News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

Suit up!

Started by Dragooon, June 03, 2014, 11:00:17 AM

Previous topic - Next topic

Dragooon

Hello! Time for another update regarding our progress with 2.1.

Change in password hash
Passwords stored in the database are hashed. In the unlikely event that your database gets stolen and the passwords are leaked, the thief cannot see the actual password without cracking the hash. The hash protects the user's password being in plain sight to the attacker and helps protect their online identity on that site, as well as, potentially, other sites.

SMF has been using SHA-1 hash for its passwords from 1.1 to 2.0 and while SHA-1 still has no known weakness, it's a weak hash by today's standard and is susceptible to being cracked via brute force attacks. While this is still a hard task and would probably require GPU farms to be effective on a large scale, it's definitely a threat especially to passwords which are weak, commonly used and/or based on common dictionary words.

With 2.1 the entire hash has been switched to bcrypt. It's a far more secure and strong hash than SHA-1 and is a lot less susceptible to brute force attacks unlike SHA-1. Any forum upgrading from 2.0/1.1 will have their users' passwords upgraded to this hash once they login for the first time on the 2.1 forum and new users will automatically get the bcrypt password.

Likes and Mentions
SMF now has support for grabbing a user's attention simply by mentioning their name using the @username syntax, similar to popular social networking sites such as Facebook and Twitter. This action will send an alert and/or an e-mail depending upon the receiving user's preferences.

Likes also receive some additional features and improvements, with the ability to like a post via AJAX without having to refresh the page as well as permissions for membergroups to allow liking posts or not.

Minimum PHP version bump
With the additional improvements in password hashing as well as other improvements and advancements requiring the use of features such as closures, we've decided to bump the minimum version of PHP to 5.3.8 with 2.1.   SMF 2.1 will not work with versions below that.

Conversion of create_function's lambda style functions to true anonymous closures
SMF has a lot of create_function calls (over 200 in fact) and create_function is a particularly memory hungry function which cannot be optimised by bytecode caches and properly garbage collected. With the recent bump in PHP 5.3, we've decided to take this opportunity and convert all of them to true closures which will have much better support as well as proper support for garbage collection the moment it's out of scope.

BoardIndex optimisation
The BoardIndex receives some love with improvements in the way it's queried, breaking the previously monstrous query into three smaller queries. Also, boards are now explicitly sorted by using a sort cache for all the DB types instead of using a rather inefficient ORDER BY clause for Postgres, SQLite. This also fixes random board ordering in MySQL 5.6+ without impacting the performance.

Karma's gone!
As decided in a poll before, we've completely removed karma which will in turn be made into a separate optional modification for SMF 2.1.

But wait! We've even more!

  • Multiple improvements to the WIP Curve2 theme and its responsive aspect.
  • Linktree automatically hides parent boards if they cannot be seen by the visiting member.
  • jQuery has been updated to 1.11.
  • Multiple bugfixes regarding undefined indexes, unexpected behaviours etc.
  • And several other things I'm probably forgetting here...

That's it for now :), thank you for reading. With every commit, we're nearing a Beta release with the hopes to get one out as soon as possible. As always, all the latest changes, everything I've listed here and more can be seen on our GitHub repository but please be careful, as it's in Alpha stages for now. Feel free to give it a spin but do not use it in a live/production environment, there may be bugs or we may unexpectedly change something which might put your forum into an unusable state.

Regards

Matthew K.

Upgrader and installer also now have RTL :P

kat

Thanks for the update dragooooooooooooooooooooooooooooooooooooon! :)

Dragooon

Quote from: Labradoodle-360 on June 03, 2014, 11:17:36 AM
Upgrader and installer also now have RTL :P
Well I was bound to miss a few :P, one can always check Github's commit logs to know exactly what went down.

radu81

great news, thanks for the updates!
sorry for my bad english

CountryLady


Fantastic News~! Many "Thanks" to ALL involved. This is really exciting.

Those with the know-how 8) to do this, please keep up this awesome work.

Thanks for posting this Dragooon. :D

LiroyvH

((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

vbgamer45

Thanks for the update! I really enjoy the mentions system and use it on my boards.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Antechinus

Nice work. Question: is it possible for a user to completely switch off the likes and mentions notifications?* I know some people like them, but others just find them a nuisance.

*Meaning so they never show up on the forum interface at all.

Arantor

I believe likes can be turned off, not so sure about mentions. Given that they tie into the alerts system and a bunch of other stuff also ties into the alerts system...
Holder of controversial views, all of which my own.


Antechinus

K. Well my 2c is that it'd be cool to have a user option to mindlessly clear all mentions with one click. I find it a PITA when I have to manually go through and deal with each one.

Arantor

You should be able to turn off getting alerts for mentions if you don't care :P
Holder of controversial views, all of which my own.


Antechinus

Oh goody. Elk didn't have that last I checked. :D

Arantor

That's because Elk's system is totally different from SMF's.
Holder of controversial views, all of which my own.


Antechinus

Well since they're determined to be better, I expect they'll have to put it on their to-do list now.

Arantor

Yeah, I chose to stop development before I finished building it. Long story. Dragooon is doing awesome work now though.
Holder of controversial views, all of which my own.


NanoSector

Quote from: Arantor on June 03, 2014, 06:18:27 PM
You should be able to turn off getting alerts for mentions if you don't care :P
Wouldn't that kind of defeat the entire point? :P

Nice work, thanks for the update.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Antechinus

Yeah, I want it to defeat the whole point. :D

Antes

Thanks for the update! :)

4Kstore

Nice update! thanks for all

¡¡NEW MOD: Sparkles User Names!!!

Advertisement: