From bba485ef6d1f51f4c69dbcd8e606f97a585ddac0 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Mon, 9 Nov 2015 20:43:24 +0100 Subject: [PATCH] adding remarks as discussed in #53 --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ab78328..ea5581e 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# ZeroBin 0.21.1 +# ZeroBin 0.22 ZeroBin is a minimalist, opensource online pastebin where the server has zero knowledge of pasted data. @@ -29,6 +29,15 @@ without loosing any data. - As a user you have to trust the server administrator, your internet provider and any country the traffic passes not to inject any malicious javascript code. + Ideally, the ZeroBin installation used would provide HTTPS, secured by + [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) and + [HKPH](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) using a + certificate either validated by a trusted third party (check the certificate + when first using a new ZeroBin instance) or self-signed by the server operator, + validated using a + [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) protected + [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) + record. - The "key" used to encrypt the paste is part of the URL. If you publicly post the URL of a paste that is not password-protected, everybody can read it.
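Review bot: The first hunk bumps the README heading from "ZeroBin 0.21.1" to "ZeroBin 0.22", but the commit message only mentions "adding remarks as discussed in #53"; either split the version bump into its own commit or state it in the message, and confirm that any other place the version string appears is updated in the same release.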
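Review bot: In the second hunk the link text "HKPH" is a typo for HPKP (the linked article is HTTP_Public_Key_Pinning), so change `[HKPH](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning)` to `[HPKP](...)`. The self-signed-plus-DANE alternative also deserves a caveat: mainstream browsers do not validate DANE/TLSA records themselves, so a self-signed certificate will still trigger a browser warning unless the user installs a DANE validator, which weakens the "ideally" advice for typical users. While touching this paragraph, the context line "without loosing any data" should read "without losing any data".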