Very secret info and email notifications

(Alexander Logger) #1

I have a private forum with confidential information which must be stored only on our own server and should not pass to any other systems like gmail, etc. via email notifications. How can I configure email notifications so that they do not include any info from the forum, except for the number of new posts/mentions, etc.?

Secure email mode
(Jeff Atwood) #2

You should be able to do this via admin/customize/email_templates, simply remove the %{message} / %{topic_title} and replace with something like:

posts are private; to view this reply, visit the site.

Looking at the email templates the big ones are:

  • User Invited to PM
  • User Invited to Topic
  • User Linked
  • User Mentioned
  • User Posted
  • User Posted PM
  • User Quoted
  • User Replied

@neil it might be easier to have a conditional site setting here that suppresses %{message} and %{topic_title} – can you add that to your list?

I do think this matters, for sites that are covering sensitive info, for political reasons or anything else. If post content leaks out through people’s random not-so-secure email services, that defeats a lot of the security of being a private site over HTTPS.

(Jeff Atwood) #7

Not leaking posts into email is quite important for some sites:

(Alexander Logger) #8

Just thought, how about encrypting and signing emails with PGP? A user can set their own public PGP key in a profile and can download and trust the server’s public key. Though PGP doesn’t have forward secrecy, and it doesn’t have plausible deniability.

(Jeff Atwood) #9

And you can ensure every single person on the site is using this onerous and complex – not to mention error prone – email setup process how, exactly?

(Alexander Logger) #10

No need to ensure that every single person on the site is using it; due to security settings, Discourse should send private info only to those who added a public key. BTW, there is also S/MIME.

It is as simple as two short commands:

gpg --gen-key
gpg --armor --export "John Doe"

or simple UI form:

Do you really think it is onerous and complex to create a key pair in one window, export the public key and add it to a user’s profile settings?

It is so simple that anyone can even generate a new PGP key every day (with expiration in 1 day (not mandatory)) and delete the old one to ensure perfect forward secrecy. It can be done even automatically with a script added to an OS scheduler. A newly generated public key is sent to Discourse via the API. :allthethings:

It is better than nothing for those users who want to receive email notifications from a private discourse site.

(Jeff Atwood) #11

I think you are literally delusional if you believe this highly complex, fragile setup can be guaranteed across all users’ email at all times.

(Alexander Logger) #12

Not sure I understand what you mean by “highly complex and fragile”; as a user of gpg I see a simple system, and don’t see where it is fragile. Can you describe it, please?

(Régis Hanol) #13

Do your parents and grand-parents use GPG? If not, have them try and you’ll get the gist of it :wink:

(Tobias Eigen) #14

So glad this conversation is taking place. We’re actually facing a potentially dangerous situation for one of our members and are seeing the need for an extra level of precaution, so this is timely for us. Thank you discourse! :seedling:

Generally, I approve of the way discourse uses email for transactional notifications and day-to-day, low-security engagement with the community. These don’t need to be encrypted or secure. They can and should continue to be sent in full by email, and contain meaningful context so people know what’s going on before they even log into discourse. I feel good about this, knowing that everyone expects these to be low-security.

Occasionally though there will be moments when users need to know that the message they are sending will not be transmitted by email but only accessible via discourse. Would it be feasible to create an admin enable-able “secure” feature similar to whisper, perhaps with a padlock icon to indicate security? When selected, the message would not be sent in full but rather a generic notification would be sent explaining that something is waiting for them. Like whispers, any replies to secure messages would also be sent securely and trigger similar generic notifications instead of the actual message. A warning would be provided that site admins can still read secure messages. It could also be enabled on a category-basis to provide secure discussions in private categories.

I realize these generic notifications will look suspiciously like spam/phishing a la linkedin messaging, but in combination with user education and additional contacts via other means this can work quite well. It would be used only in rare, extraordinary circumstances and only be available on sites that enable it.

Another (or additional) feature that would help is a secure messaging option in user settings, again as an admin-enabled feature. If selected, the user would only ever get generic notifications by email about pending messages. That way if they suspect their own email is being monitored they can still communicate with a reasonable level of confidence.

Oh, and FWIW I completely agree with this sentiment. GPG is impossible to rely on in our global community where we have people contributing from a wide variety of contexts (many languages, many cultural contexts, many skill levels, many types of devices and mostly mobile etc) and it would be a huge challenge to get them on GPG to help them communicate reasonably securely. I think that ship has sailed.
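As an added example, not code from this thread or from Discourse itself, here is how the template edit suggested in #2 and the generic notification Tobias describes above can be modelled: placeholders that carry post content are replaced with a fixed notice, and an outbound check confirms nothing from the post or topic title survived into the rendered email. Discourse templates use Ruby I18n %{placeholder} interpolation; the placeholder set, the sample template and the sample values are assumptions for illustration.

```ruby
# Added example, not Discourse's own code. Discourse templates use Ruby I18n
# %{placeholder} interpolation; the placeholder set, sample template and
# values below are assumptions for illustration.

# Placeholders whose values are forum content and must not leave the server.
PRIVATE_PLACEHOLDERS = %w[message topic_title].freeze

# Wording suggested in the thread for the stripped placeholders.
PRIVATE_NOTICE = "posts are private; to view this reply, visit the site."

# Interpolate +template+ with +values+. With private_mode: true every
# placeholder listed in +hidden+ is replaced by PRIVATE_NOTICE; the others
# (site name, counts, ...) are filled in normally. Unknown placeholders are
# left as-is so a template typo stays visible instead of being blanked.
def render_notification(template, values, private_mode: false,
                        hidden: PRIVATE_PLACEHOLDERS)
  template.gsub(/%\{(\w+)\}/) do
    key = Regexp.last_match(1)
    if private_mode && hidden.include?(key)
      PRIVATE_NOTICE
    elsif values.key?(key)
      values[key].to_s
    else
      "%{#{key}}"
    end
  end
end

# Outbound check for the mail layer: true if any non-empty secret (post body,
# topic title, or whatever else the site treats as private) appears verbatim.
def leaks_content?(email_body, *secrets)
  secrets.any? { |s| !s.to_s.empty? && email_body.include?(s.to_s) }
end

# Constructed sample template and values, not taken from a real site.
SAMPLE_TEMPLATE = <<~EOS
  %{username} replied in "%{topic_title}" on %{site_name}:

  %{message}

  You have %{count} unread notifications.
EOS

SAMPLE_VALUES = {
  "username" => "alice", "topic_title" => "Board minutes",
  "site_name" => "intranet", "message" => "The merger closes on Friday.",
  "count" => 3
}.freeze
```

Passing a larger `hidden` set (e.g. adding `username`) gives the stricter variant proposed later in the thread, where only event counts reach the mail provider.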

(Alexander Logger) #15

How about optional PGP encryption for users who want to receive full messages with emails? Other users who don’t add their PGP public key will receive notifications only about some events, without any private details like username, topic name, or message text.

(Tobias Eigen) #16

Sure - this sounds like a great plugin idea. I would use it! :sunglasses:

(Jeff Atwood) #22

Just following up on this, @eviltrout added a secure email mode in 1.8, that does not leak any topic or post info into email.

(Jeff Atwood) #23

4 posts were split to a new topic: I need to change user email defaults after setup

(Jeff Atwood) #24

Good times. Good times.

(Jeff Atwood) #25

From Bruce Schneier

  1. Why is anyone using encrypted e-mail anymore, anyway? Reliably and easily encrypting e-mail is an insurmountably hard problem for reasons having nothing to do with today’s announcement. If you need to communicate securely, use Signal. If having Signal on your phone will arouse suspicion, use WhatsApp.