I've done some ad hoc testing, and I think that it isn't possible to get to private messages or private forums, but I've noticed an odd thing from the control panel. After a registered user (using MSN as their isp), goes to the forums, there is an msn...bot that appears to be looking at the same places including private messages and private forums.
But I used another computer and put in the URL of a private message and the control panel indicates that a guest is at location "private messages" even though the login display is up.
But it raises another concern. An isp can certainly see the traffic if it is not encrypted between the client and server. I guess you gotta trust the server people, I realize, but it's the big entities, msn, google, etc. and their bots that I'm more concerned about.
So, all this to say, can there be an option to encrypt (even simple encrypt) between phpbb and user client browser? Not that we have extraordinary sensitive data, I just don't want it cached on google somewhere.
Thanks,
Edro
msn, google searching through private messages??
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
- smithy_dll
- Registered User
- Posts: 461
- Joined: Tue Jan 08, 2002 6:27 am
- Location: Australia
- Contact:
Re: msn, google searching through private messages??
are you using ad-sense or the google toolbar?
phpBB, its open source, become involved, write a modification!
Modifications Database | MOD Development Forum Rules | MOD Studio
Re: msn, google searching through private messages??
They are not reading private messages, it simply shows the page they're trying to access in the online list, though they're still stuck at a login screen. They cannot see any private information, and there is no need for additional encryption. It will not turn up on Google somewhere.
-
- Registered User
- Posts: 11
- Joined: Mon Jan 17, 2005 10:08 pm
- Location: South Wales
- Contact:
Re: msn, google searching through private messages??
What he said I actually had a similar thing with my admin area on 2.0.11 and it scared the crap out of me, I saw one of my members reading the mod forum. I quickly registered a test account with the same privelidges, got the login screen and appeared to be in that area in the admin cp, so the security is sound as a pound.
As davidis mentions though, there is the issue of google adsense and toolbar. Im not sure what data the toolbar collects but if users are using it, it may be that it will collect some data for google. Adsense definitely will, given that it collects information about each page as it is viewed and presents targetted ads accordingly, which means if a user views their pms and an adsense page is there, the PM content may possibly be cached by google. The solution then is to include the adsense code not in the overallheader or overallfooter but to include them in individual pages where you want them.
As davidis mentions though, there is the issue of google adsense and toolbar. Im not sure what data the toolbar collects but if users are using it, it may be that it will collect some data for google. Adsense definitely will, given that it collects information about each page as it is viewed and presents targetted ads accordingly, which means if a user views their pms and an adsense page is there, the PM content may possibly be cached by google. The solution then is to include the adsense code not in the overallheader or overallfooter but to include them in individual pages where you want them.
Re: msn, google searching through private messages??
I'll ask the 2 users if they use ad-sense or whatever else.
Thanks for the reassurance. I expected, based on my own little test, that just because admin cp says a guest is somewhere doesn't mean they're actually able to view that somewhere.
But it does raise a secondary concern, doesn't it? I mean, ok. Let me spell it out. I'm setting up a board with prayer requests.. These are private. Not a matter of public security but a private one. I don't want any mistakes. As it is, it is a private, hidden forum, by invitation only, so that we can pray together, well, e-pray together..
I'd like to see an end-to-end client to server simple encryption so that there are no mistakes.
When you do root admin, you don't use telnet. Why? Because even in the unlikely event that there is a packet sniffer on your cable line, or a bad isp, or carnivore, or ??, well, you want end-to-end encryption, and it's not difficult to do with ssh.
I've looked at all the message forum boards that I can find, even found one board that is all about security software but not for the board itself!! No one seems to provide this and it doesn't seem like it would be difficult.
Am I wrong here? I'd really appreciate some feedback, advice, anything.
Sincerely,
Edro
Thanks for the reassurance. I expected, based on my own little test, that just because admin cp says a guest is somewhere doesn't mean they're actually able to view that somewhere.
But it does raise a secondary concern, doesn't it? I mean, ok. Let me spell it out. I'm setting up a board with prayer requests.. These are private. Not a matter of public security but a private one. I don't want any mistakes. As it is, it is a private, hidden forum, by invitation only, so that we can pray together, well, e-pray together..
I'd like to see an end-to-end client to server simple encryption so that there are no mistakes.
When you do root admin, you don't use telnet. Why? Because even in the unlikely event that there is a packet sniffer on your cable line, or a bad isp, or carnivore, or ??, well, you want end-to-end encryption, and it's not difficult to do with ssh.
I've looked at all the message forum boards that I can find, even found one board that is all about security software but not for the board itself!! No one seems to provide this and it doesn't seem like it would be difficult.
Am I wrong here? I'd really appreciate some feedback, advice, anything.
Sincerely,
Edro
Computer Security discussion forum
Here is that site about security products, using a non-encrypter forum: [SPAM]
Last edited by Draegonis on Fri Feb 11, 2005 3:21 pm, edited 1 time in total.
Reason: We really don't need a link now...
Reason: We really don't need a link now...
Link
Sorry.. Really didn't mean to spam (which I didn't, I posted a link).
Just conveying that there is an interest in SSL https means to use a message forum.
Well, I'll continue to look for an answer. Maybe I'm missing something important. Searching for "encrypt" I see that other users are interested in encryption, then some are not but wanting to view PMs.
Anyway, I'm sorry I posted a URL. What's the tag there for if not?
Edro
Just conveying that there is an interest in SSL https means to use a message forum.
Well, I'll continue to look for an answer. Maybe I'm missing something important. Searching for "encrypt" I see that other users are interested in encryption, then some are not but wanting to view PMs.
Anyway, I'm sorry I posted a URL. What's the tag there for if not?
Edro
Re: msn, google searching through private messages??
Cut the cheek, the link wasn't needed. Furthermore, phpBB2.0.x already has the ability to operate over SSL.
Re: msn, google searching through private messages??
Please, really not cheek. I did not know that URLs were not supposed to be posted.
Even now I am studying how to implement SSL. "To make it easy for people to install your root certificate, cacert.crt, place it on your web site with a URL to it." ...that's about where I am in the process. I do not understand it, but seem to be implementing it.
I'm sorry about my poor wording seen as cheek.
Sincerely,
Edro
Even now I am studying how to implement SSL. "To make it easy for people to install your root certificate, cacert.crt, place it on your web site with a URL to it." ...that's about where I am in the process. I do not understand it, but seem to be implementing it.
I'm sorry about my poor wording seen as cheek.
Sincerely,
Edro
Re: msn, google searching through private messages??
You can post URIs if you want, just not ones that don't actually have anything to do with the discussion at hand.