Shout - Private Messaging for Flarum

Kyrne

HD3D if you forget you password you lost access to all your old messages. This is true of every encrypted messaging service.

Mark73

Kyrne I'm 100% against admins accessing users private messages. But losing access to all old messages because you forgot the PMs password? Well that's a negative point...

HD3D

Kyrne In this case, I think you should let us (admins) to decide if we want our users to set up shout password or let them use it without password.

I understand that you want your extension to work securely sir but you can do it on your site and on our sites you can let us decide.

And if you can please disable the setup option and make it default that everyone should have Private Messaging option enabled. (Imagine I'm an admin and I need to wait for my users to set up their inbox in order to message them?) 😕
I should be able to message them without this restriction

Kyrne

Mark73 the only other secure way around this is to have users download a copy of their keys (which is totally doable) to import later if they forget the password.

Mark73

Kyrne Not the best way as we all know how people want everything to be as simple as possible. Yet, I'm glad there is a way to recover old messages, definitely considering this

Kyrne

Yalfoosh nope. That update wasn't supposed to add full emoji support (and I guess it didn't add it at all). I'll try to hook flarum/emoji.

Mark73 interesting read: https://www.forbes.com/sites/anthonykosner/2012/08/05/how-secure-is-your-cloud-take-the-mud-puddle-test/#76fcfd506627

Yalfoosh

Kyrne You're insanely fast! However, I don't think emojis work (2 different messages):

Kyrne

Yalfoosh not sure if joyful is an emoji. Try :1234:

Yalfoosh

Kyrne

am I doing something wrong?

[deleted]

Kyrne Upgraded successfully (it seems to 0.1.7), truncated the table, and set PMSetup to 0 for all users. Now I am unable to set any password - it responds with the below

EDIT: Spoke to @Kyrne on Discord. Seems it's a caching issue of sorts - all working now !

Yalfoosh

HD3D Why don't you simply use Byobu then? It's more polished and has more features.

HD3D

Yalfoosh I'm already using byobu but I thought Shout could be more useful and easy for users but the restrictions to shout are making it impossible for me to use

Kyrne

HD3D shout was built around the concept of private, encrypted messages. The 2 are essentially inseparable without a lot of work.

I'm still lost as to how the password aspect makes it impossible to use? Websites run on passwords and if you lose them for encryption you're SOL on any truly secure messaging service.

I'm going to stand firm on encryption only. I will be adding a feature shortly where you can force a user to setup their encryption before they can continue to use the site (on a per user or whole site level)

HD3D

Kyrne I understand your point but let me explain my point in simple words:

Because of the password requirement the shout won't be enabled right? So it simply means that as an Admin I need to wait for my certain user to setup Shout with the password in order to message him/her.
What if they never setup their private messaging so I can't message them?

If you really want users to have their private messages secured and have control over it, you can give them an option to set up password for shout in their profile/settings or on the shout UI itself so they can decide if they want a password on their messages or not. but as default shout private messaging should be enabled for all the users.

Just like on facebook, twitter or any other social app.

HD3D

Kyrne I'm going to stand firm on encryption only. I will be adding a feature shortly where you can force a user to setup their encryption before they can continue to use the site (on a per user or whole site level)

This can do the trick too but don't you think it will confuse the noob users? And if they use password other than their account's password then it will confuse them during login to remember which password is for which.

I'm pretty sure it will be more appreciated by everyone and less confusing for everyone if you can give and password setting up option on shout UI or settings. so everyone can decide if they want to secure their messages or not.

Kyrne

HD3D I had several people expressed to me that the wording on the setup modal is confusing. I'll try to make it more clear and detailed along with this next update.

Mark73

I sort of agree with @HD3D
Having the options for the password (make it optional or make it a must) instead of ONLY making it mandatory would be appreciated. If someone's forum users somehow exchange confidential info over PMs then he should configure the settings to make it mandatory to set up a password before being able to use PMs, but for someone like me who runs a game forums that mostly kids play, why would I need them to go through this hurdle of setting up a password to chat with their friends? I find it very odd and I'm sure most of them will too

HD3D

Mark73 That's what I have been trying to explain to @Kyrne
Not everyone is smart enough to set up chat with a password and not everyone is gonna talk sensitive things on a forum chat app (They have facebook, messenger, whatsapp and other apps for that)
Having their chat secured with a password should be optional but at the first place chat should be enabled for everyone.

Kyrne

HD3D Mark73 Byobu is going to be the way to go.

If you don't use SSO like GitHub or whatever all they're having to do is type in their password again. You have to do all this with WhatsApp, iMessage, Facebook, anything. I'm still very much failing to see how typing in a password (or making a new one which can be the same) is a hurdle or intelligence prohibitive? People login using passwords all day, what makes this one different?

It's not about sending sensitive info, it's about the peace of mind knowing no one can read you messages.

When I want to change something about my Microsoft account, or github account, it asks me for my password again. While this is annoying, it's not hard. Not only that but shout won't ask you again on that same device, so unless you clear your cache, that device won't ask you for a password for life.

[deleted]

And if you do clear your cache, this is what password managers are built for. Seriously guys - it's a one time exercise. I did it on my pc first as a test, then on my phone which imported all my conversations.

This extension is so cool it even has a back off timer to stop you from spamming users with messages until they respond. Now that, you have to admit, is cool.

« Previous Page Next Page »