Invisibleroquet
Expat tippler
Male User Gallery


Registered: 05/29/07
Posts: 1,183
Loc: Dubai بجدية عربي...
encrypted PM email notification unencrypted??
    #7735090 - 12/09/07 01:04 AM (13 years, 2 months ago)

how come my email notification for encrypted shroomery PMs displays them unencrypted? Doesn't that mean shroomery must have a copy of either my encryption password or key? How else can it decode the message? Whereas when I read the message on shroomery I have to enter my password to unencrypt it. Or what am I not understanding here?


Edited by roquet (12/09/07 01:35 AM)


Invisiblemonstermitch
Growing in Bags Doesn't Work

Folding@home Statistics
Registered: 02/10/06
Posts: 3,911
Loc: Arizona Bay Flag
Re: encrypted PM email notification unencrypted?? [Re: roquet]
    #7735191 - 12/09/07 01:57 AM (13 years, 2 months ago)

this is not good.
so much for the encryption.
:rolleyes:

I hope this gets fixed or whatever.


OfflineYthanA
ᕕ( ᐛ )ᕗ
Male


Registered: 08/08/97
Posts: 17,755
Loc: NY/MA/VT Borderlands, USA Flag
Last seen: 1 hour, 6 minutes
Re: encrypted shroomery PM email notification unencrypted [Re: roquet]
    #7735232 - 12/09/07 02:15 AM (13 years, 2 months ago)

Encryption happens on the server side. That's why you don't have to install any additional software to use secure PMs. What happens is:

1) The message is sent to our server. The transmission is secured using SSL encryption, so nobody can eavesdrop on the connection.

2) We decrypt the SSL stream and regenerate the plaintext message.

3) We encrypt the plaintext message to your public key and store the encrypted copy.

4) The plain-text message is discarded (actually it never touches the hard disk to begin with).

What was happening is that the e-mail notification was going out between steps 2 and 3. This is obviously a problem, since e-mail is sent in plaintext and should not be used for any communication which is intended to be secure. I'm embarrassed about that and I'll fix it right now. However it doesn't mean we can decrypt your secure PMs on demand, and we don't have a copy of your key. It just illustrates a weakness of server-side encryption, namely we need a copy of the message in plaintext at some point to make it work. The only way around this is for you to perform the encryption on your own computer.

The system we use is much better than nothing and can be considered secure as long as you trust us to do what we say and not retain any of your sensitive data. It will protect you from most common exploits, and even if someone managed to dump a copy of our entire database they couldn't read your message. However, as illustrated by this bug, it is possible for human error (or, theoretically, a malicious administrator) to cause your "secure PM" to not be so secure. If I wanted to (or another user gained my credentials) I could save a copy of your message before it's encrypted, or I could save a copy of your private key in the brief instant it's on our server when you decrypt a message. Here's an interesting article about just this scenario, where Hushmail was using a system very similar to our own. For what it's worth, I'd just disable the use of secure PMs before complying with an order to insert a backdoor in the system (and I wonder why Hushmail didn't do the same). But at the end of the day, if security is of critical importance, the only option is to handle it yourself.

-Y
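
The ordering problem described in the post above, as an added example that is not part of the original thread or Shroomery's code: a hypothetical `Board` class runs steps 1-4 with the notification built either before step 3 (the bug) or after it with no message body. Toy textbook RSA over a Mersenne-prime modulus stands in for the real public-key encryption; every name and the sample message are constructed.

```python
# Added illustration. Toy textbook RSA stands in for the board's real
# public-key encryption; the Mersenne-prime modulus is demo only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537

def make_keypair():
    n = P * Q
    return (n, E), (n, pow(E, -1, (P - 1) * (Q - 1)))  # (public, private)

def encrypt(pub, plaintext: bytes) -> int:
    n, e = pub
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for the toy key")
    return pow(m, e, n)

def decrypt(priv, ciphertext: int) -> bytes:
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

class Board:  # hypothetical model of the server side
    def __init__(self):
        self.pubkeys = {}  # user -> public key; private keys are not stored
        self.db = []       # rows a database dump would expose
        self.outbox = []   # e-mail bodies, which leave the server unencrypted

    def deliver(self, sender, recipient, body: bytes, notify_early=False):
        # Steps 1-2: TLS is already terminated, so body is plaintext in memory.
        if notify_early:  # the bug: notification built before step 3
            self.outbox.append(f"PM from {sender}: {body.decode()}")
        # Step 3: encrypt to the recipient's public key and store only that.
        self.db.append((recipient, encrypt(self.pubkeys[recipient], body)))
        # Step 4: the plaintext is never stored; the fixed notice omits it.
        if not notify_early:
            self.outbox.append(f"New secure PM from {sender}; log in to read it.")

def run(notify_early):
    board = Board()
    pub, priv = make_keypair()
    board.pubkeys["alice"] = pub
    secret = b"constructed sample message"
    board.deliver("bob", "alice", secret, notify_early)
    leaked = secret.decode() in board.outbox[0]  # plaintext in the e-mail?
    stored = board.db[0][1]
    in_dump = secret in stored.to_bytes((stored.bit_length() + 7) // 8, "big")
    return leaked, in_dump, decrypt(priv, stored) == secret

if __name__ == "__main__":
    print("buggy:", run(True), "fixed:", run(False))
```

In both runs the stored row is unreadable without the recipient's private key; only the early notification puts the message body into e-mail.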


Invisibleroquet
Expat tippler
Male User Gallery


Registered: 05/29/07
Posts: 1,183
Loc: Dubai بجدية عربي...
Re: encrypted shroomery PM email notification unencrypted [Re: Ythan]
    #7735267 - 12/09/07 02:33 AM (13 years, 2 months ago)

thanks for the explanation, Ythan. Not sure I really understand how encryption works but doesn't matter. Glad we agree the notification email should be encrypted too.


Copyright 1997-2021 Mind Media. Some rights reserved.
