From bba485ef6d1f51f4c69dbcd8e606f97a585ddac0 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Mon, 9 Nov 2015 20:43:24 +0100 Subject: [PATCH] adding remarks as discussed in #53 --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ab78328b..ea5581ec 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# ZeroBin 0.21.1 +# ZeroBin 0.22 ZeroBin is a minimalist, opensource online pastebin where the server has zero knowledge of pasted data. @@ -29,6 +29,15 @@ without loosing any data. - As a user you have to trust the server administrator, your internet provider and any country the traffic passes not to inject any malicious javascript code. + Ideally, the ZeroBin installation used would provide HTTPS, secured by + [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) and + [HKPH](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) using a + certificate either validated by a trusted third party (check the certificate + when first using a new ZeroBin instance) or self-signed by the server operator, + validated using a + [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) protected + [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) + record. - The "key" used to encrypt the paste is part of the URL. If you publicly post the URL of a paste that is not password-protected, everybody can read it.