mirror of
https://github.com/Tygs/0bin.git
synced 2023-08-10 21:13:00 +03:00
1a0426881a
Static files are compressed Mention of compress.sh in README Privilege is now an embeded dependancy.
122 lines
4.8 KiB
ReStructuredText
122 lines
4.8 KiB
ReStructuredText
0bin
|
|
====
|
|
|
|
0bin is a client side encrypted pastebin that can run without a database.
|
|
|
|
* Try it: `0bin.net <http://0bin.net>`_
|
|
* `Report a bug <https://github.com/sametmax/0bin/issues>`_
|
|
|
|
0bin allows anybody to host a pastebin while welcoming any type of content to
|
|
be pasted in it. The idea is that one can (probably...) not be legally entitled
|
|
to `moderate the pastebin content`_ as he/she has no way to decrypt it.
|
|
|
|
It's an Python implementation of the
|
|
`zerobin project`_ under the `WTF licence`_. It's easy to
|
|
install even if you know nothing about Python.
|
|
|
|
For now tested with IE9, and the last opera, safari, chrome and FF.
|
|
|
|
There is a `good doc <http://readthedocs.org/docs/0bin/en/latest/>`_,
|
|
but in short::
|
|
|
|
pip install zerobin
|
|
zerobin
|
|
|
|
For now, 0bin targets Python 2.7 only. Python 3 supports is planned.
|
|
|
|
How it works
|
|
=============
|
|
|
|
When creating the paste:
|
|
|
|
- the browser generates a random key;
|
|
- the pasted content is encrypted with this key using AES256;
|
|
- the encrypted pasted content is sent to the server;
|
|
- the browser receives the paste URL and adds the key in the URL hash (#).
|
|
|
|
When reading the paste:
|
|
|
|
- the browser makes the GET request to the paste URL;
|
|
- because the key is in the hash, the key is not part of the request;
|
|
- browser gets the encrypted content end decrypts it using the key;
|
|
- the pasted decrypted content is displayed and sourcecode is highlighted.
|
|
|
|
Key points:
|
|
|
|
- because the key is in the hash, the key is never sent to the server;
|
|
- therefore it won't appear in the server logs;
|
|
- all operations, including code coloration, happen on the client-side;
|
|
- the server is no more than a fancy recipient for the encrypted data.
|
|
|
|
Other features
|
|
======================
|
|
|
|
- automatic code coloration (no need to specify);
|
|
- pastebin expiration: 1 day, 1 month or never;
|
|
- burn after reading: the paste is destroyed after the first reading;
|
|
- clone paste: you can't edit a paste, but you can duplicate any of them;
|
|
- code upload: if a file is too big, you can upload it instead of using copy/paste;
|
|
- copy paste to clipboard in a click;
|
|
- get paste short URL in a click;
|
|
- own previous pastes history;
|
|
- visual hash of a paste to easily tell it apart from others in a list;
|
|
- optional command-line tool to encrypt and paste data from shell or scripts.
|
|
|
|
Technologies used
|
|
==================
|
|
|
|
- Python_
|
|
- `The Bottle Python Web microframework`_
|
|
- SJCL_ (js crypto tools)
|
|
- jQuery_
|
|
- Bootstrap_, the Twitter HTML5/CSS3 framework
|
|
- VizHash.js_ to create visual hashes from pastes
|
|
- Cherrypy_ (server only)
|
|
- `node.js`_ (for optional command-line tool only)
|
|
|
|
|
|
Known issues
|
|
============
|
|
|
|
- 0bin uses several HTML5/CSS3 features that are not widely supported. In that case we handle the degradation as gracefully as we can.
|
|
- The "copy to clipboard" feature is buggy under linux. It's flash, so we won't fix it. Better wait for the HTML5 clipboard API to be implemented in major browsers.
|
|
- The pasted content size limit check is not accurate. It's just a safety net, so we think it's ok.
|
|
- Some url shorteners and other services storing URLs break the encryption key. We will sanitize the URL as much as we can, but there is a limit to what we can do.
|
|
|
|
What does 0bin not implement?
|
|
=================================
|
|
|
|
* Request throttling. It would be inefficient to do it at the app level, and web servers have robust implementations for it.
|
|
* Hash collision prevention: the ratio "probability it happens/consequence seriousness" `is not worth it`_
|
|
* Comments: it was initially planed. But comes with a lot of issues so we chose to focus on lower hanging fruits.
|
|
|
|
|
|
.. _moderate the pastebin content: http://www.zdnet.com/blog/security/pastebin-to-hunt-for-hacker-pastes-anonymous-cries-censorship/11336
|
|
.. _zerobin project: https://github.com/sebsauvage/ZeroBin/
|
|
.. _Python: https://en.wikipedia.org/wiki/Python_(programming_language)
|
|
.. _The Bottle Python Web microframework: http://bottlepy.org/
|
|
.. _SJCL: http://crypto.stanford.edu/sjcl/
|
|
.. _jQuery: http://jquery.com/
|
|
.. _Bootstrap: http://twitter.github.com/bootstrap/
|
|
.. _VizHash.js: https://github.com/sametmax/VizHash.js
|
|
.. _Cherrypy: http://www.cherrypy.org/
|
|
.. _node.js: http://nodejs.org/
|
|
.. _is not worth it: http://stackoverflow.com/questions/201705/how-many-random-elements-before-md5-produces-collisions
|
|
.. _WTF licence: http://en.wikipedia.org/wiki/WTFPL
|
|
|
|
Contributing
|
|
=============
|
|
|
|
Please fork the project, clone your repository and add the original repo as an upstream remote to keep yours in sync.
|
|
|
|
For small fixes (typo and such), you can work on master.
|
|
|
|
For features, you should create a dedicated branch.
|
|
|
|
In any case, if you modify Javascript or CSS files, you shall run compress.sh afterward to provide the minified files. It requires your to have yui-compressor installed (apt-get install yui-compressor on the debian family).
|
|
|
|
We don't require you to rebase/merge, ordinary merging is alright.
|
|
|
|
Once it's ready, just request a PR.
|
|
|