Pages

Saturday, 25 September 2021

PrivateBin


A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES.

privatebin.info/

Current version: 1.3.5

PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data.

Data is encrypted and decrypted in the browser using 256bit AES in Galois Counter mode.

This is a fork of ZeroBin, originally developed by Sébastien Sauvage. ZeroBin was refactored to allow easier and cleaner extensions. PrivateBin has many more features than the original ZeroBin. It is, however, still fully compatible to the original ZeroBin 0.19 data storage scheme. Therefore, such installations can be upgraded to PrivateBin without losing any data.

What PrivateBin provides

  • As a server administrator you don't have to worry if your users post content that is considered illegal in your country. You have no knowledge of any of the pastes content. If requested or enforced, you can delete any paste from your system.

  • Pastebin-like system to store text documents, code samples, etc.

  • Encryption of data sent to server.

  • Possibility to set a password which is required to read the paste. It further protects a paste and prevents people stumbling upon your paste's link from being able to read it without the password.

What it doesn't provide

  • As a user you have to trust the server administrator not to inject any malicious javascript code. For basic security, the PrivateBin installation has to provide HTTPS! Otherwise you would also have to trust your internet provider, and any country the traffic passes through. Additionally the instance should be secured by HSTS. It can use traditional certificate authorities and/or use DNSSEC protected DANE record.

  • The "key" used to encrypt the paste is part of the URL. If you publicly post the URL of a paste that is not password-protected, anyone can read it. Use a password if you want your paste to be private. In this case, make sure to use a strong password and only share it privately and end-to-end-encrypted.

  • A server admin might be forced to hand over access logs to the authorities. PrivateBin encrypts your text and the discussion contents, but who accessed a paste (first) might still be disclosed via access logs.

  • In case of a server breach your data is secure as it is only stored encrypted on the server. However, the server could be misused or the server admin could be legally forced into sending malicious JavaScript to all web users, which grabs the decryption key and sends it to the server when a user accesses a PrivateBin.
    Therefore, do not access any PrivateBin instance if you think it has been compromised. As long as no user accesses this instance with a previously generated URL, the content can't be decrypted.

Options

Some features are optional and can be enabled or disabled in the configuration file:

  • Password protection

  • Discussions, anonymous or with nicknames and IP based identicons or vizhashes

  • Expiration times, including a "forever" and "burn after reading" option

  • Markdown format support for HTML formatted pastes, including preview function

  • Syntax highlighting for source code using prettify.js, including 4 prettify themes

  • File upload support, images get displayed (disabled by default, possibility to adjust size limit)

  • Templates: By default there are bootstrap CSS, darkstrap and "classic ZeroBin" to choose from and it is easy to adapt these to your own websites layout or create your own.

  • Translation system and automatic browser language detection (if enabled in browser)

  • Language selection (disabled by default, as it uses a session cookie)

  • QR code generation of URL, to easily transfer pastes over to a mobile device

Further resources

Run into any issues? Have ideas for further developments? Please report them!


from https://github.com/PrivateBin/PrivateBin


demo website: https://paste.itefix.net/

基于开源项目PrivateBin搭建的在线粘贴板,并将粘贴内容数据在浏览器内进行AES-256加密,以确保传输数据不会被关键字识别侦测,也无法被审查!PrivateBin的安全性非常好。PrivateBin还支持md,密码、阅后即焚,支持时间从最短5分钟至最长1个月。由于天朝对个人隐私的窥探欲很强,所以PrivateBin在国内访问速度一般。由于PrivateBin服务器在国外,其附件功能可以忽略不计,可搭配免费文件存储分享服务汇总需要分享匿名的文件。如该网站服务已无法使用,您可以查看PrivateBin项目列表获取更多正在运行的PrivateBin项目。


-----


PBinCLI

PBinCLI is command line client for PrivateBin written on Python 3.

Installing

virtualenv --python=python3 venv
. venv/bin/activate
pip install pbincli

Usage

By default pbincli configured to use https://paste.i2pd.xyz/ for sending and receiving pastes. No proxy used by default.

You can create config file with variables server and proxy in ~/.config/pbincli/pbincli.conf to use different settings.

Example contents:

server=https://paste.i2pd.xyz/
proxy=http://127.0.0.1:3128

Run inside venv command:

pbincli send --text "Hello!"

Or use stdin input to read text for paste:

pbincli send - <<EOF
Hello! This is test paste!
EOF

It will send string Hello! This is test paste! to PrivateBin.

To send file use --file or -f with filename. Example:

pbincli send -c "My document" -f info.pdf

To retrieve paste from server, use get command with paste info.

It must be formated like pasteID#passphrase. Example:

pbincli get 49eeb1326cfa9491#vfeortoVWaYeJlviDdhxQBtj5e0I2kArpynrtu/tnGs=

More info you can find by typing

pbincli [-h] {send, get, delete}
from https://github.com/r4sas/PBinCLI

----------------------------------------------------

PrivateBin——搭建你的在线私密剪贴板(开源版PasteBin)

一.介绍

很多人应该都用过PasteBin(有Ubuntu PasteBin和一个就叫PasteBin的),作为一个用于临时分享文本(当然也有很多人拿来分享代码啥的)的网站,在有些时候还是挺方便的,比如你要在论坛上发帖或者要发推啥的,然后有一段代码要贴,但是因为太长了不方便直接放,那么这个时候你就可以用到这些服务。理论上和短链接是差不多是思路(缩短内容),只是它不是一个重定向而是直接存放你原始的内容。

好了,不说了,介绍下我们今天的主角,PrivateBin。PirvateBin是一个开源的极简风格的在线PasteBin程序,可以从Private看出其特性,那就是所有数据均是加密的,而且是在浏览器端加密,服务器对于保存的数据是无法知晓的,因而具有比较好的保密性。这个源码最早是一个ZeroBin(已经停止开发)的fork,在它的基础上PrivateBin增加了许多的功能与特性,目前已经是一个相当成熟的程序了。

在安装前,我们可以先去官网一睹为快——>传送门

看上去还是相当棒的,而且能够加密以及阅后即焚的特性也是比较有用的,此外,自带的代码高亮,能够渲染Markdown以及需要在配置文件中开启的图片上传也是非常实用的功能。

这个能对分享的内容进行讨论的功能也是蛮有意思的.

二.安装

好了,看完之后大概也有一个总体的印象了,那我们开始日常的安装流程吧
还是和往常一样,先来确认下环境要求

1. PHP版本 >= 5.4

2. 为保证加密的安全和随机性,需要满足以下条件之一:

PHP版本 >= 7(自带openssl扩展)
Libsodium和它的PHP扩展(php_libsodium)
open_basedir配置了能够有权限访问/dev/urandom(用于生成随机数据)
mcrypt扩展(PHP7用openssl取代了这个)
com_dotnet扩展

PS. Mcrypt需要有权限访问/dev/urandom(这意味着如果启用了open_basedir,就必须配置包含这个路径)

3. GD扩展(php_gd用于图像处理)

4. 一部分磁盘空间(默认存储数据直接用文件系统)或者一个被PDO支持的数据库(可选)

5. 有权限在安装目录以及在index.php中定义的PATH所指代的路径(额外指定路径以便提高安全性)创建文件和文件夹

6. 一个支持javascript的浏览器(加解密依赖JS,所以这是必须的)

安装的话比较简单,因为甚至可以不需要数据库,不过优化还是需要注意挺多的,后面我会提到,创建vhost我就不说了

这时候其实已经能用了,但是我们也可以做些安全方面的优化,也可以对配置做些修改

三.配置以及优化

1. 修改路径

这个是把你的PHP文件以及存储目录啥的全部移到网站目录外,然后在index.php中指定目录的位置,从而提高安全性,防止某些注入漏洞和文件上传提权

2. 使用HTTPS(这就不说了)

3. 正确的文件(夹)权限

这个的话跑一下命令就OK(自己确认路径)

4. 修改配置

请参考下方的配置文件翻译

5. 使用robots.txt与.htaccess

默认程序包含了robots.txt,而如果网站是Apache的话请将自带的.htaccess.disabled改名为.htaccess来启用,这个是屏蔽了一些爬虫和程序的网页预览功能啥的

6. 使用数据库代替默认的文件存储

这部分参考配置文件翻译

四.配置文件翻译

五.注意事项

1. 配合Cloudflare等CDN使用

  • 请关闭Email Obfuscation功能(邮箱混淆,防止爬虫抓取)
  • 请关闭Rocket Loader功能(加速静态资源加载)
  • 请取消勾选Auto Minify中的Javascript(压缩代码)

PS.如果网站在二级目录不想对根目录的其他网站关闭这些功能可以配置Page Rule

2. 在开启流量节省的安卓chrome等浏览器上使用

  • 请配置HTTPS或者关闭流量节省模式(会导致JS被压缩缓存然后功能失效)

3. 网站服务器开启了Selinux

  • 请配置Selinux规则,参考——>传送门

4. 网站服务器安装了Naxsi

  • 请配置Naxsi白名单,参考——>传送门(页面最下方)
  • 也可以针对程序的域名关闭WAF

我全部配完后测试了下上传图片的功能,图片是直接由js从后端抓取到浏览器的,直接是blob类型,所以这样的话如果上传的文件较大网络又不是很好的情况下可能容易出问题,还是请注意下.


No comments:

Post a Comment