In association with heise online

17 April 2012, 09:51

ZeroBin provides an encrypted alternative to Pastebin - Update



The ZeroBin test installation on sebsauvage.net

Developer Seb Sauvage has released the first public version of ZeroBin, an open source alternative to Pastebin. ZeroBin allows users to post text snippets anonymously and then send a link to the pasted file to other users. In contrast to Pastebin, it supports client-side encryption of posted files (using 256-bit AES), which means the server retains no knowledge of the information being stored. Users can also easily clone existing "pastes" on the site.

Installing ZeroBin doesn't require a database and the system can store content up to 2MB per snippet. The developer is currently working to add user authentication and syntax highlighting. ZeroBin runs on PHP 5.2.6 or above and needs JavaScript enabled at the client end to work correctly.

Sauvage says that server administrators cannot moderate the snippets being stored and should "hopefully" be legally protected by the client-side encryption as they have no way of knowing what is being stored by the system. He provides an instance of the software for interested parties to test, but warns that any content stored on that site will be regularly deleted.

ZeroBin is currently at version 0.11 alpha and can be downloaded from the developer's web site. The software is licensed under the zlib/libpng licence.

Update 18-04-12: ZeroBin works by creating a new 256-bit AES key for every code snippet. When a user posts a snippet, the text is encrypted on the client side and is then sent to the server. The server then creates a URL that makes the snippet accessible on the internet. On the client, this URL is displayed in the format: http://zerobin.example.com/paste/?<ID>#<Key>

When the data is sent to the server, the anchor with the attached secret key is omitted. Other users can only access the pasted text if the original uploader gives them the full URL including the key. With the full URL, other browsers can again decrypt the stored message locally.

Preliminary tests by The H's associates at heise Security have shown that the developer's claims are correct and that the system works as intended. The pasted text is sent encrypted and enclosed by <div id="cipherdata">...</div> tags. A possible problem with this approach is the fact that badly written search engine crawlers could follow ZeroBin links that have been posted publicly and therefore log the complete URL including the encryption key.
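The scheme described in the update, as an added Node.js example that is not ZeroBin's own code: a fresh 256-bit key per paste, ciphertext stored under an ID, and the key carried only in the URL fragment. The AES-GCM mode, the base64url key encoding, the in-memory `serverStore` and all function names are assumptions made for illustration; the article only states that 256-bit AES is used.

```javascript
// Added illustration, not ZeroBin's code. AES-256-GCM, base64url keys and the
// in-memory "server" are assumptions; the article only states 256-bit AES.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

const serverStore = new Map(); // stand-in for the server: ID -> ciphertext only

// Client side: fresh 256-bit key per paste; only ciphertext is uploaded.
function createPaste(plaintext, base = "http://zerobin.example.com/paste/") {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), body]).toString("base64");
  const id = nodeCrypto.randomBytes(8).toString("hex"); // a real server assigns this
  serverStore.set(id, blob);
  return `${base}?${id}#${key.toString("base64url")}`;
}

// What a browser puts on the wire: path and query, never the fragment.
function requestTarget(pasteUrl) {
  const u = new URL(pasteUrl);
  return u.pathname + u.search;
}

// Recipient side: fetch ciphertext by ID, decrypt locally with the fragment key.
function readPaste(pasteUrl) {
  const u = new URL(pasteUrl);
  const id = u.search.slice(1);
  const key = Buffer.from(u.hash.slice(1), "base64url");
  if (key.length !== 32) throw new Error("URL carries no usable key");
  const blob = Buffer.from(serverStore.get(id), "base64");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return plain.toString("utf8");
}

const url = createPaste("constructed sample snippet");
console.log("full URL (share this):", url);
console.log("sent to server:       ", requestTarget(url));
console.log("decrypted locally:    ", readPaste(url));
```

Anything that records the full URL, fragment included, holds everything needed to call `readPaste`, which is the crawler concern raised above.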

(fab)

Permalink: http://h-online.com/-1539869
 

