Forum upgrade: SSL/HTTPS

(Andrew) #1

We (me least of all) have been working on some server upgrades the last few days. I’m happy to report that the forums are much more secure with the implementation of full SSL via Let’s Encrypt. This is a huge step toward securing the privacy of communications and browsing here. I wish it had been done sooner!

(Andrew) #2

I’m not going to suggest spending time on this, but the last source of data leakage is forum emails (notifications, digests, etc.). If anyone has Ruby skills, and spare time, there seems to be some interest in a plugin to reproduce the PGP encryption of outgoing messages that Facebook offers.

In short, it would look something like:

  1. User adds public PGP/GPG key to their forum profile
  2. System encrypts a verification email with that key
  3. If user is able to decrypt the message and click verification link, outgoing PGP is enabled for that user.
  4. System encrypts subsequent outgoing emails to that user.

@Liras @ajprog @mikecharlieuniform
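The four-step opt-in flow above, as an added example that is not code from this thread or from Discourse. It is a small Ruby class (Discourse's language) in which OpenSSL RSA stands in for PGP so it runs on the standard library alone; a real plugin would hand the encryption to GnuPG, and all users, keys and mail bodies here are constructed in memory, nothing is sent.

```ruby
# Added example: PGP opt-in flow for outgoing forum mail, with OpenSSL RSA
# standing in for PGP. Constructed in-memory state only; no mail is sent.
require 'openssl'
require 'securerandom'

class PgpOptIn
  def initialize
    @users = {} # user => { key:, token:, enabled: }
  end

  # Step 1: the user stores a public key. Replacing the key discards any
  # earlier verification, so the new key must prove itself again.
  def add_public_key(user, pem)
    key = OpenSSL::PKey::RSA.new(pem)
    raise ArgumentError, 'public key expected, got private' if key.private?
    @users[user] = { key: key, token: nil, enabled: false }
  end

  # Step 2: the verification mail. Only the ciphertext is sent; the random
  # token stays server-side so the later click can be compared against it.
  def verification_mail(user)
    rec = @users.fetch(user)
    rec[:token] = SecureRandom.hex(16)
    rec[:key].public_encrypt("verify:#{rec[:token]}")
  end

  # Step 3: the user could decrypt the mail and followed the link. Encryption
  # is enabled only on a matching token; the token is consumed either way.
  def confirm(user, presented)
    rec = @users.fetch(user)
    ok = same_token?(rec[:token], presented.to_s)
    rec[:token] = nil
    rec[:enabled] = true if ok
    ok
  end

  # Step 4: later notifications are encrypted only for verified users;
  # everyone else keeps receiving plaintext, as the forum does today.
  def deliver(user, body)
    rec = @users.fetch(user)
    rec[:enabled] ? [:encrypted, rec[:key].public_encrypt(body)] : [:plaintext, body]
  end

  private

  # Constant-time comparison: a mismatch should not leak where it differs.
  def same_token?(expected, presented)
    return false if expected.nil? || expected.bytesize != presented.bytesize
    expected.bytes.zip(presented.bytes).inject(0) { |d, (a, b)| d | (a ^ b) }.zero?
  end
end
```

A wrong or replayed token leaves the user on plaintext and requires a fresh verification mail, which is the behaviour that keeps a user from locking themselves out of notifications with a key they cannot decrypt.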

(Jarosław Wątroba) #3

Sure, can be done. Seems like a cool and not overly difficult challenge… So, to be clear, we are talking about encrypting the emails that members get when someone replies to their threads on these forums, etc., right? Would be no problem for me to do in PHP, but I (almost) never touched Ruby… worth a try though, just one more language. :slight_smile: What is the backend of this forum?

Ah, I use GMail for now, at least as long as I don’t have the address, so I wonder how users would conveniently decrypt the emails… I mean, you’d have to select the text and use a browser plugin or something. Idk if PGP decryption is built into Gmail and there are other hosts as well…

It is a question of whether safety is worth the additional effort of decrypting the messages. We would probably only encrypt our internal posts, right? Or maybe create a special category like “Top Secret” and these would get encrypted?

Or we could write our own epic Feralculture Undercover system from scratch. And this is not a joke, I’ve been doing similar things for organizations for sponsor evidence and gathering… tasks, members, money, etc. We could have communications, custom tools, possibly land and services sharing around the world among FC members… My imagination is running wild, lol :slight_smile: Why not?

P.S.: One last thing: I have a 120GB HDD Linux machine with external IP sitting in NY that I pay for. It is (was) used as a repository for our gamedev projects, but after school pretty much destroyed my studio… well. It’s doing nothing and using my money. Maybe it would be useful here?

(Andrew) #4

The forums are Discourse, which is the site I linked above. I believe the app is Ruby. The cleanest method would be to develop the PGP notifications as a Discourse plugin.

The PGP encryption would probably need to be handled on the server. There is an OpenPGP.js project, and it is actively supported by ProtonMail, but it would likely be a mess to integrate that with Discourse.

Until ProtonMail expands the beta and allows us to add more accounts, their free accounts work the same, and using any valid email (or .ch) should automatically add your account to the secure email group here.

It’s possible to use PGP with gmail, but requires an app (like K-9 on Android) or something else to do the encryption in the browser or app. The reason ProtonMail is gaining popularity is that it’s built in and automatic.