0bin vs zerobin

[kewde]

https://0bin.net/ and https://zerobin.net/ both use the same source code, yet zerobin.net provides an onion domain (http://zerobinqmdqd236y.onion).

Perhaps we should consider swapping them?

[ghost]

Some facts for comparison. Please note that web servers which do not disclose version information can be vulnerable, too. There is no way to check this without server access.

https://0bin.net

• uses outdated nginx 1.1.19 (released on Apr 12, 2012) which contains at least 3 security vulnerabilities, jQuery, Bootstrap
• Open ports of the web server: 21 (FTP), 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy)
• FTP uses outdated vsftpd 2.3.5 (released in December 2011), maybe vulnerable to CVE-2015-1419, and allows anonymous login
• SSH uses outdated OpenSSH 5.9p1 (released in September 2011) which contains at least 4 security vulnerabilities
• DNS uses outdated BIND 9.8.1-P1 (released in November 2011) which contains about 20 security vulnerabilities
• Let's Encrypt RSA cert (2048 bits), expires in August 2018
• supports TLSv1.0, TLSv1.1, TLSv1.2
• weak DH parameter (1024 bits) for key exchange
• no OCSP Must-Staple, no OCSP stapling, no HSTS, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
• not listed on hstspreload.org
• no DNSSEC

https://zerobin.net

• uses CloudFlare's WAF, jQuery
• Open ports of the web server: 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy), 8443 (HTTP alt)
• COMODO ECDSA cert (256 bits), valid for dozens of different domain names, expires in 143 days
• supports TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 (draft 23)
• sets 1 Cookies (missing SameSite flag)
• no OCSP Must-Staple
• not listed on hstspreload.org
• no DNSSEC

https://ghostbin.com

• uses outdated Apache 2.4.18 (released in December 2015) which contains about 14 security vulnerabilities, jQuery, Ubuntu
• Open ports of the web server: 22 (SSH), 80 (HTTP), 443 (HTTPS)
• SSH used outdated OpenSSH 7.2p2 which contains about 6 security vulnerabilities when checked on May 10, 2018. There was no version information disclosed on May 27, 2018.
• offers HTTP method TRACK which introduces XST (Cross-Site-Tracing) vulnerability for some web servers, offers HTTP method CUSTOM (arbitrary HTTP methods)
• Let's Encrypt RSA cert (2048 bits), expires in 44 days
• supports TLSv1.0, TLSv1.1, TLSv1.2, allows weak cipher suites with RC4 encryption
• no OCSP Must-Staple, no OCSP stapling, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
• not listed on hstspreload.org
• no DNSSEC

https://privatebin.info

• uses nginx (version not disclosed), jQuery, Bootstrap, Debian 8 Jessie
• Open ports of the web server: 22 (SSH), 25 (SMTP), 53 (DNS), 80 (HTTP), 443 (HTTPS), 587 (SMTP), 993 (IMAP)
• SSH uses OpenSSH 7.4p1 which may contain 1 security vulnerability
• DNS uses outdated BIND 9.9.5 which contains 11 security vulnerabilities
• Let's Encrypt RSA cert (4096 bits) for the web server, expires in August 2018
• RapidSSL RSA cert (4096 bits) for the mail server, expires in July 2019
• web server supports only TLSv1.2 (this is recommended nowadays)
• sets 3 third-party cookies (codeclimate.com, scrutinizer-ci.com, insight.sensiolabs.com) and 13 cookies
• SRI for JS is implemented which is recommended
• no OCSP Must-Staple, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
• listed on hstspreload.org, however, it no longer meets the requirements
• Please note: privatebin.net sends everything but referrer header, while privatebin.info doesn't send most security-relevant HTTP headers. Moreover, privatebin.net doesn't set any cookies and doesn't connect to third parties.
• no DNSSEC

https://hastebin.com

• uses cloudflare, jQuery
• Open ports of the web server: 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy), 8443 (HTTP alt)
• COMODO ECDSA cert (256 bits), valid for several other domain names, expires in 138 days
• supports TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 (draft 23)
• sets 1 Cookies (missing Secure flag, missing SameSite flag) and connects with ajax.googleapis.com
• loads JS from Google but doesn't implement Subresource Integrity (SRI)
• no OCSP Must-Staple, no OCSP stapling, no HSTS, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
• not listed on hstspreload.org
• no DNSSEC

Edit (May 26, 2018): Updated findings. Edit (May 27, 2018): Added further information and projects mentioned by @kewde and added hastebin.com which is also listed on privacytools.io

[kewde]

@Shifterovich

[kewde]

@infosec-handbook

Please run the same analytics for the following websites, their results will determine the order of the section. https://ghostbin.com/ https://privatebin.info

I'm currently going to propose a replacement of 0bin with zerobin.net. Then re-ordering it to: PrivateBin - ZeroBin - Ghostbin (unless your research shows a different picture). https://github.com/PrivateBin/PrivateBin/wiki/FAQ#should-i-switch-from-zerobin-to-privatebin

[ghost]

@kewde

Please run the same analytics for the following websites

I added the results to the overview above. I also added hastebin.com which is currently listed on privacytools.io, too.

zerobin.net seems to be the only recommendable service when I look at the results. However, since zerobin.net doesn't disclose version information we can't be 100% sure that they don't use outdated software, too. Furthermore, I didn't look at the implementation of their code for secure pastebins.

In a nutshell:

1. zerobin.net: seems to be most secure according to the results (in terms of general web server security)
2. privatebin.info: SSH/DNS software may be vulnerable, however, privatebin.net sets most security-related HTTP headers. Worse are about 10 third-party connections and cookies from a privacy perspective.
3. ghostbin.com: seems to use a vulnerable Apache web server, offers broken RC4 encryption, and shouldn't be recommended at all
4. 0bin.net: seems to run mostly outdated and vulnerable software from 2011 and uses weak DH parameter for key exchange, and shouldn't be recommended at all
5. hastebin.com: all version information is filtered by cloudflare, however, most security features are disabled and there is third-party JS loaded without any checks. It shouldn't be recommended at all

[ghost]

Create a PR changing the order and adding some information. Regarding Ghostbin, we should warn users that while Ghostbin - the software - is good, ghostbin.com's security is worrisome.

[kewde]

@infosec-handbook

I believe the 10 third-party connections are related to the .info website (privatebin.info)? - which hosts the source code, in particular the 8 unique github badges will cause third party connections. The actual pastebin website is the .net domain https://privatebin.net/ It's a bit unclear from your comment on which domain these third party connections are present.

Changing the privatebin url on the website to the .net domain.

[kewde]

Also out of curiosity - what tools are you using for the analysis? It could perhaps be a standard procedure for analyzing websites we recommend.

Found it: https://infosec-handbook.eu/blog/online-assessment-tools/

[ghost]

@kewde

I believe the 10 third-party connections are related to the .info website (privatebin.info)?

Right. https://privatebin.net/ has 0 connections to third parties and doesn't set cookies.

what tools are you using for the analysis?

I use the web services mentioned in the blog article and several well-known tools like nmap, sslyze, sslscan, dig, openssl etc. to analyze web servers.

[Vincevrp]

Regarding Ghostbin, we should warn users that while Ghostbin - the software - is good, ghostbin.com's security is worrisome.

I think we shouldn't recommend it then. (#408)

[privacytoolsIO]

hi guys, i've removed zerobin recently because of this message from the dev:

I dot not have time to maintain ZeroBin any more. For a more up-to-date version, please switch to PrivateBin : https://privatebin.info/

Source: https://sebsauvage.net/wiki/doku.php?id=php:zerobin

Seems like PrivateBin is the only choice at the moment? I've decided to link to our installation, too. https://www.privacytools.io/providers/paste/

Should we remove Ghostbin? Replace it with something or just leave PrivateBin as the only choice?

[jingofett]

Ghostbin now displays a message that it will be shutting down this month.

I guess PrivateBin is the only choice. Is there a way to integrate it with ShareX?

[Spydar007]

Ghostbin removed via #931

[blacklight447]

as we now list privatebin, this issue seems outdated, closing.