Gosora - Supremely fast forum software

Discussion in 'Forum Software Development' started by MagicalAzareal, Apr 30, 2019.

  1. mysiteguy

    mysiteguy Administrator

    But none of that is shady since shady implies intentional dishonesty or ill intent, versus lack of competence.
     
  2. MagicalAzareal

    MagicalAzareal Magical Developer

    Complain about phpBB somewhere else. And it's not like half of the stuff in this market has particularly high quality names lol

    The name of the software was actually originally Grosolo, but it wasn't a very popular name.
     
    Last edited: Sep 27, 2019
  3. MagicalAzareal

    MagicalAzareal Magical Developer

    Thank you for the report, I have an idea of why that might be, likely maps.

    I've implemented very simple conversations and group promotions (to help with spam, if that becomes an issue). There's still a fair bit of work to be done however. I'm sorry I haven't had much time to put into this lately.
     
  4. MagicalAzareal

    MagicalAzareal Magical Developer

    Oh sorry, I didn't see the post moving it to pms.

    Uh anyway, a few people are asking about security, so I'll address that here. User inputs should be generally escaped, although like any good paranoid person, I'm also rolling out a content security policy header throughout the software to kill any scripts that shouldn't be running. I'll further tighten that as time goes by.

    I also use modern SameSite cookies to deal with CSRF and a couple of other things. I plan to further tighten that, as there's nothing like overkill and better safe than sorry.

    The software also very strongly avoids sending out requests to arbitrary sites by forsaking things like Discourse's oneboxes as that could be used to capture the server's IP Address and in turn mount a DDoS attack. I seem to know quite a few people who have gotten hit by one of these lately. This also has the side-effect of being compliant with Article 11 which bans such snippets. I will see what I can do to implement such things securely.

    I also use constant time comparisons to prevent side-channels in things like sessions, password resets and password comparisons which could be used to deduce one of these strings a character at a time and in turn allow someone to log in as an administrator with a high enough bandwidth link and enough patience.

    There are likely other things too, if anyone has any good ideas regarding security, feel free to tell me.
     
    Last edited: Oct 10, 2019
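The side channel the post describes, shown as an added example in Go (the language Gosora is written in). This is illustration code, not Gosora's own: the token value is constructed, and `leakySteps` counts comparison steps instead of measuring wall-clock time so the leak is visible deterministically rather than buried in network jitter.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// leakySteps models a byte-by-byte comparison that returns at the first
// mismatch and reports how many bytes it examined before giving up. On a
// real server that count shows up as response time, which is what an
// attacker on a fast link measures: one extra step means one more correct
// prefix byte, so the secret can be recovered a character at a time.
func leakySteps(presented, secret string) (equal bool, steps int) {
	if len(presented) != len(secret) {
		return false, 0
	}
	for i := 0; i < len(secret); i++ {
		steps++
		if presented[i] != secret[i] {
			return false, steps
		}
	}
	return true, steps
}

// tokenHash is what the server stores for a session or password-reset
// token: the SHA-256 of the random value, never the value itself, so a
// leaked database row does not hand out live sessions.
func tokenHash(token string) []byte {
	h := sha256.Sum256([]byte(token))
	return h[:]
}

// verifyToken hashes the presented value and compares it with the stored
// hash using crypto/subtle, which examines every byte regardless of where
// the first mismatch is. Hashing first also fixes both sides at 32 bytes,
// so the length short-circuit inside ConstantTimeCompare can never leak
// how long the real token is.
func verifyToken(presented string, storedHash []byte) bool {
	return subtle.ConstantTimeCompare(tokenHash(presented), storedHash) == 1
}

func main() {
	secret := "a9f3c0d1e2b7" // constructed token, not a real session value
	for _, guess := range []string{"000000000000", "a90000000000", "a9f3c0000000"} {
		_, n := leakySteps(guess, secret)
		fmt.Printf("leaky compare of %q examined %d byte(s)\n", guess, n)
	}
	stored := tokenHash(secret)
	fmt.Println("constant-time verify, correct token:", verifyToken(secret, stored))
	fmt.Println("constant-time verify, partial guess:", verifyToken("a9f3c0000000", stored))
}
```

The three guesses examine 1, 3 and 7 bytes respectively in the leaky version, which is exactly the signal an attacker needs; the constant-time path does the same amount of work for every input. Storing only the hash is the second half of the fix: it costs nothing, and it means the comparison never has the raw token on one side.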
  5. MagicalAzareal

    MagicalAzareal Magical Developer

    I'm pushing the ability to block users from messaging you now. I'm not quite sure about the end-to-end encryption now that the crypto wars are looming, we will have to see, there are some other things to do first anyway.
     
  6. \o/

    \o/ an oddity

    Today, I am provided four themes in the dropdown box, but every time I want to select something that is not Tempra Simple, I get:

    Boo!
     
  7. MagicalAzareal

    MagicalAzareal Magical Developer

    I'm working on stripping metadata from uploaded images, as sometimes you can get stupidly identifying information in there like someone's GPS location or the camera's serial number. I don't even know why some devices toss in this garbage.
    That is strange, I will have to look into it.
     
  8. MagicalAzareal

    MagicalAzareal Magical Developer

  9. \o/

    \o/ an oddity

    It is!
     
  10. MagicalAzareal

    MagicalAzareal Magical Developer

    As suggested by Casmic I'm going to see about adding a feature which makes emails non-mandatory (although, if the site is set up with them disabled or everyone gets activated straight away without checking, then it's functionally the same as someone could put gibberish in). The admin can still require verification, if they so wish.

    As suggested by Rick Ace, I've started re-encoding uploaded images on the server-side to strip away unnecessary identifying metadata. So far, I've done it for attachments; avatars are already re-encoded, but keep the old images around, so I could perhaps flush those bases. I will also have to do some tests to make sure the metadata is actually going away, otherwise this'll be a little embarrassing.

    I would also like to see about limiting retention periods for a user's last IP address, possibly even disabling that feature entirely, if an admin so wishes it. I might extend the option of disabling retainment to the other IP retention periods as well for consistency. Last IP is generally unreliable for combatting abuse for a number of reasons anyway.
     
    Last edited: Oct 27, 2019
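The re-encode-to-strip approach and the "make sure the metadata is actually going away" test from the post, as an added Go example that is not Gosora's code. The sample upload is constructed in-process: a tiny generated JPEG with a fake APP1/EXIF segment spliced in, standing in for a phone photo; `hasEXIF` walks the JPEG header segments and is the post-strip check.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"image"
	"image/color"
	"image/jpeg"
)

// segmentMarkers returns the marker byte of every header segment before
// Start-of-Scan. APP1 (0xE1) is where EXIF lives, i.e. GPS fixes and
// camera serial numbers.
func segmentMarkers(data []byte) ([]byte, error) {
	if len(data) < 2 || data[0] != 0xFF || data[1] != 0xD8 {
		return nil, fmt.Errorf("not a JPEG: missing SOI")
	}
	var markers []byte
	for i := 2; i+4 <= len(data); {
		if data[i] != 0xFF {
			return nil, fmt.Errorf("expected marker at offset %d", i)
		}
		m := data[i+1]
		markers = append(markers, m)
		if m == 0xDA || m == 0xD9 { // SOS (entropy data follows) or EOI
			break
		}
		// Segment length is big-endian and includes its own two bytes.
		segLen := int(binary.BigEndian.Uint16(data[i+2 : i+4]))
		if segLen < 2 || i+2+segLen > len(data) {
			return nil, fmt.Errorf("bad segment length at offset %d", i)
		}
		i += 2 + segLen
	}
	return markers, nil
}

// hasEXIF is the check to run after stripping: a surviving APP1 means the
// metadata did not actually go away.
func hasEXIF(data []byte) (bool, error) {
	markers, err := segmentMarkers(data)
	if err != nil {
		return false, err
	}
	for _, m := range markers {
		if m == 0xE1 {
			return true, nil
		}
	}
	return false, nil
}

// stripByReencode decodes the upload to pixels and encodes a fresh JPEG.
// Go's image/jpeg decoder skips APP1, so only pixel data crosses over.
func stripByReencode(upload []byte) ([]byte, error) {
	img, _, err := image.Decode(bytes.NewReader(upload))
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	if err := jpeg.Encode(&out, img, &jpeg.Options{Quality: 90}); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// taggedSample builds the constructed upload: an 8x8 JPEG with a fake
// APP1 segment inserted right after SOI. The payload is a placeholder,
// not real TIFF/EXIF data.
func taggedSample() ([]byte, error) {
	img := image.NewRGBA(image.Rect(0, 0, 8, 8))
	for y := 0; y < 8; y++ {
		for x := 0; x < 8; x++ {
			img.Set(x, y, color.RGBA{uint8(x * 30), uint8(y * 30), 128, 255})
		}
	}
	var plain bytes.Buffer
	if err := jpeg.Encode(&plain, img, nil); err != nil {
		return nil, err
	}
	payload := []byte("Exif\x00\x00FAKE-GPS-AND-SERIAL")
	app1 := []byte{0xFF, 0xE1, 0, 0}
	binary.BigEndian.PutUint16(app1[2:], uint16(len(payload)+2))
	app1 = append(app1, payload...)
	b := plain.Bytes()
	tagged := append([]byte{}, b[:2]...) // SOI
	tagged = append(tagged, app1...)     // injected EXIF
	return append(tagged, b[2:]...), nil // rest of the original file
}

func main() {
	tagged, err := taggedSample()
	if err != nil {
		panic(err)
	}
	before, _ := hasEXIF(tagged)
	clean, err := stripByReencode(tagged)
	if err != nil {
		panic(err)
	}
	after, _ := hasEXIF(clean)
	fmt.Printf("EXIF present before: %v, after re-encode: %v\n", before, after)
}
```

The same decode-then-encode round trip drops PNG text and eXIf chunks via image/png. The trade-offs to keep in mind are that a JPEG round trip is lossy (pick the quality once and keep it), and that animated GIFs collapse to their first frame, so those need a different path or a documented limitation.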
  11. Jura

    Jura Devotee

    The Reddit crowd or people that think similarly would like not needing an email. If you browsed Reddit long enough you'd know there is a lot of mistrust in small sites that aren't large enough to be seen frequently. Something something people that have their own site are scum looking to make money off of them or exploit information.

    It is fast. The name is fine (although I'm sure some people would want something that seems more Western in origin).

    I always wanted to toy with a smaller software after using IPB for so long. PunBB way back then looked promising. Something simple enough to feel different because it's not held back by legacy features or ideas. Or something that was basic seeming and easy to install, but has loads of extensions like WordPress to experiment or customize.

    Anyway it looks nice. Would be cool to see it turn into something that'll last a long time with loads of backers/fans.
     
  12. MagicalAzareal

    MagicalAzareal Magical Developer

    I implemented optional emails, although it won't be quite complete until I completely implement the Email Manager and Secondary Emails. It should work for the purposes of registering however, although I haven't pushed it to the live instance yet.

    I agree that it is unfortunate that so many sites have to collect emails. I didn't really want to either at first. I mainly implemented it as a convenience feature as I didn't want members constantly forgetting their passwords and bugging administrators (with perhaps flimsy proof of their identity) to reset their passwords.

    Thanks for the kind words :)
     
  13. MagicalAzareal

    MagicalAzareal Magical Developer

    More progress.

    I've added adminlogs, so you can see what your crafty admins are up to.

    I've also added spoilers in posts as someone requested that.

    I've also deployed content security policy headers globally, so that should give a greater margin of security. There may be some ways of expanding upon this, as I currently white-list YT, so that videos will actually load, but I don't necessarily have to do that on every page outside the control panel.

    https://gosora-project.com/topic/privacy-tips-gosora.115 Tips on tightening privacy on the software.

    https://gosora-project.com/topic/personal-privacy-tips.114 Tips on tightening privacy personally in general.

    I had a long discussion with someone about end-to-end encryption, this one might take a little longer than I would like to get the most security out of it, but it might be worth it in the end. One idea is to have some sort of app which I digitally sign myself and whose code you can audit to make sure that the NSA hasn't paid me off or whatever the paranoid folks think these days.

    This app would allow you to communicate privately with the knowledge that the admin can't simply slip a bad piece of JavaScript which causes your client to reveal all of your secret messages, something that is obviously very not compatible with the concept of E2EE. There are still a few potential problems like where the public keys would live, perhaps the two parties would find their own means of exchanging them, perhaps they could be stored on the instance, but the client could verify other instances to see if it matches up, I'm not quite decided on that.

    There are also some other problems which have entered the common imagination in regards to E2EE like metadata. As the Director of the CIA once said, "We kill over metadata". Metadata can tell the admin (or an adversary who has taken over the server) information on when a communication happened, to whom and possibly other things, depending on the implementation.

    Hiding who is talking to who is very difficult and possibly outside the scope of the project, although there are E2EE implementations in existence which somewhat tackle this problem. One possible method is to send the same payloads to every single user to try to mask it somewhat, although I'm not sure as to the efficacy of such.

    I will have to investigate all of this more deeply, it is all very deeply fascinating.
     
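The per-route CSP idea from the post above (YouTube whitelisted only where videos render, never in the control panel) together with the SameSite session cookie from the earlier security post, as an added Go example using net/http. This is not Gosora's middleware; the `/topic/` and `/panel/` prefixes, the policy text and the cookie name are assumptions for the illustration, and `probe` runs requests in-process so the headers can be checked without a server.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// basePolicy is what every page gets: scripts and styles only from the
// site's own origin, no plugins, no framing by other sites, forms only to
// self, and no frames at all unless a route opts in.
const basePolicy = "default-src 'self'; script-src 'self'; style-src 'self'; " +
	"img-src 'self' data:; object-src 'none'; base-uri 'self'; " +
	"frame-ancestors 'self'; form-action 'self'; frame-src 'none'"

// cspFor widens frame-src only on topic pages, where embedded videos are
// rendered. The control panel and everything else keep frame-src 'none'.
func cspFor(path string) string {
	if strings.HasPrefix(path, "/panel/") {
		return basePolicy
	}
	if strings.HasPrefix(path, "/topic/") {
		return strings.Replace(basePolicy, "frame-src 'none'",
			"frame-src https://www.youtube.com https://www.youtube-nocookie.com", 1)
	}
	return basePolicy
}

// secureHeaders is the global middleware: one place that decides the
// policy, so no handler can forget it.
func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Security-Policy", cspFor(r.URL.Path))
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Referrer-Policy", "same-origin")
		next.ServeHTTP(w, r)
	})
}

// sessionCookie: SameSite=Lax keeps the cookie off cross-site POSTs (the
// classic CSRF shape) while still sending it on top-level navigations;
// Strict would also drop it when someone follows a link into the forum.
// HttpOnly keeps any script that does run from reading it.
func sessionCookie(value string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name: "session", Value: value, Path: "/",
		HttpOnly: true, Secure: secure, SameSite: http.SameSiteLaxMode,
	}
}

// probe sends one request through the stack in-process and returns the
// response headers. An https target makes httptest set r.TLS, so the
// cookie comes out with the Secure flag as it would in production.
func probe(path string) http.Header {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/login" {
			http.SetCookie(w, sessionCookie("constructed-token", r.TLS != nil))
		}
		w.Write([]byte("ok"))
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("GET", "https://forum.example"+path, nil)
	secureHeaders(mux).ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	for _, p := range []string{"/topic/privacy-tips-gosora.115", "/panel/settings", "/login"} {
		h := probe(p)
		fmt.Printf("%s\n  CSP: %s\n  Set-Cookie: %s\n", p,
			h.Get("Content-Security-Policy"), h.Get("Set-Cookie"))
	}
}
```

Two caveats worth stating next to this. A script-src of 'self' with no 'unsafe-inline' blocks every inline script and handler, so templates with inline JavaScript have to move to files or be given per-response nonces before the policy goes from report-only to enforced. And SameSite is defence in depth rather than a replacement for a CSRF token: older clients ignore it, and it does nothing against a sibling subdomain, which is presumably the "further tighten" the post has in mind.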