Paaster – Secure by default end to end encrypted pastebin (github.com)
49 points by wardpearce 1555 days ago
6 comments

> Can I trust an instance of paaster not hosted by me?

> No. Anyone could modify the functionality of paaster to expose your secret key to the server. We recommend using an instance you host or trust.

That's refreshingly honest, but I hope that some day a technology like WhatsApp / Cloudflare's recently released "Code Verify" extension helps to solve this.

https://inside.com/campaigns/inside-dev-2022-03-11-31674/sec...

AFAICT you could permanently trust a webapp loaded from an IPFS-scheme URI (as e.g. Brave can do), after it’s been audited once.

But then if you're using an IPFS gateway instead of hosting your own instance then the gateway could serve you different content, no?

Since you request data by a hash, and your software should verify the downloaded data has the same hash, no.

If you're using a gateway, you have to trust the gateway.

You could probably have a pretty light wrapper around the gateway which verifies the hash.

It wouldn't be as easy as simply using a gateway but still much easier than hosting/implementing an IPFS node locally

I think that providing an API to be used by standalone clients is a far better approach.

https://0bin.net/ has existed for quite some time now

I wish there was a way to create a link which doesn't contain the password so I can send the password separately.

Looking at https://github.com/WardPearce/paaster/blob/Development/paast... the link is just concatenated with # - navigate(`/${pasteId}#${paste.clientSecret}`)}

So you could just copy the link as everything before the # and send the rest as the password separately.

Yep, that's exactly how it works.

It's the same concept as how mega.nz do their E2EE.

Pinterest open sourced a similar tool a few years back - Snappass: https://github.com/pinterest/snappass

Might as well use WebRTC to establish realtime e2e p2p pasting.

Text input seems to be broken on mobile? (iOS Chrome)