Let's Use E2E Encryption on Discuss Messaging! Tin Foil Hat Crew Client Side Resort for the Paranoid, Delusional Student

Discuss now supports encryption of private messages

  • Client-side, end-to-end (e2e) encryption.
  • This is an opportunity to learn something new!

Great, Why?

The forum already uses encryption in transit: TLS (often still called SSL) protects the connection between your browser and https://discuss.noisebridge.info, so you know you are talking to the real site and nobody on the network can read or alter the traffic.

However, once you are on the site and using it, you might decide to send a private message. Perhaps the message is on a sensitive subject that you do not wish others to know about, for example that your mother is very sick.

Keep in mind, nothing is stopping you from messaging with a different tool such as the excellent Signal. However, Signal needs you to have that person's phone number, which you do not have. So you've decided that contacting them through this forum is the simplest solution. Normally, private messages on Discourse (the forum software) are stored in plaintext on the server and can be read by administrators, of whom we have a few volunteers.

How Discourse works normally

Obviously, administrators should not be reading your private messages. But even an excellent administrator might be debugging forum settings and find themselves looking at… your message. Should an admin read your messages, that action is logged and can be noticed by the other admins. But that doesn't fix the problem: it is awkward to know that a server admin can look at your data at all.

How to protect your messages with Encryption

With client-side encryption enabled, the message body is encrypted in your browser before it is sent, and the server only ever stores ciphertext, so no one without the decryption key can read your private message. An admin reading a private message will still be noted and tracked by Discourse, but what they will see is encrypted garbage.

  1. Turn on e2e encryption from your user account preferences by scrolling to the last option:

     (screenshot: Screenshot_20200406_100230)

  2. Select Enable Encrypted Messages. You are not done yet! After a couple of seconds you'll see this message appear on your user profile.

  3. Select Generate Paper Key. You must record the sequence of words that appears immediately! Put them directly into a password manager or another safe place. Losing the paper key = losing your encrypted messages.

     (screenshot: Screenshot_20200407_091024)
     THESE WORDS ARE NOT MY ENCRYPTED SEED HORSE CARD BATTERY

  4. Did you write down your paper key, like the example shown above? Please do so.

  5. Add your key to every device you will be using: web browsers, mobile apps, you name it. You will only be able to decrypt your messages on a device once you have successfully imported your paper key there. Once your device is authorized, try composing a private message and verify that you can select encryption:

     Encrypted messages look like this: (screenshot: Screenshot_20200407_091447)
     Unencrypted messages look like this: (screenshot: Screenshot_20200407_091438)

  6. Point of clarification: if you log out of Discuss you will be required to confirm your paper key all over again! This applies to every device and browser you use. It also applies if you enter anonymous mode in Discuss or clear your browser's stored data. Seriously. Keep retrievable backups of your paper key. :slight_smile:

  7. Please enjoy and help us test this new forum functionality. Details on the plugin we use and its implementation are below. Obviously, this is only as useful as we make it. It is not a perfect system, but we can enjoy it as a fun experiment and learning tool.

Limitations (check the plugin's own documentation for up-to-date information)

It does not encrypt post metadata, such as the names of the participants in the conversation, the time posted, likes, small actions, etc. Uploads are encrypted, but their presence is not, because the system must associate uploads with posts to prevent them from being deleted.

Once enabled, you can totally lose access to your own encrypted data!
Always back up your generated paper key to avoid data loss. Also, know that we strive to support each other as an open, loose collective. Bad actors should never be tolerated. Consider this a fun thing to try, and remember that truly private data should never be posted online in the first place. :slight_smile:

Code Review

All code is open source and security enthusiasts are encouraged to review it. You can ask questions and make suggestions to the plugin developer here. Please edit this page if you have the proper trust permissions and have found a mistake or correction.
