This morning I read a topic in the MOD Authors forum at phpbb.com where the topic poster was trying to figure out a way to encrypt / decrypt private message text. The technical challenge was easily overcome, as someone posted some code that allows the board owner to do exactly that.
The problem is, it accomplishes nothing.
Private messages are often a hot topic for board owners, probably because of the privacy implications of the name “private” message. As most board owners probably know, private messages are not truly private. Anyone with database access can read the private message text. Anyone with access to a backup SQL dump can do the same. But who has this type of access, and what can be done to prevent it?
Board Owner Access
In many cases, only one person owns and manages a web site that includes a phpBB board. That person is likely to have the administrator passwords for the phpBB board, the SQL database password, and FTP or even shell access to the server itself. Even if that person does not start out knowing the SQL database password, they can get it easily enough by downloading the config.php file and reading it from there. Now suppose that private messages are encrypted as suggested in the topic listed above. Is the data safe?
No, I’m afraid not. The data in the database is encrypted, but by definition the information has to be able to be unscrambled for the PM recipient to be able to see it. All the board owner has to do is download the PHP code to obtain the encryption key and then use it to decrypt the data. It turns out that whether the data is encrypted or not makes no difference, because the board owner has access to both the data and the tools required to decrypt it. The board owner can still read private messages; it just takes longer.
Encryption Versus Hashing
Passwords are hashed, not encrypted. This means that even though the board owner can see the hash string in the database field, there is no way to de-hash the data. By definition a hashing algorithm is one-way. That’s why as a board owner I can change a password to something new, but I cannot tell you what your original password was. But if the private message text were hashed, there would be no way to get the original text back!
The point is, hashing is secure. My password is relatively safe. Encryption by definition has to be reversible, and there is really no way to eliminate all avenues of accessing that information as long as access to the raw data is possible.
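The contrast drawn in this section, as an added example (not the code posted in the forum topic and not phpBB’s own code): a message encrypted with a key that sits in the board’s PHP files can be read by anyone who holds both the files and the database row, while a password hash can only be checked against a guess. `PM_KEY`, `store_pm()` and `read_pm()` are hypothetical names, the message and password are constructed samples, and `password_hash()` stands in for whatever hashing the board uses.

```php
<?php
// Hypothetical constant: the key has to live in the board's PHP files so
// the server can show the message to its recipient. Not a phpBB setting.
const PM_KEY = 'constructed-demo-key-not-a-real-secret';

// What the board does when a private message is saved.
function store_pm(string $text): string
{
    $key = hash('sha256', PM_KEY, true);      // 32 raw key bytes
    $iv  = random_bytes(12);                  // fresh nonce per message
    $ct  = openssl_encrypt($text, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);   // value written to the DB column
}

// What the board does when the recipient opens the message. Anyone holding
// the DB row and the PHP files can run exactly the same routine.
function read_pm(string $stored): string
{
    $key = hash('sha256', PM_KEY, true);
    $raw = base64_decode($stored, true);
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);              // GCM tag is 16 bytes by default
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$row = store_pm('Meet me at noon.');          // constructed sample message
echo "DB column:    $row\n";                  // unreadable in a SQL dump alone
echo "With the key: ", read_pm($row), "\n";   // reversible by design

// A password hash has no read_pm() counterpart: it can be compared with a
// guess, but there is no routine that returns the original text.
$hash = password_hash('correct horse', PASSWORD_DEFAULT);  // constructed sample
echo "Stored hash:  $hash\n";
echo "Right guess:  ", var_export(password_verify('correct horse', $hash), true), "\n";
echo "Wrong guess:  ", var_export(password_verify('wrong horse', $hash), true), "\n";
```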
It’s About Trust Not Technology
Even in a more complex environment, where more than one person has access to and permission to manage a web site, there is only so much that can be done to compartmentalize the issue. Someone, at least one person, is going to have access to the server. Even if it takes two or more people (one to get into the database, the other to decrypt the data), private messages are still not so private.
It all comes down to trust. If I don’t want someone to read what I wrote, I don’t write it down. I have to trust that a board administrator is not going to go about reading private messages, or that they’re not going to edit my post to make it look like I’m saying something that I didn’t, or that they’re not going to install a key-logger that captures my password as it’s entered on the login screen, or that they’re not going to try to … well, it goes on from there. Adding encryption to private messages doesn’t fix the issue.
And here’s one more loophole. I mentioned above that password information is hashed and therefore I cannot log in as “you” because I cannot determine your password. But I can do this:
- Log in to the SQL database and retrieve the hash for my password
- Also retrieve the hash for your password and save it
- Update your account so that your hash value is equal to mine. Now I “know” your password because it’s the same as mine.
- I log in and do whatever I want to do as “you” because I have effectively stolen your identity
- When done, I reset your password hash back to the original value so you can log in again, and you have no idea that anything has happened
Not very nice, but certainly possible. You just have to trust me not to do these things.
It’s for this and other reasons I have removed the PM feature from the boards that I manage. By removing the illusion of privacy implied by the name “private message” I don’t have to deal with this.