Re: [DEV] Encrypted PMs

Posted: Tue Jul 09, 2019 7:27 am
by Dugi
I'm looking forward to this. Thanks!

Re: [DEV] Encrypted PMs

Posted: Sat Jul 13, 2019 6:20 pm
by FredQ
Overall it does sound like a good idea.

Someone mentioned PGP and I think it's a valid case, but we can go even further.
To make it secure: I can imagine a system where you can store your private key into your browser local storage, and the browser will decrypt the message for you - not phpBB at that stage. Same for the encryption, the message is encrypted by the browser before sending.

The keys will need to be generated inside the browser as well, as the OP could intercept them if generated by phpBB.

It is technically possible, but a little more challenging ;)
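
The browser-side scheme FredQ describes above, sketched with the Web Crypto API as an added example; it is not part of the thread, not phpBB code and not the extension's spec. The function names, the RSA-OAEP plus AES-GCM choice and the sample message are assumptions.

```javascript
// Added illustration: hypothetical helper names, not phpBB code.
// Browsers expose globalThis.crypto; the require() fallback is only for older Node.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;

// The key pair is generated in the browser. extractable=false applies to the
// private key: page script can use it but cannot export it. A CryptoKey like
// this is kept in IndexedDB, since localStorage only holds strings.
async function generateUserKeys() {
  const pair = await wc.subtle.generateKey(
    { name: 'RSA-OAEP', modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    false, ['wrapKey', 'unwrapKey']);
  // Only the public half is ever uploaded to the board.
  const publicJwk = await wc.subtle.exportKey('jwk', pair.publicKey);
  return { privateKey: pair.privateKey, publicJwk };
}

// Sender side: a fresh AES-GCM key per message, wrapped for the recipient.
async function encryptPm(recipientPublicJwk, text) {
  const pub = await wc.subtle.importKey('jwk', recipientPublicJwk,
    { name: 'RSA-OAEP', hash: 'SHA-256' }, false, ['wrapKey']);
  const aes = await wc.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const body = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, aes, new TextEncoder().encode(text));
  const wrappedKey = await wc.subtle.wrapKey('raw', aes, pub, { name: 'RSA-OAEP' });
  // This envelope is all the server would store: no key, no plaintext.
  return { iv, wrappedKey: new Uint8Array(wrappedKey), body: new Uint8Array(body) };
}

// Recipient side: unwrap the message key with the local private key, then decrypt.
async function decryptPm(privateKey, env) {
  const aes = await wc.subtle.unwrapKey('raw', env.wrappedKey, privateKey,
    { name: 'RSA-OAEP' }, { name: 'AES-GCM', length: 256 }, false, ['decrypt']);
  const plain = await wc.subtle.decrypt({ name: 'AES-GCM', iv: env.iv }, aes, env.body);
  return new TextDecoder().decode(plain);
}

async function demo() {
  const bob = await generateUserKeys();
  const stored = await encryptPm(bob.publicJwk, 'meet at noon'); // constructed sample
  const plaintext = await decryptPm(bob.privateKey, stored);
  // A stored message altered on the server fails AES-GCM authentication.
  const tampered = { ...stored, body: Uint8Array.from(stored.body) };
  tampered.body[0] ^= 1;
  const tamperRejected = await decryptPm(bob.privateKey, tampered)
    .then(() => false, () => true);
  return { plaintext, tamperRejected };
}
```

This protects messages at rest in the database; a script served by the board is still only as trustworthy as the server that serves it.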

Re: [DEV] Encrypted PMs

Posted: Mon Jul 15, 2019 5:43 am
by Senky
FredQ wrote:
Sat Jul 13, 2019 6:20 pm
...browser will decrypt the message for you - not phpBB at that stage. Same for the encryption, the message is encrypted by the browser before sending...
This is already part of the specs.

Re: [DEV] Encrypted PMs

Posted: Mon Jul 15, 2019 10:03 pm
by FredQ
Senky wrote:
Mon Jul 15, 2019 5:43 am

This is already part of the specs.
My bad... My brain was melting or I was drunk, or maybe I was thinking about something else. It's all in the specs indeed :roll:

Re: [DEV] Encrypted PMs

Posted: Tue Jul 16, 2019 11:05 am
by thecoalman
Senky wrote:
Mon Jul 15, 2019 5:43 am
This is already part of the specs.
I realize this gets difficult not using the password but if someone hacks the server and could edit the script they could capture the password on login, yes? Obviously that compromises the entire account including anything encrypted but I think you need to be careful about giving people a false sense of security.

You could generate a key client side and leave it to them to store it but that requires JS also susceptible to being modified by someone that has access to the server.

Correct me if I'm wrong but the only way I see to secure this against a compromised server is with a browser extension.

Re: [DEV] Encrypted PMs

Posted: Tue Jul 16, 2019 11:42 am
by Senky
thecoalman wrote:
Tue Jul 16, 2019 11:05 am
Correct me if I'm wrong but the only way I see to secure this against a compromised server is with a browser extension.
Even a browser extension can be compromised. The only 100% secure way is when you encrypt the PM on your (secure) PC, then paste the encrypted contents into the PM message field. The receiver then needs to copy the contents and decrypt them in a secure location. Such a procedure is obviously extremely unusable, while a browser extension is amusing as well. The way I plan to do it makes it theoretically vulnerable (everything is vulnerable when it comes to encryption) but requires no browser extension, no PC/mobile app, just tick one checkbox and it is done.

Re: [DEV] Encrypted PMs

Posted: Tue Jul 16, 2019 11:51 am
by thecoalman
Senky wrote:
Tue Jul 16, 2019 11:42 am
Even a browser extension can be compromised.
That's why I said "compromised server", if the extension was only made available through official browser services it would be more secure.

I realize this is probably way beyond the scope of your intentions. Anything is better than nothing.

Re: [DEV] Encrypted PMs

Posted: Wed Jul 17, 2019 5:54 am
by Senky
thecoalman wrote:
Tue Jul 16, 2019 11:51 am
I realize this is probably way beyond the scope of your intentions.
On the contrary, this is a very interesting idea!