[DEV] Encrypted PMs

dingus33
Registered User
Posts: 82
Joined: Fri Sep 29, 2017 11:11 am

Re: [DEV] Encrypted PMs

Post by dingus33 » Wed Jun 26, 2019 3:43 pm

yup, only way users can protect themselves from admin is to use GPG or something in PMs and handle crypto and keysharing outside of the forum.

Post by dingus33 » Wed Jun 26, 2019 3:50 pm

EA117 wrote:
Wed Jun 26, 2019 3:41 pm
Okay. Something about that seems "impossible", since having access to the DB and the file system gives the site owner(s) access to everything the extension has access to, and the extension is able to decrypt them. But perhaps there is still a piece that is not described or not being taken into account.
if I understand correctly, the user's pw would need to be entered both at the time of key generation and also every time a PM is decrypted.
EA117 wrote:
Wed Jun 26, 2019 3:41 pm
Which is how we landed on the assertion "someone viewing only the database information" is who is now locked out of viewing the stored private messages, as opposed to "the site owner(s) were prevented from seeing your message." The site owner(s) have all the same abilities the extension itself has, and is not something the extension can unilaterally protect against.
yes, I think that the extension as-described would only mitigate risks from db and fs theft (of backups perhaps). it would not mitigate risks from the server getting pwned and a bad actor having access to the live site (and certainly would not protect against a malicious admin). they could capture passwords that way easily.

canonknipser
Registered User
Posts: 2024
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Post by canonknipser » Wed Jun 26, 2019 6:18 pm

dingus33 wrote:
Wed Jun 26, 2019 3:43 pm
yup, only way users can protect themselves from admin is to use GPG or something in PMs and handle crypto and keysharing outside of the forum.
Much easier:
Just share mail addy or some messenger contact data and communicate outside the board instead of only sharing crypto information outside.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

Toxyy
Registered User
Posts: 697
Joined: Mon Oct 24, 2016 3:22 pm
Location: Namek

Post by Toxyy » Wed Jun 26, 2019 7:02 pm

canonknipser wrote:
Wed Jun 26, 2019 6:18 pm
Just share mail addy or some messenger contact data and communicate outside the board instead of only sharing crypto information outside.
Again I must advocate for a use case for this extension or such things.

There are forums out there right now that rely on PGP/GPG communication on site, despite users having to decrypt it themselves. Saying that it is easier to do X is a little moot.

And I was going to respond saying that GPG is a better alternative than relying on a password/master password (master password really kind of defeats the purpose of this, doesn't it?). Your public key could be stored on your profile and you could "auto encrypt" messages sent to others who have their GPG keys on their respective profiles. That's about the best you could get for encrypting messages, unless there's some new development I'm unaware of.

I do appreciate the extension. I'm not sure why there are a few here who ignore the potential of it. That said, Senky, having them encrypted via a password or what not only makes it slightly harder for admins to read PMs, not impossible. There are established ways of encrypted communication which avoid MITM attacks entirely, assuming no super computer tries to crack it, and you're using at least 2048 bit. Again I'm assuming there's no replacement for PGP/GPG that I know of anyways, but that is the only end-all for this that I can see.
Senky wrote:
Wed Jun 26, 2019 7:14 am
But it looks like everyone is missing the point here. You as admin can offer your users a real secured channel. Heck, even CIA can't break that one. It is not about users, it is about admins to behave responsibly and value user privacy.
As it's built now it's kind of trying to recreate the conditions for PGP and is not secure, as others have pointed out. Anyone with malicious intent and admin level access, you can assume, can also change the files to echo out the user password before it's put into the db and hashed itself, must not forget. You can't rely on user passwords.

EDIT: I realized I talked myself into a little bit of a hole on this one. I realized that, if someone did indeed have file level access, nothing would prevent them from altering this extension to output messages before they are encrypted with the public key, no? Same methodology as echoing the password.

Hmm... feels like I'm forgetting something.
Last edited by Toxyy on Wed Jun 26, 2019 7:19 pm, edited 4 times in total.
I am a web developer/administrator, specializing in forums. If you have work you need done or are too lazy to do, pm me!

My extensions:
[3.2][BETA] Anonymous Posts || [3.2][BETA] Sticky Ad || [3.2][RC] Show User Activity ||
[3.2][DEV] User Delete Topics

fagbutlil
I've Been Banned!
Posts: 77
Joined: Wed Mar 07, 2018 10:56 pm

Post by fagbutlil » Wed Jun 26, 2019 7:06 pm

Mannix_ wrote:
Wed Jun 26, 2019 10:57 am
I would honestly suggest for this to be added to the core of phpbb
Would not take 3 minutes to remove it.

martti
Registered User
Posts: 752
Joined: Thu Jul 31, 2014 8:23 am
Location: Belgium

Post by martti » Wed Jun 26, 2019 9:33 pm

Providing a false feeling of security is worse than insecurity.

Senky
Extension Customisations
Posts: 2124
Joined: Thu Apr 30, 2009 8:49 pm
Name: Jakub

Post by Senky » Thu Jun 27, 2019 7:48 am

EA117 wrote:
Wed Jun 26, 2019 3:41 pm
Okay. Something about that seems "impossible", since having access to the DB and the file system gives the site owner(s) access to everything the extension has access to, and the extension is able to decrypt them. But perhaps there is still a piece that is not described or not being taken into account.
Technically you are right, but there are cases when an attacker can access files but cannot modify them. In that case he is unable to pull the password out of the request.


EA117 wrote:
Wed Jun 26, 2019 3:41 pm
Presuming the private key for the user needs to be decrypted and then re-encrypted during a password change (so that the key is encrypted with the new user password), adding some UI to the "password reset" actions available to both users and administrators could be important. Meaning additional warning text for admin password reset, and for user forgotten password reset, that declares what the ramifications will be for changing the user's password without knowing their existing password. Bonus points for the message to be repeated or more insistent if the user actually has sent one or more encrypted messages, and data loss would occur.
That is an excellent idea!


EA117 wrote:
Wed Jun 26, 2019 3:41 pm
Although the benefit of being "entirely transparent" is clear, the user's trust in the site owner & the extension might be improved by being able to see "this message is actually encrypted." Meaning, although they might eventually leave the checkbox checked to "always decrypt by default", giving the reader a checkbox to let them see what the message looks like without applying decryption could improve their confidence that "something is being protected" now.
The checkbox will be present all the time. UCP option would just check it by default.


Toxyy wrote:
Wed Jun 26, 2019 7:02 pm
Anyone with malicious intent and admin level access, you can assume, can also change the files to echo out the user password before it's put into the db and hashed itself, must not forget. You can't rely on user passwords.
That leads me to an idea of hashing the password client-side. Opponents might say that again, someone with access to files can output a small JS code that will track user keyboard and send it over to the server. But such an extreme case can apply to any end-to-end encrypting messenger: Is ProtonMail secure? Anyone who can access their filesystem can obtain your password and decrypt the mails. Do we consider ProtonMail insecure now? Any browser extension can potentially read your password as you type it. Is any browser-based messenger insecure now?

Don't get me wrong. I will happily implement any security measures which are possible.
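
The key handling this thread discusses (a per-user key pair whose private half is encrypted under the account password, as dingus33 and EA117 presume), sketched as an added example; it is not the extension's code and was not posted by any participant. It swaps in PHP's libsodium functions, and the function names, row layout and sample strings are hypothetical.

```php
<?php
// Added illustration using PHP's bundled libsodium (PHP >= 7.2); not the extension's code.
// Function names, the row layout and all sample strings are hypothetical/constructed.

// Derive a secretbox key from the account password with libsodium's default password hash.
function wrap_key(string $password, string $salt): string {
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

// Encrypt the private key under the password; the returned array is what the DB would hold.
function seal_private_key(string $secret, string $public, string $password): array {
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $boxed = sodium_crypto_secretbox($secret, $nonce, wrap_key($password, $salt));
    return ['public' => $public, 'salt' => $salt, 'nonce' => $nonce, 'wrapped' => $boxed];
}

// Recover the full key pair, or null when the supplied password is not the wrapping one.
function open_private_key(array $row, string $password): ?string {
    $key    = wrap_key($password, $row['salt']);
    $secret = sodium_crypto_secretbox_open($row['wrapped'], $row['nonce'], $key);
    return $secret === false ? null
        : sodium_crypto_box_keypair_from_secretkey_and_publickey($secret, $row['public']);
}

// Key generation: the password is needed here to wrap the new private key.
$pair = sodium_crypto_box_keypair();
$row  = seal_private_key(sodium_crypto_box_secretkey($pair),
                         sodium_crypto_box_publickey($pair), 'old-password');

// Sending uses only the recipient's public key, so no password is involved.
$stored_pm = sodium_crypto_box_seal('constructed sample PM text', $row['public']);

// Reading needs the password again; a DB dump holds only $row and $stored_pm,
// which do not decrypt without it.
$pair = open_private_key($row, 'old-password');
var_dump(sodium_crypto_box_seal_open($stored_pm, $pair));

// Password change with the old password known: re-wrap the same private key.
$row = seal_private_key(sodium_crypto_box_secretkey($pair), $row['public'], 'new-password');
var_dump(open_private_key($row, 'new-password') !== null);

// Admin or forgotten-password reset: nobody supplies the wrapping password, so the
// private key cannot be opened and PMs sealed to $row['public'] stay unreadable.
var_dump(open_private_key($row, 'password-set-by-reset'));
```

In this sketch the server still handles the plaintext password and the unwrapped private key on every read, which is why the posts above limit the benefit to stolen database or backup copies.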

Post by canonknipser » Thu Jun 27, 2019 9:48 am

What about reporting an encrypted PM? Do the moderators handling the report need the keys as well?

Post by Senky » Thu Jun 27, 2019 10:33 am

canonknipser wrote:
Thu Jun 27, 2019 9:48 am
What about reporting an encrypted PM? Do the moderators handling the report need the keys as well?
You won't be able to report the PM directly. You can, however, forward it to the moderator in decrypted form.

Post by canonknipser » Thu Jun 27, 2019 11:18 am

This is a step back, I think.
Forwarding means you either need to know in advance which moderator handles your case or you need a group pm permission (and a lot of people don't know how to send messages to groups).
Another disadvantage is that during forwarding a message you can manipulate it; with reporting you can't.
And reporting is a three-click-action ...

Mick
Support Team Member
Posts: 21333
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket - definitely

Post by Mick » Thu Jun 27, 2019 11:27 am

I think this is a great idea but it would be better in the core and UCP selectable. In fact it should be on by default IMHO.
"The more connected we get the more alone we become" - Kyle Broflovski

Post by Senky » Thu Jun 27, 2019 1:47 pm

canonknipser wrote:
Thu Jun 27, 2019 11:18 am
This is a step back, I think.
I understand your points, it really is much simpler with using the reporting button. But in order for messages to be truly encrypted, I can't allow moderators to look at them. If every moderator owned a key for every message, it beats the whole purpose.

david63
Registered User
Posts: 16330
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Post by david63 » Thu Jun 27, 2019 2:00 pm

Senky wrote:
Thu Jun 27, 2019 1:47 pm
I can't allow moderators to look at them. If every moderator owned a key for every message, it beats the whole purpose.
But moderators would only be able to read them if they were reported to them. Reporting of messages MUST remain as a feature.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

Ger
Recognised Extension Developer
Posts: 1853
Joined: Wed Jan 02, 2008 7:35 pm
Location: 192.168.1.100

Post by Ger » Thu Jun 27, 2019 2:06 pm

Senky wrote:
Thu Jun 27, 2019 1:47 pm
I understand your points, it really is much simpler with using the reporting button. But in order for messages to be truly encrypted, I can't allow moderators to look at them. If every moderator owned a key for every message, it beats the whole purpose.
Why not simply offer the option to decrypt the PM and report it at that point? You would need a clear info message stating the PM won't be encrypted anymore once reported though.

Anyway, I agree with Mick though:
Mick wrote:
Thu Jun 27, 2019 11:27 am
I think this is a great idea but it would be better in the core and UCP selectable. In fact it should be on by default IMHO.
My extensions:
Simple CMS, Feed post bot, Avatar Resize, Modbreak, Magic OGP, Live topic update, Modern Quote, Quoted Where (GDPR) and Autoresponder.
Newest: FAQ manager for 3.2

Like my work? Buy me a coffee to keep it coming. :ugeek:
-Available for custom work-

Post by fagbutlil » Thu Jun 27, 2019 2:17 pm

Why are they called PRIVATE messages when phpBB knows they're not private at all? That's another balls up from phpBB: let's call them private messages knowing they're not private and can be read straight out of the database :lol: They should be renamed to just Messages.
