[ABD] [DEV] Encrypted PMs

[spaceace]

If I am forced to hand over the database to the authority because of a criminal complaint, it must be able to read the contents.

as a board founder, you can always change that user's password and then log into their account to read them which i think should be the only way to read a user's private messages

[dingus33]

If I am forced to hand over the database to the authority because of a criminal complaint, it must be able to read the contents.

as a board founder, you can always change that user's password and then log into their account to read them which i think should be the only way to read a user's private messages

nope, that won't give you access

[dingus33]

I proposed encrypting PM's in the "Ideas" forum. The one thing I suggested was adding user option for recovery through admin key.

• Fully private, no recovery possible if you lose your password/key.
• Fully encrypted on the server. PM's can be recovered by admin in the event you lose your password but they are also readable by admin.

I realize this would require duplicate column for storing PM's encrypted using admin key and additional processing but that would really not be a concern for me.

That said since this in an extension my biggest concern would be support going forward. This is not something you can back out of if support is dropped.

just fyi, you wouldn't need a duplicate column and ~2x the storage requirements.
you could do it like in GPG for example.

first, generate an intermediate key, and encrypt the message with that.
next, for each recipient (probably the main recipient and the admin in this case), encrypt this intermediate key with his key. prepend the results to the encrypted message as a header so that any recipient has access to the intermediate key and therefore to the message.

imo, in this extension, the master (admin) key should be an optional feature, and there's no reason why you couldn't enable/disable it at any time for new messages going forward.

[Talk19Zehn]

Hello spaceace, it's from my assessment not good advice.

viewtopic.php?f=456&t=2515201&start=60#p15281191
as a board founder, you can always change that user's password and then log into their account to read them which i think should be the only way to read a user's private messages

Unbelievable but true: That some operators still go (find) the way or other ways, has been known for years. I generally refuse to read private messages and / or emails.
I will never touch passwords as an operator and commit a criminal offense I will never read conversations in the database.

If PMs are in plain text, the question does not arise for the authority (!). If I would be reported a crime, I must be able to respond.

Please we go back to my questions:

viewtopic.php?f=456&t=2515201&start=45#p15281096
Additional question: Scenario ...
How do the authorities decipher the data in the event of a crime? Is this function ensured?

viewtopic.php?f=456&t=2515201&start=45#p15281181
Hello thecoalman, I'm sorry, I did not understand your answer.
If I am forced to hand over the database to the authority because of a criminal complaint, it must be able to read the contents.

Many greetings

[Mannix_]

Hello thecoalman, I'm sorry, I did not understand your answer.
If I am forced to hand over the database to the authority because of a criminal complaint, it must be able to read the contents.

I don't think you are obligated to give them full access. Giving them the db should be enough it's their job to "crack" it imho

[david63]

The more that I see of this extension and the more I think about it I cannot ever see it being accepted into the CDB, if for no other reason that it could "cripple" a board.

[canonknipser]

David, I'm not sure about that. There is at least another validated extension, which "cripples" the board irevertable, see https://www.phpbb.com/customise/db/extension/phpbbasic/ which deletes the whole forum structure.

[thecoalman]

Hello thecoalman, I'm sorry, I did not understand your answer.
If I am forced to hand over the database to the authority because of a criminal complaint, it must be able to read the contents.

If that is the law in your country then you would need system that has master key. PM's would still be readable by you or anyone else that has possession of the key including law enforcement if you gave it to them. The one benefit this provides to the user is it would prevent those messages from being read if third party obtained that information such as hacking the server.

[Senky]

That does raise an interesting point. What happens if the extension is disabled? Can no PMs be read?

@EA117 - Technically when an extension is disabled AND the data deleted it should leave the board in the same state as it was before the extension was enabled.

Only encrypted PMs couldn't be read. Also, when you delete the extensions, you loose the messages. But what extension can provide is a way to decrypt all user PMs. So once admin decides to delete the extension, he can give users a grace period when they are able to decrypt all their PMs. Then he deletes the ext, no harm done.

How do the authorities decipher the data in the event of a crime? Is this function ensured?

This isn't possible without at least one user providing his password for the message. Or without "master key" owned by the admin.

[david63]

Only encrypted PMs couldn't be read.

Yes I appreciate that.

Also, when you delete the extensions, you loose the messages.

Presumably you are only referring to encrypted ones. Cannot see that being a good idea!

But what extension can provide is a way to decrypt all user PMs. So once admin decides to delete the extension, he can give users a grace period when they are able to decrypt all their PMs. Then he deletes the ext, no harm done.

And what happens after the "grace period" if they have not been decrypted?

I was more referring to a situation where the extension is disabled and not deleted. If,say, there was a change made to the core and the extension stopped working and so had to be disabled until a fix was found (or worse case scenario could not be fixed) no encrypted PMs would be able to be read.

[Senky]

Well, there just isn't a simple way to restore all encrypted messages with a single click. That would beat all the purpose of the ext.

[ivailo95]

where i can download it?

[Senky]

It is in an early stage, no download is provided, yet.

[thecoalman]

Senky, I know you are early on with this but how difficult would it be to extend this to admin selected custom profile fields? e.g admin creates a hidden phone number field and the data would only be accessible by the admin using a master key. The purpose of such a field for personal data would be for password recovery in the event they lose their email address.

[Senky]

...how difficult would it be to extend this to admin selected custom profile fields? e.g admin creates a hidden phone number field and the data would only be accessible by the admin using a master key...

Not very difficult, interesting use case.