(engineer attention) message security

Zephyn

it would be good if upon creating an account, PGP (or better) keys are generated for the user encrypted with their password, all you store in your db is their password hash, and pgp encrypted messages, which are on the fly decrypted with their password, which you could store in the session, have no session logs/route them to /dev/null

obviously not perfect, but better security.

this would protect your users in the event your db is ever hacked or seized, and wouldn't require any special effort from the end user.
 
Are you talking about for PMs? There is nothing stopping you from using pgp correspondence with other users, BL just doesn’t offer that itself
 
There’s a lot of other things that will probably happen before that (unless there are workings going on that I’m unaware of) so if you’re that concerned I would just ask all your PMs to use a different messenger that you feel secure with
 
Maybe just go off-channel if you want to discuss anything incriminating or self-identifying? That's what I used to do. What you describe is a huge project for the staff to say the least and probably wouldn't be secure enough, for want of actual end-to-end encryption, to actually forestall a determined adversary. Getting heavy duty encryption would also encourage drug dealing on the board which would hopefully at least not happen right on these servers if people aren't totally morons.
 
Maybe just go off-channel if you want to discuss anything incriminating or self-identifying? That's what I used to do. What you describe is a huge project for the staff to say the least and probably wouldn't be secure enough, for want of actual end-to-end encryption, to actually forestall a determined adversary. Getting heavy duty encryption would also encourage drug dealing on the board which would hopefully at least not happen right on these servers if people aren't totally morons.
Huge project of a couple hours/days, but I feel you, it's *almost* pointless. Would probably be easier to implement a secondary OTR messenger component
 
I think because there is never anything illegal on BL, having personal encryption would create all sorts of issues with BL staff and admins not being able to control their own site. For all they know some huge drug ring could use BL as their front. This isn't the dark net, we are the epitome of clear net. We want people to see things posted here.

It would create more problems and attention than BL wants or needs IMO.

In the end all we do here is harm reduction which is the opposite of illegal. The main purpose at least.
 
Would probably be easier to implement a secondary OTR messenger component
Which is just as well served by exchanging OTR info and a confirmation phrase on-site. That is what I used to do.
 
I think because there is never anything illegal on BL, having personal encryption would create all sorts of issues with BL staff and admins not being able to control their own site. For all they know some huge drug ring could use BL as their front. This isn't the dark net, we are the epitome of clear net. We want people to see things posted here.

It would create more problems and attention than BL wants or needs IMO.

In the end all we do here is harm reduction which is the opposite of illegal. The main purpose at least.
Yeah, cops are not the only concern as far as encryption goes though, and I'm only talking about PMs, which staff shouldn't have access to anyway, but do, considering XenForo stores the messages unencrypted in a SQL database. For all people know they have created a custom module for it that allows them to pull up a thread on demand lol
 
Yeah. But that's just me, what about all the users who don't know how to use pgp?
 
Yeah. But that's just me, what about all the users who don't know how to use pgp?

We have users that can’t work out how to delete posts or use the in-line quote function. How will they work out PGP? Maybe it’s worth making a thread explaining how it works and giving a step-by-step guide about how to do it using a 3rd party key generator like PGPtools, and see what kind of interest there is from people in it? That would be an interesting little project.
 
No, I mean there's a way to reasonably do it without teaching PGP, just as normal messages
 
Passwords would still have to be temporarily kept server-side in plaintext.
As a general rule this is a big no-no
 
My PMs could be made public. They are just chit chat and stuff you wouldn't want to put out there like real life info and stuff.

If one isn't selling ( or sourcing ) drugs I wouldn't think one has anything to worry about. If anyone is doing it then stop now.

I don't think the mods are getting popcorn and reading people's PMs all night. They, and the owners, have enough work to do just keeping this site running properly.

This is a social and harm reduction forum and PMs were made to get to know people better without the whole forum knowing their business. Just keep them within the BLUA and one has nothing to worry about.
 
Built-in encryption would be a surefire way to attract the suspicions of law enforcement because it would look like we are facilitating underground activities.

If you want PGP then just make your own encrypted messages.
 
Built-in encryption would be a surefire way to attract the suspicions of law enforcement because it would look like we are facilitating underground activities.

If you want PGP then just make your own encrypted messages.
Nonsense. We have a right to privacy.
 
Passwords would still have to be temporarily kept server-side in plaintext.
As a general rule this is a big no-no
Server-side, yes, but you'd store it in the PHP session. And if you pipe session logs to /dev/null, how would someone find it?
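The scheme proposed in the opening post (per-user key generated at signup, wrapped under a password-derived key, only the password hash and ciphertext in the database) and the objection raised just above (something password-derived must sit in server memory for the session) can both be seen in one small model. This is an added example written for this thread, not Bluelight or XenForo code; it uses only the Python standard library, so the OpenPGP layer is replaced by a constructed HMAC-based encrypt-then-MAC stand-in and the asymmetric key pair by a per-user symmetric key (which is why writing to the inbox here also needs the recipient's unwrapped key, where real OpenPGP would only need it for reading). The password never touches the stored record; what the login returns is the unwrapped key the session has to hold.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the OpenPGP layer: HMAC-SHA256 keystream XOR plus an
# HMAC tag (encrypt-then-MAC). Runs offline; a real deployment would use OpenPGP
# or an AEAD such as AES-GCM instead.
def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def kdf(password, salt, purpose):
    # Two independent derivations from one password: one only verifies the login,
    # the other wraps the user's key. Knowing pw_hash does not yield the wrap key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), purpose + salt, 200_000, 32)

def create_account(password):
    """Build the only thing the database holds: salt, password hash, wrapped key, ciphertexts."""
    salt = secrets.token_bytes(16)
    user_key = secrets.token_bytes(32)   # stand-in for the generated PGP private key
    return {"salt": salt,
            "pw_hash": kdf(password, salt, b"auth"),
            "wrapped_key": seal(kdf(password, salt, b"wrap"), user_key),
            "inbox": []}

def login(record, password):
    """Return the unwrapped key; this is what the session must keep while the user is logged in."""
    if not hmac.compare_digest(record["pw_hash"], kdf(password, record["salt"], b"auth")):
        raise PermissionError("wrong password")
    return unseal(kdf(password, record["salt"], b"wrap"), record["wrapped_key"])

def store_pm(record, session_key, text):
    record["inbox"].append(seal(session_key, text.encode()))

def read_inbox(record, session_key):
    return [unseal(session_key, blob).decode() for blob in record["inbox"]]
```

A seized copy of the record alone yields neither the password nor the key; the exposure left over is the unwrapped key in session memory, which is exactly the point being argued above.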
 