Merge pull request #55 from iceTwy/master

Rewrite & add further info to the FAQ
2013-10-03 16:05:42 -07:00 · 2013-10-03 16:05:42 -07:00 · 6387eb170a
parent 1a99bde81c 706ad42098
commit 6387eb170a
1 changed files with 47 additions and 45 deletions
--- a/zerobin/views/faq.tpl
+++ b/zerobin/views/faq.tpl
@ -4,64 +4,66 @@

  <hr width="90%">

-  <dl>
-
-    <dt>How does it work?</dt>
+  <dl>  
+    <dt>How does 0bin work?</dt>
    <dd>
-        <p>We generate a random key, and encrypt the paste with it using
+        <p>A random key is generated and used to encrypt the paste, thanks to
           the <a href="http://crypto.stanford.edu/sjcl/">sjcl</a>
-           javascript library.</p>
-        <p>The content is sent encrypted to the server, which returns the
+           JavaScript library.</p>
+        <p>The encrypted content is then sent to the server, which returns the
           address of the newly created paste.</p>
-        <p>The javascript code then redirects to this address, but it adds the
+        <p>The JavaScript code redirects to this address, but it adds the
           encryption key in the URL hash (#).</p>
-        <p>When somebody want to read the paste, he usually just click on a link
-          with this URL. If the hash containing the key is part of it, Obin's
-          javascript will use it to decrypt the content sent by the server.</p>
-        <p>The browser never sends the hash to the server, so it does not
-           receives the key.</p>
+        <p>When somebody wants to read the paste, they will usually click on a link
+          with this URL. If the hash containing the key is a part of it, 0bin's
+          JavaScript will use it to decrypt the content sent by the server.</p>
+        <p>The browser never sends the hash to the server, so the latter does not
+           receives the key at any time.</p>
    </dd>

-    <dt>Javascript encryption is not secure!</dt>
+    <dt>But JavaScript encryption is not secure!</dt>
    <dd>
-        <p>No it's not.</p>
-        <p>The goal of 0bin is <strong>not</strong> to protect the users
-           or their secrets.</p>
-        <p>The goal is to make it hard to sue the host because of the
-           content users pasted in his service. The idea is that you can not
-           require somebody to moderate something he can't read</p>
+        <p>No, it isn't.</p>
+        <p>The goal of 0bin is <strong>not</strong> to protect the user and their data
+           (including, obviously, their secrets).</p>
+        <p>Instead, it aims to protect the host from being sued for the
+           content users pasted on the pastebin. The idea is that you cannot
+           require somebody to moderate something they cannot read - as such,
+           the host is granted plausible deniability.</p>
+
+        <p>Remember that as an user, you should use 0bin in the same way as unencrypted and
+           insecure pastebins - that is, with caution. The only difference with those is that if
+           you decide to host a 0bin server, the encryption feature hopefully be used as a defense.
+           This is not proven, though! :-)
+
    </dd>
-    <dt>What if the server changes the Javascript code? Or in the case of a man
-        in the middle attack?</dt>
+    <dt>What if the server changes the JavaScript code? And what happens in the case of a <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">MITM attack</a>?</dt>
    <dd>
      <p>Read above.</p>
-      <p>0bin the is not built to protect the users content. It is built to
-        protect the host. If the user content is compromised, 0bin still
-        provides the host with the main feature: ignorance of the hosted content.</p>
-      <p>The case where the host himself compromises the encryption process
-         to read the content makes no sense: in that case he wouldn't have
-         installed 0bin in the first place. 0bin is here to protect him.</p>
-      <p><strong>If you want to be sure nobody can read your content, you should
-           not use 0bin</strong>. Use
-         <a href="https://crypto.cat/">cryptocat</a> (but JS crypto warnings apply)
-         or <a href="http://www.cypherpunks.ca/otr/">OTR</a> for chatting,
-         <a href="http://gnupg.org/">GPG</a>/<a href="http://enigmail.mozdev.org/home/index.php.html">enignmail</a>
-         for emails and <a href="http://www.truecrypt.org/">TrueCrypt</a> for storage.</p>
+      <p>0bin is not built, and does not aim, to protect user data - but rather the host.
+	 If any user data is compromised, 0bin still provides the host with 
+	 plausible deniability (as they ignore the content of the pastes).</p>
+      <p>It would make no sense if the host was to compromise the encryption process
+         to read the data; in that case, they wouldn't have
+         installed 0bin in the first place, as 0bin is here to protect them.</p>
+      <p><strong>However, if you want to ensure your data is not read in anyway, you should
+		 not use 0bin</strong>. Use <a href="http://www.cypherpunks.ca/otr/">OTR</a> for chatting,
+		 <a href="https://gnupg.org/">GnuPG</a> for encrypted & verified data sharing, with <a href="https://www.enigmail.net/">EnigMail</a>
+		 for emails and <a href="http://www.truecrypt.org/">TrueCrypt</a> for storage.</p>
+      <p>It would be unlikely for those softwares to fail you. Errors will nearly always come from your side -  you ought to have a perfect <a href="https://en.wikipedia.org/wiki/Operations_security">operations security</a>
+	 if you do not want your data to be leaked. Remember to use your common sense.</p>
    </dd>
-    <dt>How did you come out with such a cool idea?</dt>
+    <dt>How did the idea of 0bin emerge?</dt>
    <dd>
-      <p>We didn't, we based 0bin on
-        <a href="http://sebsauvage.net/paste/">sebsauvage's work</a>.</p>
-
-    <p>It was a reaction to
-       <a href="https://www.zdnet.com/blog/security/pastebin-to-hunt-for-hacker-pastes-anonymous-cries-censorship/11336">Pastebin been forced to moderate its content</a>
-        because of so many illegal stuffed posted to it. 0bin should be used the
-         same way <a href="pastebin.com">Pastebin</a> is for users. The only
-         difference is that if you host it, we hope the encryption
-         feature can be used as a defense. This is not proven though :-)</p>
-
+      <p>0bin is based on <a href="http://sebsauvage.net/wiki/doku.php?id=php:zerobin">sebsauvage's work</a>.
+         The project sprang as a reaction to <a href="https://www.zdnet.com/blog/security/pastebin-to-hunt-for-hacker-pastes-anonymous-cries-censorship/11336">the implementation of a moderation system on Pastebin</a>,
+         due to the significant amount of illegal content pasted on it, or that it linked to.</p>
    </dd>
-
+   <dt>How can I get 0bin?</dt>
+   <dd>
+      <p>0bin is an open-source project, and the code is hosted on <a href="https://github.com/sametmax/0bin">GitHub</a>.
+         You can either download a tarball or clone the repository.</p>
+  </dd>
  </dl>

 </div>