Date Tags PrivateBin / Release

This is the first release of PrivateBin after renaming the ZeroBin fork. We decided to use the version number 1.0 for this release as we consider PrivateBin now very mature and feature complete. We recommend everyone to update as this version features many security improvements.

The renaming of ZeroBin to PrivateBin is done to highlight the huge developments (over 500 commits) which have happened since ZeroBin stopped being actively maintained by its original creator Sébastien Sauvage in 2014. By choosing to release version 1.0 we also want to emphasize the many feature changes - according to semantic versioning - and want to show that PrivateBin is now considered mature. Hence a version number smaller than 1.0 just does not seem suitable for PrivateBin anymore.

Update procedure

Make sure your system has some source for cryptographically safe random numbers! Either use PHP 7 or one of the supported fallbacks: libsodium, open_basedir access to /dev/urandom, mcrypt or com_dotnet. The previous workaround using mt_rand() was removed, as it leads to unsafe and predictable numbers.

Otherwise, as usual, only the files need to be updated. The tmp folder for the compiled RainTPL templates can be removed, since we switched to a more lightweight template approach due to RainTPL not being maintained anymore. Have a look at or template documentation to learn how to upgrade your custom template to the new system.

There are some new options in the configuration file. If you are updating from an older ZeroBin install and want to keep existing pastes accessible, make sure to enable the option zerobincompatibility. Otherwise more secure settings are used which break compatibility with ZeroBin.

Benefits of switching to the new release

As a user of a ZeroBin instance nothing changes. As soon as the server administrator upgrades to PrivateBin, you can continue using it. We took great efforts to ensure that existing pastes are still fully compatible with the current release.

Since version 0.22 we added a Slowene and Chinese translation, an (optional) URL shortener button, a preview tab to help you chose the right format for your content and many other small user interface improvements to make your life a bit more comfortable.

With this release we have improved the security of PrivateBin as we have now addressed most concerns raised in a security audit of the original ZeroBin in 2014.

Furthermore we switched to AES Galois/Counter mode, which is considered a stronger encryption mode then the previously used AES Counter mode with CBC-MAC authentication. The main benefit here is that the authentication (as the pastes/comments are sent over network you want to ensure that your content is not accidentally or maliciously manipulated) is done on the encrypted text instead of the plain text. The potential parallelization of CCM could not be implemented in the single threaded Javascript environment of webbrowsers, anyway.

We also make use of a new browser security feature called Content Security Policy, which prevents XSS attacks in an effective way. It blocks any third party scripts and resources to be executed in the context of the application.

Additionally we started using the new subresource integrity (SRI) browser feature to avoid loading manipulated scripts under man-in-the-middle attacks. Additionally this allows privacy aware users to easily check for manipulated scripts in the source code of the website and to compare them to the hashes of the official PrivateBin release of that version.

To ensure that PrivateBins code is of high quality we added various code quality checkers and subsequently improved the code. These analysers also helped us to find some potential vulnerabilities.

If you have further questions or issues have a look at the new FAQ.

Changes since version 0.22

  • ADDED: Translations for Slowene and Chinese
  • ADDED: re-introduced (optional) URL shortener support, which was removed back in version 0.16 for privacy concerns
  • ADDED: Preview tab, helpful for writing markdown code or check the source code rendering
  • ADDED: Automatic purging of expired pastes, done on paste creation
  • ADDED: Option to disable icons in discussions (will only affect newly created pastes)
  • ADDED: Composer support
  • CHANGED: Renamed the ZeroBin fork to PrivateBin
  • CHANGED: Removed unmaintained RainTPL template engine, replacing the templates with straight forward PHP files
  • CHANGED: New logo and favicons
  • CHANGED: Upgrading SJCL library to 1.0.4
  • CHANGED: Switched to GCM instead of CCM mode for AES encryption for newly created pastes
  • CHANGED: Use backported random bytes function from PHP7 for older PHP versions instead of mcrypt
  • CHANGED: Switched to a SHA256 HMAC of the IP in traffic limiter instead of storing it in plain text on the server
  • CHANGED: Introduced content security policy header to reduce cross site scripting (XSS) risks
  • CHANGED: Added SHA512 subresource integrity hashes for all javascript includes to reduce the risk of manipulated scripts and easier detection of such
  • CHANGED: Refactored PHP code to conform to PSR-4 and PSR-2 standards
  • CHANGED: Switched to Identicons as the default for comments with nicknames
  • CHANGED: Vizhash is now optional and based on (128 byte) SHA512 HMAC instead of (144 byte) combination of MD5, SHA1 and a reversal of that string
  • FIXED: Content-type negociation for HTML in certain uncommon browser configurations
  • FIXED: JavaScript error displayed before page is loaded or during attachment load
  • FIXED: Don't strip space characters at beginning or end of optional password
  • FIXED: Various UI glitches in mobile version or on smaller desktops with language menu, button spacing and long URLs
  • FIXED: Back button now works as expected after switching to raw text view of a paste
  • FIXED: Reactivated second error message above send comment button to ensure its visibility when the main error message is outside the viewport
  • FIXED: Raw text now displays original markdown instead of rendered HTML
  • FIXED: Removed unused code detected with the help of various code review tools
  • FIXED: Table format for PostgreSQL, making it possible to use PostgreSQL as backend in addition to MySQL, SQLite and flat files

We hope you will enjoy the new PrivateBin!