This is the first release of PrivateBin after renaming the ZeroBin fork. We decided to use the version number 1.0 for this release as we consider PrivateBin now very mature and feature complete. We recommend everyone to update as this version features many security improvements.
The renaming of ZeroBin to PrivateBin is done to highlight the huge developments (over 500 commits) which have happened since ZeroBin stopped being actively maintained by its original creator Sébastien Sauvage in 2014. By choosing to release version 1.0 we also want to emphasize the many feature changes - according to semantic versioning - and want to show that PrivateBin is now considered mature. Hence a version number smaller than 1.0 just does not seem suitable for PrivateBin anymore.
Make sure your system has some source for cryptographically safe random numbers! Either use PHP 7 or one of the supported fallbacks: libsodium, open_basedir access to
/dev/urandom, mcrypt or com_dotnet. The previous workaround using
mt_rand() was removed, as it leads to unsafe and predictable numbers.
Otherwise, as usual, only the files need to be updated. The
tmp folder for the compiled RainTPL templates can be removed, since we switched to a more lightweight template approach due to RainTPL not being maintained anymore. Have a look at or template documentation to learn how to upgrade your custom template to the new system.
There are some new options in the configuration file. If you are updating from an older ZeroBin install and want to keep existing pastes accessible, make sure to enable the option
zerobincompatibility. Otherwise more secure settings are used which break compatibility with ZeroBin.
Benefits of switching to the new release
As a user of a ZeroBin instance nothing changes. As soon as the server administrator upgrades to PrivateBin, you can continue using it. We took great efforts to ensure that existing pastes are still fully compatible with the current release.
Since version 0.22 we added a Slowene and Chinese translation, an (optional) URL shortener button, a preview tab to help you chose the right format for your content and many other small user interface improvements to make your life a bit more comfortable.
With this release we have improved the security of PrivateBin as we have now addressed most concerns raised in a security audit of the original ZeroBin in 2014.
We also make use of a new browser security feature called Content Security Policy, which prevents XSS attacks in an effective way. It blocks any third party scripts and resources to be executed in the context of the application.
Additionally we started using the new subresource integrity (SRI) browser feature to avoid loading manipulated scripts under man-in-the-middle attacks. Additionally this allows privacy aware users to easily check for manipulated scripts in the source code of the website and to compare them to the hashes of the official PrivateBin release of that version.
If you have further questions or issues have a look at the new FAQ.
Changes since version 0.22
- ADDED: Translations for Slowene and Chinese
- ADDED: re-introduced (optional) URL shortener support, which was removed back in version 0.16 for privacy concerns
- ADDED: Preview tab, helpful for writing markdown code or check the source code rendering
- ADDED: Automatic purging of expired pastes, done on paste creation
- ADDED: Option to disable icons in discussions (will only affect newly created pastes)
- ADDED: Composer support
- CHANGED: Renamed the ZeroBin fork to PrivateBin
- CHANGED: Removed unmaintained RainTPL template engine, replacing the templates with straight forward PHP files
- CHANGED: New logo and favicons
- CHANGED: Upgrading SJCL library to 1.0.4
- CHANGED: Switched to GCM instead of CCM mode for AES encryption for newly created pastes
- CHANGED: Use backported random bytes function from PHP7 for older PHP versions instead of mcrypt
- CHANGED: Switched to a SHA256 HMAC of the IP in traffic limiter instead of storing it in plain text on the server
- CHANGED: Introduced content security policy header to reduce cross site scripting (XSS) risks
- CHANGED: Refactored PHP code to conform to PSR-4 and PSR-2 standards
- CHANGED: Switched to Identicons as the default for comments with nicknames
- CHANGED: Vizhash is now optional and based on (128 byte) SHA512 HMAC instead of (144 byte) combination of MD5, SHA1 and a reversal of that string
- FIXED: Content-type negociation for HTML in certain uncommon browser configurations
- FIXED: Don't strip space characters at beginning or end of optional password
- FIXED: Various UI glitches in mobile version or on smaller desktops with language menu, button spacing and long URLs
- FIXED: Back button now works as expected after switching to raw text view of a paste
- FIXED: Reactivated second error message above send comment button to ensure its visibility when the main error message is outside the viewport
- FIXED: Raw text now displays original markdown instead of rendered HTML
- FIXED: Removed unused code detected with the help of various code review tools
- FIXED: Table format for PostgreSQL, making it possible to use PostgreSQL as backend in addition to MySQL, SQLite and flat files
We hope you will enjoy the new PrivateBin!