Encrypted PGP Messaging

I basically outlined what I was getting at in my previous post attempting to articulate threat models and messaging models. My last post may have distracted from that.

###TLDR:

1. The social and technical landscape has changed since this thread stopped in 2014.
2. I really like the implementations of PGP notifications by Facebook and the aforementioned WP plugin. Discourse adding that capability would be helpful.
3. I’d also love to be able to use Discourse messaging secured by something like Signal Protocol so I could avoid Facebook Messenger altogether for private conversations with forum users (currently, we end up shifting back and forth).
4. My aesthetic preference for encrypting everything likely does not represent most users.

Email notifications with no content leakage would certainly be less useful, but it would alleviate some of the concerns. Thank you for pointing that out.

I don’t think I have anything further to add.

The way I see it this completely solves “Thread Model 3”

Big Data: User email providers (Gmail, Yahoo!, Microsoft, etc.). Transactional email providers (Mandrill, etc.). Attacks on email in transmission or at rest.

I would only be comfortable solving

Directly in the Discourse mobile app (or whatever packaged desktop app).

Hi there,

I work for a consortium of journalists (ICIJ) that investigates on highly sensitive projects. Most known being the Panama Papers and the Paradise Papers.

I’m about to use Discourse to help our network to coordinate and I wonder if anyone ever come out with solution for encrypted private messaging? Our main concern being: if ever the database get leaked, how can we prevent the attackers to read private messages which could reveal sensitive info about our sources.

With our current forum portal, we already setup a “proxy” service in front of our SMTP that uses GPG to automatically encrypt messages for the known keys. If the key for an email has not been provisioned, the email is not sent.

Thanks a ton!

My suggestion would be to have the actual source info referenced as a general codename – all direct source communication should be through a highly secure medium like Signal.

Derived from

Yeah. Where that document says:

Assume that anything you say on Slack or in Twitter direct messages will one day be public.

Apply that to Discourse as well.

Discourse is trying to be a facilitator for public discussion and doesn’t put a lot of focus on protecting users from the admins.
As a case in point, the re-naming of “private messages” to “personal messages” – the forum admins need to be able to audit PMs for harassment etc without the abusive participant noticing.

Make sure that your journalists know how to go from a codename & document number to the actual document, and that this actually WORKS, so you don’t have people uploading documents to the forum in order to get their work done.

Yes, we already advise them to use Signal, and of course we have many security instructions like the one @riking mentioned. But each investigation involve hundreds of journalists, not all of them are tech savvy and since there is no ways to ensure they follow our recommendations, we must encrypt as many things as possible to lower risks.

The main things to check with regards to “database being leaked”:

• anyone who has admin access to your Discourse can download the DB so limit the number of admins, and perhaps only log in as admin when absolutely required, use a “regular” moderator account typically

• anyone who can log into your hosting server can directly grab the database, so strictly limit and control who has login credentials to your hosting server.

Gotcha, I’ll limit the number of admin, thanks!

So I suppose no one ever implemented OTR in PM then?

C’est un domaine de problèmes très difficile. Je vous recommande VIVEMENT (voire exigez) l’authentification à deux facteurs pour la connexion à votre serveur d’hébergement.

(Nous prenons également en charge l’authentification à deux facteurs dans Discourse, mais les administrateurs peuvent la désactiver en tant qu’outil de support technique.)

We have 3-factors of authentication in fact, using our own SSO.

I’d like to add one point:

• Keep Discourse and the host up to date. As is the case for any complicated software, sometimes, security vulnerabilities surface that could lead to the database being compromised. Assuming you won’t be the target of sophisticated attacks that specifically target you, quickly installing patches can eliminate most of that risk.

The underlying issue is that you can not trust the server if you want truly secure messaging between members.

This means that the software used to encrypt and decrypt stuff should not be sent from the discourse server.

I second what was said here, you want something like keybase or signal for secure comms, you have to invest in training here. Treat the info you have on Discourse as potentially leaked, there are just too many vectors. People hosting the service, web browser caches on local computers running old exploitable operating systems and so on.

If I was pushed hard to come up with something for journalists discussing highly sensitive info that is Discourse I would

1. Host the physical server in my house or somewhere I can see it all the time

2. Use SSL clearly

3. Only have myself as admin

4. Enforce limited user agent support, demand everyone use a very specific browser and only allow that user agent on the site, this browser would not store any cached files on local disk

But… even with all of that … signal/keybase is much better on so many levels

Ce serait formidable s’il existait une superposition AutoCrypt pour Discourse (ou une plateforme de publication asynchrone similaire)

Elle gère la « complexité » de PGP de manière transparente et sécurisée pour l’utilisateur. Son mode « meilleurs efforts » ne rend pas encore suffisamment clair pour l’utilisateur le fait qu’il permet une bascule vers du texte en clair sans configuration explicite de la salle.

Oui, je suis conscient de la différence entre l’échange de clés et une clé publique hors boucle. Cela se ferait sans confiance aveugle.

Non. La 2FA n’a rien à voir avec la gestion d’identité (comme Shibboleth). Faites-vous une allusion oblique à quelque chose que je possède et quelque chose que je connais ? Dans ce cas, fournir la preuve de ce que je possède constituerait, par extension, une identité ?

Vous aurez également besoin de confirmations DANE.

Faites-vous allusion aux comptes « gratuits » ?

C’est ce qu’a fait Movim, raison pour laquelle ils ont abandonné OMEMO pour leur plateforme sociale XMPP.

Un projet GitHub qui mérite réflexion est OverSec. Bien qu’il soit conçu pour Android, quelqu’un pourrait relever le défi pour Android.

–

Je réfléchirai davantage aux modèles de menaces.

AutoCrypt, c’est top ?

La tolérance face aux maux perpétrés contre la vie privée a créé le terrain propice aux menaces actuelles. Je ne sais pas comment résoudre l’indifférence.

En suivant ce raisonnement, je les inviterais à abandonner l’Internet, qui est bien plus obsolète.

L’e-mail, comme XMPP et Matrix, est fédéré.

Amen. Merci.

J’ai désactivé le mode Résumé pour cette raison.

Ils doivent être rééduqués là-dessus, comme pour le blocage des publicités.

Cela nécessite-t-il toujours problématiquement un numéro de mobile ?

Ravivé car c’était le meilleur résultat pour une recherche.

Ce serait peut-être aussi formidable que les gens utilisent davantage la fonction de recherche avant de poster sur un forum public (et/ou qu’ils lisent davantage avant d’écrire).

Je ne suis pas sûr de vous comprendre : prônez-vous plus ou moins de blocage de publicités ?

Oui, les principales recommandations ici sont :

• Installer et utiliser le plugin Discourse Encrypt (très mature, nous l’utilisons en interne)
• Activer « secure media » (attention, cela est extrêmement difficile à configurer)
• Activer « private email » afin qu’aucun contenu ne fuite par e-mail