[DEV] Encrypted PMs

A place for Extension Authors to post and receive feedback on Extensions still in development. No Extensions within this forum should be used within a live environment!
Ideas Centre
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

IMPORTANT: Extensions Development rules

IMPORTANT FOR NEEDED EVENTS!!!
If you need an event for your extension please read this for the steps to follow to request the event(s)
User avatar
Dugi
Registered User
Posts: 1386
Joined: Sun May 25, 2008 5:36 pm

Re: [DEV] Encrypted PMs

Post by Dugi »

I'm looking forward to this. Thanks!
PM me for custom extension pricing / My validated MODs / My MODs in development
User avatar
FredQ
Registered User
Posts: 138
Joined: Sat Nov 01, 2014 10:48 am
Location: Northeast Scotland
Name: Fred Q
Contact:

Re: [DEV] Encrypted PMs

Post by FredQ »

Overall it does sound like a a good idea.

Someone mentioned PGP and I think it's a valid case, but we can go even further.
To make it secure: I can imagine a system where you can store your private key into your browser local storage, and the browser will decrypt the message for you - not phpBB at that stage. Same for the encryption, the message is encrypted by the browser before sending.

The keys will need to be generated inside the browser as well, as the OP could intercept them if generated by phpBB.

It is technically possible, but a little more challenging ;)
My board (converted from vBulletin)
Senky
Extension Customisations
Extension Customisations
Posts: 2228
Joined: Thu Apr 30, 2009 8:49 pm
Name: Jakub
Contact:

Re: [DEV] Encrypted PMs

Post by Senky »

FredQ wrote:
Sat Jul 13, 2019 6:20 pm
...browser will decrypt the message for you - not phpBB at that stage. Same for the encryption, the message is encrypted by the browser before sending...
This is already part of the specs.
User avatar
FredQ
Registered User
Posts: 138
Joined: Sat Nov 01, 2014 10:48 am
Location: Northeast Scotland
Name: Fred Q
Contact:

Re: [DEV] Encrypted PMs

Post by FredQ »

Senky wrote:
Mon Jul 15, 2019 5:43 am

This is already part of the specs.
My bad... My brain was melting or I was drunk, or maybe I was thinking about something else. It's all in the specs indeed :roll:
My board (converted from vBulletin)
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 3895
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: [DEV] Encrypted PMs

Post by thecoalman »

Senky wrote:
Mon Jul 15, 2019 5:43 am
This is already part of the specs.
I realize this gets difficult not using the password but if someone hacks the server and could edit the script they could capture the password on login, yes? Obviously that compromises the entire account including anything encrypted but I think you need to be careful about giving people a false sense of security.

You could generate a key client side and leave it to them to store it but that requires JS also susceptible to being modified by someone that has access to the server.

Correct me if I'm wrong but the only way I see to secure this against a a compromised server is with a browser extension.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Senky
Extension Customisations
Extension Customisations
Posts: 2228
Joined: Thu Apr 30, 2009 8:49 pm
Name: Jakub
Contact:

Re: [DEV] Encrypted PMs

Post by Senky »

thecoalman wrote:
Tue Jul 16, 2019 11:05 am
Correct me if I'm wrong but the only way I see to secure this against a a compromised server is with a browser extension.
Even browser extension can be compromised. The only 100% secure way is when you encrypt the PM on your (secure) PC, then paste encrypted contents to the PM message field. The receiver then needs to copy the contents and decrypt it on a secure location. Such a procedure is obviously extremely unusable, while browser extension is amusing as well. The way I plan to do it makes it theoretically vulnerable (everything is vulnerable when it comes to encryption) but requires no browser extension, no PC/mobile app, just tick one checkbox and it is done.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 3895
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: [DEV] Encrypted PMs

Post by thecoalman »

Senky wrote:
Tue Jul 16, 2019 11:42 am
Even browser extension can be compromised.
That's why I said "compromised server", if the extension was only made available through official browser services it would be more secure.

I realize this is probably way beyond the scope of your intentions. Anything is better than nothing.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Senky
Extension Customisations
Extension Customisations
Posts: 2228
Joined: Thu Apr 30, 2009 8:49 pm
Name: Jakub
Contact:

Re: [DEV] Encrypted PMs

Post by Senky »

thecoalman wrote:
Tue Jul 16, 2019 11:51 am
I realize this is probably way beyond the scope of your intentions.
On the contrary, this is very interesting idea!
Post Reply

Return to “Extensions in Development”

cron