<h1>Introduction<aclass="headerlink"href="#introduction"title="Permalink to this headline">¶</a></h1>
<p>0bin allows anybody to host a pastebin while welcoming any type of content to
be pasted in it. The idea is that one can (probably...) not be legally entitled
to <aclass="reference external"href="http://www.zdnet.com/blog/security/pastebin-to-hunt-for-hacker-pastes-anonymous-cries-censorship/11336">moderate the pastebin content</a> as he/she has no way to decrypt it.</p>
<p>It’s an Python implementation of the
<aclass="reference external"href="https://github.com/sebsauvage/ZeroBin/">zerobin project</a>. It’s easy to
install even if you know nothing about Python.</p>
<divclass="section"id="how-it-works">
<h2>How it works<aclass="headerlink"href="#how-it-works"title="Permalink to this headline">¶</a></h2>
<p>When creating the paste:</p>
<ulclass="simple">
<li>the browser generate a random key;</li>
<li>the pasted content is encrypted with this key using AES256;</li>
<li>the encrypted pasted content is sent to the server;</li>
<li>the browser receives the paste URL and add the key in the URL hash (#).</li>
</ul>
<p>When reading the paste:</p>
<ulclass="simple">
<li>the browser makes the GET request to the paste URL;</li>
<li>because the key is in the hash, the key is not part of the request;</li>
<li>browser gets the encrypted content et decrypt it using the key;</li>
<li>the pasted decrypted content is displayed and code is colored.</li>
</ul>
<p>Key points:</p>
<ulclass="simple">
<li>because the key is in the hash, the key is never sent to the server;</li>
<li>therefor it won’t appear in the server logs;</li>
<li>all operations, including code coloration, must happens on the client;</li>
<li>the server is no more than a fancy recipient for the encrypted data.</li>
</ul>
</div>
<divclass="section"id="other-features">
<h2>Other features<aclass="headerlink"href="#other-features"title="Permalink to this headline">¶</a></h2>
<ulclass="simple">
<li>automatic code coloration (no need to specify);</li>
<li>pastebin expiration: 1 day, 1 month or never;</li>
<li>burn after reading: the paste is destroyed after the first reading;</li>
<li>clone paste: you can’t edit a paste, but you can duplicate any of them;</li>
<li>code upload: if a file is too big, you can upload it instead of using copy/paste;</li>
<li>The “copy to clipboard” feature is buggy under linux. It’s flash, so we won’t fix it. Better wait for the HTML5 clipboard API to be implemented in major browsers.</li>
<li>The pasted content size limit check is not accurate. It’s just a safety net, so we thinks it’s ok.</li>
<li>Some url shorteners and other services storing URLs break the encryption key. We will sanitize the URL as much as we can, but there is a limit to what we can do.</li>
<li>Hash collision prevention: the ratio “probability it happens/consequence seriousness”<aclass="reference external"href="http://stackoverflow.com/questions/201705/how-many-random-elements-before-md5-produces-collisions">is not worth it</a></li>