Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

0bin, another popular Pastebin alternative, solved this problem by encrypting the paste on the client and embedding the key in the paste URL - so the server had no idea about the data being posted.


If the key is just in the URL, what's stopping them from simply obtaining the key out of their access logs and decrypting whatever they want?


Presumably they’re placing it in the # part of the url, which isn’t passed to servers by browsers. Now, of course, the client could still exfiltrate the key with client side JS, but that would be noticeable to anyone that wanted to check.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: