docs: sound less like a smart-ass sales person

2022-04-09 04:16:52 +02:00 · 2022-04-09 04:16:52 +02:00 · 89c1a67a47
commit 89c1a67a47
parent 0119bae329
5 changed files with 65 additions and 109 deletions
--- a/README.md
+++ b/README.md
@ -2,28 +2,40 @@

 ![](docs/_assets/images/favpng_parrot-royalty-free-cartoon.png)

-httpaste is a pastebin application for easily pasting and retrieving data over
-HTTP from shell environments and web browsers. It is inspired by [sprunge.us](http://sprunge.us)
-and [ix.io](http://ix.io/), but focuses on extendability, advanced security, with little to
-no trade-off to simplicity. It can be hosted through WSGI, CGI, Fast CGI, or
-as a standalone evaluation server. It offers multiple storage backends, such as
-a filesystem backend, SQLite backend, MySQL backend, or MongoDB backend.
+**NOTE**: httpaste is publicly hosted at [httpaste.it](http://httpaste.it) and as a hidden Tor service ([https://paste77ubkwxy4fqezffsmthxdh3xerwi72tlsw2mch7ecjhw2xn7iyd.onion](https://paste77ubkwxy4fqezffsmthxdh3xerwi72tlsw2mch7ecjhw2xn7iyd.onion)).
+Both services are to be considered evaluatory, as long as the source code
+is in pre-release. Regarding voidance of pre-release status, see [Open Issues](https://victorykit.atlassian.net/issues/?jql=project%20%3D%20HTTPASTE%20AND%20fixVersion%20in%20(1.1.0-beta%2C%201.2.0-beta%2C%201.3.0)), for more information.

-All pastes are being encrypted on the fly and can only be retrieved by an
-authorized user, either through knowing the paste id of a public paste, or
-having authentication credentials, as well as the paste id of a private paste.
-This makes httpaste ideal as a pastebin for sensitive environments such as the
-Tor network. Authentication credentials are created on-the-fly and don’t  require a sign-up process.
+This program offers an HTTP interface for storing public and private data
+(a.k.a. pastes), commonly referred to as a pastebin application. It is inspired by [sprunge.us](http://sprunge.us) and [ix.io](http://ix.io/). It can be hosted through WSGI, CGI, Fast
+CGI, or as a standalone evaluation server. It offers multiple storage backends,
+such as a filesystem backend, SQLite backend, or MySQL backend.

-httpaste supports output formatting for syntax highlighting (powered by
+Public data can be accessed through an URL, where as private pastes
+additionally require HTTP basic authentication. Creation of authentication
+credentials happens on the fly, there is no sign-up process. Public pastes can
+only be accessed by knowing their paste ids, they are not listed on any index,
+since it isn’t technically possible (by design).
+
+All pastes are symetrically encrypted server-side with an HMAC derived key and
+SHA-256 hashing, a server-side salt and a randomly generated password. Public
+paste’s passwords are derived from their ids. Private paste’s passwords are
+randomly generated and stored inside a symetrically encrypted personal
+database, with the encryption key also being derived through the same HMAC
+mechanism, where the HTTP basic authentication credentials act as the master
+password.
+
+Paste ids, usernames, and any other identifiable attributes are only stored
+inside storage backends as keyed and salted BLAKE2 hashes.
+
+The program supports output formatting for syntax highlighting (powered by
 [pygments](https://pygments.org/)), as well as MIME type output manipulation, and input encoding.
-Therefore httpaste can server as an anonymous object storage for small data.
+The program can therefore serve as a minimalist, anonymous object storage for
+small data.

-Minute-based and ‘burn-after-read’ paste expiration are supported.
+Minute-based and ‘burn-after-read’ paste expiration are also supported.

-httpaste focuses on security through cryptography, making it a computationally intensive application.
-
-# Get Started
+# Getting Started

 ## Install