Encrypted PGP Messaging

I basically outlined what I was getting at in my previous post attempting to articulate threat models and messaging models. My last post may have distracted from that.

###TLDR:

  1. The social and technical landscape has changed since this thread stopped in 2014.
  2. I really like the implementations of PGP notifications by Facebook and the aforementioned WP plugin. Discourse adding that capability would be helpful.
  3. I’d also love to be able to use Discourse messaging secured by something like Signal Protocol so I could avoid Facebook Messenger altogether for private conversations with forum users (currently, we end up shifting back and forth).
  4. My aesthetic preference for encrypting everything likely does not represent most users.

Email notifications with no content leakage would certainly be less useful, but it would alleviate some of the concerns. Thank you for pointing that out.

I don’t think I have anything further to add.

1 Like

The way I see it this completely solves “Thread Model 3”

Big Data: User email providers (Gmail, Yahoo!, Microsoft, etc.). Transactional email providers (Mandrill, etc.). Attacks on email in transmission or at rest.

I would only be comfortable solving

Directly in the Discourse mobile app (or whatever packaged desktop app).

1 Like

Hi there,

I work for a consortium of journalists (ICIJ) that investigates on highly sensitive projects. Most known being the Panama Papers and the Paradise Papers.

I’m about to use Discourse to help our network to coordinate and I wonder if anyone ever come out with solution for encrypted private messaging? Our main concern being: if ever the database get leaked, how can we prevent the attackers to read private messages which could reveal sensitive info about our sources.

With our current forum portal, we already setup a “proxy” service in front of our SMTP that uses GPG to automatically encrypt messages for the known keys. If the key for an email has not been provisioned, the email is not sent.

Thanks a ton!

4 Likes

My suggestion would be to have the actual source info referenced as a general codename – all direct source communication should be through a highly secure medium like Signal.

https://medium.com/@mshelton/signal-for-beginners-c6b44f76a1f0

Derived from

https://techsolidarity.org/resources/congressional_howto.html

1 Like

Yeah. Where that document says:

Assume that anything you say on Slack or in Twitter direct messages will one day be public.

Apply that to Discourse as well.

Discourse is trying to be a facilitator for public discussion and doesn’t put a lot of focus on protecting users from the admins.
As a case in point, the re-naming of “private messages” to “personal messages” – the forum admins need to be able to audit PMs for harassment etc without the abusive participant noticing.

Make sure that your journalists know how to go from a codename & document number to the actual document, and that this actually WORKS, so you don’t have people uploading documents to the forum in order to get their work done.

2 Likes

Yes, we already advise them to use Signal, and of course we have many security instructions like the one @riking mentioned. But each investigation involve hundreds of journalists, not all of them are tech savvy and since there is no ways to ensure they follow our recommendations, we must encrypt as many things as possible to lower risks.

The main things to check with regards to “database being leaked”:

  • anyone who has admin access to your Discourse can download the DB so limit the number of admins, and perhaps only log in as admin when absolutely required, use a “regular” moderator account typically

  • anyone who can log into your hosting server can directly grab the database, so strictly limit and control who has login credentials to your hosting server.

5 Likes

Gotcha, I’ll limit the number of admin, thanks!

So I suppose no one ever implemented OTR in PM then?

It’s a very difficult problem space. I’d also STRONGLY recommend (require?) two factor auth for your hosting server login.

(We do support two factor auth in Discourse as well, but admins can override that as a technical support tool.)

2 Likes

We have 3-factors of authentication in fact, using our own SSO.

1 Like

I’d like to add one point:

  • Keep Discourse and the host up to date. As is the case for any complicated software, sometimes, security vulnerabilities surface that could lead to the database being compromised. Assuming you won’t be the target of sophisticated attacks that specifically target you, quickly installing patches can eliminate most of that risk.
3 Likes

The underlying issue is that you can not trust the server if you want truly secure messaging between members.

This means that the software used to encrypt and decrypt stuff should not be sent from the discourse server.

I second what was said here, you want something like keybase or signal for secure comms, you have to invest in training here. Treat the info you have on Discourse as potentially leaked, there are just too many vectors. People hosting the service, web browser caches on local computers running old exploitable operating systems and so on.

If I was pushed hard to come up with something for journalists discussing highly sensitive info that is Discourse I would

  1. Host the physical server in my house or somewhere I can see it all the time

  2. Use SSL clearly

  3. Only have myself as admin

  4. Enforce limited user agent support, demand everyone use a very specific browser and only allow that user agent on the site, this browser would not store any cached files on local disk

But… even with all of that … signal/keybase is much better on so many levels

10 Likes

It would be great if there were an AutoCrypt overlay for Discourse (or similar aynchronous posting platform)

https://autocrypt.org/

It manages the “complexity” of PGP transparently for the user in a secure way. It’s ‘best effort’ mode still does not make known well enough to the user this allows fallback to clear text if without an explicit room configuration

Yes, I realize key exchange vs public out of loop. This would be without blind trust.

No. 2FA is nothing like ID management (like shibboleth). Are you obliquely making reference to something I have and something I know? In that providing the proof of something I have is by extension an identity?

You will need also DANE confirmations.

Are you implying ‘free’ accounts?

So did Movim which is why they abandoned OMEMO for their xmpp social web platform.

A github project worth reflecting upon is OverSec. While is is for android someone could pickup the gauntlet for android.

I will give more though to the threat models

AutoCrypt ftw?

Tolerance of the evils perpetrate against privacy have created the ground for the current menaces. I don’t know how solve indifference.

Using this reasoning I would invite them to discontinue using the far more antiquated internet.

Email, like xmpp and matrix, are federated.

Amen. Thank you

I disabled Digest Mode for this reason.

They need to be reeducated on this like adblocking.

Does this still problematically require a mobile number?

necro’d because it was a best match to a search

1 Like

It would maybe also be great if people used more the search function before posting on a public forum (and/or read more before writing).

It’s unclear to me: Are you advocating for more adblocking, or less?

1 Like

Yes, the main recommendations here are

  • Install and use Discourse Encrypt plugin (very mature, we use it internally)
  • Turn on “secure media” (warning, this is extremely difficult to configure)
  • Turn on “private email” so no content leaks via email
2 Likes