0bin

wiki home: https://github.com/dimyme/0bin/wiki

0bin is a client-side-encrypted pastebin, so the server cannot and does not need to store the keys, which are contained in the URL behind the ‘’#’’ char , a part that does not transmit to the server.

see this example

https://0bin.net/paste/AqRPX4BkRi4EQjfs#tp6B5PBaFQfhN-Zb+qcjVpvrzMu7XexarFGjay7fB5H

#tp6B5PBaFQfhN-Zb+qcjVpvrzMu7XexarFGjay7fB5H
minus the # is the key, over which the user (“client side”), not the server, pretty much has control over.

the mere URL https://0bin.net/paste/AqRPX4BkRi4EQjfs without the key part does not get you far.

This is what “Get short url” and “Email this” gives you, albeit it is of little utility without key. Copy the full address with #KEY.KEY.KEY…. from the browser’s address bar instead.

To tell someone what you pasted, give them the full lengthy URL (contains the key after #), some URL.shorteners break the scheme, so don’t use those mindlessly.

0bin can run without a database. It is based on bottle.py, the single-file web-framework, aka function-library.

size limit of pastes is about 500 KByte. expiry time is settable and “burn after read” mode (broken?).

One use case may be an encrypted link list: save your bookmarks across machines, then export as bookmarks.html for safekeeping. you get the idea.

The pastes-counter resides with the paste content somewhere near …../lib/python3.7/site-packages/zerobin/static/content/counter where you see the timestamps too.

Try it on an example deployment at 0bin.net <http://0bin.net>_
Report a bug <https://github.com/sametmax/0bin/issues>_

0bin allows anybody to host a pastebin while welcoming any type of content to be pasted in it. The idea is that one can (probably…) not be legally entitled to moderate the pastebin content_ as they have no way to decrypt it.

It’s an Python implementation of the zerobin project_ under the WTF licence_. It’s easy to install even if you know nothing about Python.

For now tested with IE9, and the last opera, safari, chrome and FF.

There is a good doc <http://readthedocs.org/docs/0bin/en/latest/>_, but in short::

pip install zerobin
zerobin

0bin runs on Python 2.7 and Python 3.4.

How it works

When creating the paste:

the browser generates a random key;
the pasted content is encrypted with this key using AES256;
the encrypted pasted content is sent to the server;
the browser receives the paste URL and adds the key in the URL hash (#).

When reading the paste:

the browser makes the GET request to the paste URL;
because the key is in the hash, the key is not part of the request;
browser gets the encrypted content end decrypts it using the key;
the pasted decrypted content is displayed and sourcecode is highlighted.

Key points:

because the key is in the hash, the key is never sent to the server;
therefore it won’t appear in the server logs;
all operations, including code coloration, happen on the client-side;
the server is no more than a fancy recipient for the encrypted data.

Other features

automatic code coloration (no need to specify);
pastebin expiration: 1 day, 1 month or never;
burn after reading: the paste is destroyed after the first reading;
clone paste: you can’t edit a paste, but you can duplicate any of them;
code upload: if a file is too big, you can upload it instead of using copy/paste;
copy paste to clipboard in a click;
get paste short URL in a click;
own previous pastes history;
visual hash of a paste to easily tell it apart from others in a list;
optional command-line tool to encrypt and paste data from shell or scripts.

Technologies used

Python_
The Bottle Python Web microframework_
SJCL_ (js crypto tools)
jQuery_
Bootstrap_, the Twitter HTML5/CSS3 framework
VizHash.js_ to create visual hashes from pastes
Cherrypy_ (server only)
node.js_ (for optional command-line tool only)

Known issues

0bin uses several HTML5/CSS3 features that are not widely supported. In that case we handle the degradation as gracefully as we can.
The “copy to clipboard” feature is buggy under linux. It’s flash, so we won’t fix it. Better wait for the HTML5 clipboard API to be implemented in major browsers.
The pasted content size limit check is not accurate. It’s just a safety net, so we think it’s ok.
Some url shorteners and other services storing URLs break the encryption key. We will sanitize the URL as much as we can, but there is a limit to what we can do.

What does 0bin not implement?

Request throttling. It would be inefficient to do it at the app level, and web servers have robust implementations for it.
Hash collision prevention: the ratio “probability it happens/consequence seriousness” is not worth it_
Comments: it was initially planed. But comes with a lot of issues so we chose to focus on lower hanging fruits.

.. _moderate the pastebin content: http://www.zdnet.com/blog/security/pastebin-to-hunt-for-hacker-pastes-anonymous-cries-censorship/11336
.. _zerobin project: https://github.com/sebsauvage/ZeroBin/
.. _Python: https://en.wikipedia.org/wiki/Python_(programming_language)
.. _The Bottle Python Web microframework: http://bottlepy.org/
.. _SJCL: http://crypto.stanford.edu/sjcl/
.. _jQuery: http://jquery.com/
.. _Bootstrap: http://twitter.github.com/bootstrap/
.. _VizHash.js: https://github.com/sametmax/VizHash.js
.. _Cherrypy: http://www.cherrypy.org/
.. _node.js: http://nodejs.org/
.. _is not worth it: http://stackoverflow.com/questions/201705/how-many-random-elements-before-md5-produces-collisions
.. _WTF licence: http://en.wikipedia.org/wiki/WTFPL

Contributing

Please fork the project, clone your repository and add the original repo as an upstream remote to keep yours in sync.

For small fixes (typo and such), you can work on master.

For features, you should create a dedicated branch.

In any case, if you modify Javascript or CSS files, you shall run compress.sh afterward to provide the minified files. It requires your to have yui-compressor installed (apt-get install yui-compressor on the debian family).

We don’t require you to rebase/merge, ordinary merging is alright.

Once it’s ready, just request a PR.