Hi,
I just had a small discussion on IRC regarding trustworthiness and code integrity.
Entrusting ZeroBin with my ciphertext is a good step regarding improved confidentiality. This step revokes ZeroBin the authority to read my plain texts. That's good.
However, ZeroBin hosters are still involved as a party that delivers me the code to decrypt the ciphertext. This means they are still empowered to intercept my private data, by hooking in the decryption function.
There are several possible steps to go on from here:
Extreme Paranoia: Use my own client to encrypt and decrypt data. ZeroBin is degraded to nothing but a storage provider, making all your nice UI work useless :(
Moderate Paranoia: The maintainer of ZeroBin is a pretty trustworthy guy, being nice about releasing cool software into the open source community, yadda yadda. I want to trust the maintainer, but not any random domain/server owner who hosts an installation of ZeroBin.
For Extreme Paranoia, I suggest using something completely different :P
For Moderate Paranoia I have written a simple JavaScript snippet (bookmarklet).
The snippet retrieves the JavaScript source code which is linked from the ZeroBin page and computes a SHA256 sum.
If some external JavaScript is added or the existing JavaScript is modified, the bookmarklet will give a warning.
You can find the minified version here (for use in a bookmarklet, just add a new bookmark, enter 'javascript:' into the URL and paste the rest afterwards).
Here's an uncompressed version for code reviews/patching etc.
P.S.: Obviously, the SHA256 sum has to be changed for each version. Storing multiple hashes across versions is left as an exercise for the reader ;)