[DEV] Encrypted PMs

A place for Extension Authors to post and receive feedback on Extensions still in development. No Extensions within this forum should be used within a live environment!
Anti-Spam Guide
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

IMPORTANT: Extensions Development rules

IMPORTANT FOR NEEDED EVENTS!!!
If you need an event for your extension please read this for the steps to follow to request the event(s)
User avatar
Dugi
Registered User
Posts: 1386
Joined: Sun May 25, 2008 5:36 pm
Location: Mainz, Germany
Name: Dukagjin Surdulli
Contact:

Re: [DEV] Encrypted PMs

Post by Dugi » Tue Jul 09, 2019 7:27 am

I'm looking forward to this. Thanks!
PM me for custom extension pricing / My validated MODs / My MODs in development

User avatar
FredQ
Registered User
Posts: 136
Joined: Sat Nov 01, 2014 10:48 am
Location: Northeast Scotland
Name: Fred Q
Contact:

Re: [DEV] Encrypted PMs

Post by FredQ » Sat Jul 13, 2019 6:20 pm

Overall it does sound like a a good idea.

Someone mentioned PGP and I think it's a valid case, but we can go even further.
To make it secure: I can imagine a system where you can store your private key into your browser local storage, and the browser will decrypt the message for you - not phpBB at that stage. Same for the encryption, the message is encrypted by the browser before sending.

The keys will need to be generated inside the browser as well, as the OP could intercept them if generated by phpBB.

It is technically possible, but a little more challenging ;)
My board (converted from vBulletin)

Senky
Extension Customisations
Extension Customisations
Posts: 2124
Joined: Thu Apr 30, 2009 8:49 pm
Name: Jakub
Contact:

Re: [DEV] Encrypted PMs

Post by Senky » Mon Jul 15, 2019 5:43 am

FredQ wrote:
Sat Jul 13, 2019 6:20 pm
...browser will decrypt the message for you - not phpBB at that stage. Same for the encryption, the message is encrypted by the browser before sending...
This is already part of the specs.

User avatar
FredQ
Registered User
Posts: 136
Joined: Sat Nov 01, 2014 10:48 am
Location: Northeast Scotland
Name: Fred Q
Contact:

Re: [DEV] Encrypted PMs

Post by FredQ » Mon Jul 15, 2019 10:03 pm

Senky wrote:
Mon Jul 15, 2019 5:43 am

This is already part of the specs.
My bad... My brain was melting or I was drunk, or maybe I was thinking about something else. It's all in the specs indeed :roll:
My board (converted from vBulletin)

User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 3261
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: [DEV] Encrypted PMs

Post by thecoalman » Tue Jul 16, 2019 11:05 am

Senky wrote:
Mon Jul 15, 2019 5:43 am
This is already part of the specs.
I realize this gets difficult not using the password but if someone hacks the server and could edit the script they could capture the password on login, yes? Obviously that compromises the entire account including anything encrypted but I think you need to be careful about giving people a false sense of security.

You could generate a key client side and leave it to them to store it but that requires JS also susceptible to being modified by someone that has access to the server.

Correct me if I'm wrong but the only way I see to secure this against a a compromised server is with a browser extension.

Senky
Extension Customisations
Extension Customisations
Posts: 2124
Joined: Thu Apr 30, 2009 8:49 pm
Name: Jakub
Contact:

Re: [DEV] Encrypted PMs

Post by Senky » Tue Jul 16, 2019 11:42 am

thecoalman wrote:
Tue Jul 16, 2019 11:05 am
Correct me if I'm wrong but the only way I see to secure this against a a compromised server is with a browser extension.
Even browser extension can be compromised. The only 100% secure way is when you encrypt the PM on your (secure) PC, then paste encrypted contents to the PM message field. The receiver then needs to copy the contents and decrypt it on a secure location. Such a procedure is obviously extremely unusable, while browser extension is amusing as well. The way I plan to do it makes it theoretically vulnerable (everything is vulnerable when it comes to encryption) but requires no browser extension, no PC/mobile app, just tick one checkbox and it is done.

User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 3261
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: [DEV] Encrypted PMs

Post by thecoalman » Tue Jul 16, 2019 11:51 am

Senky wrote:
Tue Jul 16, 2019 11:42 am
Even browser extension can be compromised.
That's why I said "compromised server", if the extension was only made available through official browser services it would be more secure.

I realize this is probably way beyond the scope of your intentions. Anything is better than nothing.

Senky
Extension Customisations
Extension Customisations
Posts: 2124
Joined: Thu Apr 30, 2009 8:49 pm
Name: Jakub
Contact:

Re: [DEV] Encrypted PMs

Post by Senky » Wed Jul 17, 2019 5:54 am

thecoalman wrote:
Tue Jul 16, 2019 11:51 am
I realize this is probably way beyond the scope of your intentions.
On the contrary, this is very interesting idea!

Post Reply

Return to “Extensions in Development”