Hide URL Path for logged in members (or at least member groups)


ᴡᴅツ

For Social Suite 4.X, would it be possible to consider the option of obfuscating or hiding the URL path for logged-in members of pages they are viewing? In other words, every link they click on has http(s)://{board url}/encrypted-string, where "encrypted-string" is a randomly generated string of characters set for 1 use (or used at each login and randomly generated again during the next login)?

Use case scenario:

There is a private forum for XYZ user group. However, the viewed topic titles can be discerned by people on the same network. If a non-member notices the URL Charles is visiting because he's using public Wi-Fi at a cafe, e.g. https://community.invisionpower.com/topic/5434-the-release-date-for-social-suite-is-tomorrow/, while viewing the network traffic, then that would be a problem...

In this scenario, the attacker could try to visit the encrypted URL but won't have access since he's not logged in (either because of the forum category restricting guest access or the encrypted string not executing the actual topic ID because of the guest group ID).


Just turn off friendly URLs

Won't that just make it a fixed URL that can be accessed by anyone if guest permission is active? It would be more secure to use an encrypted string/obfuscated URL to go to topic ID XYZ rather than directly going to ID XYZ and relying on forum permissions to do the rest. This method I'm proposing blocks access to the original link as well as content.


In your scenario - that topic would presumably be in a staff forum, so all that would be seen is "community.invisionpower.com/index.php?showtopic=XXXX" - accessing that URL would give a 403 error.

Although, a much better solution to the problem is HTTPS.


In my opinion, the most reasonably secure setup for privacy purposes is:

  1. Complete site-wide SSL for logged-in members
  2. Topic ID cloaking
  3. Expiring URLs

With all 3, it makes data snooping a lot harder.

Perhaps this much security might not be top priority for the Social Suite, but thank you for participating in this topic with me and at least considering it given that some of your user base might want/need the additional security measures given the current political climate.


Archived

This topic is now archived and is closed to further replies.
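
The "topic ID cloaking" and "expiring URLs" ideas from the thread can be sketched as a server-side table of random, session-bound, single-use tokens. This is an added example, not code from the thread or from the Social Suite; `LinkCloak`, the session IDs and the 300-second lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time


class LinkCloak:
    """Hypothetical helper: opaque, expiring, single-use link tokens."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._links = {}  # token -> (topic_id, session_id, expires_at)

    def issue(self, session_id, topic_id):
        """Return a random path segment standing in for topic_id."""
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._links[token] = (topic_id, session_id, self.clock() + self.ttl)
        return token

    def resolve(self, token, session_id):
        """Return the topic ID, or None if unknown, expired, reused or foreign."""
        entry = self._links.get(token)
        if entry is None:
            return None
        topic_id, owner, expires_at = entry
        # Check the session first so a stranger cannot burn the owner's link.
        if session_id is None or not hmac.compare_digest(owner, session_id):
            return None
        del self._links[token]  # single use
        if self.clock() > expires_at:
            return None
        return topic_id


def demo():
    now = [1000.0]  # constructed clock so expiry can be exercised
    cloak = LinkCloak(ttl_seconds=300, clock=lambda: now[0])
    charles = "sess-charles"  # constructed session ID
    t1 = cloak.issue(charles, 5434)  # topic ID from the thread's example URL
    t2 = cloak.issue(charles, 5434)
    results = {
        "guest_replay": cloak.resolve(t1, None),
        "other_member": cloak.resolve(t1, "sess-mallory"),
        "owner": cloak.resolve(t1, charles),
        "owner_reuse": cloak.resolve(t1, charles),
        "distinct_tokens": t1 != t2,
    }
    now[0] += 301  # move past the token lifetime
    results["expired"] = cloak.resolve(t2, charles)
    return results
```

The token only removes the topic title and ID from the URL; without HTTPS the page body and session cookie still cross the network in clear text.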
