
PGP LOGIN for Vanilla?

Hi, I am wondering how I could hide users' IPs from other users sending requests in messages with links etc. to get another user's IP. Also, of course, PGP login for all users would be nice.

Comments

  • R_J Ex-Fanboy Munich Admin

    There is no way to hide them. That's why mail clients could be configured to block loading of external resources in mails. If you open a message that contains a picture hosted on my server, I can see your IP, browser, OS, etc.

    You would

    • either have to filter out all external links from your forum
    • change all inline content (like e.g. an image) to an external link that will open in a new window, so that a user can decide if he wants to load that content
    • load every linked content on your own server and serve it from there so that your users would always request resources from your server and not from a potentially "malicious" server

    PGP Login? Never heard of that. Do you have links for that? Not for PGP encryption, but for using PGP as a login possibility?

  • @R_J said:
    There is no way to hide them. That's why mail clients could be configured to block loading of external resources in mails. If you open a message that contains a picture hosted on my server, I can see your IP, browser, OS, etc.

    You would

    • either have to filter out all external links from your forum
    • change all inline content (like e.g. an image) to an external link that will open in a new window, so that a user can decide if he wants to load that content
    • load every linked content on your own server and serve it from there so that your users would always request resources from your server and not from a potentially "malicious" server

    PGP Login? Never heard of that. Do you have links for that? Not for PGP encryption, but for using PGP as a login possibility?

    Thanks for the reply, check this https://espenandersen.no/sign-a-web-page-with-pgp/ and maybe this https://www.webpg.org/. PGP login is used on mainly Tor sites; I am sure Facebook has a PGP login option now also.

  • R_J Ex-Fanboy Munich Admin

    @sz1hosting said:
    Thanks for the reply, check this https://espenandersen.no/sign-a-web-page-with-pgp/ and maybe this https://www.webpg.org/. PGP login is used on mainly Tor sites; I am sure Facebook has a PGP login option now also.

    I'd bet they do not offer something like that.

    In the links I see only information about signing pages with PGP, but no account authentication/login with PGP. I did a quick search on GitHub to look for any such projects and didn't really find a lot: https://github.com/search?utf8=✓&q=gpg+login&type=
    Most of them aren't even about logging a user in.

  • @R_J said:

    @sz1hosting said:
    Thanks for the reply, check this https://espenandersen.no/sign-a-web-page-with-pgp/ and maybe this https://www.webpg.org/. PGP login is used on mainly Tor sites; I am sure Facebook has a PGP login option now also.

    I'd bet they do not offer something like that.

    In the links I see only information about signing pages with PGP, but no account authentication/login with PGP. I did a quick search on GitHub to look for any such projects and didn't really find a lot: https://github.com/search?utf8=✓&q=gpg+login&type=
    Most of them aren't even about logging a user in.

    Thanks for your time, yeah most of my ideas always seem to be not available yet ^_^

  • Using a script serving an "image" to sniff is a classic technique. Unless you are going to proxy the image content you can't avoid this.

    However, once someone has clicked on a link there is nothing you can do, nor is it your responsibility; they have chosen to click on that link. Typically you can rewrite links to warn people they are leaving the site, but that is about it. I would do that a soft way such as JavaScript, in order not to risk messing up your site.

    If they are already using Tor, then this is moot. The best thing you can do is educate people about onion routing, and privacy in general, and let them make up their own minds.

    grep is your friend.
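
Two of the mitigations discussed above (turning inline external images into click-through links, and serving them through the forum's own server) can be sketched as a post-rendering filter. This is an added example, not Vanilla code and not from any poster in the thread; `FORUM_HOST`, `PROXY_KEY` and the `/imgproxy` endpoint are assumptions made for illustration.

```python
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

FORUM_HOST = "forum.example"         # assumption: the forum's own hostname
PROXY_KEY = b"constructed-demo-key"  # assumption: secret known only to the server

def is_external(url):
    # Relative and data: URLs have no host; anything else must match the forum.
    host = urlsplit(url).hostname
    return host is not None and host != FORUM_HOST

def proxy_url(src):
    # Same-origin URL for a hypothetical /imgproxy endpoint. The HMAC lets the
    # endpoint refuse URLs the forum never rendered (no open proxy).
    sig = hmac.new(PROXY_KEY, src.encode(), hashlib.sha256).hexdigest()
    return f"/imgproxy/{sig}?url={quote(src, safe='')}"

class PostRewriter(HTMLParser):
    def __init__(self, mode):
        super().__init__(convert_charrefs=True)
        self.mode, self.out = mode, []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "img" and is_external(src):
            if self.mode == "proxy":
                attrs = [(k, proxy_url(src) if k == "src" else v) for k, v in attrs]
            else:  # "link": nothing is fetched until the reader clicks
                self.out.append(f'<a href="{escape(src, quote=True)}" target="_blank" '
                                f'rel="noopener noreferrer">[external image]</a>')
                return
        parts = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs)
        self.out.append(f"<{tag}{parts}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # emit <img .../> as a plain start tag

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def rewrite_post(html, mode="link"):
    rewriter = PostRewriter(mode)
    rewriter.feed(html)
    rewriter.close()
    return "".join(rewriter.out)
```

The filter only covers `<img>`; other tags that trigger automatic fetches (video, iframe, CSS backgrounds) would need the same treatment, and it does not replace the forum's HTML sanitizer.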

  • @x00 said:
    Using a script serving an "image" to sniff is a classic technique. Unless you are going to proxy the image content you can't avoid this.

    However, once someone has clicked on a link there is nothing you can do, nor is it your responsibility; they have chosen to click on that link. Typically you can rewrite links to warn people they are leaving the site, but that is about it. I would do that a soft way such as JavaScript, in order not to risk messing up your site.

    If they are already using Tor, then this is moot. The best thing you can do is educate people about onion routing, and privacy in general, and let them make up their own minds.

    Thanks, maybe 1 day someone will make a PGP login for Vanilla Forums ^_^
