FAQ

---

How does it work?

We generate a random key, and encrypt the paste with it using the sjcl javascript library.

The content is sent encrypted to the server, which returns the address of the newly created paste.

The javascript code then redirects to this address, but it adds the encryption key in the URL hash (#).

When somebody want to read the paste, he usually just click on a link with this URL. If the hash containing the key is part of it, Obin's javascript will use it to decrypt the content sent by the server.

The browser never sends the hash to the server, so it does not receives the key.

Javascript encryption is not secure!

No it's not.

The goal of 0bin is not to protect the users or their secrets.

The goal is to make it hard to sue the host because of the content users pasted in his service. The idea is that you can not require somebody to moderate something he can't read

What if the server changes the Javascript code? Or in the case of a man in the middle attack?

Read above.

0bin the is not built to protect the users content. It is built to protect the host. If the user content is compromised, 0bin still provides the host with the main feature: ignorance of the hosted content.

The case where the host himself compromises the encryption process to read the content makes no sense: in that case he wouldn't have installed 0bin in the first place. 0bin is here to protect him.

If you want to be sure nobody can read your content, you should not use 0bin. Use cryptocat (but JS crypto warnings apply) or OTR for chatting, GPG/enignmail for emails and TrueCrypt for storage.

How did you come out with such a cool idea?

We didn't, we based 0bin on sebsauvage's work.

It was a reaction to Pastebin been forced to moderate its content because of so many illegal stuffed posted to it. 0bin should be used the same way Pastebin is for users. The only difference is that if you host it, we hope the encryption feature can be used as a defense. This is not proven though :-)