Paste.sh - client-side encrypted pastebin

The authorization cookie has neither the secure flag or http flag set.<p>i.e. If you could get the client to redirect to <a href="http://paste.sh" rel="nofollow">http:&#x2F;&#x2F;paste.sh</a> it would send the full auth cookie in the (now unencrypted) headers. (Man-in-the-middle can then use the cookie.)<p>Edit: For anyone checking, the cookie is only set upon the first edit.

See also: <a href="http://www.matasano.com/articles/javascript-cryptography/" rel="nofollow">http:&#x2F;&#x2F;www.matasano.com&#x2F;articles&#x2F;javascript-cryptography&#x2F;</a>

<a href="https://paste.sh/v03bdePB#O9LNWj3DJ2SKDKD2B8tdR0Oc" rel="nofollow">https:&#x2F;&#x2F;paste.sh&#x2F;v03bdePB#O9LNWj3DJ2SKDKD2B8tdR0Oc</a>

looks alot like <a href="https://ezcrypt.it/" rel="nofollow">https:&#x2F;&#x2F;ezcrypt.it&#x2F;</a> though I do like options..

so that is pasting the key within the url? so when you contact a page anyone sniffing the net knows the key? are you serious?