Encrypting comment_author_IP, comment_author_email and user_email


Encrypting comment_author_IP, comment_author_email and user_email

by William Canino

Hello,

Has anyone heard of anyone writing a plugin that encrypts these three
columns in the database level?

a. $comment->comment_author_email, "SELECT comment_author_email FROM
wp_comments" and "SELECT user_email FROM wp_users" will display
gibberish.

b. comment_author_email() will display gibberish unless a condition
set in the plugin is true.

I would like assurance that someone who gains db access to the blog or
gets hold of a SQL dump cannot harvest email addresses.

Also, if this is something one shouldn't worry about, why not?

Thank you for your assistance.

W
_______________________________________________
wp-hackers mailing list
wp-hackers@...
http://lists.automattic.com/mailman/listinfo/wp-hackers

Re: Encrypting comment_author_IP, comment_author_email and user_email

by Tim Moore-14

Most encryption to a database is a one-way street. Once the email addresses
are encrypted, you can't get them back in any useful way, which makes
collecting the email addresses pointless.

In my experience, anyone breaking into a database is there not to gain a
list of email addresses to spam, but to gain usernames and passwords.
They're on a whole other level than email harvesters.

<tim>


Re: Encrypting comment_author_IP, comment_author_email and user_email

by Matt Martz-2

On Fri, Oct 23, 2009 at 01:20:53PM -0400, William Canino wrote:
> Also, if this is something one shouldn't worry about, why not?

One of the first things that comes to mind is issues with getting
avatars from gravatar.  As long as you can hash the email with md5,
don't care about ever seeing the email address again, and write a new
get_avatar function (you can do that since get_avatar is in
pluggable.php) that does not try to md5 the email address, you would be OK.

This may not be the only problem.  Just one of the first that popped
into my head.

--
Matt Martz
matt@...
http://sivel.net/

Re: Encrypting comment_author_IP, comment_author_email and user_email

by Otto-19

On Fri, Oct 23, 2009 at 12:20 PM, William Canino
<william.canino@...> wrote:
> I would like assurance that someone who gains db access to the blog or
> gets hold of a SQL dump cannot harvest email addresses.
>
> Also, if this is something one shouldn't worry about, why not?

If somebody gets DB access, then you're pwned already. They can do
much worse things than simply harvest email addresses. Your site is
basically under their control at that point.

-Otto

Re: Encrypting comment_author_IP, comment_author_email and user_email

by William Canino

True, but I can restore the site from backups. Once the emails are
harvested, however, I cannot do anything about it.

My blog's theme says, "Your email is <i>never</i> published or
shared". This is why I want to go one step further.

Can the plugin basically hook pre_comment_author_email (encrypt it)
and hook get_comment_author_email, author_email and comment_email
(decrypt it if conditions are met)?

And the same with pre_comment_user_ip and get_comment_author_IP?

For user_email, it seems I have to override get_userdatabylogin() to decrypt it.

Matt mentioned get_avatar(). What else should I watch out for?

W


Re: Encrypting comment_author_IP, comment_author_email and user_email

by chrisbliss18

If you encrypt it in a way that can be reversed, then the person who
gets hold of the data can still reconstruct it.

Even if certain one-way hashes are used, which more or less destroys
any value of having it in the first place, rainbow tables can be used to
reconstruct the data quickly and simply.

It is impossible to guarantee anything, especially security. So, it
sounds like the problem is your promise, not the technology.

Technically, if the data was stolen, it was neither published nor
shared, so you haven't violated your promise.

If this is truly a big concern for you, simply filter the email address
into a dummy address before it gets stored so even you don't have access
to it.

Chris Jean
http://gaarai.com/
@chrisjean


Re: Encrypting comment_author_IP, comment_author_email and user_email

by Dougal Campbell

On Oct 23 2009 4:40 PM, Chris Jean wrote:
> Technically, if the data was stolen, it was neither published nor
> shared, so you haven't violated your promise.

That's just a cop-out.

Keep in mind that there can be very good reasons for not wanting to
store that data in a format that can be recovered. For example, if you
live in an oppressive country where "Freedom of Speech" is not observed
(and expressing opinions contrary to the government's can get you
arrested, tortured, and killed; this is not just a theoretical
supposition), you may wish people to be able to have truly anonymous
discussions without the risk of exposing their identities should the
server be compromised or confiscated.

That said, I am not aware of a plugin to do this, but it should not be
hard to write one.

--
Dougal Campbell <dougal@...>
http://dougal.gunters.org/
http://twitter.com/dougal
http://twitual.com/

Re: Encrypting comment_author_IP, comment_author_email and user_email

by Peter Westwood

On 23 Oct 2009, at 18:20, William Canino wrote:

> Hello,
>
> Has anyone heard of anyone writing a plugin that encrypts these three
> columns in the database level?
>
> a. $comment->comment_author_email, "SELECT comment_author_email FROM
> wp_comments" and "SELECT user_email FROM wp_users" will display
> gibberish.
>
> b. comment_author_email() will display gibberish unless a condition
> set in the plugin is true.
>

If you want to truly protect the address this is not possible!

> I would like assurance that someone who gains db access to the blog or
> gets hold of a SQL dump cannot harvest email addresses.

You have a number of choices here:

Encrypt with a symmetric key algorithm so you can get the email
address back temporarily when you need it - gravatar, checking
comments are from the same author etc. The downside of this is you are
adding a lot of extra computation to every page load, and if someone
gets access to the db it is likely they will also get access to steal
the key and algorithm used too, so you don't get much protection.
You also have the implementation cost of the crypto algorithm.

Encrypt with a public-private key algorithm and don't have the private
key on the server, so you can only get the email address back offline
where the private key exists. To handle gravatar you would have to
cache the image locally yourself and replace the pluggable function.
To check comments are from the same author you would have to encrypt
the incoming email address. The downside of this is you have to do the
caching of gravatars if you use them.
You also have the implementation cost of the crypto algorithm.

Hash the email address using md5 - this is what is used to generate
the gravatar url, so you are alright there, and load-wise this should
have little effect. A plain md5 like this will be subject to the
rainbow table worries and you would do better to use a salted md5, but
then you will need to cache the gravatar image.
Using this method you can't get the email address back!

Hope this helps!
--
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5

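Peter's three options side by side, as an added example that is not code from this thread, from WordPress or from any plugin: a standalone PHP script (command line, openssl and hash extensions) that stores one constructed commenter address each way. The function names, the sample address and the throwaway keypair are this example's own; the "salted md5" is implemented as an HMAC with a server secret, which is the usual way to do what Peter describes.

```php
<?php
// Added example: Peter's three storage options for a commenter email, side by
// side. Standalone CLI script; all names and sample data are constructed.
declare(strict_types=1);

// Option 3: plain md5, which is exactly what the Gravatar URL already exposes.
function gravatar_hash(string $email): string
{
    return md5(strtolower(trim($email)));
}

// Why a plain md5 is "subject to the rainbow table worries": anyone holding a
// guessed address can confirm it against the stored digest with no secret.
function md5_confirms_guess(string $stored_digest, string $guess): bool
{
    return hash_equals($stored_digest, gravatar_hash($guess));
}

// "Salted md5" done properly: a keyed hash (HMAC-SHA256) with a server secret.
// Still deterministic, so "same author as last time?" checks keep working, but
// without $secret a dump of the digests cannot be matched against a wordlist.
function keyed_fingerprint(string $email, string $secret): string
{
    return hash_hmac('sha256', strtolower(trim($email)), $secret);
}

// Option 2: public-key encryption. The web server holds only the public key;
// the private key stays offline, so a stolen database plus a stolen
// wp-config.php still yields nothing readable. OAEP padding is randomised, so
// two encryptions of the same address differ (use the fingerprint to compare).
function seal_email(string $email, string $public_key_pem): string
{
    $ciphertext = '';
    if (!openssl_public_encrypt($email, $ciphertext, $public_key_pem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('public-key encryption failed: ' . openssl_error_string());
    }
    return base64_encode($ciphertext);
}

// Run offline, on the machine that holds the private key.
function open_email(string $sealed, string $private_key_pem): string
{
    $plaintext = '';
    if (!openssl_private_decrypt(base64_decode($sealed, true), $plaintext, $private_key_pem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decryption failed: ' . openssl_error_string());
    }
    return $plaintext;
}

// --- demonstration with constructed data ----------------------------------
$email  = 'alice@example.com';   // constructed sample address
$secret = random_bytes(32);      // would be defined in wp-config.php, never stored in the DB

// Throwaway keypair, generated here only so the script is self-contained. In
// practice generate it offline and copy only the public half to the server.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $private_pem);
$public_pem = openssl_pkey_get_details($pair)['key'];

$digest = gravatar_hash($email);
printf("md5 (what Gravatar sees):       %s\n", $digest);
printf("md5 confirms a guessed address: %s\n", md5_confirms_guess($digest, 'alice@example.com') ? 'yes' : 'no');
printf("HMAC with server secret:        %s\n", keyed_fingerprint($email, $secret));
printf("same author on a later comment: %s\n",
    hash_equals(keyed_fingerprint($email, $secret), keyed_fingerprint(' Alice@Example.com', $secret)) ? 'yes' : 'no');

$sealed = seal_email($email, $public_pem);
// A base64 RSA-2048 ciphertext is 344 characters: it does not fit the
// varchar(100) comment_author_email column, so store it in comment meta.
printf("sealed (%d chars, for the DB):  %s...\n", strlen($sealed), substr($sealed, 0, 32));
printf("opened offline:                 %s\n", open_email($sealed, $private_pem));
```

The script makes Peter's trade-off concrete: the md5 line is matchable by anyone who can guess the address, the HMAC line is matchable only by someone who also has the secret from wp-config.php, and the sealed line is recoverable only where the private key lives. Note the length of the sealed value against the width of the wp_comments columns before deciding where to store it.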

Re: Encrypting comment_author_IP, comment_author_email and user_email

by William Canino

> For example, if you live in an oppressive country
> where "Freedom of Speech" is not observed (and
> expressing opinions contrary to the government's
> can get you arrested, tortured, and killed

Yes, and remember, guys, that FoS only applies to governments. Blogging
about your employer can get you fired. Blogging about a private
individual or company can get you arrested, tortured and killed; cf.
the Godfather.

Thank you for your ideas, Peter and Matt. Dougal saw through my intentions.

Okay, anything sent to gravatar is unsalted md5 and is therefore
subject to rainbow tables.  My plugin would then have to cache them
locally, including fetching them as needed.  It's too much work and,
hey, does it even make sense to have gravatars when we are striving to
be anonymous? ;)

My big challenge right now for this plugin is that WordPress Core uses
"$comment->comment_author_email" with wild abandon.  A hook to
comment_author_email is worthless because nobody uses it. See
http://phpxref.ftwr.co.uk/wordpress/_variables/comment_author_email.html

I think PKI is the way to go. I mean, why even ask for his email
address in the comment form if you won't use it to send him emails?
However, for my plugin to be of any use to others, my plugin's users
will just have to edit their other plugins so as to call my plugin's
decryptor function.

Here is my follow-up question:  How about I put the private key and
the decryption on a separate website?  For example, the plugin's
decryptor function will ask http://secret.com/secret.php to decrypt
the database column data.  Secret.com and Blog.com will have each
other's private key. Will this work?

For performance, secret.php could have a cache of results.  Good idea?

W

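One way to wire the hooks William asks about, as an added example: this is not a published plugin and not code from the thread or from WordPress core. It follows Peter's public-key option, so nothing is decrypted on the web host; William's "decrypt if conditions are met" is deliberately left to an offline script. It assumes a public key generated offline (placeholder PEM below), a secret defined in wp-config.php, and a hypothetical anon.png shipped with the plugin; every name prefixed sealed_ is the example's own. The pre_comment_author_email, pre_comment_user_ip, get_comment_author_email and get_comment_author_IP filters, the comment_post and edit_comment actions and the pre_get_avatar filter are real WordPress hooks.

```php
<?php
/*
Plugin Name: Sealed Commenter Data (added example)
Description: Example wiring for the hooks discussed on wp-hackers. Not a
published plugin; every name prefixed "sealed_" is this example's own.
*/

// Public half of a keypair generated OFFLINE; only this half is deployed.
// Placeholder PEM: replace with your own public key.
const SEALED_PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\nREPLACE-ME\n-----END PUBLIC KEY-----";

// Secret for the HMAC fingerprints. Define it in wp-config.php so a dump of
// the database does not contain it; the placeholder only lets the file load.
if (!defined('SEALED_HMAC_SECRET')) {
    define('SEALED_HMAC_SECRET', 'REPLACE-ME-with-32-random-bytes');
}

// Ciphertexts for the comment currently being saved. The pre_* filters run
// before the row exists, so they are parked here until comment_post fires.
$GLOBALS['sealed_pending'] = [];

function sealed_fingerprint(string $value): string
{
    return hash_hmac('sha256', strtolower(trim($value)), SEALED_HMAC_SECRET);
}

// Already a fingerprint? Happens when an existing comment is edited in the
// admin and goes through wp_filter_comment() a second time.
function sealed_is_fingerprint(string $value): bool
{
    return strlen($value) === 64 && ctype_xdigit($value);
}

function sealed_encrypt(string $value): string
{
    $out = '';
    openssl_public_encrypt($value, $out, SEALED_PUBLIC_KEY_PEM, OPENSSL_PKCS1_OAEP_PADDING);
    return base64_encode($out);
}

function sealed_store_pending(string $meta_key, string $value): string
{
    if ($value === '' || sealed_is_fingerprint($value)) {
        return $value;
    }
    $GLOBALS['sealed_pending'][$meta_key] = sealed_encrypt($value);
    return sealed_fingerprint($value);
}

// Write side. What reaches wp_comments is the deterministic fingerprint: it
// fits the varchar(100) column (a base64 RSA-2048 ciphertext is 344 chars and
// would not), and core's duplicate-comment check and "same author as before"
// comparisons keep working. The recoverable ciphertext goes to comment meta.
add_filter('pre_comment_author_email', function ($email) {
    return sealed_store_pending('_sealed_email', (string) $email);
});
add_filter('pre_comment_user_ip', function ($ip) {
    return sealed_store_pending('_sealed_ip', (string) $ip);
});
$sealed_flush = function ($comment_id) {
    foreach ($GLOBALS['sealed_pending'] as $key => $ciphertext) {
        update_comment_meta($comment_id, $key, $ciphertext);
    }
    $GLOBALS['sealed_pending'] = [];
};
add_action('comment_post', $sealed_flush);
add_action('edit_comment', $sealed_flush);

// Read side. These filters only reach callers of the API functions; code that
// reads $comment->comment_author_email directly gets the fingerprint, which is
// acceptable because no plaintext was ever stored. Nothing is decrypted here:
// the private key is not on this host.
add_filter('get_comment_author_email', function ($email) {
    return $email === '' ? '' : 'sealed@example.invalid';
});
add_filter('get_comment_author_IP', function ($ip) {
    return $ip === '' ? '' : '0.0.0.0';
});

// Gravatar needs the real address or its md5. Short-circuit it with a local
// placeholder image (anon.png, assumed to ship with the plugin) instead of
// calling out. pre_get_avatar is the current hook; the 2009 route was to
// redefine the pluggable get_avatar().
add_filter('pre_get_avatar', function ($avatar, $id_or_email, $args) {
    $size = (int) ($args['size'] ?? 96);
    return sprintf('<img src="%s" width="%d" height="%d" alt="" />',
        esc_url(plugins_url('anon.png', __FILE__)), $size, $size);
}, 10, 3);

// Offline recovery, run on the machine that holds the private key, e.g. from
// a one-off script that reads the _sealed_email meta out of a database dump.
function sealed_open(string $ciphertext_b64, string $private_key_pem): ?string
{
    $plain = '';
    $raw = base64_decode($ciphertext_b64, true);
    if ($raw === false || !openssl_private_decrypt($raw, $plain, $private_key_pem, OPENSSL_PKCS1_OAEP_PADDING)) {
        return null;
    }
    return $plain;
}
```

Two design choices answer points raised in the thread. Storing the keyed fingerprint rather than the ciphertext in the column is what keeps core's own uses of $comment->comment_author_email harmless: there is no plaintext for them to leak, and the duplicate-comment check still matches repeat authors. And because the private key never reaches the server, the separate "decrypt on request" website William floats in his follow-up is not needed; a decryption endpoint reachable from the blog would give whoever controls the blog the same access to the addresses, which is the exposure the scheme is meant to remove.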