Discourse Encrypt - RFC

Hosting includes some official plugins; core just means part of the base Discourse install rather than a plugin.

3 Likes

At the moment we are not planning on including this plugin in the business or standard tier. Once it passes the RFC process and is released as an official plugin it will be available to the enterprise tier.

4 Likes

For V2 we do plan to just show the proper titles and a special icon, I am not sure if we will have time to improve this for V1.

5 Likes

Is it possible to add a plugin to translate in transifex.com?
Decided to test it. It is amazing! :+1:

2 Likes

Is there a means to backfill existing PMs or a plan to? Excellent work :+1:

Not planned even multiple versions out, way too complex since clients would need to work through the data, plus it is pointless due to backups.

1 Like

The demo has no new message button, I can't try it out.

Apologies, had to fiddle with some site settings to decrease trust level required for messaging. Can you try again?

4 Likes

It works now, thank you.

2 Likes

First time I accessed the demo I couldn’t try out sending messages.

Now tried again but … it seems I already had forgotten my passphrase (!)

Does make me think that lack of passphrase recovery is going to be quite an issue for numptys like me.

I do understand the security issues around resetting a passphrase in relation to already encrypted messages. Would it be good to give the option of adding a hint when entering the passphrase for the first time?

3 Likes

imo “hints” are a security issue. They encourage you to use passwords that hints work for and people tend to do “hint : password” followed by “password: password”

Allowing you to download a recovery key though should be added and allowing you to give up on encrypted content and start from scratch should be allowed. We will eventually get there, but need to fix some basics in the protocol first.

3 Likes

I thought he meant UI hints at the time of password (passphrase?) creation about

:warning: Be REALLY careful with this password, if you lose it, you lose access to all your messages!

which I do think makes sense. Because the consequences of forgetting this particular password are severe, we want the language to be pretty scary and a big warning glyph.

9 Likes

@udan11 Thanks for this; truly great. However, I’m getting an error only when enabling it for the admin account that created the instance and who’s also a moderator; not sure if that matters but it’s working on other accounts (admins and non-admins).

  • This is the only thing I get in the UI:

  • No errors on [main_url]/logs

  • What I see in the browser console:
    uncaught exception: [object Event]

  • What I see in rails production.log (seems to be successfully done):
    Processing by DiscourseEncrypt::EncryptController#update_keys as */* Parameters: ...
    Then:
    Completed 200 OK in 29ms (Views: 0.2ms | ActiveRecord: 16.7ms)

I refresh the page and I see that it’s activated for the account but not enabled on the browser although it gets enabled by default on other accounts.
I try to enable it after entering the passphrase, I get that the passphrase is wrong.

Retried all of the above multiple times.
Any idea what could be going wrong? Thanks again!

Alright. I think I identified the issue; the error comes up in Firefox 66 Private Mode. Probably has to do with LocalStorage.

4 Likes

Would it be possible to add U2F auth in the future?

Maybe, we have a big pile of changes first in the pipeline before considering this.

6 Likes

Not seen anything on this for a while - I wonder if there is an estimated time this might move forward from RFC stage? I hope the changes are being worked on by @udan11, or is this shelved?

No, we are actively using this internally.

3 Likes