Giving something back - security assistance

[deleted]

As I become more engrossed in Flarum, it's community, and the astounding support given for free here, I wanted to give something back.

By trade, I'm a CISO, InfoSec Expert, and Head of IT with 28 years worth of "on the tools" experience under my belt. Every day, I see poorly secured sites (no reflection of anyone on here BTW 😀 ) and have "made it my mission" to create a more secure website experience. To this end, I'm stepping up to the plate to help those who may not fully understand the inner workings of security and infrastructure etc as a way of giving back to this amazing community.

Do let me know if this would of of interest to you

[deleted]

As a novice and without basic knowledge about (Flarum) security, what are the basic steps to secure flsrum forum website from user information leaks?

[deleted]

[deleted] This really depends on a couple of factors. The first is the underlying architecture of the system - in most cases, you should at least implement best practice standards such as WAF, adequate security headers, appropriate hardening etc. From the shared host perspective, you are very much in the hands of whoever is the provider of that system, therefore, you can only take the hardening so far without impacting other users on the same tenant.

The second is at the information level. From the security and regulatory standpoint, you should be able to prove that you have taken all necessary steps to secure any information that you are essentially a custodian of. For example

Username and Password
DNSSEC
TLS / SSL
DKIM, SPF and DMARC
Physical security measures of systems which contain personal data (make concerted efforts to enable reCAPTCHA, two factor authentication, basic security measures such as HTTPS coverage for the entire site, disabling weak and outdated ciphers, implementing HSTS / TLS1.3)
Implementation of Security software (firewall, malware protection, virus protection, audit logs, access logs)

If you are handling information that belongs to EU residents, then you are technically in scope for GDPR, although there is an active argument for personal forums etc that do not fall into this category). Similarly, you need to be aware of the CPPA (Californian Privacy Law), and others that are coming into effect. Several people are under the misconception that this does not in fact impact them, when it does.

The subject matter is broad - if you can be specific, I can give a more specific answer.

Sanguine

Thanks for your offer. I run the FreeFlarum service. Does the GDPR apply to me, even though there is no economic activity (my revenue is 0).

[deleted]

Sanguine It's not about economic activity - it's really around the data concerning EU residents that you may hold. As you are the host, but not directly responsible for the sites themselves, you can actually defer that responsibility onto the owners of those sites. However, even as the host, you have to be able to demonstrate that you are GDPR compliant. There's an interesting debate that private sites are not affected by the GDPR, but in your case, it's not exactly private in the sense that there are several other users of your service.

This might shed some light - you would be classed as a "web host" because of the service you are providing
https://sysally.com/blog/what-is-gdpr-and-how-does-it-affect-web-hosting-companies/

Sanguine

[deleted] Thanks, that's a very interesting read!

[deleted]

Sanguine no problems. Let me know if you need any other info

010101

I’ve wondered, what could they do to a website owner who offers a free service, makes zero, or technically makes negative. Because nothing’s coming in, and you’re paying for hosting. I’ll be honest I haven’t read the law so I guess it might say somewhere in there. Maybe the answer is, if you can’t pay the fine, you’d be forced to shutdown the website? Do they come after your personal assets? Scary. I wish they’d make these laws extremely clear. Although I’m also guessing that they mostly target companies they know make money. Because they know how pointless it would be to go after some small site that doesn’t make money. I hope.

Technically Flarum isn’t compliant, right? There’s no user data download extension. That’s a key component of the law. I mean you can manually export data from your database I guess if a member asks for it.

Sometimes I miss the earlier Internet.

Edit: And when I say Flarum isn’t compliant I don’t mean the foundation or the software itself... because it’s free and open source - take me as-is software. I mean, any webmaster who installs Flarum core only, and gets a lot of members, would they be compliant? I don’t think so. But I guess that would be the webmaster’s fault for not doing what they need to do.

Final note: Cookie notices ruined the Internet. “This site uses cookies...” Ok. Thanks? 😃 I know that’s part of being super transparent. But if you have to be told that a website uses cookies then you probably don’t know what cookies are, and therefore a notice does nothing but make someone more nervous. Oh, and the checkboxes for forms that say something like, we’re about to collect what you input into this form, ok? ... isn’t that obvious? All because some large sites started handling data poorly. Ugh.

Long live small niche sites and forums!

[deleted]

010101 I’ve wondered, what could they do to a website owner who offers a free service, makes zero, or technically makes negative. Because nothing’s coming in, and you’re paying for hosting.

Free or not, this doesn't matter under GDPR. It's all about the data you hold, how it's handled and processed, and how you are securing it.

010101 Maybe the answer is, if you can’t pay the fine, you’d be forced to shutdown the website? Do they come after your personal assets? Scary. I wish they’d make these laws extremely clear.

The current maximum fine that can be levied by the ICO is €20m, or four times the annual turnover of your entity, or it's parent.

010101 Technically Flarum isn’t compliant, right? There’s no user data download extension. That’s a key component of the law. I mean you can manually export data from your database I guess if a member asks for it.

Technically, yes and no. The key here is data anonymity. Flarum doesn't permit a full profile with Full Name, Address, etc, but does record an email. The GDPR is all about personal data, and attribution. That same data can only be classed as identifiable if it can be aligned with a specific user to identify them personally. However, if IP addresses are being stored, then that is in scope. Arguably, you can state in your privacy policy that you record IP addresses in order to manage the site, and providing the user accepts that at signup, you are covered. It's always going to be a case of tl;dr, but these policies are specifically geared towards protecting both the user, and the individual. In a similar sense, each site must provide a mechanism for the user to "opt out" of cookies, mailing etc - for this reason, you should not set your forum to automatically follow posts, or be sent an email without the user's prior consent. The best approach is to let the user control that process, and give them a mechanism to change it - which Flarum does out of the box.

010101 I mean, any webmaster who installs Flarum core only, and gets a lot of members, would they be compliant?

Natively, no. They would still need to define their own privacy policy, and provide the mechanisms I stated above.

010101 But if you have to be told that a website uses cookies then you probably don’t know what cookies are, and therefore a notice does nothing but make someone more nervous. Oh, and the checkboxes for forms that say something like, we’re about to collect what you input into this form, ok? ... isn’t that obvious? All because some large sites started handling data poorly. Ugh.

An excellent point. Unfortunately, it's the law - even for contact forms - you place the decision in the user's hands, and ultimately have to be able to prove that the form cannot be submitted without the user ticking the consent box.

010101 Long live small niche sites and forums!

Yes. Again, there is a minor exception in the GDPR that permits the above, but it's not entirely clear as to what defines this. You have to remember that the ICO mandated these before the regulation went live, and there are already various changes to the law that are being considered.

Ultimately, GDPR, like CPPA is a potential minefield. We aren't lawyers, but also have to be on the right side of the law - even if that does negate the overall experience for the user.

Pollux

[deleted]

Don't you see a case here for an extension that reflects some if not all of the points you made here?

010101

[deleted] Thanks! I love privacy, and I agree with ensuring the user is in control of their data.

But, regarding certain things in these laws like GDPR - it feels like they were written by politicians who don't truly know how websites work. That's the scary part. GDPR is only the beginning; and the people who write laws, most likely aren't developers or webmasters.

The law's the law, but that doesn't make it right. Any law like GDPR should be clearly written to basically say: "This law only pertains to official businesses who make money." 🙂 Because it's the companies who make a lot of money, who do a lot of the sneaky, sell your data, type stuff.

[deleted]

Pollux Yes - 100%. The question is, who writes it ? Me, I expect 🙂 I'm also a developer, so could.

Kyrne

010101 term limits

[deleted]

010101 the people who write laws, most likely aren't developers or webmasters.

That's a common theme across the board. The same issue applied when the Sarbanes Oxley act was made law in 2002 - otherwise known as the Public Company Accounting Reform and Investor Protection Act - admittedly, a mouthful, so it was shortened to "SOX". This was the genesis of 2 politicians ( U.S. Senator Paul Sarbanes, and U.S. Representative Michael G. Oxley), and whilst designed to bring financial firms to account, it's along the same path of lawmakers creating legal frameworks when they have no concept of how the engine actually works.

Non-profit entities should also ensure that they are complying with GDPR if it applies to them.

In fact, GDPR applies not only to non-EU for-profit entities, but also to nonprofits that collect or otherwise process any information relating directly or indirectly to identifiable individuals in connection with the offer of goods and/or services to EU residents.

There is no exception for nonprofits in GDPR. A nonprofit organization could be considered to provide “goods and services” by holding conferences or meetings in the European Union or monitoring the online behavior of EU residents who visit a website.

The only way you could potentially be able to avoid GDPR is to block access to your website from the EU member states - a simply pointless exercise when you could use a reverse proxy or a VPN to gain access. Surprisingly, there are a number of sites that actually still adopt this stance rather than comply. The Chicago Tribune is one of them - try to access https://www.tribpub.com/gdpr/chicagotribune.com/ from anywhere inside the EU, and see what happens.

tankerkiller125

[deleted] Can't really say I blame them for it though, the risk of a lawsuit is high and development cost possibly even higher if they want to comply. For newspaper companies, it is much easier to block access to a group of users who make up an extremely small percentage of their users (How many EU residents actually read the Chicago Tribune?) than it is to develop a whole new set of tools and systems in order to comply the GDPR rules. As a one-man show for my personal websites, I have zero intention of ever complying with GDPR rules. I'd much rather simply block EU access if it comes down to it.

[deleted]

tankerkiller125 great points. I'm no fan of these regulations either. My sites are 100% free and make zero profit, yet, I have to comply as a custodian of personal information