Are private messages secure enough?
There is a former member of a different Vanilla forum community than my own who has told me that they are reluctant to sign up because they say the private messages were stolen and publicly published from the Vanilla forum they used to participate on. I was just wondering what assurances I can offer this person that such is hopefully not (or no longer) possible?
Comments
No assurances whatsoever. Assume whatever you do on the internet can be made public, either through hacking or some other means.
Private messages (if not hacked or read by an admin) are between the private parties.
Whoever receives a private message from someone else can in turn publish it on the forum.
With regard to PMs, whatever roles have permission to read them can read them. If you are not an admin, you should not have the ability to read private messages that are not sent to you. Although it is reprehensible, there are probably admins who do read others' private messages.
Some people mistakenly think wall messages (as opposed to PMs) are private.
If a person posts private info about another person (without the other person's permission), a good admin and/or moderator would remove the info pronto.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
@gratiafide
This isn't really a Vanilla issue; this is a web host issue.
How secure is your webserver?
PMs are stored in the DB. Anyone with access to the DB can read PMs, or export them.
If your DB can't be accessed, then the only way for someone to see PMs is, as peregrine says, a matter of permissions.
By default, Vanilla only allows admins the possibility, should they adopt the feature, of being able to read PMs, and that has to be a conscious decision.
Can you assure users your database won't be hacked? Probably not. But you can promise to take all steps to try to make your site secure, and vouch for the integrity of your Admins.
Data is like a secret.
The only way to keep it secret is to not share it with anyone.
Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
Two people can keep a secret if one of them is dead...
Thanks for the feedback. I'm surprised that the "private" messages can be read by an admin - does that not take away from them being truly "private" messages? Can anything be done about that? I hate telling people with privacy concerns that "we could read your private messages, even though we won't."
You can prevent "normal" admins from reading the PMs. It is permission based. However, someone is running the forum. That person always has access to all data. They need access to fix issues.
I can't see a way around it unless you stored the data encrypted, rendered it encrypted, decrypted it on the client side, and rendered it again. Seems like a lot of effort when the person they are talking to could just as easily share it with someone.
You are not the first person surprised at this. If you search the forum, you will see a few discussions relating to your very same question, and similar responses.
Yep. And all your email can be read by the admin on your mail server, and it can also be read at every step along the way. All you need is a packet sniffer (unless an encryption method effectively works).
Absolutely nothing is secure on the internet or on a computer.
Anyone with access to the database can read anything as well. At some point you have to have trust, and/or don't share private info.
I don't know if PGP is still used with e-mail. But have them use e-mail and turn off private messaging. Problem solved; at least it's out of your hands.
@gratiafide
If no one could potentially read PM's, how would the site deal with claims of harassment or other improper behaviour?
Since the super admin (whoever installed Vanilla, and has access to the DB) can read the PMs directly in the DB, there's not much point in fiddling with Vanilla to remove the option for admins to view PMs.
It's a trust issue.
Separately, why would people use a forum's PM system to share private or sensitive information?
I certainly discourage our users from doing it.
For me, PM's are for personal messages (not relevant on a thread) rather than private or confidential information.
I once sat together with a few people and we talked about replacing a community we all used with something better. One of the concerns we received as feedback was indeed: "do you really think people would use your PM function, if you are the admins?" Leaving aside what that means about our behaviour in that community, I think it is a feature which would be great to have.
And I have already thought about creating a plugin for that. It would need public/private key encryption in JavaScript. Creating keys a) takes some time and b) forces the user to keep his private key somewhere, since when it is lost, PMs are not accessible any more. That's why I think a plugin should look like that:
Voilà.
Some features which would be nice:
Add per user setting (always send encrypted if possible)
Enable send buttons with an ajax call once the recipients field loses focus, and also change the css class
Add "Lost public key", which disallows others to send encrypted PMs temporarily (better than deleting the public key, since that key might only be temporarily forgotten/lost)
Just if anyone was bored and only waited for a plugin inspiration...
I never liked the term private messages anyway; they are called Conversations by Vanilla.
At the end of the day the messages are held centrally, so whoever has access could read them. It is up to you, the host, to set your privacy policy.
grep is your friend.
@R_J if you are going to go to those lengths, why not skip the site altogether and simply communicate directly?
You are better off with a proper client than a browser to make sending and receiving encrypted messages easier. There is little benefit in an average forum taking the liability for that.
I think you hit the nail on the head. Encryption might be a bad idea (your forum could be used for nefarious purposes and you would never know, and might not be able to find out even if you did suspect it).
Forum = I thought that was a public meeting place.
Yes. Maybe the word "private" should be changed to "personal", without the assurances as well.
Some definitions of forum
http://www.urbandictionary.com/define.php?term=forums&defid=1882601
http://www.urbandictionary.com/define.php?term=forum&defid=1381614
http://www.urbandictionary.com/define.php?term=Forum&defid=7202063
There's always a use case for anything, no?
I do not say it should be a core feature, I only believe it would make a nice plugin.
But I certainly will not start a nothing-to-hide-discussion.
I just think that if you are going to have centralised messaging service, everything has to be secure, the server has to be secure, etc.
People put a lot of false confidence in sites.
I like the idea of "secure PM" system.
I just don't see the point as anyone that is actually concerned will be communicating another way.
Let's dev jam it!
What I'd really like is for there to be a notification on the inbox page when the config setting to allow admins to view PMs is enabled.
@gratiafide Even if the software absolutely forbade it (and btw, it's off by default - you have to manually enable it in the config to be able to do so) the person running the site can always just open the database manually. So either you trust the person with the data or you don't - just like email.
The difference with email is that it is federated, not centralised. It passes through multiple routes and is often transient. Although email encryption is far from foolproof, email clients can handle that for you without having anything to do with the servers. So there can be a degree of separation. Of course, with webmail you have to trust them to sandbox the client.