roquet
Expat tippler


Registered: 05/29/07
Posts: 1,195
Loc: Dubai بجدية عربي...
encrypted PM email notification unencrypted??
    #7735090 - 12/08/07 11:04 PM (16 years, 1 month ago)

How come my email notification for encrypted Shroomery PMs displays them unencrypted? Doesn't that mean Shroomery must have a copy of either my encryption password or key? How else can it decode the message? Whereas when I read the message on Shroomery I have to enter my password to unencrypt it. Or what am I not understanding here?


Edited by roquet (12/08/07 11:35 PM)


monstermitch
Growing in Bags Doesn't Work

Registered: 02/10/06
Posts: 3,911
Loc: Arizona Bay
Re: encrypted PM email notification unencrypted?? [Re: roquet]
    #7735191 - 12/08/07 11:57 PM (16 years, 1 month ago)

this is not good.
so much for the encryption.
:rolleyes:

I hope this gets fixed or whatever.


Ythan
ᕕ( ᐛ )ᕗ

Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Re: encrypted shroomery PM email notification unencrypted [Re: roquet]
    #7735232 - 12/09/07 12:15 AM (16 years, 1 month ago)

Encryption happens on the server side. That's why you don't have to install any additional software to use secure PMs. What happens is:

1) The message is sent to our server. The transmission is secured using SSL encryption, so nobody can eavesdrop on the connection.

2) We decrypt the SSL stream and regenerate the plaintext message.

3) We encrypt the plaintext message to your public key and store the encrypted copy.

4) The plain-text message is discarded (actually it never touches the hard disk to begin with).

What was happening is that the e-mail notification was going out between steps 2 and 3. This is obviously a problem, since e-mail is sent in plaintext and should not be used for any communication which is intended to be secure. I'm embarrassed about that and I'll fix it right now. However it doesn't mean we can decrypt your secure PMs on demand, and we don't have a copy of your key. It just illustrates a weakness of server-side encryption, namely we need a copy of the message in plaintext at some point to make it work. The only way around this is for you to perform the encryption on your own computer.

The system we use is much better than nothing and can be considered secure as long as you trust us to do what we say and not retain any of your sensitive data. It will protect you from most common exploits, and even if someone managed to dump a copy of our entire database they couldn't read your message. However, as illustrated by this bug, it is possible for human error (or, theoretically, a malicious administrator) to cause your "secure PM" to not be so secure. If I wanted to (or another user gained my credentials) I could save a copy of your message before it's encrypted, or I could save a copy of your private key in the brief instant it's on our server when you decrypt a message. Here's an interesting article about just this scenario, where Hushmail was using a system very similar to our own. For what it's worth, I'd just disable the use of secure PMs before complying with an order to insert a backdoor in the system (and I wonder why Hushmail didn't do the same). But at the end of the day, if security is of critical importance, the only option is to handle it yourself.

-Y
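
The ordering bug described in the post above, as an added example that is not part of the original thread and is not Shroomery's code. All names are hypothetical, `seal_stand_in` is a labelled stand-in for the real public-key step (a hash keystream XOR so the block runs on the standard library alone), and the metadata-only notice is one possible fix, assumed here because the thread does not say how the bug was fixed.

```python
import hashlib
import os
from dataclasses import dataclass
from email.message import EmailMessage

def seal_stand_in(public_key: bytes, plaintext: bytes) -> bytes:
    """STAND-IN for step 3 (encrypt to the recipient's public key).
    Not real public-key crypto: a SHAKE-256 keystream XOR, stdlib only."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(public_key + nonce).digest(len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))

@dataclass(frozen=True)
class StoredPM:
    """What reaches the database after step 3: metadata and ciphertext only."""
    sender: str
    recipient: str
    ciphertext: bytes

def notify_buggy(sender: str, addr: str, body: str) -> EmailMessage:
    """The bug: the notice is built from the plaintext, between steps 2 and 3."""
    msg = EmailMessage()
    msg["To"] = addr
    msg["Subject"] = f"New private message from {sender}"
    msg.set_content(body)  # plaintext leaves the server over e-mail
    return msg

def notify_fixed(pm: StoredPM, addr: str) -> EmailMessage:
    """Accepts only the stored record, so no plaintext is in scope to leak."""
    msg = EmailMessage()
    msg["To"] = addr
    msg["Subject"] = f"New private message from {pm.sender}"
    msg.set_content(f"{pm.sender} sent you a secure PM. Log in to decrypt it.")
    return msg

def receive_pm(sender, recipient, addr, public_key: bytes, body: str, fixed=True):
    """Steps 2-4: plaintext held in memory, encrypted, stored, then notified."""
    if not fixed:
        mail = notify_buggy(sender, addr, body)  # runs before step 3
    pm = StoredPM(sender, recipient, seal_stand_in(public_key, body.encode()))
    if fixed:
        mail = notify_fixed(pm, addr)  # runs after step 3, sees ciphertext only
    return pm, mail
```

Checking that the message body is absent from the rendered e-mail makes a useful regression test, since the leak is invisible from the stored data alone.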


roquet
Expat tippler


Registered: 05/29/07
Posts: 1,195
Loc: Dubai بجدية عربي...
Re: encrypted shroomery PM email notification unencrypted [Re: Ythan]
    #7735267 - 12/09/07 12:33 AM (16 years, 1 month ago)

thanks for the explanation, Ythan. Not sure I really understand how encryption works but doesn't matter. Glad we agree the notification email should be encrypted too.

