Are private messages secure enough?

edited November 2015 in Vanilla 2.0 - 2.8

There is a former member of a different Vanilla forum community than my own who has told me that they are reluctant to sign up because they say the private messages were stolen and publicly published from the Vanilla forum they used to participate on. I was just wondering what assurances I can offer this person that such is hopefully not (or no longer) possible?

Comments

  • peregrine MVP
    edited November 2015

    No assurances whatsoever. Assume whatever you do on the internet can be made public either through hacking or some other means.

    private messages (if not hacked or read by admin) are between the private parties.

    whoever receives a private message from someone else can in turn publish it on the forum.

    with regards pm's, whatever roles have permission to read them can read them. if you are not an admin you should not have the ability to read private messages if they are not sent to you. Although reprehensible, there are probably admins who do read others' private messages.

    Some people mistakenly think wall messages (as opposed to pm's) are private.

    If a person posts private info about another person (without the other person's permission), a good admin and/or moderator would remove the info, pronto.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP

    @gratiafide

    This isn't really a Vanilla issue, this a web host issue.

    How secure is your webserver?

    PM's are stored in the db. Anyone with access to the db can read PM's, or export them.

    If your db can't be accessed, then the only way for someone to see PM's is, as peregrine says, a matter of permissions.

    By default, Vanilla only allows admins the possibility, should they adopt the feature, of being able to read PM's, and that has to be a conscious decision.

    Can you assure users your database won't be hacked? Probably not. But you can promise to take all steps to try to make your site secure, and vouch for the integrity of your Admins.

  • hgtonight ∞ · New Moderator

    Data is like a secret.

    The only way to keep it secret is to not share it with anyone.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP

    Two people can keep a secret if one of them is dead...

  • Thanks for the feedback. I'm surprised that the "private" messages can be read by an admin - does that not take away from them being truly "private" messages? Can anything be done about that? I hate telling people with privacy concerns that "we could read your private messages, even though we won't."

  • hgtonight ∞ · New Moderator

    @gratiafide said:
    Thanks for the feedback. I'm surprised that the "private" messages can be read by an admin - does that not take away from them being truly "private" messages? Can anything be done about that? I hate telling people with privacy concerns that "we could read your private messages, even though we won't."

    You can prevent "normal" admins from reading the PMs. It is permission based. However, someone is running the forum. That person always has access to all data. They need access to fix issues.

    I can't see a way around it unless you stored the data encrypted, render it encrypted, decrypt it on the client side, and render it again. Seems like a lot of effort when the person they are talking to could just as easily share it with someone.

  • peregrine MVP
    edited November 2015

    @gratiafide said:
    Thanks for the feedback. I'm surprised that the "private" messages can be read by an admin - does that not take away from them being truly "private" messages? Can anything be done about that? I hate telling people with privacy concerns that "we could read your private messages, even though we won't."

    You are not the first person surprised at this. if you search the forum, you will see a few discussions relating to your very same question, and similar responses.

    yep. and all your email can be read by the admin on your mail server and it can also be read on every step along the way. all you need is a packet sniffer. (unless an encryption method effectively works).

    absolutely nothing is secure on the internet or on computer.

    anyone with access to the database can read anything as well. At some point you have to have trust, and/or don't share private info.

    I don't know if pgp is still used with e-mail. But have them use e-mail and turn off private messaging. Problem solved; at least it's out of your hands.

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP
    edited November 2015

    @gratiafide

    If no one could potentially read PM's, how would the site deal with claims of harassment or other improper behaviour?

    Since the super admin (whoever installed Vanilla, and has access to the db) can read the PMs directly in the db, there's not much point in fiddling with Vanilla to remove the option for Admins to view PMs.

    It's a trust issue.

    Separately, why would people use a forum's PM system to share private or sensitive information?

    I certainly discourage our users from doing it.

    For me, PM's are for personal messages (not relevant on a thread) rather than private or confidential information.

  • R_J Ex-Fanboy Munich Admin

    I once sat together with a few people and we talked about replacing a community we all used with something better. One of the concerns we received as feedback has indeed been: "do you really think people would use your PM function, if you are the admins?" Leaving aside what that means about our behaviour in that community, I think it is a feature which would be great to have.

    And I already have thought about creating a plugin for that. It would need public/private key encryption in JavaScript. Creating keys a) takes some time and b) forces the user to keep his private key somewhere since when it is lost, PMs are not accessible any more. That's why I think a plugin should look like that:

    1. Let user register without the need to create keys. Maybe give a hint "Configure private messaging", but nothing more.
    2. Add a dismissable note to PM creation screen: "Do you know that you can secure your PMs?" leading to an info screen where a user can create his keys. Message will not appear once keys are created or user has dismissed the hint.
    3. Generation is done with some js library (e.g. https://github.com/travist/jsencrypt). The public key is stored in User table and private key must be kept by the user himself. Since it is generated on the client side, it must never be sent to the server.
    4. Next time the user writes a PM and the receiver already has created a key pair, user has two options: [Send unencrypted PM] [Send secure PM]. When there is one or more receiver in the list without a key, encrypting is not available, since it is useless if message is stored unencrypted in the db anyway.
    5. The receiver of an encrypted message is prompted for his key with which the js library can decrypt the message and replace the encrypted message with the decrypted results.

    Voilà.

    Some features which would be nice:
    Add per user setting (always send encrypted if possible)
    Enable send buttons with ajax call once the recipients field loses focus and also change css class
    Add "Lost public key" which disallows others from sending encrypted PMs temporarily (better than deleting the public key, since that key might only be temporarily forgotten/lost)

    Just if anyone was bored and only waited for a plugin inspiration...

  • @gratiafide said:
    Thanks for the feedback. I'm surprised that the "private" messages can be read by an admin - does that not take away from them being truly "private" messages? Can anything be done about that? I hate telling people with privacy concerns that "we could read your private messages, even though we won't."

    I never liked the term private messages anyway, they are called Conversations by vanilla.

    At the end of the day the messages are held centrally, so whoever has access could read them; it's up to you, the host, to set your privacy policy.

    grep is your friend.

  • x00 MVP
    edited November 2015

    @R_J if you are going to go to those lengths why not skip the site altogether and simply communicate directly?

    You are better off with a proper client than a browser to make sending and receiving encrypted messages easier. There is little benefit in an average forum taking the liability for that.

  • peregrine MVP
    edited November 2015

    @whu606 said:
    @gratiafide

    If no one could potentially read PM's, how would the site deal with claims of harassment or other improper behaviour?

    I think you hit the nail on the head. Encryption might be a bad idea (your forum could be used for nefarious purposes and you would never know and might not be able to find out either if you did suspect it.).

    Forum = I thought that was a public meeting place.

    @x00 said:

    I never liked the term private messages anyway, they are called Conversations by vanilla.

    At the end of the day the messages are held centrally, so whoever has access could read them; it's up to you, the host, to set your privacy policy.

    Yes. maybe the word private should be changed to personal without the assurances as well.

    applications/conversations/views/modules/inbox.php:67:      echo Wrap(T('Your private conversations with other members.'), 'div', array('class' => 'P'));
    applications/conversations/controllers/class.conversationscontroller.php:50:      // You've got to be signed in to send private messages.
    applications/conversations/settings/class.hooks.php:133:      $Sender->Preferences['Notifications']['Email.ConversationMessage'] = T('Notify me of private messages.');
    applications/conversations/settings/class.hooks.php:134:      $Sender->Preferences['Notifications']['Popup.ConversationMessage'] = T('Notify me of private messages.');
    applications/conversations/settings/about.php:6:   'Description' => "An improvement upon existing private messaging tools, Conversations allows multiple users to take part in private conversations.",
    applications/conversations/settings/stub.php:16:$ConversationBody = "Pssst. Hey. A conversation is a private chat between two or more members. No one can see it except the members added. You can delete this one since I’m just a bot and know better than to talk back.";

    Some definitions of forum

    Best described as a torrent of little children running around in a minefield (users), some armed with weapons (moderators), forums are the flagship of internet discussion, spam, and flame wars.
    Smaller forums tend to be more habitable, but the larger ones have many distinct and similar features. For example, within approximately seven seconds of the creation of a topic, you will have at least one reply, guaranteed. Large forums also tend to spawn makeshift caste systems within themselves, and you're automatically a malefactor in the forum until you have a 4-digit post count.
    A forum can sometimes be helpful, but normally they become a time consuming and frustrating thing if you pay too much attention to them.
    I got banned from that forum for being a n00b.

    http://www.urbandictionary.com/define.php?term=forums&defid=1882601

    http://www.urbandictionary.com/define.php?term=forum&defid=1381614

    http://www.urbandictionary.com/define.php?term=Forum&defid=7202063

    1
    a : the marketplace or public place of an ancient Roman city forming the center of judicial and public business
    b : a public meeting place for open discussion
    c : a medium (as a newspaper or online service) of open discussion or expression of ideas
    2
    : a judicial body or assembly : court
    3
    a : a public meeting or lecture involving audience discussion
    b : a program (as on radio or television) involving discussion of a problem usually by several authorities

  • R_J Ex-Fanboy Munich Admin

    There's always a use case for anything, nor? ;)

    I do not say it should be a core feature, I only believe it would make a nice plugin.
    But I certainly will not start a nothing-to-hide-discussion.

  • I just think that if you are going to have a centralised messaging service, everything has to be secure, the server has to be secure, etc.

    People put a lot of false confidence in sites.

  • hgtonight ∞ · New Moderator

    I like the idea of a "secure PM" system.

    I just don't see the point as anyone that is actually concerned will be communicating another way.

    Let's dev jam it!

  • Linc Detroit Admin

    What I'd really like is for there to be a notification on the inbox page when the config setting to allow admins to view PMs is enabled.

    @gratiafide Even if the software absolutely forbade it (and btw, it's off by default - you have to manually enable it in the config to be able to do so) the person running the site can always just open the database manually. So either you trust the person with the data or you don't - just like email.

  • x00 MVP
    edited November 2015

    The difference with email is it is federated, not centralised. It is passing through multiple routes and is often transient. Although email encryption is far from foolproof, email clients can handle that for you without having anything to do with the servers. So there can be a degree of separation. Of course with webmail you have to trust them to sandbox the client.
