Encrypted PGP Messaging

I basically outlined what I was getting at in my previous post attempting to articulate threat models and messaging models. My last post may have distracted from that.

###TLDR:

1. The social and technical landscape has changed since this thread stopped in 2014.
2. I really like the implementations of PGP notifications by Facebook and the aforementioned WP plugin. Discourse adding that capability would be helpful.
3. I’d also love to be able to use Discourse messaging secured by something like Signal Protocol so I could avoid Facebook Messenger altogether for private conversations with forum users (currently, we end up shifting back and forth).
4. My aesthetic preference for encrypting everything likely does not represent most users.

Email notifications with no content leakage would certainly be less useful, but it would alleviate some of the concerns. Thank you for pointing that out.

I don’t think I have anything further to add.

The way I see it this completely solves “Thread Model 3”

Big Data: User email providers (Gmail, Yahoo!, Microsoft, etc.). Transactional email providers (Mandrill, etc.). Attacks on email in transmission or at rest.

I would only be comfortable solving

Directly in the Discourse mobile app (or whatever packaged desktop app).

Hi there,

I work for a consortium of journalists (ICIJ) that investigates on highly sensitive projects. Most known being the Panama Papers and the Paradise Papers.

I’m about to use Discourse to help our network to coordinate and I wonder if anyone ever come out with solution for encrypted private messaging? Our main concern being: if ever the database get leaked, how can we prevent the attackers to read private messages which could reveal sensitive info about our sources.

With our current forum portal, we already setup a “proxy” service in front of our SMTP that uses GPG to automatically encrypt messages for the known keys. If the key for an email has not been provisioned, the email is not sent.

Thanks a ton!

My suggestion would be to have the actual source info referenced as a general codename – all direct source communication should be through a highly secure medium like Signal.

Derived from

Yeah. Where that document says:

Assume that anything you say on Slack or in Twitter direct messages will one day be public.

Apply that to Discourse as well.

Discourse is trying to be a facilitator for public discussion and doesn’t put a lot of focus on protecting users from the admins.
As a case in point, the re-naming of “private messages” to “personal messages” – the forum admins need to be able to audit PMs for harassment etc without the abusive participant noticing.

Make sure that your journalists know how to go from a codename & document number to the actual document, and that this actually WORKS, so you don’t have people uploading documents to the forum in order to get their work done.

Yes, we already advise them to use Signal, and of course we have many security instructions like the one @riking mentioned. But each investigation involve hundreds of journalists, not all of them are tech savvy and since there is no ways to ensure they follow our recommendations, we must encrypt as many things as possible to lower risks.

The main things to check with regards to “database being leaked”:

• anyone who has admin access to your Discourse can download the DB so limit the number of admins, and perhaps only log in as admin when absolutely required, use a “regular” moderator account typically

• anyone who can log into your hosting server can directly grab the database, so strictly limit and control who has login credentials to your hosting server.

Gotcha, I’ll limit the number of admin, thanks!

So I suppose no one ever implemented OTR in PM then?

It’s a very difficult problem space. I’d also STRONGLY recommend (require?) two factor auth for your hosting server login.

(We do support two factor auth in Discourse as well, but admins can override that as a technical support tool.)

We have 3-factors of authentication in fact, using our own SSO.

I’d like to add one point:

• Keep Discourse and the host up to date. As is the case for any complicated software, sometimes, security vulnerabilities surface that could lead to the database being compromised. Assuming you won’t be the target of sophisticated attacks that specifically target you, quickly installing patches can eliminate most of that risk.

The underlying issue is that you can not trust the server if you want truly secure messaging between members.

This means that the software used to encrypt and decrypt stuff should not be sent from the discourse server.

I second what was said here, you want something like keybase or signal for secure comms, you have to invest in training here. Treat the info you have on Discourse as potentially leaked, there are just too many vectors. People hosting the service, web browser caches on local computers running old exploitable operating systems and so on.

If I was pushed hard to come up with something for journalists discussing highly sensitive info that is Discourse I would

1. Host the physical server in my house or somewhere I can see it all the time

2. Use SSL clearly

3. Only have myself as admin

4. Enforce limited user agent support, demand everyone use a very specific browser and only allow that user agent on the site, this browser would not store any cached files on local disk

But… even with all of that … signal/keybase is much better on so many levels

Seria ótimo se houvesse uma sobreposição AutoCrypt para o Discourse (ou uma plataforma de postagem assíncrona similar)

Ela gerencia a “complexidade” do PGP de forma transparente para o usuário, de maneira segura. O modo de “melhor esforço” ainda não torna claro o suficiente para o usuário que isso permite a volta ao texto simples sem uma configuração explícita da sala.

Sim, eu sei sobre a troca de chaves versus pública fora do loop. Isso seria sem confiança cega.

Não. A 2FA não tem nada a ver com gerenciamento de identidade (como o Shibboleth). Você está fazendo uma referência velada a algo que tenho e algo que sei? Nesse caso, fornecer a prova de algo que tenho seria, por extensão, uma identidade?

Você também precisará de confirmações DANE.

Você está insinuando contas “gratuitas”?

O Movim também fez isso, e é por isso que abandonaram o OMEMO para sua plataforma social web XMPP.

Um projeto no GitHub que vale a pena refletir é o OverSec. Embora seja para Android, alguém poderia pegar a bola e continuar para Android.

–

Vou dar mais atenção aos modelos de ameaça.

AutoCrypt ftw?

A tolerância aos males perpetrados contra a privacidade criou o terreno para as ameaças atuais. Não sei como resolver a indiferença.

Usando esse raciocínio, eu os convidaria a deixar de usar a internet, que é muito mais antiquada.

O e-mail, assim como o XMPP e o Matrix, é federado.

Amém. Obrigado.

Desativei o Modo de Resumo por esse motivo.

Eles precisam ser reeducados sobre isso, assim como com o bloqueio de anúncios.

Isso ainda requer problemáticamente um número de celular?

Revivi o tópico porque era a melhor correspondência para uma busca.

Talvez também seria ótimo se as pessoas usassem mais a função de pesquisa antes de postar em um fórum público (e/ou lessem mais antes de escrever).

Não está claro para mim: você está defendendo mais ou menos bloqueio de anúncios?

Sim, as principais recomendações aqui são:

• Instale e use o plugin Discourse Encrypt (muito maduro, usamos internamente)
• Ative “mídia segura” (aviso: isso é extremamente difícil de configurar)
• Ative “e-mail privado” para que nenhum conteúdo vaze por e-mail