Skip to content

dgl/paste.sh

Repository files navigation


                                  |               |     
                 __ \   _` |  __| __|  _ \    __| __ \  
                 |   | (   |\__ \ |    __/  \__ \ | | | 
                 .__/ \__,_|____/\__|\___|_)____/_| |_| 
                _|                                      


What?
=====

This is a simple paste site. It doesn't do syntax highlighting, or get in your
way. It gives you a textarea and you type in it.

However behind the scenes it is encrypting your data on the client side.
This does mean you need a browser that supports JavaScript and the Crypto APIs.

However if you didn't guess from the name there is also a shell script
"paste.sh"; see https://paste.sh/paste.sh or run the following commands
to install it:

  mkdir -p ~/bin
  cd ~/bin && curl -OJ https://paste.sh && chmod +x paste.sh

Why?
====

Signal or similar works well for keeping chat secure, but sharing larger amounts of
text or code over chat is not ideal. I wanted a simple way to share things with
a low barrier to entry but that is still relatively secure.

Privacy and Abuse
=================

Sadly some people abuse things like this. We like to have nice things, but that
doesn't include illegal content, content we consider abusive (e.g. personal
data such as "doxxing") or data that may threaten the stability of the
site. Because the majority of data is encrypted we can't automatically remove
content or scan it.

Please report any content that you consider abusive to https://paste.sh/abuse.

As a result of abuse we store some information about pastes:
- When they were created or updated
- The source IP address
- The HTTP User-Agent
- The 'pasteauth' cookie we assigned (needed to update pastes)

The cookie is essential to the functioning of the web site version of paste.sh.
If you wish to opt-out of using cookies, please use the command line client.

How?
====

JavaScript running in your browser encrypts your data using AES-256 (via the
CryptoJS library). The key is generated on the client side and the server is
never able to decrypt the data, this works because the URL fragment (the part of
the URL after the '#' symbol) is never sent to the server.

Beware that depending on how you share the URL with others the fragment part may
be stored by other systems.

You can edit the paste for some time after pasting; this uses a session cookie
in your browser. (Yes, if you deny cookies this site won't work very well,
sorry, try the command line client).

There is a limit of 1 MB of data once encrypted per paste, for other purposes
you'll need to use a file sharing site.

Where?
======

Here, https://paste.sh

Alternatively if you want to see the code or wish to host your own version, the
source code is available at https://github.com/dgl/paste.sh under 0BSD.

As mentioned there's also a command line client there; the comments in it are
worth reading if you care about the encryption scheme used (being compatible
with the OpenSSL command line tool limits the key derivation slightly).

Tips
====

The command line client can do public pastes by adding the -p option, these
don't use encryption but are useful for sharing where you don't need encryption
and the long URL is unwieldy.

Simple vim integration:


  command! -nargs=* Paste w | !paste.sh <args> % | tee /dev/stderr | tail -n1 | (xsel -i 2>/dev/null || pbcopy)
  command! PublicPaste Paste -p


Who?
====

David Leadbeater (@dgl@infosec.exchange; https://dgl.cx/contact) wrote this.

🔴 🔵

If this isn't for you, there's some notes on alternatives.