[ABD] [DEV] Encrypted PMs

[david63]

Why are they called PRIVATE messages when phpbb knows there not private at all ? thats another balls up from phpbb lets call them private messages knowing there not private and can be read straight out of the database they should be renamed to just Messages.

In fairness I suspect that it is historic - that was the name used at the time phpBB was developed. But as I have said elsewhere over time it has become misinterpreted.

[Mick]

I would expect any software offering PM’s will store the messages in a dB and can therefore be read if you feel the need.

[martti]

I think this is a great idea but it would be better in the core and UCP selectable. In fact it should be on by default IMHO.

I'm actually for moving the whole private messaging out of the core to extensions. People keep adding features to the core and this way the whole core became heavy, complex (not only code but also configuration options for everyone), inflexible and difficult to maintain. It would be far better if there was a general focus on how move features out of the core to extensions. Anything that is not bulletin board, like: PM, birthdays, polls, and so on. In the past this flexibility and compartmentation was not possible. That's why this we-should-add-something-new-to-core culture came to life. But with the introduction of extensions another approach could be considered.

[Senky]

I can't allow moderators to look at them. If every moderator owned a key for every message, it beats the whole purpose.

But moderators would only be able to read them if they were reported to them. Reporting of messages MUST remain as a feature.

This could potentially be done by adding all moderator keys to the message keyset after it was reported. Kind of a good idea. Or there is other way as proposed by Ger:

Why not simply offer the option to decrypt the PM and report it at that point? You would need a clear info message stating the PM won't be encrypted anymore once reported though.

[thecoalman]

There is a basic flaw in that logic. If the Admin is reading the PMs then they are not going to be installing this extension.

There is no flaw. If I have this deployed I can state without question I cannot read your PM's instead of having to rely on "trust me".

[thecoalman]

That is not ideal. The "problem" with the encrypted PMs is that when you forget your password, you won't get them back. You loose them all. So personally, I would keep most of my PMs unencrypted, but in some special cases (like sending credentials) encrypt them.

I proposed encrypting PM's in the "Ideas" forum. The one thing I suggested was adding user option for recovery through admin key.

• Fully private, no recovery possible if you lose your password/key.
• Fully encrypted on the server. PM's can be recovered by admin in the event you lose your password but they are also readable by admin.

I realize this would require duplicate column for storing PM's encrypted using admin key and additional processing but that would really not be a concern for me.

That said since this in an extension my biggest concern would be support going forward. This is not something you can back out of if support is dropped.

[nou nou]

That said since this in an extension my biggest concern would be support going forward. This is not something you can back out of if support is dropped.

That's an excellent point, but one that is also valid for every single extension out there. Granted this one has the potential to be particularly problematic in that sense.

I do think it's also a matter of responsibility on whoever runs the forum. You wish to offer certain functionality, you make sure it works and gets support. Even if at a point this requires hiring an external developer, just to state an example...

Open source does not always mean free, but at least it's open...

[thecoalman]

That's an excellent point, but one that is also valid for every single extension out there.

Depends on what it does, if it's just added feature typically no big deal. You just disable it and lose the feature. Some could be more difficult than others, an SEO extension for example that is rewriting URL's. Not impossible to go back but largely a PITA if you want to do it right. You need to reveres the .htaccess rewrites and write script to handle reverting posted URL's.

Granted this one has the potential to be particularly problematic in that sense.

This is altering the way data is stored and would require a substantial amount of work to revert if it's possible at all.

I do think it's also a matter of responsibility on whoever runs the forum. You wish to offer certain functionality, you make sure it works and gets support. Even if at a point this requires hiring an external developer, just to state an example...

Keep in mind if there is no support for it here you need to support it yourself forever.

[nou nou]

Keep in mind if there is no support for it here you need to support it yourself forever.

For sure, but that's my point - you may have to consider that responsibility at some point in time.

Of course, you're always free to share whatever support you've secured privately, in order to continue the community support here

[EA117]

This is altering the way data is stored and would require a substantial amount of work to revert if it's possible at all.

Sounds like potentially an additional reason to advocate for the "master key" concept; such that the extension "uninstall" action actually has a pathway to unencrypt "on its way out." i.e. If there is an unsupported scenario in the future, you can remove the extension and be back to unencrypted messages for everything that was encrypted before, before updating to whatever the non-compatible or unsupported scenario is.

Not saying we necessarily like or want the master key for other reasons; but that if it existed, it could offer a solution to this aspect.

[david63]

Sounds like potentially an additional reason to advocate for the "master key" concept; such that the extension "uninstall" action actually has a pathway to unencrypt "on its way out.

That does raise an interesting point. What happens if the extension is disabled? Can no PMs be read?

@EA117 - Technically when an extension is disabled AND the data deleted it should leave the board in the same state as it was before the extension was enabled.

[thecoalman]

Sounds like potentially an additional reason to advocate for the "master key" concept;

This should be user option or at least the admin should be able to make it user option.

[Talk19Zehn]

Hello, I agree: Implementation by default(!) is welcome.

Additional question: Scenario ...
How do the authorities decipher the data in the event of a crime? Is this function ensured?



Best Regards

[thecoalman]

Additional question: Scenario ...
How do the authorities decipher the data in the event of a crime? Is this function ensured?

Unless there was "master" key they would either need to obtain the password from the user or be left with the option to try and crack it.

Passwords are typically short and since there is no control over the rate of attempts brute forcing it is not out of the question.

[Talk19Zehn]

Hello thecoalman, I'm sorry, I did not understand your answer.
If I am forced to hand over the database to the authority because of a criminal complaint, it must be able to read the contents.