ybin – paste data privately

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.
-Edward Snowden

You can access the service at ybin.me.

Intro

Everybody has a right to privacy. Ybin has been created with a simple idea in mind. It’s a simple pastebin where you can paste anything privately, with a simple-to-use, purely minimalistic user interface and no complicated options.

Basis

Ybin is based on the work of wonderful developer(s) behind an open-source encrypted pastebin project called ZeroBin (thank you). Most of the encryption algorithms used on ybin are taken directly from ZeroBin without modifications.

The code

I can talk all I want about how private the service is, and how it works, but without the source code, those are just words with no meaning. Ybin is, of course, open-source and you can check out the full code on my GitHub repository. Contributions are also more than welcome.

Encryption

All data you paste through ybin is encrypted with AES256, which is borderline impossible to crack by brute force. Check the following link to get a better idea. In short, exhausting half of the AES256 keyspace using resources we don’t yet have would take more time than the age of our beloved Universe.

Encryption is done solely on the client side, using sjcl, an open-source JavaScript encryption library. When you submit a paste, sjcl generates a random encryption key and encrypts the pasted data with AES256 using that key. Then it sends the ciphertext to the server, redirects you to the paste page and appends the key to the URL, after the # symbol. Browsers do not send the part of the URL after # to the server, so the key stays on the client. Since everything is done on the client side, your data is only transmitted to the server in encrypted form (pure ciphertext), meaning both the original data you’ve pasted and the generated key are completely private. The server only stores ciphertext. So, reading or decrypting your data is completely impossible on my side, since I have no way to find out the key. This grants ybin plausible deniability (in theory), since I can’t moderate data I can’t read or decrypt.

Privacy

  • Information provided by your browser (including your IP address) is never stored on the server. All server logs are configured to go directly to /dev/null. Take a look at the following snippet from the nginx configuration file:
    server_name ybin.me;
    access_log /dev/null main;
    error_log /dev/null;
  • No metadata is stored when you submit a paste (including timestamps).
  • Ybin has no tracking JavaScript code from Google and/or other services. Also, it has no ads that could track you.
  • Robots.txt disallows search engine crawlers from crawling and indexing pastes. Of course, this guarantees nothing since most of them ignore robots.txt anyway.
  • It's only accessible through SSL. (thanks for the feedback, reddit)

Safety

Now, this is the main question. Is this service completely safe? Well, I have to disappoint you, it’s not. Since all of the encryption is done by a JavaScript library, modifying the library from the outside can weaken or annul the encryption (like in MITM attacks). JavaScript is not safe, period. But, it’s a lot safer than transmitting raw data or keys to the server, nonetheless.

Example

Let's take a look at the following link: http://ybin.me/p/4eed1e530abe8348#aWImxYyjpqd62atEr1T9AP6rvHnO0vB1cvYvgifGmyM=.
First of all, you can see that the key is aWImxYyjpqd62atEr1T9AP6rvHnO0vB1cvYvgifGmyM=, extracted from the URL.
When you visit the link, you'll see the following pasted data:

Hello to zx readers from ybin!

But, the only data on the server of this paste is this:
{"data":"{"iv":"WrwCmvLidI4XFuIegejGjg==","v":1,"iter":1000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"+0C2wdjPPDo=","ct":"kP6sLss/j08mmDbe36mpdhvXgxXm8ifspuL/T5RYGfu4qMzGW6Pce0DmP9CVQtcKiG6YLA=="}"}
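
The example paste can be inspected without decrypting anything. The following JavaScript is an added example, not code from ybin or ZeroBin; the function names are hypothetical and the link and envelope values are copied from the example above. It splits the link into the part the browser sends to the server and the part that stays local, then reads the parameters sjcl recorded in the stored envelope.

```javascript
// Added example: the link and envelope values are copied from the example paste on this page.
const PASTE_URL = "http://ybin.me/p/4eed1e530abe8348#aWImxYyjpqd62atEr1T9AP6rvHnO0vB1cvYvgifGmyM=";
const STORED_ENVELOPE =
  '{"iv":"WrwCmvLidI4XFuIegejGjg==","v":1,"iter":1000,"ks":128,"ts":64,' +
  '"mode":"ccm","adata":"","cipher":"aes","salt":"+0C2wdjPPDo=",' +
  '"ct":"kP6sLss/j08mmDbe36mpdhvXgxXm8ifspuL/T5RYGfu4qMzGW6Pce0DmP9CVQtcKiG6YLA=="}';

// Length in bytes of a base64-encoded value.
const b64len = (s) => Buffer.from(s, "base64").length;

// Split a paste link into what goes into the HTTP request and what stays in the browser.
function splitPasteUrl(pasteUrl) {
  const u = new URL(pasteUrl);
  const secret = u.hash.slice(1); // the fragment is not included in the request
  return {
    sentToServer: u.pathname + u.search,
    keptInBrowser: secret,
    secretBits: b64len(secret) * 8,
  };
}

// Read the parameters recorded in an sjcl envelope.
// sjcl field meanings: ks = AES key size in bits, ts = authentication tag size in bits,
// iter = PBKDF2 iteration count used with the salt.
function describeEnvelope(json) {
  const e = JSON.parse(json);
  const tagBytes = e.ts / 8;
  return {
    cipher: `${e.cipher}-${e.ks}-${e.mode}`,
    kdfIterations: e.iter,
    saltBytes: b64len(e.salt),
    ivBytes: b64len(e.iv),
    tagBytes,
    payloadBytes: b64len(e.ct) - tagBytes, // sjcl's CCM output is ciphertext followed by the tag
  };
}

console.log(splitPasteUrl(PASTE_URL));
console.log(describeEnvelope(STORED_ENVELOPE));
```

Run it with Node.js. The ks, ts and iter values it reports are the parameters recorded for this particular paste, so they can be compared against the description in the Encryption section.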

Outro

Ybin does not, in any way, guarantee complete privacy and absolutely unbreakable encryption (as stated in the Safety section) while using the service. But it tries to achieve the best possible privacy by using best practices.