Anonymous, People's Liberation Front Build Anonymous Data-Sharing Site
suraj.sun writes with these snippets from an article at Ars Technica: "Hacker group Anonymous and the People's Liberation Front have created a data-sharing site called AnonPaste.tk, meant to host pastes of code and other messages without any moderation or censorship of the information posted. The new site, which uses a free .tk web address, allows users to set a time for the paste to expire. It claims that data is encrypted and decrypted in the browser using 256 bit AES, so the server doesn't see any of the information included in the paste. The site says it's taking donations in the form of WePay or BitCoins. ... AnonPaste is built using open-source software called ZeroBin, created by French developer Sebastien Sauvage. According to Infoweek Sauvage has experience in creating online authentication systems for French banks, suggesting the creator knows a thing or two about encryption of data. Still, on the software's information page, Sauvage reminds potential users that ZeroBin software can not protect against potential Javascript attacks. 'Users still have to trust the server regarding the respect of their privacy,' he says. 'ZeroBin won't protect the users against malicious servers.'"
Re:Server cannot see the data? (Score:4, Informative)
Okay, I take it back. It seems that the reading URL contains the decryption key. That's actually quite nice.
The key seems to be stored in the in-page bookmark (the part after the "#"), so there is even a chance it won't be available through the server's logs. I have not checked whether it is the client or the server that produces the URL for reference. That might mean a trip to the server after all, but given the design of the rest, there is hope it was done properly after all.
Shachar
Re:Major Fail: ZeroBin requires the JavaScript (Score:4, Informative)
you can have only one of them:
- no client side scripting
- client side crypting/decrypting
but do not worry, javascript is sandboxed to the site's context.
Re:Major Fail: ZeroBin requires the JavaScript (Score:4, Informative)
Javascript isn't half as evil as you make it.
Its main failing is that it sucks for crypto. A quick reference I could dig out:
http://www.matasano.com/articles/javascript-cryptography/ [matasano.com]
Basically, it has several problems, the main one being that where they write "random key" in the "browser" box in their little flowchart it should honestly say "weak pseudo-random key".
Re:There are some problems with it (Score:5, Informative)
It runs on ZeroBin [sebsauvage.net], which uses client side javascript to generate a random 256-bit AES key, then compress and encrypt the text before sending it to the server. Comments are also compressed and encrypted. The key is never seen by the server, so the server can't decrypt your data.
It uses the Stanford Javascript Crypto Library [stanford.edu] for its AES code, and its codebase is available on github [github.com].
The system is vulnerable to an MITM attack; also, a server admin may be able to reveal the poster's identity, but not the post's content.
Woao. (Score:3, Informative)
If you don't trust AnonPaste, you can just install ZeroBin [sebsauvage.net] (the opensource software AnonPaste is based on) on your own website.