MyBB Community Forums

Full Version: Database Encryption for user tables...
So I have an idea which may or may not be outside the scope of MyBB but could improve the security of the system.

MyBB should encrypt the user tables (or at least the password, salt, and loginkey parts, maybe encrypt other things like the email address and IP Addresses, or the entire table, or even everything in the database) with a special key (randomly generated by the MyBB Core) that's inserted into the config.php file or the MyBB 2.0 equivalent. 

Normal database calls would obviously not have access to this key and would only get an encrypted blob and not the real value, ONLY the login functions would have access to the key, so if your forum had an SQLi vuln or someone somehow gained database access, it would be useless when trying to access the user account table since each value would be encrypted. 

Maybe a similar system (again with a separate key) could be implemented for private messages.

Obviously for performance reasons the entire database shouldn't be encrypted, only the values with sensitive, non-public information should be.

No Database Encryption Login:
  1. Get login attempt info from user
  2. Check against stored password hash and salt
  3. Accept or Reject Session

Database Encryption Login:
  1. Get login attempt info from user
  2. Decrypt stored password hash and salt and keep in temporary memory
  3. Check against temporary memory
  4. Accept or Reject Session

So what do you think about this idea? It'd provide a little more time for users to get the message so they wouldn't have to worry about the speed they changed their passwords at because the data would be inaccessible to the attacker for at least quite some time. I know it'd be quite a bit of extra development work but it could improve the login system and further protect users. Your thoughts?
The security of password hashing will be significantly improved in MyBB 2.0 (using bcrypt by default) and such encryption should be limited to hashes with salts only (given bcrypt stores them as a single string) as user-related information and IP addresses stored in multiple tables are often accessed for comparison and statistics; it may not be included in the standard package but should be relatively simple to implement.
The session key issue can be solved by storing only a hashed version of it in the database, which should provide enough time for forum administrators to reset them.
I think that passwords should be hashed instead of encrypted in the database. Data should only be encrypted if we need access to the plaintext version. For passwords, we can apply the same hash function to the provided password and compare it to the hashed value from the DB. A hook should be available to use a different hash method without modifying core code.
^ I believe OP is referring to encrypting the data after hashing.
(2016-12-27, 11:01 PM)Josh H. Wrote: ^ I believe OP is referring to encrypting the data after hashing.

Yes, that's what I understood too.

Which is actually something Dropbox do to their passwords, after hashing with bcrypt: https://blogs.dropbox.com/tech/2016/09/h...passwords/

We might consider this, but I'm not sure how much of a benefit it would serve your average forum. Remember that encrypting/decrypting things takes time, and will slow down page loads. Also, users shouldn't really be sending top secret information via PM - they should be using some proper form of secure communication such as Signal or PGP or whatever is considered current best practice at the time.
The other thing is a lot of times sites get compromised via shells, which would give attackers access to the key, nullifying the majority of the benefit of encrypting the data. The only things it partially protects against are SQLi (which there are many better ways of preventing) and DB-only compromise.
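
The "bcrypt first, then encrypt the hash with a key from config.php" idea discussed in the posts above, as an added example that is not part of the thread and not MyBB code. It assumes PHP 7.2+ with the bundled sodium extension; the function names and the `$hashKey` setting are hypothetical, and libsodium's secretbox is chosen here only because the thread names no cipher. As noted above, the key sits on the web server, so this layer only helps when the database alone is exposed.

```php
<?php
// Added illustration; store_password(), check_password() and $hashKey are hypothetical names.

function store_password(string $password, string $hashKey): string
{
    // bcrypt output already carries its salt and cost in a single string.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

    // Fresh random nonce per record, stored in front of the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $blob  = $nonce . sodium_crypto_secretbox($hash, $nonce, $hashKey);

    return base64_encode($blob); // value written to the users table
}

function check_password(string $password, string $stored, string $hashKey): bool
{
    $min  = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    $blob = base64_decode($stored, true);
    if ($blob === false || strlen($blob) < $min) {
        return false; // malformed column value
    }
    $nonce  = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

    // Authenticated decryption: false on a wrong key or a modified column.
    $hash = sodium_crypto_secretbox_open($cipher, $nonce, $hashKey);
    if ($hash === false) {
        return false;
    }
    $ok = password_verify($password, $hash);
    sodium_memzero($hash); // wipe the decrypted hash once it has been used
    return $ok;
}

// Constructed demo values.
$hashKey = sodium_crypto_secretbox_keygen(); // would be generated once at install time
$column  = store_password('correct horse battery staple', $hashKey);

var_dump(check_password('correct horse battery staple', $column, $hashKey));
var_dump(check_password('wrong guess', $column, $hashKey));
// A database dump without the config key cannot even reach the bcrypt string:
var_dump(check_password('correct horse battery staple', $column, sodium_crypto_secretbox_keygen()));
```
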
(2016-12-28, 02:38 AM)Josh H. Wrote: The other thing is a lot of times sites get compromised via shells, which would give attackers access to the key, nullifying the majority of the benefit of encrypting the data. The only things it partially protects against are SQLi (which there are many better ways of preventing) and DB-only compromise.

Better to spend time writing documentation educating administrators how to protect their forums.
(2016-12-27, 11:15 PM)Euan T Wrote:
(2016-12-27, 11:01 PM)Josh H. Wrote: ^ I believe OP is referring to encrypting the data after hashing.

Yes, that's what I understood too.

Which is actually something Dropbox do to their passwords, after hashing with bcrypt: https://blogs.dropbox.com/tech/2016/09/h...passwords/

We might consider this, but I'm not sure how much of a benefit it would serve your average forum. Remember that encrypting/decrypting things takes time, and will slow down page loads. Also, users shouldn't really be sending top secret information via PM - they should be using some proper form of secure communication such as Signal or PGP or whatever is considered current best practice at the time.

Encrypting private messages was just an extra idea. But yeah better password hashing with bcrypt then encrypting the actual hashes to keep things a bit safer. I never said it was a perfect solution but would buy users a bit more time to change their passwords. You can never be too safe.

On the subject of private message encryption, PGP/GPG is always an option, but building in encryption that the site administrators can't crack (i.e. client side pub/priv key encryption) would be awesome, it'd avoid the need for manual key exchanges.

One idea:
* Use https://openpgpjs.org/
* Public Key Stored In Database
* Private Key Stored In Database BUT requires a user set passphrase which would work client side for security reasons.
It'd be reasonably safe maybe give users options like "generate new key pair" and either A) warn the user old messages won't be reasonable OR B) do something similar to the login convert system and convert all private messages to be encrypted with the new key then destroy the old key. Again there are so many awesome ways to do such a thing.
Seems like something better served as a plugin for those extremely security-conscious board owners, because as Euan said, you shouldn't really be using a forum PM system for top-secret messages. But then again it could make MyBB stand out from the crowd as an exceptionally secure option? Do any of the other big forum frameworks support this out of the box right now?
(2017-01-03, 12:53 AM)fizz Wrote: Seems like something better served as a plugin for those extremely security-conscious board owners, because as Euan said, you shouldn't really be using a forum PM system for top-secret messages. But then again it could make MyBB stand out from the crowd as an exceptionally secure option? Do any of the other big forum frameworks support this out of the box right now?

Not that I know of.