This release fixes a low entropy key vulnerability in PrivateBin affecting legacy browsers
On 31st of July 2018, @cryptolok reported a cryptographic vulnerability in PrivateBin due to the incorrect use of SJCL when used on very old browsers. When creating a paste using any ZeroBin version or PrivateBin up to and including 1.1.1 on a browser without web crypto API support (Firefox<21, Chrome<15, Safari<5, IE<11) the key may have been generated without sufficient entropy. PrivateBin 1.2 was not affected, because the support for those browser versions got removed in the JS refactoring.
This release re-adds support for those legacy browsers and ensures they generate the key with sufficient entropy. In the next release of PrivateBin we will permanently drop legacy browser support and switch to the web crypto API exclusively. This release ensures that there is at least one release available that supports both legacy browsers and has the entropy issue fixed.
Further details on this is an issue and its implications can be found in our report on the vulnerability. It also describes methods to check if your browser is currently affected by the issue. If it is, please consider updating your browser.
Benefits of switching to the new release
If you are still using PrivateBin version 1.1.1 or ZeroBin, upgrading to this release will ensure that you retain legacy browser support and fix the low entropy key vulnerability in your current version. If you already upgraded to PrivateBin 1.2 and don't need to support these very old browser versions (released before October 2013) then you could consider skipping this release.
We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.
Note that this is the first release that is signed with the new signing key (fingerprint:
28CA 7C96 4938 EA5C 1481 D42A E11B 7950 E9E1 83DB). This key is intended to be used for signing releases from now on.
Changes since version 1.2
- ADDED: Add support for mega.nz links in pastes and comments (#331)
- CHANGED: Added some missing Russian translations (#348)
- CHANGED: Minor PHP refactoring: Rename PrivateBin class to Controller, improved logic of some persistence classes (#342)
- CHANGED: Upgrading DOMpurify library to 1.0.7
- FIXED: Ensure legacy browsers without webcrypto support can't create paste keys with insufficient entropy (#346)
- FIXED: Re-add support for old browsers (Firefox<21, Chrome<31, Safari<7, IE<11), broken in 1.2, will be removed again in 1.3