Would it be possible to encrypt PM's? If so, which (of anything) out of the following would that give?
1) Encryption against account intruders.
2) Encryption against outside attackers.
3) Encryption against the administrator.
4) Encryption against the hosting provider.
Curious to know which of those would be possible.
PGP. It's already possible, just encrypt a message, send it, and have the recipient decrypt it offline. All you'd need to do is create a new custom profile field for a public key. If you want to force users to use PGP over PMs then you'd need a custom system to validate the profile field and validate the contents of the PM. It's probably better to just say "hey, here's how you can encrypt messages, don't send anything in plaintext you wouldn't want your family to read".
(2016-09-17, 11:23 PM)Nathan Malcolm Wrote: [ -> ]PGP. It's already possible, just encrypt a message, send it, and have the recipient decrypt it offline. All you'd need to do is create a new custom profile field for a public key. If you want to force users to use PGP over PMs then you'd need a custom system to validate the profile field and validate the contents of the PM. It's probably better to just say "hey, here's how you can encrypt messages, don't send anything in plaintext you wouldn't want your family to read".
I think I'll try to figure out how to create a PM button that opens a new PM to that user, with that user's PGP code already in the text editor.
How would the receiver decrypt after receipt? I know how PGP works but would like to keep everything within mybb.
The setup I mentioned means you never handle any private keys. If you want your users to be able to decrypt messages automatically they'll need to give you their private keys, which is a bad idea from the start. If you want a system where you can't read their messages, your host can't read their messages, and any attackers can't read their messages, then the setup I mentioned is what you need.
PGP isn't something realistic to use on your board. At a recent hacking conference, the crowd was asked if they encrypt their emails (by PGP) almost all of them said no! Why? Because it's too complicated.
Doesn't MyBB encrypt and decrypt private messages with Mcrypt*? Swear I remember reading over a line of code that said something like that.
If you can figure out how to even create a key, that's more than 99% of our worlds population has done with encryption. PGP is the most powerful encryption tool ever built.
Quote:Doesn't MyBB encrypt and decrypt private messages with MD5? Swear I remember reading over a line of code that said something like that.
Bcrypt would be your best option for user privacy, although I like to look at Reddit as a standard right now and I don't believe they use Bcrypt for PM's. Rather MD5.
You're confusing encryption and hashing. Passwords are hashed one-way. They can't be decrypted. You take the password supplied by the user on login, hash it, and compare it to the one in the database.
If you encrypt something it can be decrypted. If it's a hashing algorithm it's one way.
Both MyBB and Reddit store messages in plaintext.
(2016-09-18, 04:50 AM)Nathan Malcolm Wrote: [ -> ]Quote:Doesn't MyBB encrypt and decrypt private messages with MD5? Swear I remember reading over a line of code that said something like that.
Bcrypt would be your best option for user privacy, although I like to look at Reddit as a standard right now and I don't believe they use Bcrypt for PM's. Rather MD5.
You're confusing encryption and hashing. Passwords are hashed one-way. They can't be decrypted. You take the password supplied by the user on login, hash it, and compare it to the one in the database.
If you encrypt something it can be decrypted. If it's a hashing algorithm it's one way.
Both MyBB and Reddit store messages in plaintext.
No, you're confused. I'm talking about private messages here. You can also encapsulate and decrypt strings in MD5, and I believe MyBB does this.
(2016-09-19, 05:16 AM)alfred702 Wrote: [ -> ]No, you're confused. I'm talking about private messages here. You can also encapsulate and decrypt strings in MD5, and I believe MyBB does this.
Ha. Gonna print this off and frame it. I hope you're never tasked to develop anything critical.
You're clueless.
How come can you "decrypt" a hashed string? Also, in a world where hashing can be reversed, that string would miss pieces since hashing leads to data loss anyway.
Hashing is not the same as encrypting.