Shroomery - Magic Mushrooms Demystified
roquet
Expat tippler



Registered: 05/29/07
Posts: 1,183
Loc: Dubai بجدية عربي...
encrypted PM email notification unencrypted??
#7735090 - 12/09/07 01:04 AM (13 years, 2 months ago)
how come my email notification for encrypted shroomery PMs displays them unencrypted? Doesn't that mean shroomery must have a copy of either my encryption password or key? How else can it decode the message? Whereas when I read the message on shroomery I have to enter my password to unencrypt it. Or what am I not understanding here?
Edited by roquet (12/09/07 01:35 AM)
monstermitch
Growing in Bags Doesn't Work


Registered: 02/10/06
Posts: 3,911
Loc: Arizona Bay
Re: encrypted PM email notification unencrypted?? [Re: roquet]
#7735191 - 12/09/07 01:57 AM (13 years, 2 months ago)
this is not good. so much for the encryption.

I hope this gets fixed or whatever.
Ythan
ᕕ( ᐛ )ᕗ



Registered: 08/08/97
Posts: 17,755
Loc: NY/MA/VT Borderlands, USA
Last seen: 1 hour, 6 minutes
Re: encrypted shroomery PM email notification unencrypted [Re: roquet]
#7735232 - 12/09/07 02:15 AM (13 years, 2 months ago)
Encryption happens on the server side. That's why you don't have to install any additional software to use secure PMs. What happens is:
1) The message is sent to our server. The transmission is secured using SSL encryption, so nobody can eavesdrop on the connection.
2) We decrypt the SSL stream and regenerate the plaintext message.
3) We encrypt the plaintext message to your public key and store the encrypted copy.
4) The plain-text message is discarded (actually it never touches the hard disk to begin with).
What was happening is that the e-mail notification was going out between steps 2 and 3. This is obviously a problem, since e-mail is sent in plaintext and should not be used for any communication which is intended to be secure. I'm embarrassed about that and I'll fix it right now. However, it doesn't mean we can decrypt your secure PMs on demand, and we don't have a copy of your key. It just illustrates a weakness of server-side encryption, namely we need a copy of the message in plaintext at some point to make it work. The only way around this is for you to perform the encryption on your own computer.
The system we use is much better than nothing and can be considered secure as long as you trust us to do what we say and not retain any of your sensitive data. It will protect you from most common exploits, and even if someone managed to dump a copy of our entire database they couldn't read your message. However, as illustrated by this bug, it is possible for human error (or, theoretically, a malicious administrator) to cause your "secure PM" to not be so secure. If I wanted to (or another user gained my credentials) I could save a copy of your message before it's encrypted, or I could save a copy of your private key in the brief instant it's on our server when you decrypt a message. Here's an interesting article about just this scenario, where Hushmail was using a system very similar to our own. For what it's worth, I'd just disable the use of secure PMs before complying with an order to insert a backdoor in the system (and I wonder why Hushmail didn't do the same). But at the end of the day, if security is of critical importance, the only option is to handle it yourself.
-Y
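The four-step flow Ythan lays out, with the notification hook firing between steps 2 and 3, as an added example in Go that is not Shroomery's own code. RSA-OAEP stands in for whatever scheme the board actually uses, and the type and function names, the recipient address and the sample message are all constructed for the example. The same PM is sent down the buggy ordering and the fixed ordering, and the result records what the outgoing e-mail, a dump of the stored ciphertexts, and the recipient's private key each reveal.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Notification is the outgoing e-mail; e-mail travels in plaintext, so Body is readable in transit.
type Notification struct{ To, Body string }

// Mailbox is the server-side store for one recipient: only step-3 ciphertext is ever appended.
type Mailbox struct {
	pub    *rsa.PublicKey // recipient's public key, which the server legitimately holds
	stored [][]byte       // what a dump of the database would expose
}

// encryptToRecipient is step 3. RSA-OAEP is an assumption standing in for the board's own scheme.
func encryptToRecipient(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// deliverBuggy reproduces the thread's ordering: the e-mail hook runs after step 2 but before step 3.
func deliverBuggy(mb *Mailbox, sender, recipient string, plaintext []byte) (Notification, error) {
	n := Notification{To: recipient, Body: fmt.Sprintf("New PM from %s: %s", sender, plaintext)}
	ct, err := encryptToRecipient(mb.pub, plaintext)
	if err != nil {
		return Notification{}, err
	}
	mb.stored = append(mb.stored, ct)
	return n, nil
}

// deliverFixed encrypts first and notifies afterwards with metadata only, so no secret touches e-mail.
func deliverFixed(mb *Mailbox, sender, recipient string, plaintext []byte) (Notification, error) {
	ct, err := encryptToRecipient(mb.pub, plaintext)
	if err != nil {
		return Notification{}, err
	}
	mb.stored = append(mb.stored, ct)
	n := Notification{To: recipient, Body: fmt.Sprintf("You have a new secure PM from %s. Log in to read it.", sender)}
	return n, nil
}

// leaksBody is the check to keep on the notification path: does the outgoing e-mail contain the plaintext?
func leaksBody(n Notification, plaintext []byte) bool {
	return strings.Contains(n.Body, string(plaintext))
}

// dumpExposes models "someone dumped a copy of our entire database", read without the private key.
func dumpExposes(mb *Mailbox, plaintext []byte) bool {
	return bytes.Contains(bytes.Join(mb.stored, nil), plaintext)
}

// readWithPrivateKey is the recipient's step: only the private key opens the stored copy.
func readWithPrivateKey(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

type Result struct{ BuggyLeaks, FixedLeaks, DumpExposes, RoundTripOK bool }

// runScenario generates a recipient key pair (constructed for the example) and runs both paths.
func runScenario(plaintext []byte) (Result, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	mb := &Mailbox{pub: &priv.PublicKey}
	buggy, err := deliverBuggy(mb, "roquet", "recipient@example.invalid", plaintext)
	if err != nil {
		return Result{}, err
	}
	fixed, err := deliverFixed(mb, "roquet", "recipient@example.invalid", plaintext)
	if err != nil {
		return Result{}, err
	}
	pt, err := readWithPrivateKey(priv, mb.stored[1]) // the copy stored by deliverFixed
	if err != nil {
		return Result{}, err
	}
	return Result{
		BuggyLeaks:  leaksBody(buggy, plaintext),
		FixedLeaks:  leaksBody(fixed, plaintext),
		DumpExposes: dumpExposes(mb, plaintext),
		RoundTripOK: bytes.Equal(pt, plaintext),
	}, nil
}

func main() {
	r, err := runScenario([]byte("constructed sample PM: see you at the usual place"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r) // prints {BuggyLeaks:true FixedLeaks:false DumpExposes:false RoundTripOK:true}
}
```

The leaksBody check is the kind of regression test worth keeping on the notification path after a fix like this, since the bug was purely one of ordering. Note that the fixed path still holds the plaintext in server memory at step 2, which is exactly the residual weakness of server-side encryption that the post describes; only encrypting on the sender's own machine removes it.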
roquet
Expat tippler



Registered: 05/29/07
Posts: 1,183
Loc: Dubai بجدية عربي...
Re: encrypted shroomery PM email notification unencrypted [Re: Ythan]
#7735267 - 12/09/07 02:33 AM (13 years, 2 months ago)
thanks for the explanation, Ythan. Not sure I really understand how encryption works but doesn't matter. Glad we agree the notification email should be encrypted too.