LibreBin - Share any text securely

22 respostas [Última entrada]
aliasbody
Desconectado
Joined: 09/14/2012

Hello Everyone !

I want to present my first official LibreTrend project. It is something I've been working on my spair time (a few minutes a day) so the result isn't perfect at all.

The concept is quite simple, it is Pastebin-like service, but with security in it, like this you can share any text you want being sure that only you and the receiver can read it. This is a simple scheme to show the concept

I hope it will be useful for the community !

Info : The source code will be released tomorwo (I am trying to setup my own git server, but I am very limited with my actual server, so if I can't achieve this I'll simply put it on github and provide the link for it in the projects webpage (it is Free Software as always :D ).

LibreBin --> https://www.libretrend.com/librebin/

AnexoTamaño
LibreBin - Schematic.png53.81 KB
Alexander Stephen Thomas Ross
Desconectado
Joined: 09/17/2012

btw I believe libre wise github is not preferable, I believe
http://gitorious.org/ is preferable.

aliasbody
Desconectado
Joined: 09/14/2012

Hello Alexander Stephen Thomas Ross,

You are absolutely right. I've just mentioned github because it was the one I was using until now (for school projects). I was trying to make gitweb work, but I have a small server with small tools so I ended being very limited (if gitweb was made with php I wouldn't have a problem, but since it is with perl I need to upgrade the server...). Until everything works as I expect I will be using gitorious then :D

onpon4
Desconectado
Joined: 05/30/2012

If the key is included in the URL, doesn't that reveal it to the server? Surely using something like GnuPG to encrypt the files manually would work better?

jxself
Desconectado
Joined: 09/13/2010

GnuPG probably would be better, yes. As it is, it appears that the LibreBin server has access to the key and so would have the technical capability to decrypt any messages the server operator wanted.

aliasbody
Desconectado
Joined: 09/14/2012

Hello jxself and onpon4,

You are right, the problem with this system is the fact that the key is sent to the server and the possibility (if the main code is changed) to a third party to use that key to decrypt the message using the server (or an external function).

Has I said it is just a prototype, the final idea is to provide a lot of different encryptions until the v1.0 release, because people have different necessities (and diferent machines and browsers).

I was planning on doing this method as the normal one, and then offer the same but with a typed passed (the person who writes the text also writes himself the password), this way the key (password) isn't sended to the server, and when the other user opens the link, he needs to type the password in order for it to be decrypted on his own computer (without the need of the server).

Another idea is the GnuPG as well, but I would need to learn more about it (and how to make it work with javascript).

I would also need to think of a way to do it without javascript, as I already know that a lot of people chose to not use Javascript (for security reasons), of course something like that wouldn't be as secure but in that area the GnuPG could be the solution.

onpon4
Desconectado
Joined: 05/30/2012

Even if you do make a good JavaScript program that does the job properly, I think it's a flawed idea to begin with. It's not how it should be, but people tend to just trust hundreds of JavaScript programs that get silently installed into their web browser.

Perhaps a better idea, if you want some sort of browser-based encryption solution, would be to develop a user script that works with any text (e.g. maybe you select some text and say "encrypt", and it encrypts the highlighted text with GnuPG). As a side effect, this would make the work more useful since it could be used anywhere.

aliasbody
Desconectado
Joined: 09/14/2012

Hello onpon4,

I understand, but the goal of the project was to create something secure for internet text sharing, it isn't mean to replace a Instant Messaging software or anything similair. The goal is just to provide a more secure browser service based on the PasteBin idea. You are right about the security not being optimal but it can be solved, either way for this projects to works it needs to be places on the browser itself otherwise it wouldn't be what I am trying to make it be.

Now the GnuPG idea is quite good and I am already looking at it, I just need to see an easy way to make things work. Another idea I want to make happen is the password one.

My final goal is to have a browser platform where anyone could just share any text (and files in the future) in an encrypted way. If the server only serves for one purpose and then the file/text is removed then it is also perfect. The idea is, for the user, to be able to choose between the technology that fits him best. If he wants plaintext than it is okay, otherwise he can use GnuPG, the actual key encryption, the password based encryption and the server encryption (virtually not secure at all but not dependable of javascript), or even something to install in the computer in order to protect it from here. A mixture of DropBox and Pastebin but more secure.

Anyways, what you say is absolutely right, and I will work on that matter as soon as I uploaded everything to Gitorious as I want to make it easy for anyone to install it on his server if needed).

onpon4
Desconectado
Joined: 05/30/2012

I get what the goal is, but wouldn't it be better for users to choose themselves to install a user script that lets them encrypt and decrypt text anywhere on the internet, than to have one website that automatically does this for them? By making this a user script that works on any text, people can easily encrypt text and put it on e.g. Pastebin.

Actually, the whole idea doesn't make much sense to begin with, honestly (why would you want to publish a text file in such a manner if you want only certain people to be able to see it? Why not just send an encrypted email?), but it seems to me something that can work with any text on the Web would be more likely to be useful than a single website.

aliasbody
Desconectado
Joined: 09/14/2012

Well I wanted to avoid having the user to install something, but it is true that this could be a good idea indeed. The question here is, many people don't know how to encrypt text, they don't even know that encryption exists at all, by providing a simple way to do it (without having the worry to install anything) could be a good start... At least it is better than plaintext.

The question here is not just a message from One to One, it is a message from One to Many, like a group that could have the text.

When you are talking about something that could be put on PasteBin you are talking about an already encrypted text or an API that could be used by pastebin ?

onpon4
Desconectado
Joined: 05/30/2012

Putting something already encrypted on PasteBin.

Here's what I'm imagining: in any spaces where you can have text, adding a right-click menu entry for selected text that changes it into its encrypted form (after asking you what key to use). Then you could put encrypted text anywhere you want with any OpenPGP key you have, and it would be very easy.

aliasbody
Desconectado
Joined: 09/14/2012

Like a Abrowser plugin or something like that ? Or something external that would be done directly on the OS and then copied pasted ? Or even better an application which would encrypt every copied text (or just allowed the "Paste as Encrypted" option ?)

Is it even possible with just an application without going root to create a "Paste as encrypted" button on the OS button menu ?

onpon4
Desconectado
Joined: 05/30/2012

I'm thinking of a user script. If it's not possible in user scripts, maybe a Firefox extension.

aliasbody
Desconectado
Joined: 09/14/2012

A firefox extension would be better in my opinion but it would only work on Firefox based browsers.... I need to see how a user script could really help on doing this and how it could be easily done to the final user.

Michał Masłowski

I am a member!

I am a translator!

Desconectado
Joined: 05/15/2010

It should have used a https://en.wikipedia.org/wiki/Fragment_identifier
for keys.

Do you know img.bi? Are there existing similar text hosting services?

Do you know that git can access repos via HTTP? You need just to run
git update-server-info on the server and publish the HTTP URL.

aliasbody
Desconectado
Joined: 09/14/2012

Hello Michał Masłowski,

I didn't knew about Fragment Identifier, I'll have a look at it, thank you ;D

I didn't knew about img.bi but it seems like a good project, I was planning on doing something similair with my project in the future adding documents, pictures, musics etc...

I don't know of any similar project, I just had the idea and started it on my spare time, nothing big (long time I didn't wrote code in PHP so it was good to return to that language).

I didn't knew that git could access repos via HTTP, the problem is that I only have a gandi instance of a server (almost similar as a normal web hosting but working on a private server), and so I don't have access to the OS functions (and git itself) at all, so for now I will use gitorious (but I am planning on changing to a normal private server in the future).

Legimet
Desconectado
Joined: 12/10/2013

It looks like a fragment identifier is the part beginning with a # at the end of a URL that doesn't send a request to the server when you add or change it.

aliasbody
Desconectado
Joined: 09/14/2012

It may be interesting indeed, I need to see if this can be useful in order to avoid sending the key to the server itself. Thank you !

Legimet
Desconectado
Joined: 12/10/2013

"In JavaScript, the fragment identifier of the current HTML or XHTML page can be accessed in the "hash" property location.hash"

That sounds like what you want :)

aliasbody
Desconectado
Joined: 09/14/2012

I just need to be sure that the server doesn't receive anything, but once again if it comes from the hash... I already saw something like that on a lot of websites but didn't found any useful information about it. If it is was I think it is based on the wikipedia page than it can really be usefull :D I'll try to implement it on the next days to see how to goes !

Thank you once again :D

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

The user should be warned about the shortcomings of the tool. If the key is sent to the server, the attacker only needs to sniff the traffic at the entrance of the server and nothing actually is secret to her.

If the key is not send, the attacker could still see what IP is sending the text and then sniff the traffic going out of it. The user who sends the key unencrypted via Internet (in an email, via XMPP without OTR, etc.) is screwed as well.

But, then, if the user sends the key in an encrypted way (or give it in person) then she could have send the message instead! I guess the user could use Tor so that the attacker cannot know her IP... but she is not a lambda user anymore!

In the end, and unless I missed something, I do not see a use-case for this service.

What about helping existent projects to make their tools (email encryption via GPG, OTR, etc.) more user-friendly?

aliasbody
Desconectado
Joined: 09/14/2012

The existance of this project was just to make some encryption possible using a PasteBin like service. I understand that the key shared with the URL may not be perfect (or secure at all), but I still think that it is possible to create protection from here, even if the password if written by the user itself.

The idea of helping existing projects could also be good and it is something I need to have a look at, this is was just a prototype project and because of that I am still trying to make it better, and this even if at the end there would be not "pratical use" for it.

The final idea is to provide a set of security tools to make the message go from one person to another in a easy way, so I will have a look at other projects because adapting their work to LibreBin could be a good idea into providing an easy tool for text (and file) encryption and sharing.

Anyways thank you for your explanation and the advice, I'll keep that in mind in order to perfect LibreBin :)

onetechbuddy
Desconectado
Joined: 05/26/2014

I have sent a url generated from LibreBin to my friend and suggested using it. For small jobs we do LibreBin is the perfect tool. Hopefully you will implement the suggestions. All the best.