We generate a random encryption key in the browser and we use it to encrypt the paste using AES-256 through the awesome sjcl library.
We then send the encrypted paste to the server through an AJAX request which gives us a random address for the newly created paste (based on a UUID v4).
Thus, the address of a paste follows the pattern:
https://temporar.io/paste/<some random id>#<encryption key>
When you copy the URL and send it to someone, they click or paste the link into the browser.
The browser retrieves the encrypted data from the server using the random id contained in the URL.
Whatever is after the hash symbol (#) is not sent to the server and remains in the browser.
Therefore, the server never receives the decryption key and everything is decrypted directly in the browser.
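
The flow described above, as an added example that is not Temporar.io's own code: Node's built-in crypto module with AES-256-GCM stands in for sjcl so it runs outside a browser, and `serverStore`, `createPaste`, `requestTarget` and `openPaste` are hypothetical names. On the real site the server assigns the id; here it is generated locally.

```javascript
// Added example, not Temporar.io's code. AES-256-GCM from Node's crypto
// module is an assumption standing in for sjcl.
const nodeCrypto = require('node:crypto');

const BASE = 'https://temporar.io/paste/';   // URL pattern from the page
const serverStore = new Map();               // hypothetical stand-in for server storage

// Sender side: encrypt locally, upload only ciphertext, keep the key in the fragment.
function createPaste(plaintext) {
  const key = nodeCrypto.randomBytes(32);    // 256-bit key, generated client-side
  const iv = nodeCrypto.randomBytes(12);     // fresh nonce for every paste
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  const id = nodeCrypto.randomUUID();        // UUID v4 (server-assigned on the real site)
  serverStore.set(id, blob);                 // everything the server ever holds
  return BASE + id + '#' + key.toString('base64url');
}

// What an HTTP client puts on the wire for this URL: the fragment is excluded.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Recipient side: fetch ciphertext by id, decrypt with the key from the fragment.
function openPaste(url) {
  const u = new URL(url);
  const id = u.pathname.split('/').pop();
  const key = Buffer.from(u.hash.slice(1), 'base64url');
  const raw = Buffer.from(serverStore.get(id), 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the key is wrong or the stored blob was modified
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

const url = createPaste('constructed sample paste');
console.log(url);                  // full link, key after '#'
console.log(requestTarget(url));   // path only, no key
console.log(openPaste(url));       // decrypted on the recipient side
```

Anyone who obtains the full link, fragment included, can decrypt the paste, so the link itself has to be shared over a channel you trust.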
There are many websites discussing the issues of cryptography in a browser but it's getting better.
Be aware that the goal of encrypting the data directly in the browser is to prevent the server hosting
the data from knowing what it's hosting. You can't require someone to moderate content they cannot read.
In that way, the host is granted plausible deniability. At least, we hope ;)
So our goal is not to protect the user, but the server which hosts the data.
Remember that as a user, you should use our service the same way as an unencrypted and insecure pastebin, meaning, with caution.
Even if we try our best to secure everything between our servers and your browser, stay cautious of what you paste.
Temporar.io is nothing new. There are many other websites providing the same service such as:
Temporar.io is just another approach to the same ideas using Phoenix/Elixir and a dead-simple interface.