Secure email mode

rfc

(Rafael dos Santos Silva) #1

Continuing the discussion from Very secret info and email notifications:

Definition

“Secure email mode” site setting ensures that no content is leaked to the outside via emails when the site’s content is sensitive.

Use Case

My Forum is safe (HTTPS, secure server) and I use it for discussion of sensitive information. However, participants may use insecure emails and mailing list / notifications / digests will leak sensitive information to outside agents.

Affected Area

  • Digests
  • Mailing List Emails
  • Notification Emails
  • Push Notifications

Proposal

All notifications to outside systems will be replaced by a “dumb” notification:

  • Instead of a standard notification, you will get a mail only saying that there is a new reply for you on the forum.

  • Digests will only have the big numbers section.

  • Mailing list makes no sense in this mode, so I believe we can expect that it will be disabled.


(Jeff Atwood) #2

I would still have comprehensive protection in place; if mailing list does get set, it will contain nothing but “a new post was created, go to the site to look at it”.


(Leo McArdle) #3

How about mailing participants the usual emails but encrypted with PGP, if they’ve uploaded a public key to Discourse?

This is how Bugzilla handles it, without a PGP key:

And with (of course, I use Thunderbird to actually read the decrypted contents of the email):


(Sam Saffron) #4

I think this would be awesome but I worry that it is a bit too ninja for the majority of users.


(Felix Freiberger) #5

PGP support seems like plugin territory to me – but core should at least make it possible for a plugin to keep the content even in secure mode, for exactly this reason :slight_smile:


(Jeff Atwood) #6

We will not be doing anything with PGP in this spec.


(Tobias Eigen) #7

I’m interested in seeing secure email mode implemented.

A single site-wide admin setting to enable/disable secure email mode is a good starting point but perhaps a bit draconian for most sites including ours. We have many users accustomed to using email to participate in discussions and we also have many topics that are public or, if private, not worthy of this level of security. It would be a shame to lose all that - though on the other hand it might also lead to more engagement since people would be forced to start logging in.

Here are some other possible ways to bite this cherry :cherries: for your consideration:

  • user preference - allow users to opt for secure email mode themselves, separately for PMs and posts. This is handy for users who might be feeling paranoid about the security of their own email mailbox and want to control what lands there.
  • category security settings - allow admins to set up secure email mode independently for each category. Then we educate our users on where to put secure correspondence.
  • break out site setting to enable/disable secure email separately for public categories, private categories, and private messages
  • composer - add secure email option directly to the composer, so user can decide to keep a specific message or post secure. (probably overkill)

(Nordize) #8

I’m also very interested in a secure email option (I was redirected here after asking about it in a new thread). I’m a little surprised it wasn’t available, given how feature rich Discourse is :). Other web forum software kind of have this by default, i.e. “there is a new post in thread X” … though I’d like even the thread name to be avoided. Would be happy with just a link to the thread and to the new post.

Also very opposed to anything PGP, unless it’s optional.


(Michael Downey) #9

“Secure email” … isn’t that an oxymoron? :wink:


(Nordize) #10

Just a note for when this is going to be implemented. The URLs should be sanitized too. For example, currently they contain the topic title, which in many cases is revealing; they should be replaced with http://discourse.example.com/t/123/99 for topic id 123, post id 99, which already works fine.

I was looking at changing the email templates to leave only the URLs, but can the above be done currently? Is there a placeholder I can use in the email template that gets me the sanitized url version?


(Jeff Atwood) #11

Excellent point, @falco will keep that in mind as he builds it out.


#12

Not if “Secure email” would mean what I expected when I opened this thread: the ability to upload my S/MIME public key to Discourse and receive encrypted emails in the future. :astonished:

The RFC title should be “Void email mode”. :stuck_out_tongue:


(Jeff Atwood) #13

I’m handing this to @eviltrout so we can try to get something in this week and clear it off the 1.8 #releases list.

I would scale back the requirements a bit:

Perhaps just don’t send digests with secure email mode on, I’m not entirely sure what that would get you. And it’ll be simpler!


(Robin Ward) #14

I’ve just merged in my first attempt at this. I ended up renaming it to private_email instead of secure_email following some feedback from the team. I think the new name works better because it’s about keeping details private rather than actually securing email.

^ oops I just realized the commit message was wrong. The key is private_email despite that message which I cannot update now because our master doesn’t allow force pushes


(Robin Ward) #15

Here are some screenshots of what emails look like when this feature is enabled. Wherever the topic title would normally be shown we show “Topic #ID” instead, and we remove all context posts and excerpts:

Inviting a user to a topic:

Receiving one of the many topic notifications (reply, @mention, etc):

I’d love for people in the community to help us test this on their forums. I should warn you that Discourse has a lot of email templates and it’s possible I missed some, so it should be considered not 100% private until we’ve had some users test it out and report bugs.


(Régis Hanol) #16

I don’t want to scope creep, but they look terrible :frowning:

Here’s an example of what Facebook notification emails look like


(Robin Ward) #17

Part of the problem is the templates they’re based on just don’t look as nice as Facebook’s. I think we’d have to add all new templates to look as nice.


(Tobias Eigen) #18

So to be clear - this new feature functions as described in the OP? It covers all content on the site even topics in public categories?


(Robin Ward) #19

Yes, right now if that setting is enabled all emails will be “privatized”. The links are still to the topics by ID, but the slugs are removed.
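The two transforms discussed in this thread, replacing the topic title with “Topic #ID” (#15, #19) and dropping the slug from notification links (#10), are small enough to show in code. The module below is an added illustration written for this page, not Discourse’s own `private_email` implementation; the `PrivateEmail` module, its method names, and the sample notification hash are hypothetical, and the `leaks?` check is the kind of test a site admin could run over rendered templates when helping to find the templates Robin says he may have missed.

```ruby
require 'uri'

# Hypothetical helper (not Discourse code) that applies the "private email"
# rules described in the thread to a notification before it is sent.
module PrivateEmail
  # Rewrites a Discourse-style topic link such as
  #   http://discourse.example.com/t/my-secret-project/123/99?u=bob
  # into the slug-less form
  #   http://discourse.example.com/t/123/99
  # Non-topic URLs are returned unchanged.
  def self.strip_slug(url)
    uri = URI.parse(url)
    segments = uri.path.split('/').reject(&:empty?)
    return url unless segments.first == 't'

    # Keep only the numeric path segments: topic id, then optional post number.
    # The slug is the non-numeric segment, so it falls away here.
    ids = segments.drop(1).grep(/\A\d+\z/)
    return url if ids.empty?

    uri.path = '/t/' + ids.first(2).join('/')
    uri.query = nil     # query strings can carry context too, drop them
    uri.fragment = nil
    uri.to_s
  end

  # Takes a hash describing a normal notification email and returns the
  # "dumb" version: generic subject, generic body, sanitized link, no excerpt.
  def self.privatize(email)
    topic_id = email.fetch(:topic_id)
    {
      subject: "Topic ##{topic_id}",
      body: 'There is a new reply for you on the forum.',
      url: strip_slug(email.fetch(:url))
    }
  end

  # Template check: does any sensitive string still appear in the rendered
  # email? Useful for testing every template while reporting missed ones.
  def self.leaks?(rendered_email, secrets)
    text = rendered_email.values.join("\n")
    secrets.any? { |s| !s.to_s.empty? && text.include?(s.to_s) }
  end
end

# Constructed sample notification, as it would look before privatizing.
SAMPLE_NOTIFICATION = {
  title: 'Q3 layoffs - do not share',
  topic_id: 123,
  post_number: 99,
  excerpt: 'The board approved cutting 40 positions in Berlin.',
  url: 'http://discourse.example.com/t/q3-layoffs-do-not-share/123/99?u=bob'
}.freeze

# Returns the privatized email for the sample above.
def privatized_sample
  PrivateEmail.privatize(SAMPLE_NOTIFICATION)
end

# Returns true if the privatized sample still contains the title, excerpt or slug.
def sample_leaks?
  PrivateEmail.leaks?(privatized_sample,
                      [SAMPLE_NOTIFICATION[:title],
                       SAMPLE_NOTIFICATION[:excerpt],
                       'q3-layoffs-do-not-share'])
end

if __FILE__ == $PROGRAM_NAME
  puts privatized_sample.inspect
  puts "leaks: #{sample_leaks?}"
end
```

The slug is removed by keeping only numeric path segments rather than by pattern-matching the slug itself, so `/t/123/99` (already slug-less) and `/t/some-slug/123` (no post number) both come out correctly. The `leaks?` check is deliberately crude, a substring search, because the goal is to catch a template that was forgotten, not to prove the output is free of all information.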