Save private messages encrypted in the database

https://www.phpbb.com/ideas/
Post Reply
User avatar
wintstar
Registered User
Posts: 280
Joined: Sat Mar 07, 2009 12:39 pm

Save private messages encrypted in the database

Post by wintstar » Mon Aug 05, 2013 12:05 pm

Comeback from users repeatedly the allegations that private messages can be read by Admin. I think that should be stored in the database encrypted private messages.

----------

View idea at: Save private messages encrypted in the database

Posted by wintstar

User avatar
nickvergessen
Former Team Member
Posts: 4397
Joined: Mon Apr 30, 2007 5:33 pm
Location: Stuttgart, Germany
Name: Joas Schilling
Contact:

Re: Save private messages encrypted in the database

Post by nickvergessen » Mon Aug 05, 2013 12:43 pm

This means, that if a PM is send to multiple people we need to store it multiple times.

Also it gives a false feeling of security, because we need to store the key for decrypting in the db aswell (so admin can still hack to read them), or require the user to enter it everytime.
No Support via PM

User avatar
wintstar
Registered User
Posts: 280
Joined: Sat Mar 07, 2009 12:39 pm

Re: Save private messages encrypted in the database

Post by wintstar » Mon Aug 05, 2013 1:06 pm

It is and will always remain a vexed issue of the admin reads the PN or could read. Thus for me the issue would end when one encrypts the PN in the database, just like the passwords.

User avatar
Crizzo
Translations & International Support Teams Manager
Translations & International Support Teams Manager
Posts: 885
Joined: Thu Apr 23, 2009 1:20 pm
Location: Germany
Name: Christian
Contact:

Re: Save private messages encrypted in the database

Post by Crizzo » Tue Aug 06, 2013 5:00 pm

But you don't get the password back to readable text.

You just encrypted the inserted password and compare it with the "encrypted code" in the database.

But a PN has to be reconverted, if the receiver should be able to read them.

And anything what is needed to decode the pn, if it is within the phpbb-code/functions, will be abused to read the pn anyway.

So i think the only good solution is, that the user encrytes the pn before sending, the receiver gets the encryted message and decodes it with a secondtool and code from a 3rd party origin.
My extensions for phpBB: crizzo.de
German phpBB Support at www.phpbb.de

AlanSBradburn
Registered User
Posts: 3
Joined: Thu Aug 08, 2013 10:22 pm

Re: Save private messages encrypted in the database

Post by AlanSBradburn » Thu Aug 08, 2013 10:39 pm

You could generate a per user keypair and encrypt one half with the user's password used for decryption/signing, the other half used for encryption/verification.

Either enter password every time to view a pm or save in a cookie encrypted by a per board key.

FYI I voted no on this due to complexity, but it can be done. (cool idea for a plugin)

User avatar
AmigoJack
Registered User
Posts: 5605
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Save private messages encrypted in the database

Post by AmigoJack » Fri Aug 09, 2013 6:27 am

AlanSBradburn wrote:the user's password
What if that changes from today to tomorrow?

While there are always ways to manipulate the PHP code to bypass this I'm in for at storing it encrypted, because less skilled people would then not be able to simply read it. In that way, the system doesn't have to be changed (one text only, regardless of how many recipients): with each new PM a new encryption key is created and saved aswell, so you have to use phpBB in order to decrypt it.

Only downside is: you can't search PMs anymore (I've already implemented this since I store a lot of them).
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

User avatar
callumacrae
Former Team Member
Posts: 2662
Joined: Tue Feb 12, 2008 12:28 pm
Location: London, UK
Name: Callum Macrae
Contact:

Re: Save private messages encrypted in the database

Post by callumacrae » Mon Aug 12, 2013 7:58 am

Someone would just make a mod to read PMs, though
macr.ae = my website. you probably won't like it.
Proud user ofProud user of

User avatar
Jessica
Former Team Member
Posts: 4342
Joined: Sun Jul 18, 2010 2:53 pm
Location: Pennsylvania, USA
Name: Jessica
Contact:

Re: Save private messages encrypted in the database

Post by Jessica » Mon Aug 12, 2013 8:11 pm

callumacrae wrote:Someone would just make a mod to read PMs, though
There's a mod in the MOD database that does that...
Pro-choice, Atheist, Pro-LGBT rights
Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid. - Albert Einstein

Post Reply

Return to “phpBB Ideas”