It’s About Trust, Not Technology
This morning I read a topic in the MOD Authors forum at phpbb.com in which the poster was trying to figure out a way to encrypt and decrypt private message text. The technical challenge was easily overcome, as someone posted some code that allows the board owner to do exactly that.
The problem is, it accomplishes nothing.
Private messages are often a hot topic for board owners, probably because of the privacy implications of the name “private” message. As most board owners probably know, private messages are not truly private. Anyone with database access can read the private message text. Anyone with access to a backup SQL dump can do the same. But who has this type of access, and what can be done to prevent it?
Board Owner Access
In many cases, only one person owns and manages a web site that includes a phpBB board. In this case, that person is likely to have the administrator passwords for the phpBB board, the SQL database password, and FTP or even shell access to the server itself. Even if that person does not start out knowing the SQL database password, they can get it easily enough by downloading the config.php file and reading it from there. Now suppose that private messages are encrypted as suggested in the topic listed above. Is the data safe?
No, I’m afraid not. The data in the database is encrypted, but by definition it has to be possible to unscramble it so that the PM recipient can see it. All the board owner has to do is download the PHP code to obtain the encryption key and then use it to decrypt the data. It turns out that whether the data is encrypted does not matter, because the board owner has access to both the data and the tools required to decrypt it. The board owner can still read private messages; it just takes longer.
Encryption Versus Hashing
Passwords are hashed, not encrypted. This means that even though the board owner can see the hash string stored in the database field, there is no way to de-hash the data. By definition a hashing algorithm is one-way. That’s why as a board owner I can change a password to something new, but I cannot tell you what your original password was. But if the private message text were hashed, there would be no way to get the original text back!
The point is, hashing is secure. My password is relatively safe. Encryption by definition has to be reversible, and there is really no way to eliminate all avenues of accessing that information as long as access to the raw data is possible.
It’s About Trust Not Technology
Even in a more complex environment, where more than one person has access to and permission to manage a web site, there is only so much that can be done to compartmentalize the issue. Someone, at least one person, is going to have access to the server. Even if it takes two or more people (one to get into the database, the other to decrypt the data), private messages are still not so private.
It all comes down to trust. If I don’t want someone to read what I wrote, I don’t write it down. I have to trust that a board administrator is not going to go about reading private messages, or that they’re not going to edit my post to make it look like I’m saying something that I didn’t, or that they’re not going to install a key-logger that captures my password as it’s entered on the login screen, or that they’re not going to try to … well, it goes on from there. Adding encryption to private messages doesn’t fix the issue.
And here’s one more loophole. I mentioned above that password information is hashed and therefore I cannot log in as “you” because I cannot determine your password. But I can do this:
- Log in to the SQL database and retrieve the hash for my password
- Also retrieve the hash for your password and save it
- Update your account so that your hash value is equal to mine. Now I “know” your password because it’s the same as mine.
- I log in and do whatever I want to do as “you” because I have effectively stolen your identity
- When done, I reset your password hash back to the original value so you can log in again, and you have no idea that anything has happened
Not very nice, but certainly possible. You just have to trust me not to do these things.
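A detection-side view of the loophole above, as an added example that is not part of the original post or of phpBB: it compares periodic snapshots of username/hash pairs and flags accounts that share an identical hash string, or whose hash changed and later returned to an exact earlier value. It assumes per-user salted hashes (so identical strings do not arise from ordinary password changes) and snapshots kept somewhere the database administrator cannot rewrite; the snapshot data and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: periodic snapshots of (username -> stored password
# hash string) taken from the users table. Hash values are made-up placeholders.
SNAPSHOTS = [
    {"admin": "$H$9aaaaAAAA", "alice": "$H$9bbbbBBBB", "bob": "$H$9ccccCCCC"},
    {"admin": "$H$9aaaaAAAA", "alice": "$H$9aaaaAAAA", "bob": "$H$9ddddDDDD"},
    {"admin": "$H$9aaaaAAAA", "alice": "$H$9bbbbBBBB", "bob": "$H$9ddddDDDD"},
]


def shared_hashes(snapshot):
    """Return sorted groups of accounts whose stored hash strings are identical."""
    by_hash = defaultdict(list)
    for user, pw_hash in snapshot.items():
        by_hash[pw_hash].append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def reverted_hashes(snapshots):
    """Return {user: (changed_at, restored_at)} for hashes that changed and
    later returned to an exact earlier value (snapshot indexes)."""
    findings = {}
    history = defaultdict(list)  # user -> list of (snapshot index, hash)
    for idx, snap in enumerate(snapshots):
        for user, pw_hash in snap.items():
            seen = history[user]
            if seen and seen[-1][1] != pw_hash:
                # The hash changed: has this exact string been stored before?
                earlier = [i for i, h in seen if h == pw_hash]
                if earlier and user not in findings:
                    # First snapshot after the old value was last seen.
                    changed_at = next(i for i, h in seen if i > earlier[-1])
                    findings[user] = (changed_at, idx)
            seen.append((idx, pw_hash))
    return findings


if __name__ == "__main__":
    for idx, snap in enumerate(SNAPSHOTS):
        print(idx, "shared:", shared_hashes(snap))
    print("reverted:", reverted_hashes(SNAPSHOTS))
```

A normal password change, like bob's in the sample data, produces a new hash that never returns to its old value, so it is not flagged.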
It’s for this and other reasons I have removed the PM feature from the boards that I manage. By removing the illusion of privacy implied by the name “private message” I don’t have to deal with this.

Yeah, I’ve seen a few similar posts on phpBB.com:
http://www.phpbb.com/community/viewtopic.php?f=64&t=2126812
http://www.phpbb.com/community/viewtopic.php?f=64&t=2144273
I suppose with the example post you provided, a person that ONLY has access to the database would not be able to read the messages. The other problem was the base64 encoding used in that implementation, which increases the size of the messages in the DB by 33%.
Another idea I thought of:
It would be possible to encrypt the message, and then when the user views the message it gets decrypted on the fly, using public-key encryption. And the user could have their private key stored encrypted in the database with a password. However, there would be too many side effects:
- The user would have to enter in their password EVERY time they viewed or reported (v3) a PM – since the password is never permanently stored by phpBB.
- The report feature would have to be heavily modified in phpBB3: if a user wants to report a post, it would have to be decrypted and stored somewhere else. So one would assume that once a PM has been reported it’s no longer private.
- A PKI would have to be invented especially for phpBB.
- What happens if a user forgets their password???
So, in other words, I completely agree with you. Any attempt to prevent private messages from being read by admins is more or less useless or not really feasible. And attempts to prevent hackers from reading private messages probably aren’t very strong either.
Comment by /a3 — December 12, 2011 @ 5:54 pm
I think my last comment got submitted right.
Forgot to mention in my last post: you could also have the private key not stored on the server (encrypted by password) at all (as Marshalrusty mentioned in one of those threads); instead it could be all done by JavaScript. However, there are still a few drawbacks of this:
- Not all users have JavaScript.
- HTML5 storage would be required to permanently store something across many pages. Not all browsers support this.
- If not above, the private key would have to be uploaded to the server EVERY time a PM is read.
- Reporting would mean that the message would no longer be encrypted.
- Potential for Man In The Middle Attacks, false sense of security.
Also, how many boards use SSL? No matter the implementation, sending private information back and forward to the server is never a good idea.
Comment by /a3 — December 12, 2011 @ 6:05 pm
/a3, thank you for your comments and for the more thorough job of reviewing some of the additional issues with securing private messages. I think a solution I have suggested in the past is the best: instead of calling them “private” messages call them “personal” messages instead.
Comment by Dave Rathbun — December 12, 2011 @ 6:37 pm