PGP Encrypted Emails

[naia]

With services like Facebook now offering the feature to display your public PGP key on your profile, and to have all emails sent to you by Facebook encrypted with this key (source), and with Xenforo being a forum built on security, and especially with the recent addition of two factor authentication, it seems that this would logically be the next step for improving security.

This feature would mainly serve to protect staff information (such as private messages sent to them, and password reset requests) by not sending them via email in plain-text. This would also be nice for the occasional paranoid user (ex. me).

 

[melbo]

I would love to offer this and make the implementation as easy as Facebook's

 

[beanfan78]

One of my forum members were asking about this. I honestly had no idea what it was so I started reading up about it. My domain is secure with SSL, but that doesn't seem like a lot. Does anyone use PGP with their Xenforo? I would like to offer my members the most secure platform that I can.

 

[melbo]

It's not really something that's available as an integrated feature of XF but I'd love to see it.

 

[beanfan78]

It's not really something that's available as an integrated feature of XF but I'd love to see it.

Thanks for the response. I am not really familiar with the technology of PGP. Perhaps I am missing another layer of how I can secure xenforo? I mean without taking it to the world of TOR

 

[melbo]

Oh, PGP/GPG just encrypts messages between 2 (or more) parties using 2 'keys'. The only thing it would really do for XF (and what we're asking for here) would be to allow a member to add their public key to their account settings and then all email traffic from the forum to that user would be encrypted even further than your SSL/TLS. Anyone can use PGP in a forum post or conversation now since the encryption is performed on the users PC and decryption occurs on the other users PC.

The messages after encryption look like this:

-----BEGIN PGP MESSAGE-----
Version: ***********

hQQMA89rse9TjBQPAR//Xl4R4FWVUP2VDBufEuqt935xpPxwCG9PQ9ALCSvyFvhl
fsJ4H2RK+GEjjp6oP2qyl2xc+65nES+j5DjhApl352PguTa//HE/QLngEVHjNzrj
sO1HLoRM3Q4RIaB9qsczn8N6AWzzRILhViGALTkH51YHfPB1TLRKCml15KL8fSg8
dcnzBmrsl6P8iHBtbXvfMN90JJCjh5W4Yme71ISgUEaoz4vCsRi7YhyVGBKUxTVL
7P6DjZXnKg9Ouoe1hjfjGBMHphfQzb0A5QB/yA3cqCIo+7EieyrJ+Z6XjHAlUeIT
kNDQQmNjKq8l6mIG/R2yG95r6vfmlN0i+uRYRUOCtcKrpdejJ+eOlQRpXd5Bvczj
Vl8RAaIj5l4VcebhbvZoDSzSj9zvlWhdXd2K0e1BNNKuKegYpb1YmumVlEv3AuLE
5XAyxJLBjr21yILMWt/Ehv9m06I0Vp2S9hBbXPUKWcYfItrNE8oG2tkIz/yLKYbT
IF1KlrC6dz+l5UvfxOmXjwJIiU2Ie8xOaTV2fCMM1JoNks7y7R8cCO/by/GoCqgH
q/J8+bsHhyRqWWiA7gZ7aF54YTU2laBGD2kR9J93/9tqryWp1tjXUo6zyap4vXMW
GjA2m8EvKjtXXzUqljm0vnyQGAqx1UdZY1lzc8nU6CZDQDUetvtroSz55xH4ecfe
sXZZfMFyaACi0Hj2ab09TTZIzGoype7TSBZY9LQ7mKt2mwTCX+qOpVSRaYwwk8ti
8Re4QGzNDgKi8CU6rSJ/oReDnVEchBbIMklZ+zK5ANpuRoo+eyMGO1cj2TVgrODw
w1+q+vbsPCTxnhX1Su0yDRThX4WEyxHMl8/5e7az1hpvWqE1N/+1i1eFoBUTOn/K
fbZZCTI1zo4AWhvY2M63ZEBPk4cleakEIxQhIGf6UACyEX9ROMkiCGeJW7IxlGCK
PzfUcf4hwPKE/vXA3P0ohztygpQw7ofVaOGiNuxw/dgFTpPxCiL86om7/RQcoCzt
yv2Hfey0sJARZYuNPW/ES/ax/egPqHQjHl0UWJK9fTaL7qSGwRk9hKFTdH/LQuxK
6R/F+3j135rigI3JkP0zO2fun/gte9c62DrDyI6h4MKEjgpGYMXkVzcZPq4/pQMj
jxqqoUOfPECLROgywYQWQ4R/Wi1ftSgDdV5tDw4bevyLCPDLZod0cT4VSFfvwQT7
dLBY+FDSWYJ8/540oeDEsNUCfk7XwYKqBKf79mCXDJFBES9f29hena/O0gPaiLnv
T1FgixHV9EJF9mq2iPwij7X6GCblkZ7k4pE/PXGi4tLlQOqdaCAZl66wxbDtt+Ca
BIfAm8rmfkvRIF54kQBzZZZ9Y3kb6nr/CGZiIN1CS9LAiwFZKNxtBZmr1F4U8/3H
kNtcvVi76917ENiSnTS/hvGuvUEB20MOWrAOeUr5PMp2VEaetNlIzO2K7AvmDyi5
4jl3I31RbQZa1AuWxcfmbJWcZYCUtXj/9mAXnfABkIVrSUgRUPOsTjWAY310GMHL
8ZcDuCrhFHDPUngc7bAeSn4/HHAmZqRnGREZbIndqVzkix6IRyQoni90Gj+PjTwd
gLKmoeF1E78nhESJyAPuiU1pLQvylmXaHzrTkoUdMKOXuDIv6yD9nPLxNy2hXL1a
hAOCQEfgJ3uapmk1pF/bPHLNsNiXR91ZKJ/5Pu9jXRqigECl89tE8PcnMeTJivcC
oI1DrWuPOIIz9WVcq9S0nhDhWbEkxsAdh5oceVGaYTCD/9ACxD3iSYsn09K6JaUG
OqeCCrB2FGFh3DOzYR7rNZ77zGNvRSUk1zuiKQg=
=u/eb
-----END PGP MESSAGE-----

 

[melbo]

This seems like a project that @Liam W could easily create. I know he is an expert in public/private key pairs as a Bitcoiner

 

[naia]

@Liam W How about a quote on this?

 

[Liam W]

I actually looked into it when I got @melbo's mention, but I can't find a working PHP PGP library...

The extension isn't working for me (and hasn't been updated in ages so isn't a surprise really).

Liam

 

[melbo]

@Liam W
Maybe try searching for GPG or GnuPG. PGP is actually now owned by Symantec. GPG is an open source version (fully compatible) maintained by Gnu. There may also be OpenPGP, not sure since I just use GPG as packaged in Fedora.

http://php.net/manual/en/book.gnupg.php
https://pecl.php.net/package/gnupg
https://github.com/jasonhinkle/php-gpg