Simple Machines Community Forum

SMF Development => Feature Requests => Applied or Declined Requests => Topic started by: claygucci - June 29, 2005, 01:13:56 PM

Title: Encrypted PM's
Posted by: claygucci - June 29, 2005, 01:13:56 PM
phpBB has this Mod available for add-on. It isn't something I use, but members SWEAR by it on a few "alternative" discussion boards out there.
Title: Re: Encrypted PM's
Posted by: Burpee - June 29, 2005, 03:40:49 PM
This is something that would probably rank #1 on my forum users' wishlist.
I've been trying to get an encrypted board in one way or another for a while now, but I can't seem to find any kind of software that encrypts all messages. Personal Messages would be very good as well though.
Title: Re: Encrypted PM's
Posted by: claygucci - June 29, 2005, 06:16:15 PM
Well, you never walk into a party and tell guests about another one.

That being said, forum software that has it. I don't want to get banned and don't really know the rules, but either way it wouldn't be worth switching to that other bb software.


On the other hand I would be happy to provide the code to a dev that wants to port it over. 

PS- What type of forum is it? PM me if you'd like, or tell me to mind my own biz! ;)
Title: Re: Encrypted PM's
Posted by: Grudge - June 29, 2005, 06:41:17 PM
I don't see how encrypted messages can possibly work? I mean the ONLY way you can read someone's PM is by having access to the database. If you have access to the database you almost certainly have ftp access too. Even if SMF encrypted personal messages through some magical way that meant only the user it was intended for could decrypt it (which doesn't exist unless you're going to make people type in personal encryption keys for each message) - then it would be so easy for a snooping admin to bypass it isn't worth it.
Title: Re: Encrypted PM's
Posted by: claygucci - June 29, 2005, 10:46:54 PM
Yeah, they do type in keys for each message. The keys are exchanged off-site. A lot of the time, I get messages with the subject line: password is HELLO or something like that, that totally defeats the purpose. Here is what the creator has to say about it:


**************************************
This will allow you to encrypt private messages to other users. The user will then be able to decrypt the message if they know the password that you used. This prevents any sensitive message from being read by somebody looking at the raw database records.

Decryption happens onscreen - not within the database. So, even if you "decrypt" a message (and read it) it is still stored on the server in its encrypted form.

If you've decrypted a message and quote it back to the sender, it will be the decrypted text that is quoted back. The quote must, itself, be manually encrypted or else it will be sent back to the original sender in plain text.

Once a message is encrypted and submitted and in the sender's Outbox, it may be viewed and deleted, but it cannot be edited.

This hack encrypts private messages using a 256-bit Rijndael block cipher.

NOTE: In order to use this hack, you must have PHP compiled with libmcrypt2.4.x or higher!


Title: Re: Encrypted PM's
Posted by: Seta Soujiro - June 30, 2005, 12:37:56 AM
Why would users trust this feature?  The password could be saved in the database along with the unencrypted message... And unless you're using SSL, it's not very secure to begin with.
Title: Re: Encrypted PM's
Posted by: claygucci - June 30, 2005, 12:59:48 AM
Honestly I don't trust this feature, and said the first time I don't use it. The passwords are exchanged off site, but still my issue is this:

They claim it creates a key, but you never are asked to make a key for the pair. I am not an expert on crypto but the only type I trust is the type that uses two keys, preferably random, like Hushmail and other PGP-typed.

Regardless of that, I think this would be a good feature and one that my users would like, and I see another member in this thread would like to see it as well.

Quote: And unless you're using SSL, it's not very secure to begin with.

Agreed, SSL is more secure than not having SSL. But SSL just ensures "protection" from the hops/nodes that would normally be in path to and from the site. The concern I have seen is members don't want the admin of the site reading the messages. They also have this notion that if they use the encrypted pm and the site gets shut down the messages will be unreadable.


*semi-off topic Hushmail spin-off*

This is a foolish one, as I think even Hushmail is breakable. I just think that the govt won't let that be known unless it's a huge thing. If they knew about a plan to kill 6000 people and didn't thwart it, they sure as heck aren't going to reveal that hush is breakable over anything less than someone planning on blowing the world up.

Title: Re: Encrypted PM's
Posted by: Seta Soujiro - June 30, 2005, 02:02:22 PM
Quote: The concern I have seen is members don't want the admin of the site reading the messages.
There's absolutely no way to prevent against that. The webserver could automatically log the messages in another unencrypted file, for example, or just pretend to encrypt it, or sniff network traffic. Without having some sort of Java applet that encrypts the message before sending it to the server, or some sort of javascript encryption, it is absolutely impossible. Why not just have the members get gpg, and encrypt messages before they send them?
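
Added example, not part of the thread or of the phpBB mod: the scheme the mod's author describes (a per-message password, ciphertext at rest) combined with the point above that encryption has to happen before the message reaches the server. It runs under Node.js, uses AES-256-GCM with scrypt as a stand-in for the mod's mcrypt Rijndael cipher, and the function names and record layout are assumptions.

```javascript
// Added example (not from the phpBB mod or SMF): password-based PM encryption
// done on the sender's side, so the forum database only ever holds ciphertext.
// Assumption: AES-256-GCM + scrypt stand in for the mod's mcrypt Rijndael cipher.
const crypto = require('node:crypto');

// Derive a 256-bit key from the shared password. A fresh salt per message
// means the same password does not produce the same key twice.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Returns the record a forum would store in its PM table (hypothetical layout).
function encryptPm(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    body: body.toString('base64'),
  };
}

// Returns the plaintext, or null when the password is wrong or the stored
// record was modified (the GCM tag check fails inside final()).
function decryptPm(password, record) {
  const key = deriveKey(password, Buffer.from(record.salt, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  try {
    const out = Buffer.concat([decipher.update(Buffer.from(record.body, 'base64')), decipher.final()]);
    return out.toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample message and passwords.
const stored = encryptPm('correct horse battery', 'Meet at the usual place at 9.');
console.log(JSON.stringify(stored));                      // what a database dump shows
console.log(decryptPm('correct horse battery', stored));  // the original text
console.log(decryptPm('HELLO', stored));                  // wrong password
```

As the posters note, this only helps if the password travels off-site and the code doing the encryption is not supplied by the admin being defended against.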
Title: Re: Encrypted PM's
Posted by: claygucci - June 30, 2005, 02:26:43 PM
Agreed, gnupg and pgp are very very secure. It looks like we are agreeing on the points you are bringing up.

and.

Quote: Why not just have the members get gpg, and encrypt messages before they send them?

They would rather click "encrypt" and use the encryption (that we both have agreed twice is not truly secure). 

I guess in other words, I don't give a crap if it's encrypted or not. If it will make them happy having this feature it's one I want to add.




Title: Re: Encrypted PM's
Posted by: Seta Soujiro - June 30, 2005, 04:04:24 PM
OK.  Then it's fairly straightforward to implement.  Just include a box for the key, and a button that says encrypt.  Then just store the message in the database along with the encryption key.  If the wrong key was typed, then just send back the message base64 encoded and then xored with the key.  If the correct key was entered, just send the real message.
Title: Re: Encrypted PM's
Posted by: claygucci - June 30, 2005, 07:34:13 PM
Hmm, I don't know how to do that.
How is this done step by step? Is there a mod you can write for this for us to download?
Title: Re: Encrypted PM's
Posted by: Seta Soujiro - June 30, 2005, 08:06:24 PM
Now I found the phpBB mod.  I'll port it to SMF.
Title: Re: Encrypted PM's
Posted by: Elijah Bliss - June 30, 2005, 08:40:41 PM
What's the point?
Title: Re: Encrypted PM's
Posted by: claygucci - June 30, 2005, 08:48:15 PM
Quote: What's the point?

I hope this isn't a serious question.
If it is, the answer is:

because then, smf users will be able to use it.
Title: Re: Encrypted PM's
Posted by: Elijah Bliss - June 30, 2005, 09:00:10 PM
Quote from: claygucci - June 30, 2005, 08:48:15 PM
Quote: What's the point?

I hope this isn't a serious question.
If it is, the answer is:

because then, smf users will be able to use it.


Who are you trying to hide the PM from? That's what I'm getting at.
Title: Re: Encrypted PM's
Posted by: claygucci - June 30, 2005, 09:20:22 PM
It doesn't matter who ever they would like. I guess the only two possibilities would be anyone, or everyone. I'm looking at this thing from a different view.

I think a good analogy is this: your son sees a commercial for sneakers. They are flashy and honestly look like a piece of crap. In the commercial the kid runs fast and fire is trailing behind the sneakers. It's a no name brand and you know it's just a marketing ploy to get him to want it. Of course the conservative plain Reebok classics that are half the price and will last twice as long. But if you don't he will cry and "won't be able to run as fast as the rest" or "tommy's parents bought him a pair!" or he might even throw a temper tantrum
WHAAAA!!!!
:'(

Now, of course you should teach your kids value and how things really work, whether they like it or not. And you have to discipline them if they throw a temper tantrum (if it happens in Wilmar, that's yo 4SS!).

There was something very relevant and smart I was going to say, but I had to take a leak and walk the dog.
Title: Re: Encrypted PM's
Posted by: canuckguy - January 13, 2007, 08:32:39 AM
I'd still like some weak encryption so you can't just read everyone's PMs in the backup file. Either that or is there a way to remove the backup file thing from the admin area and make it so admins have to download backups via cpanel?
Title: Re: Encrypted PM's
Posted by: Visualcode - January 14, 2007, 02:47:32 PM
Honestly, I agree, just add something which stores the key and the message. No need to actually encrypt it, just make sure they know the key to read it. Honestly, it is worthless to encrypt it at all. I mean, even if they added it as a built-in feature, what is to stop the untrusted admin from creating a mod to steal the messages? Really, if you can't trust the admin, then you shouldn't be sending PMs you don't want them to see.
Title: Re: Encrypted PM's
Posted by: canuckguy - February 09, 2007, 01:57:59 AM
Actually the admins don't need a mod, they can easily save a forum backup in maintenance and read everyone's PMs as clear as day. I'm just asking for some sort of soft encryption so you can't just read it as clear as day :)
Title: Re: Encrypted PM's
Posted by: canuckguy - June 30, 2007, 05:13:27 PM
This should be a priority, ******in admins have total view of member PMs at all times.
Title: Re: Encrypted PM's
Posted by: canuckguy - June 30, 2007, 05:15:32 PM
Hey I like the stars to cover my swear, censorship is healthy here.......hope pm encryption isn't ignored tho.........privacy is teh key.
Title: Re: Encrypted PM's
Posted by: fatty - July 01, 2007, 06:35:27 AM
If privacy is the key then the only true way to protect privacy is, as already mentioned, for users to post messages encrypted with PGP or similar.