Hello,

The list of benefits of the main page claims:

User data is protected even in case of server breach or seizure.

However, we can read a conflicting statement in the drawbacks section of the same page, i.e.:

Users still have to trust the server regarding the respect of their privacy. ZeroBin won't protect the users against malicious servers.

Also, the FAQ clearly state that ZeroBin cannot protect the user from a malicious server.

Since a breached server can clearly be a malicious server, I strongly recommend removing this misleading claim and adding something corresponding to the drawbacks section, e.g., breach or seizure of the server can result in access to user's data.

Technically, we're talking about a malicious user or police agency having access to the server and modifying the code to retrieve the encryption key. At that moment, whenever you access your encrypted information, some javascript (or any other client side code) could send back your key to the server, i.e. the portion after the # character.

I believe a potential solution might be provided by the new Web Crypto API but I'm really not sure. Maybe a browser plugin could to the trick but again, I'm really not sure. It's not my area of research. I'm simply giving hint.

regards,

For reference: http://sebsauvage.net/wiki/doku.php?id=php:zerobin_discussion&#comment_1dbe75ab3779b5dbd09f9f88210f89c9