Today I saw a disgusting capability: the administrator can read users' private messages without leaving the admin panel.
Also, the administrator can secretly log in to a user's account, bypassing the password and 2FA, to read encrypted messages (Discourse Encrypt).
I suspect that I am not the only one horrified by the administrator's rights, and the position of the Discourse developers is unchanged: users' privacy is worth nothing.
I want to ask: maybe someone has found a solution to this problem, to make the administrator's capabilities more transparent and notify the user that an administrator has logged in to their account or read their PMs?
If I recall, the PM accessibility feature is only available to admins. Mods cannot open other users’ messages. So the simple answer is you only give admin access to those who specifically service and manage the Discourse instance itself. From a technical standpoint, those managing your instance could get access to the PMs from the database itself without generating log entries. As an admin of the site and the server it’s on, the only way to ultimately prevent admins from gaining that level of access is to encrypt the contents with a key they don’t have.
For the level of security you’re looking for, you basically need this:
I haven’t used it (yet), but I believe it generates and stores the keys client-side in a way where they wouldn’t be accessible via the impersonation feature. The key is still stored locally and impersonating shouldn’t provide access to it (as far as I’m aware). This is really the only way to protect the data in the database itself.
Actually, no. You cannot read encrypted messages of other users unless you have their key to decrypt it. Encryption/decryption happens on the client side, not on the server, and encrypted messages are stored encrypted on the server.
The ability of admins to read personal messages is an oft discussed issue and won’t be changed. If you are concerned about privacy and security, then strictly limit who has admin access and only log in as admin yourself when you need to change site settings or download a backup.
You seem to be pretty unhappy with Discourse. It is open source, so you are welcome to use different software.
Are you sure you were looking at encrypted messages? The user has to actually set it up and start using it to send/receive messages. Existing messages created before they do this won’t be encrypted, and they can also still choose to send unencrypted messages.
Sorry to hear it but wish you all the best, and good luck!
I think you are looking at unencrypted messages. The admin would have to know the user's password in order to decrypt the messages, and passwords are stored hashed with PBKDF2, which makes brute-forcing the hashes a costly and lengthy process. The encrypted PM plugin has an expiry function if you need extra privacy. In any case, even if the admin UI didn't have the PM reading option, the messages would still be in the database in cleartext unless the encryption plugin is used.
Open source doesn't mean privacy; I guess you're confusing the terms.