privly / privly-web

Official Privly Reference Implementation Content Server - Stores Information for Private Viewing of Content Via Any Website
https://priv.ly
MIT License
56 stars 20 forks

use ZeroBin for dead-simple, client-side, usable encryption #60

Closed jancborchardt closed 12 years ago

jancborchardt commented 12 years ago

The project I mentioned to you is ZeroBin. (more info, source code (BSD 3-clause I think), made by @sebsauvage)

Short explanation (taken from kcima on Hacker News): »The genius of this is the realization that browsers do not send the named anchor (technically "fragment identifier"[1]) to the server. Using the named anchor as the cryptographic key enables users to pass around simple URLs to encrypted data. Data is stored on the server, but the server never has access to the complete URL with the key, so it cannot decrypt it.«

So I give you this address http://sebsauvage.net/paste/?44e120bde8118ab1#9iZAutp/KfJA7UbhwBHyL9wdJFyOwHfzLT+l9b8nTOw= And you open it, see »Hey Privly« without even knowing it is stored encrypted. Super nice!

Since Priv.ly is based on sending around links anyway, I think this fits perfectly.

smcgregor commented 12 years ago

It does fit perfectly! Do you know if he is still working on it? There have been no commits for two months.

jancborchardt commented 12 years ago

No, no idea. It mainly seemed like a proof-of-concept. But I sure think that it will probably spark more excitement when another project picks it up. You should mail & ask him. :)

sebsauvage commented 12 years ago

Hi there. ZeroBin author here.

ZeroBin is not dead. It's just that I have too many things to do and too little time, but the project is not dead. Next step will be syntax coloring and password protection.

smcgregor commented 12 years ago

Hi there!

I am looking at your ZeroBin implementation now. You might be seeing pull requests from me :). I am working on Privly (https://priv.ly), which has similar considerations.

I understand "too many things to do"/"too little time" all too well. +1 encouragement for ZeroBin.

-Sean

JesseMarkowitz commented 12 years ago

Quick question for you Sean. Any concerns about US crypto export laws?

smcgregor commented 12 years ago

Annoyingly yes. The state of crypto export law is somewhat ridiculous, but we need to figure it out. There was an issue for that on the Drupal site (http://www.privly.org/content/export-cryptography-software), but since we are moving that functionality onto GitHub, I need to make an "Org" repository and move the issue there. One possibility is that we aren't really exporting the software, since Mozilla, Google, and GitHub are actually distributing it.

smcgregor commented 12 years ago

@sebsauvage

I am working on integrating your ZeroBin application into a set of extensions known as Privly (for more information, see: news article). The only substantive change I made to ZeroBin is to move the cipher-text URL onto the anchor (https://zerobin.net?1#key => https://zerobin.net#key&https://zerobin?1). Instead of rendering the application with the json pre-populated, it makes a jsonp request to the URL found in the anchor. This removed the need for any templating of the client-side application. You can see the changes I made in this fork: https://github.com/smcgregor/ZeroBin

There is tremendous overlap in what Privly and ZeroBin need to implement. I am hoping that we can contribute back to the ZeroBin project as Privly development proceeds. Should I make changes to my fork so it is worthy of a pull request?

I have the development version of the extension available for installation here: dev.privly.org/PrivlyFirefoxExtension.xpi

It works by right-clicking on a form element and selecting "Post Encrypted+Anonymous Content to Privly (destroyed in 24 hours)". My modified ZeroBin application then pops up in the bottom of the browser. When you submit the ZeroBin form, the generated URL is dropped into the form element you selected. Note: you have to change the extension to target the development server, dev.privly.org, otherwise the ZeroBin application won't be found. Go to AddOns >> Preferences >> Content Server.

Best,

-Sean
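
The fragment behaviour quoted at the top of this thread, and the link layout of the fork described in the comment above, as an added example that is not part of the original posts and is not ZeroBin or Privly code. The function names, `ALLOWED_ORIGINS`, the sample key and the sample links are constructed for illustration, and the origin allow-list is an added check that assumes the client should only load ciphertext from known hosts, since the JSONP request runs script from whatever URL the anchor names.

```javascript
// Constructed sample values (not real keys or pastes).
const KEY = "c2FtcGxlLWtleQ==";
const ORIGINAL = "https://zerobin.net/?1#" + KEY;                     // id in query, key in fragment
const FORK = "https://zerobin.net/#" + KEY + "&https://zerobin.net/?1"; // both in fragment

// Hypothetical allow-list of hosts the client may fetch ciphertext from.
const ALLOWED_ORIGINS = new Set(["https://zerobin.net"]);

// What a browser sends when it requests a link: host plus path and query.
// The fragment (everything after '#') is never part of the request.
function serverVisible(link) {
  const u = new URL(link);
  return { host: u.host, requestTarget: u.pathname + u.search };
}

// Original layout: https://host/?<pasteId>#<key>
function parseOriginal(link) {
  const u = new URL(link);
  return { key: u.hash.slice(1), cipherUrl: u.origin + u.pathname + u.search };
}

// Fork layout: https://host/#<key>&<ciphertext URL>
function parseFork(link) {
  const frag = new URL(link).hash.slice(1);
  const sep = frag.indexOf("&"); // standard base64 keys never contain '&'
  if (sep < 0) throw new Error("fragment has no ciphertext URL");
  const key = frag.slice(0, sep);
  const cipherUrl = new URL(frag.slice(sep + 1)); // throws unless absolute
  // The fetched URL comes from attacker-controllable link text, so pin
  // the scheme and origin before any JSONP request is made to it.
  if (cipherUrl.protocol !== "https:" || !ALLOWED_ORIGINS.has(cipherUrl.origin)) {
    throw new Error("ciphertext URL origin not allowed: " + cipherUrl.origin);
  }
  cipherUrl.hash = ""; // never forward a fragment to the ciphertext host
  return { key, cipherUrl: cipherUrl.href };
}
```

With the fork layout the page load itself discloses neither the key nor the paste id; the id only reaches the ciphertext host in the follow-up request, and the key reaches no server in either layout.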

sebsauvage commented 12 years ago

On Thu, 26 Jul 2012, at 23:24, Sean McGregor wrote:

> @sebsauvage
>
> I am working on integrating your ZeroBin application into a set of extensions known as Privly (for more information, see: news article). The only substantive change I made to ZeroBin is to move the cipher-text URL onto the anchor (https://zerobin.net?1#key => https://zerobin.net#key&https://zerobin?1). Instead of rendering the application with the json pre-populated, it makes a jsonp request to the URL found in the anchor. This removed the need for any templating of the client-side application. You can see the changes I made in this fork: https://github.com/smcgregor/ZeroBin
>
> There is tremendous overlap in what Privly and ZeroBin need to implement. I am hoping that we can contribute back to the ZeroBin project as Privly development proceeds. Should I make changes to my fork so it is worthy of a pull request?

It's nice to see ZeroBin being reused in other projects.

Although I do not have time right now to work on ZeroBin, I think it's worth pushing the changes to your git.

Sébastien SAUVAGE sebsauvage at sebsauvage dot net http://sebsauvage.net OpenPGP ID: 0x6C73DA99

smcgregor commented 12 years ago

Ok, I'll maintain a pull request in the fork for you to review whenever is convenient.

Thanks, Sean

sebsauvage commented 12 years ago

Thanks.

On Sat, 28 Jul 2012, at 21:49, Sean McGregor wrote:

> Ok, I'll maintain a pull request in the fork for you to review whenever is convenient.
>
> Thanks, Sean



Sébastien SAUVAGE sebsauvage at sebsauvage dot net http://sebsauvage.net OpenPGP ID: 0x6C73DA99

jancborchardt commented 12 years ago

Yeah, cool to see the collaboration!