pastebin.html
<?php
Upvote::render_arrows(
"pastebin",
"defuse_pages",
"PIE Bin",
"A pastebin with both client-side and server-side encryption.",
"https://defuse.ca/pastebin.htm"
);
?>
<center><img style="margin-bottom: 10px;" src="/images/secure_pastebin.png" alt="Secure, Encrypted, Anonymous Pastebin. PIE - Pre Internet Encryption" /></center>
<div style="text-align:center; font-size: 20px;"><b><u>P</u></b>re-<b><u>I</u></b>nternet <b><u>E</u></b>ncryption for Text</div>
<form id="pasteform" name="pasteform" action="/bin/add.php" method="post">
<input id="jscrypt" type="hidden" name="jscrypt" value="no" />
<br />
<textarea id="paste" style="color:black; background-color:white; border:dashed 1px black; width:100%;" rows="30" cols="40" name="paste" spellcheck="false"></textarea>
<br />
<p><b>All posts are automatically deleted after 10 days.</b></p>
<input style="width:300px;" type="submit" name="submitpaste" value="Post Without Password Encryption" /> <input type="checkbox" name="shorturl" value="yes" /> Use shorter URL.
Expire in
<select name="lifetime">
<option value="15552000">6 Months</option>
<option value="2592000">30 Days</option>
<option value="864000" selected="selected">10 Days</option>
<option value="86400">1 Day</option>
<option value="3600">60 Minutes</option>
<option value="600">10 Minutes</option>
</select>
</form>
<!--Client-side encryption options-->
<noscript><p style="color: #550000;"><b>JavaScript is required to use client-side encryption.</b></p></noscript>
<div id="encinfo" style="margin-top: 10px;">
Client-Side Password:
<input type="password" id="pass1" value="" />
Verify: <input type="password" id="pass2" value="" />
<input type="button" value="Encrypt & Post" onclick="encryptPaste()" />
</div> <!-- /enc -->
<!--end of client-side encryption options-->
<!-- Scripts for client-side encryption -->
<script type="text/javascript" src="/js/sjcl.js"></script>
<script type="text/javascript" src="/js/encrypt.js"></script>
<script type="text/javascript">
<!--
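/* Use server-side code to fill this with a random 256 bit hex string.
   random_bytes() (PHP 7+) is used because the mcrypt extension, which
   provided mcrypt_create_iv(), was removed from PHP core in 7.2. */
var entropy = "<?php echo bin2hex(random_bytes(32)); ?>";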
sjcl.random.addEntropy(entropy, entropy.length * 4, "server");
/* Collect entropy from mouse movements and key-presses */
try {
sjcl.random.startCollectors();
} catch (e) {
/* Ignore it -- server entropy is good enough. */
}
function encryptPaste()
{
var pass1 = document.getElementById("pass1").value;
var pass2 = document.getElementById("pass2").value;
if(pass1 == pass2 && pass1 != "")
{
var plain = document.getElementById("paste").value;
var ct = encrypt.encrypt(pass1, plain);
document.getElementById("paste").value = ct;
document.getElementById("jscrypt").value = "yes";
document.pasteform.submit();
}
else if(pass1 != pass2)
{
alert("Passwords do not match.");
}
else if(pass1 == "")
{
alert("You must provide a password.");
}
}
-->
</script>
<!-- End of scripts for client-side encryption -->
<a name="security"></a>
<h2>Security & Encryption Details</h2>
<p>
Pastebins are useful for sending text over Twitter or instant messaging, but the
most popular ones do not provide any security. Posts on "pastebin.com" are
indexed by search engines. You can
<a href="https://encrypted.google.com/search?q=%22BEGIN%2bRSA%2bPRIVATE%2bKEY%22%2b%2bsite%3Apastebin.com" rel="nofollow">search for private keys</a>.
This pastebin aims to protect your data as much as possible while being as easy
to use as other pastebin services.
</p>
<p>
The text you submit here will be encrypted and sent over an SSL/TLS connection
so that it should never be seen by anyone unless they know the URL and, if one
was used, the client-side password. For maximum security, use a strong
client-side password and transmit it through a secure channel (such as
OTR-encrypted chat or PGP-encrypted email).
</p>
<p>
<b>Important Security Note:</b> Someone with access to the web server will not be able to
decrypt the posts already stored in the database, but they <em>can</em>:
</p>
<ul>
<li>Modify the JavaScript encryption code to make it save your password.</li>
<li>View your post as it is being submitted.</li>
<li>View your post as it is being viewed.</li>
</ul>
<p>
This means that you must trust the operator of the server hosting this website.
You must trust that law enforcement has not compelled the operator to provide
the decrypted posts. So far, that has not happened (check often to see if this
text has been removed).
</p>
<p>
We have a <a href="/robots.txt">robots.txt</a> entry to stop search engines from
indexing the posts. Search engines can ignore the robots.txt file, so this is
not guaranteed.
</p>
<p>
If logging were enabled on the server, then the pastebin URLs would be written
to the log file and the system administrator could see the posts. For this
reason, access logging is disabled on the server. If access logging must be
enabled for some reason, there are rules in place to ensure requests with
pastebin URLs or Referers are not logged.
</p>
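One way to verify that such exclusion rules hold, as an added example that is not part of the site's own code: the script below audits an access log for entries whose request path or Referer would expose a paste URL. The combined log format, the /b/ paste prefix and the pastebin.example host are assumptions, and the log lines are constructed.

```shell
#!/bin/sh
# Added example: audit an access log for entries that would expose paste URLs.
# Assumptions (not from the page): "combined" log format and a hypothetical
# paste URL prefix of /b/. The audit output never repeats the URL itself.

# Constructed sample log lines, not real traffic.
sample_log() {
    printf '%s\n' \
        '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /b/AbCd1234 HTTP/1.1" 200 512 "-" "curl/8.0"' \
        '203.0.113.8 - - [10/Oct/2023:13:56:01 +0000] "GET /js/sjcl.js HTTP/1.1" 200 9000 "https://pastebin.example/b/ZyXw9876" "Mozilla/5.0"' \
        '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "ExampleBot/1.0"' \
        '203.0.113.9 - - [10/Oct/2023:13:58:40 +0000] "POST /bin/add.php HTTP/1.1" 302 0 "https://pastebin.example/pastebin.htm" "Mozilla/5.0"'
}

# Read a log on stdin and print "LEAK N FIELD" for each entry N whose request
# path or Referer path starts with the paste prefix given as $1.
# Exit status is 1 if any leaking entry was found, 0 otherwise.
find_paste_leaks() {
    awk -v prefix="$1" -F'"' '
        {
            # Field 2 is the request line: METHOD PATH PROTOCOL
            n = split($2, req, " ")
            path = (n >= 2) ? req[2] : ""
            # Field 4 is the Referer; drop scheme and host to leave its path
            ref = $4
            sub("^[a-zA-Z]+://[^/]*", "", ref)
            if (index(path, prefix) == 1) { print "LEAK " NR " request"; bad = 1 }
            if (index(ref, prefix) == 1)  { print "LEAK " NR " referer"; bad = 1 }
        }
        END { exit (bad + 0) }
    '
}

# Stand-alone run over the constructed sample.
sample_log | find_paste_leaks /b/ || echo "paste URLs would be written to this log"
```

Entry 2 shows why the Referer matters: the request is for a static script, yet the logged Referer still identifies the paste that loaded it.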
<p>
Here's how the encryption works:
</p>
<center>
<b><u>PIE BIN Encryption Process:</u></b>
<br /><br />
<img src="/images/pastebin-diagram.png" alt="Secure Pastebin Data Flow Diagram" title="Secure Pastebin Crypto" />
</center>
<a name="commandline"></a>
<h2>Command-Line Script</h2>
<p>
This bash script reads standard input, encrypts it, then uploads it to the
pastebin. It then prints the command to download and decrypt the post.
</p>
<p>
<b>Warning:</b> The download-and-decrypt command contains the encryption
password. It will be visible to other users via the process list (ps aux), and
will be saved in your shell history. For maximum security, omit the --passphrase
option and paste the password separately.
</p>
<div style="text-align: center;">
<b><a href="/source/makepaste.sh">Download makepaste.sh</a></b>
</div>
<?php
printSourceFile("source/makepaste.sh");
?>
<p>
Tip: To send the command over Twitter, put an "$x" between the slashes in
"https://", like "https:/$x/". Doing so stops Twitter from transforming it into
a link.
</p>