
PMs and Security

Comments

  • Registered Users Posts: 10,455 ✭✭✭✭28064212


    Soooo... bump?

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, and dark mode). Now available through the extension stores

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 60,071 Mod ✭✭✭✭Wibbs


    No doubt far better minds will come along in due course to explain the whys, but from what I gather PMs are buried pretty deep in Boards security. Admin-level access can't read them unless they're reported by the receiver. So even if you "hacked" an Admin account you couldn't read PMs. The Boards founders were pretty clear about that. DeVore was very clear about that from very early on. "Don't be a dick" and "Private messages are private" were the major tenets of the place. Even he couldn't read them. Yes, they are readable; everything is online if you have enough access and time. However, that would require more involvement of the techy team and a court order to have it happen. IMHO one area of Boards.ie where I really wouldn't worry for a moment is the PM system. And that's pretty damned unusual in online forums.

    Rejoice in the awareness of feeling stupid, for that’s how you end up learning new things. If you’re not aware you’re stupid, you probably are.



  • Registered Users Posts: 10,455 ✭✭✭✭28064212


    That's after it gets to boards' system. However, they're sent to boards in plaintext, as far as I can tell, which makes it pretty trivial to capture




  • Closed Accounts Posts: 4,981 ✭✭✭KomradeBishop


    Ya, being sent over HTTP is very easy to capture at ISP level (or on any other hop on the way to Boards; the same goes for all email, so if you have email notification of PMs on, you leak it that way too, and we know for sure the NSA has your PMs this way at least ;)). Given this country's history of illegal wiretapping (and worldwide precedent for the same), it's worth being cynical, and it would take hardly any effort at all to set up a small script to capture them all.

    If Boards is ever hacked in the future, to the point that the database can be accessed, then pretty much all past PMs would be accessible.

    Also, Boards is part of a parent company/set of companies, and it can change ownership in the future, and your records on Boards are permanent (unless you delete your account, as far as I know).
    While it may seem unlikely for Boards to change hands any time in, say, the next decade, long-term it could change hands, and then the database could come into the hands of some not-so-scrupulous folk who could do pretty much anything with the sitewide PM history (e.g. a disgruntled worker in this possible future company could take the database and then sell it for money, where it could become completely public as it spreads).


    So ya, in my opinion it's not smart to treat PMs as truly private (not for anything important anyway). As I said above, it's known with certainty that emails are hoovered up by intelligence agencies worldwide, so if you have PM notification emails on, they are already all leaked.


  • Registered Users Posts: 10,455 ✭✭✭✭28064212


    Again, that's kind of missing my point. If you're sending PMs using Boards, it's assumed that you trust Boards with that information. Talking about the database being hacked or Boards being sold is off-topic. And I'm not even going near the NSA stuff.

    The specific thing I'm concerned about is the fact that PMs are transmitted to Boards in plaintext over HTTP. That means that for anyone on the same network as you, it is incredibly trivial to obtain the contents of the PM, which is particularly concerning given that many of the Talk To forums use the PM system to request personal information.

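
    The "trivial to obtain" point above, as an added example that is not part of the original thread and not boards.ie's code: this parses one plaintext HTTP POST exactly as a passive observer on the same network (or any hop to the server) would see it and pulls out the form fields and the session cookie. The capture, host, path, cookie and field names are constructed for the example and are not the real boards.ie endpoints or parameters.

```python
"""Parse a plaintext HTTP POST the way a passive sniffer on the same network
would see it, and pull out the form fields (the PM body) and the session cookie."""
from __future__ import annotations
from urllib.parse import parse_qs

# Constructed sample capture. The host, path, cookie and field names are
# hypothetical and are NOT boards.ie's real endpoints or parameters.
_BODY = b"recipients=support&title=Account+query&message=My+phone+number+is+0851234567"
_HEAD = (
    b"POST /private.php?do=insertpm HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Cookie: sessionid=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
)
CAPTURED_REQUEST = _HEAD + b"Content-Length: %d\r\n\r\n" % len(_BODY) + _BODY


def parse_http_request(raw: bytes) -> tuple[dict, dict, bytes]:
    """Split one HTTP/1.1 request into (request-line fields, headers, body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so the bytes of a following pipelined request are
    # not mistaken for part of this body.
    length = int(headers.get("content-length", len(rest)))
    return {"method": method, "target": target, "version": version}, headers, rest[:length]


def extract_form_fields(raw: bytes) -> dict[str, str]:
    """Decoded form fields of a urlencoded POST; {} for anything else."""
    req, headers, body = parse_http_request(raw)
    if req["method"] != "POST":
        return {}
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def leaked_to_sniffer(raw: bytes) -> dict[str, str]:
    """Everything the observer gets for free: the PM fields plus the session
    cookie, which is enough to act as the victim until the session expires."""
    _, headers, _ = parse_http_request(raw)
    found = extract_form_fields(raw)
    if "cookie" in headers:
        found["cookie"] = headers["cookie"]
    return found


if __name__ == "__main__":
    for name, value in leaked_to_sniffer(CAPTURED_REQUEST).items():
        print(f"{name}: {value}")
```

    The same capture taken from an HTTPS connection would contain only TLS records, so this parser would find no request line, no headers and no body; that is the whole difference the HTTPS move discussed later in the thread makes. Note that the cookie leaks as well as the message, so the observer does not just read one PM, they can open the inbox.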



  • Moderators, Category Moderators, Entertainment Moderators, Sports Moderators Posts: 22,584 CMod ✭✭✭✭Steve


    100 years ago, telephone operators could 'intercept' your details. Post office employees could read through the thin paper envelopes and see your private stuff.
    Then came cell phones... guess what, they could be listened to as well.
    It won't be long before we're complaining about how easy it is to intercept HTTPS, and if all websites haven't progressed to quantum encryption then they shouldn't be used.

    Moral: Don't post stuff on the internet if you are that paranoid. :)


  • Closed Accounts Posts: 8,840 ✭✭✭Dav


    Hey there,

    I'm really sorry I missed this one, so apologies for that.

    So, the big question - is your data vulnerable? I could try and be all clever and wrangle my words to say "of course not!" but that wouldn't be completely true. As it's being sent via HTTP then yes, it is vulnerable to an attack. Just like email. Just like *anything* being transmitted anywhere that isn't using an encrypted transmission (and even then, it's not bulletproof).

    Does this concern us? Well of course it does - your data being safe and secure is always a huge priority for us. So, with that in mind, in 2010 we set out to have the process reviewed by the Data Commissioner's office after they were done with their audit post hack. We explained exactly how the system works and what it would be used for in relation to Talk To forums and Verified Reps and they were happy with it. Similarly, the companies who use it are also satisfied with our security - they're mega corporations with significant internal data security resources who have the power to veto such activities if they feel anything is at risk.

    What are we going to do about it? Well, the tech team are currently looking at what's involved in moving all PM traffic to HTTPS. I have no time frame for this as a project, but it's something we'd certainly prefer to do as it adds one more layer of security onto our platform.

    I hope that helps and again, I'm sorry I missed this question when you first posted it.


  • Registered Users Posts: 81,585 ✭✭✭✭Overheal


    Considering that there is software on the web that can effectively download an entire website - just grab everything from the .com that is public access - it's kind of a thing. If you store racy photos on your personal domain in a folder that's not quite on your normal sitemap, programs can still sniff around and find it - those images could (if my understanding is right) potentially end up on google's crawler. Just for instance.


  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,047 CMod ✭✭✭✭Spear


    Google (as in this specific example) will obey the robots.txt:

    http://www.boards.ie/robots.txt


  • Moderators, Category Moderators, Motoring & Transport Moderators Posts: 21,238 CMod ✭✭✭✭Eoin


    Dav wrote: »
    Does this concern us? Well of course it does - your data being safe and secure is always a huge priority for us. So, with that in mind, in 2010 we set out to have the process reviewed by the Data Commissioner's office after they were done with their audit post hack. We explained exactly how the system works and what it would be used for in relation to Talk To forums and Verified Reps and they were happy with it. Similarly, the companies who use it are also satisfied with our security - they're mega corporations with significant internal data security resources who have the power to veto such activities if they feel anything is at risk.

    Out of curiosity, do any of those agencies/companies audit how the data is sent to you, or is it just its security after it reaches you?

    I know that you've said you're going to look at implementing SSL for PMs, but I think a few people have confused the security of the data after it's stored here, with its transmission in the first place.


  • Closed Accounts Posts: 8,840 ✭✭✭Dav


    Overheal wrote: »
    Considering that there is software on the web that can effectively download an entire website - just grab everything from the .com that is public access - it's kind of a thing. If you store racy photos on your personal domain in a folder that's not quite on your normal sitemap, programs can still sniff around and find it - those images could (if my understanding is right) potentially end up on google's crawler. Just for instance.
    Yes, but I'm not sure how that's relevant to this discussion.
    Eoin wrote: »
    Out of curiosity, do any of those agencies/companies audit how the data is sent to you, or is it just its security after it reaches you?

    I know that you've said you're going to look at implementing SSL for PMs, but I think a few people have confused the security of the data after it's stored here, with its transmission in the first place.
    Yeah, the path to and from has been looked at. As the PM system is all internal and purely PHP- and DB-driven, the only real worries are in the "transmit from Boards servers to your ISP and then on to you" part of the process.

    On your second point, yes, I don't think people quite get that this has absolutely nothing to do with how things are stored on our database.


  • Registered Users Posts: 81,585 ✭✭✭✭Overheal


    Dav wrote: »
    Yes, but I'm not sure how that's relevant to this discussion.
    Could PMs be downloaded in such a manner if they're sent in the clear?


  • Moderators, Category Moderators, Motoring & Transport Moderators Posts: 21,238 CMod ✭✭✭✭Eoin


    No, they're not static files like images are. Otherwise the contents of private forums, like the moderator forum, could be accessed by google etc.

    The potential issue here is that when you send a PM, while it's being sent to boards.ie, it is not encrypted. So it is possible for someone to intercept that traffic between you and boards.ie. When it reaches boards.ie and is stored in the database, it's not accessible in the manner you're describing.


  • Technology & Internet Moderators Posts: 28,791 Mod ✭✭✭✭oscarBravo


    Overheal wrote: »
    Could PMs be downloaded in such a manner if they're sent in the clear?
    No. PMs are only accessible to the logged-in account of the sender or the recipient. Neither Google's nor anyone else's web crawler can log in as either you or the recipient, so there's no way for them to access private messages.
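
    Spear's robots.txt point and oscarBravo's login point above are two different gates, and the following added example (not part of the thread, not boards.ie's code) runs a simulated crawl through both. The robots.txt text, the site map and the paths are constructed for the example; the real boards.ie robots.txt is the one linked above. A polite crawler never requests disallowed paths; a scraper that ignores robots.txt still gets nothing from login-only pages, because the server answers with a redirect to login instead of the content.

```python
"""Two separate gates decide what a crawler gets: robots.txt, which is a
request that well-behaved crawlers such as Googlebot honour, and the login
check, which the server enforces on everyone. Constructed site and
robots.txt; the paths are hypothetical, not boards.ie's."""
from __future__ import annotations
import re
from urllib.robotparser import RobotFileParser

SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /private.php
Disallow: /admin/
"""

# path -> (requires_login, body)
SAMPLE_SITE = {
    "/": (False, '<a href="/forums/">forums</a> <a href="/private.php">PMs</a> <a href="/admin/">mod forum</a>'),
    "/forums/": (False, "public threads, indexable"),
    "/private.php": (True, "inbox: the logged-in user's PMs"),
    "/admin/": (True, "moderator forum"),
}


def robots_allows(robots_txt: str, user_agent: str, path: str) -> bool:
    """What a polite crawler asks before fetching a path."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(user_agent, path)


def fetch(site: dict, path: str, logged_in: bool = False) -> tuple[int, str]:
    """Server side. Login-only pages redirect anonymous clients to /login,
    so the body never leaves the server without a valid session."""
    if path not in site:
        return 404, ""
    requires_login, body = site[path]
    if requires_login and not logged_in:
        return 302, ""  # a real response would carry Location: /login
    return 200, body


def crawl(site: dict, robots_txt: str, user_agent: str,
          obey_robots: bool = True) -> dict[str, tuple[int, str]]:
    """Anonymous breadth-first crawl from '/'. Returns {path: (status, body)}
    for every request the crawler actually sent."""
    seen: set[str] = set()
    queue = ["/"]
    results: dict[str, tuple[int, str]] = {}
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        if obey_robots and not robots_allows(robots_txt, user_agent, path):
            continue  # polite crawler: never even sends the request
        status, body = fetch(site, path)
        results[path] = (status, body)
        queue.extend(re.findall(r'href="([^"]+)"', body))
    return results


if __name__ == "__main__":
    print("Googlebot:", crawl(SAMPLE_SITE, SAMPLE_ROBOTS_TXT, "Googlebot"))
    print("rude scraper:", crawl(SAMPLE_SITE, SAMPLE_ROBOTS_TXT, "RudeScraper/1.0", obey_robots=False))
```

    The robots.txt gate only ever reduces traffic from crawlers that choose to read it; it is not what keeps PMs or the moderator forum private. The login gate is, and it applies to the scraper exactly as it applies to Googlebot.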


  • Closed Accounts Posts: 8,840 ✭✭✭Dav


    Jebus, I'm not trying to single you out or anything Overheal, but is that really how people think the site works? :eek:

    PM content in our database CANNOT be accessed through our platform without login credentials. Not ever. I can't read your email without your username and password, why would PMs be any different?
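
    The rule Dav and oscarBravo describe (a PM is readable only by the logged-in sender or recipient) looks like the following in code. This is an added illustration, not boards.ie's code or database layout; the table, column names and sample rows are constructed for the example. It also shows the failure mode a practitioner checks for when a site makes this promise: a lookup by message id alone, which lets any logged-in account read anyone's PMs by guessing ids.

```python
"""Server-side authorisation for a PM store: a message is readable only by
the account that sent it or the account that received it. Constructed
schema and rows; this is not boards.ie's code or database layout."""
from __future__ import annotations
import sqlite3

COLUMNS = ("id", "sender_id", "recipient_id", "title", "body")


class Forbidden(Exception):
    """Requesting account is neither sender nor recipient (or the PM does not exist)."""


def open_store() -> sqlite3.Connection:
    """In-memory PM table with three sample messages between accounts 100, 200 and 300."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE pm (id INTEGER PRIMARY KEY, sender_id INTEGER NOT NULL, "
        "recipient_id INTEGER NOT NULL, title TEXT, body TEXT)")
    db.executemany("INSERT INTO pm VALUES (?, ?, ?, ?, ?)", [
        (1, 100, 200, "hello", "sent by 100 to 200"),
        (2, 300, 100, "re: order", "sent by 300 to 100"),
        (3, 200, 300, "between others", "sent by 200 to 300"),
    ])
    return db


def read_pm(db: sqlite3.Connection, requester_id: int, pm_id: int) -> dict:
    """Fetch one PM. The party check is part of the query itself, so there is
    no code path that loads the row first and then forgets to check."""
    row = db.execute(
        "SELECT id, sender_id, recipient_id, title, body FROM pm "
        "WHERE id = ? AND (sender_id = ? OR recipient_id = ?)",
        (pm_id, requester_id, requester_id)).fetchone()
    if row is None:
        # Same error whether the PM is someone else's or does not exist at all,
        # so a caller cannot use the difference to enumerate valid ids.
        raise Forbidden(f"account {requester_id} may not read pm {pm_id}")
    return dict(zip(COLUMNS, row))


def read_pm_insecure(db: sqlite3.Connection, requester_id: int, pm_id: int) -> dict | None:
    """The classic mistake (an insecure direct object reference): look the PM up
    by id only and trust that the caller took the id from their own inbox page.
    requester_id is accepted but never used, so any login reads any PM."""
    row = db.execute(
        "SELECT id, sender_id, recipient_id, title, body FROM pm WHERE id = ?",
        (pm_id,)).fetchone()
    return dict(zip(COLUMNS, row)) if row else None


def can_read(db: sqlite3.Connection, requester_id: int, pm_id: int) -> bool:
    """Boolean form of read_pm for callers that only need a yes/no."""
    try:
        read_pm(db, requester_id, pm_id)
        return True
    except Forbidden:
        return False


def inbox(db: sqlite3.Connection, requester_id: int) -> list[int]:
    """Ids of the PMs the account received, in arrival order."""
    rows = db.execute(
        "SELECT id FROM pm WHERE recipient_id = ? ORDER BY id", (requester_id,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    store = open_store()
    print("100 reads pm 3 (secure):", can_read(store, 100, 3))
    print("100 reads pm 3 (insecure):", read_pm_insecure(store, 100, 3))
```

    The point of putting the sender/recipient condition in the WHERE clause rather than in a later `if` is that every caller gets the check for free; an admin account goes through the same function and gets the same refusal, which is what Wibbs describes earlier in the thread.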


  • Registered Users Posts: 81,585 ✭✭✭✭Overheal


    Dav wrote: »
    Jebus, I'm not trying to single you out or anything Overheal, but is that really how people think the site works? :eek:

    [image: Sad_Kitten_Is_Sad.jpg]


  • Registered Users Posts: 15,127 ✭✭✭✭kerry4sam


    Dav wrote: »
    Jebus, I'm not trying to single you out or anything Overheal, but is that really how people think the site works? :eek:

    PM content in our database CANNOT be accessed through our platform without login credentials. Not ever. I can't read your email without your username and password, why would PMs be any different?

    I think every day is a school day on here tbh and it's threads like this that assist users in understanding how it all operates :)

    Imo anywhoo,
    Thanks,
    kerry4sam


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Dav wrote: »
    Does this concern us? Well of course it does - your data being safe and secure is always a huge priority for us. So, with that in mind, in 2010 we set out to have the process reviewed by the Data Commissioner's office after they were done with their audit post hack. We explained exactly how the system works and what it would be used for in relation to Talk To forums and Verified Reps and they were happy with it.
    Is that not like explaining how to service a car to a 3 year old?
    Dav wrote: »
    Similarly, the companies who use it are also satisfied with our security - they're mega corporations with significant internal data security resources who have the power to veto such activities if they feel anything is at risk.
    Hope they're not all like Eircom.

