.

===== Authors =====

  * sebsauvage (sebsauvage at sebsauvage dot net, webmaster of https://sebsauvage.net)
  * Discussion idea: PeaceCopathe.
  * and [[https://github.com/sebsauvage/ZeroBin/contributors|contributors]] (on GitHub)

===== Contributing =====

ZeroBin is on GitHub: https://github.com/sebsauvage/ZeroBin

===== Version history =====

Version history is available on [[php:zerobin_history|this page]].

===== FAQ (Frequently Asked Questions) =====

The FAQ is on [[php:zerobin_faq|this page]].

===== ToDo list =====

The project todo/ideas list is on [[php:zerobin_todo|this page]].

===== Discussion =====

Your remarks, suggestions, criticisms, ideas and bug reports are welcome on the [[php:zerobin_discussion|ZeroBin discussion page]].

===== Links =====

After creating ZeroBin, I stumbled upon similar projects, but with different perspectives:

  * [[https://ezcrypt.it/|ezcrypt.it]]. 128-bit AES, and very similar. Closed source, but sources will be opened soon.
  * [[https://crypty.ch/|crypt.ch]]. 128-bit AES, and very similar. Closed source.
  * [[https://cryptobin.org/|cryptobin.org]]. 256-bit AES with password. Requires you to type the password. Closed source. Google tracking javascript included in page.
  * [[http://securepastebin.com/go/index.action|securepastebin.com]]. 56-bit DES with password. Requires you to type the password. Closed source. Google tracking javascript included in page. (**Please note** that DES can be broken in 3 days and should not be used anymore.)
  * [[http://pastecrypt.com/|pastecrypt.com]]. 256-bit AES with password. Requires you to type the password. Closed source. Nice password security estimation. Google tracking javascript included in page.
  * [[https://privnote.com/|privnote.com]], //burn-after-reading// note. Key in URL (like ZeroBin). Crypto unknown (AES?). Key size unknown. Closed source. Google tracking javascript included in page.
  * [[http://www.selinked.com/|selinked.com]]. 128-bit Twofish. To decode, you need to paste the key and the message id. Google tracking javascript included in page.
  * [[https://www.pastevault.com/|pastevault.com]]. SJCL (AES?) with password. Google tracking javascript included in page.

You can also have a look at:

  * [[http://mycryptochat.azurewebsites.net/|MyCryptoChat]], browser-based encrypted chat. Chatrooms expire.
  * [[https://crypto.cat/|crypto.cat]], a browser-based encrypted chat. 256-bit AES. Requires a browser addon.
  * [[http://NoPlaintext.com/|NoPlaintext.com]], one-liner message, can only be read once.