Secure Pastebin Secure PastebinA zero-knowledge client-side encryption Pastebin by Networkmaine
PasteSafe is a secure Pastebin service which allows secure sharing of information for Networkmaine users. It’s implemented using the Web Cryptography API supported by major browsers for client-side encryption.
This means that:
Encrypted pastes can be deleted at any time. And if you don't delete them, the server will automatically after 7 days. Optionally, you can set a paste to be deleted upon access using the Burn After Reading checkbox when creating a paste.
When you create a new paste, your browser generates a cryptographically random encryption key. This key is appended to the web address of the paste, but done so using a Fragment Identifier. The fragment identifier is the part of the web address following the # symbol and is commonly used to point to sections within a page. By design, the fragment identifier is never transmitted to the web server as part of a web request, so it can be shared to others as any normal link, but will only be known to the browser loading the link; not transmitted to this server.
The service makes use of AES256-CTR as its encryption method. One of the same methods used for modern SSH encryption.
The key remains consistent for a paste, but the CTR, short for counter, (Initialization Vector in cryptography terms) is a cryptographically random value generated each time data is encrypted. This is part of why encrypting the same paste multiple times will result in a different encryption result, and part of what helps keep data secure from dictionary attacks.
In short, this service makes use of strong client-side encryption. Networkmaine will never have access to your data.
This server also makes use of TLS (SSL) encryption for network connections, meaning even your encrypted paste is encrypted when being transmitted. But it’s important to keep in mind that anyone with the link has access to the data until it’s deleted. When possible share the link using encrypted communication. But if that’s not an option, deleting the paste quickly will significantly reduce the chance of exposure.
Another thing to keep in mind is that your web browser may cache data. We recommend using this service in a Private Browsing session.
Even the most experienced IT and security professionals will often resort to unsafe sharing of sensitive information for lack of a more convenient option. This can be anything from sharing a seemingly innocent code snipped or log data, to sharing login credentials.
Too often, sensitive information is placed in email or chat, and while the connection used by these applications can be reasonably secure, the data is often replicated across and unknown number of devices and archived in an unknown number of locations. Each instance a potential opportunity for future exposure. Simply put: Even if the connection is secure, the data management may not be.
By sharing a link to temporary data, instead of the data itself, only the link is archived. After the link has expired it can no longer be used to access the information.
While many Pastebin services are publically available, and some offer private paste (unlisted) or encryption (often server-side) of some kind, there is often no available method to verify the security of the solution or contact the author. Another problem is that many anonymous Pastebin services today are leveraged by malware, forcing network operators to restrict access to them. The result is that depending on the local filtering policy for a user, a Pastebin may or may not be reachable.
PasteSafe is our attempt to provide a solution to these problems. We hope you find it useful.
Feedback is not only welcome, but appreciated. PasteSafe is written and maintained by Ray Soucy, contact him at: rps@maine.edu.