Help me find a sooper sekrit blog!
July 23, 2008 7:02 AM

I need a private, secure blog that will store my posts in an encrypted form. Does one exist?

I'm working with a distant team on a project, and I need a secure private blog to facilitate collaboration. The requirements for the blog are that it support user accounts, multiple authors, require logins by SSL (https:// vs. http://) (this could be enforced via plugin), store blog posts in an encrypted form, and of course I'd like the encryption/decryption to be seamless for my users. Up to this point we've been using the service at WideBlog, but it's not very flexible, and it's been a little flaky recently. We'd also prefer to have the blog on our own hosting to remove a layer of trust.

In my hunting around, I haven't had much luck. The biggest sticking point seems to be the requirement that posts be stored in an encrypted form. I've found some solutions that will "encrypt" passwords with MD5. But I want to encrypt more than just passwords, and the use of MD5 is itself a little questionable. I'm looking for something more along the lines of AES.

Does what I want exist?
posted by perrce to Computers & Internet (12 answers total) 2 users marked this as a favorite
 
I'll start looking because you've raised my curiosity and come back if I find anything.

But off the top of my head, I can tell you that it is possible to set up WordPress so that you have to be logged in to see anything. Which might not sound like the ideal solution until you realize that you can also set it so that users can't register themselves (anyone with an admin account can) or that anyone who registers has to be approved by an admin.

Again, not exactly what you're looking for. But at worst it's a possible fallback solution.
posted by theichibun at 7:45 AM on July 23, 2008


Well if the posts themselves were stored in an encrypted form, how would they be displayed? The blog software would need a decryption key, and in that case an intruder would still be able to decrypt the messages. So I'm guessing most blog software authors don't bother with this level of privacy.

Obviously it would be possible to do this; you would probably want to use public key encryption, though, rather than a symmetric cipher where everyone would need a copy of the same key.

Maybe get everyone set up with PGP or GPG and use an email list?
posted by delmoi at 8:04 AM on July 23, 2008


(oh, and as far as HTTPS rather than HTTP, you should be able to use any blog software and configure Apache to use https exclusively)
posted by delmoi at 8:05 AM on July 23, 2008


Personally -- do you trust this remote blog to encrypt for you? If you are that worried, you shouldn't.

I would compose and encrypt locally, then post the crypto text. Various and sundry tools exist to do this -- PGP/GPG would work, OpenSSL would work.

You want something that outputs ASCII text, so you could post in a blog. Then, what blog you post to is immaterial, and you aren't trusting the remote server one bit. All they have is cryptotext.

This is far better than sending plaintext and *hoping* that the remote server is encrypting it correctly (and not saving the plaintext copy!)
posted by eriko at 8:08 AM on July 23, 2008


What exactly do you mean by "store blog posts in an encrypted form"? You could turn on field level encryption in the backend DB (I think MySQL supports this but haven't done it), for example, would that meet this requirement? For that matter, you could use an encrypted file system, would that meet this requirement?

There are still potential problems with either approach - someone with full access to the DB server would probably be able to get the key (from config files or memory) and extract the posts. This is why the requirement needs refinement. What is the risk you're attempting to mitigate by storing in encrypted form?
posted by These Premises Are Alarmed at 8:37 AM on July 23, 2008


Blogger supports access-restricted and private blogs.
posted by blue_beetle at 9:36 AM on July 23, 2008


Response by poster: These Premises Are Alarmed: The risk I'm trying to mitigate is for a site admin (think DreamHost) -- even a determined site admin -- with prying eyes from reading the blog posts. I was thinking/hoping that something could be accomplished with public key encryption (so that a key wouldn't have to sit around the server), but I'm no crypto expert.
posted by perrce at 9:44 AM on July 23, 2008


'Host-proof hosting' is one technique/pattern that would probably satisfy your requirements - Google has plenty more, but I don't know of any blog-software that implements such a thing.
posted by gregjones at 10:19 AM on July 23, 2008


You might be interested in the type of solution proposed in this IBM DeveloperWorks article, which proposes using a Firefox extension, coupled with GnuPG public key encryption, to encrypt/decrypt the contents of a Google Calendar in a way that is transparent to the user. (Note that it stores the plaintext on a local machine, so it isn't actually all that secure at the endpoints, but it does encrypt the data on the server end).
posted by Alterscape at 10:19 AM on July 23, 2008


It should be relatively simple to create a WordPress plugin that would encrypt posts as they are stored in the database, and decrypt them as they are read back out.

You can have a shared key encoded against each user account with their own personal key. They log in, you use their password (or a second personal secret) to decrypt the shared key from their user account, and then you use that shared key to encrypt and decrypt posts as they are written to and read from the database.
posted by sycophant at 5:52 PM on July 23, 2008
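
The per-user wrapped shared key described in the answer above, sketched as an added example that is not part of the original thread and not code from any blog package. It assumes Node.js's built-in `crypto` module, scrypt for deriving each user's key from their password, and AES-256-GCM for both wrapping and post encryption; every function name and the demo data are hypothetical.

```javascript
// Added illustration, not from the thread. All names here are hypothetical.
const crypto = require('crypto');

// AES-256-GCM seal: returns base64(iv || tag || ciphertext), storable as text.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Inverse of seal; throws if the key is wrong or the blob was modified.
function unseal(key, blob) {
  const raw = Buffer.from(blob, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]);
}

// Key-encryption key derived from the user's password (scrypt, per-user salt).
function kek(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Enrolment: wrap the blog's shared key under one user's password.
function enrolUser(password, sharedKey) {
  const salt = crypto.randomBytes(16);
  return { salt: salt.toString('base64'), wrapped: seal(kek(password, salt), sharedKey) };
}

// Login: recover the shared key from the user's stored row.
function unlock(password, row) {
  return unseal(kek(password, Buffer.from(row.salt, 'base64')), row.wrapped);
}

// Constructed demo: two users, one post written by alice and read by bob.
function demo() {
  const sharedKey = crypto.randomBytes(32);
  const users = { alice: enrolUser('alice-pass', sharedKey), bob: enrolUser('bob-pass', sharedKey) };
  const stored = seal(unlock('alice-pass', users.alice), 'draft: launch plan');
  const readByBob = unseal(unlock('bob-pass', users.bob), stored).toString();
  let wrongRejected = false;
  try { unlock('guess', users.bob); } catch (e) { wrongRejected = true; }
  return { stored, readByBob, wrongRejected };
}
```

Only the salt, the wrapped key and the sealed post are at rest in the database, but the password and the unwrapped shared key still pass through server memory at login, which is the limitation the next answer raises.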


I still think it'd be cheaper to find trusted admins. A solution like sycophant's could still be beaten by a determined malicious administrator, who could, for example, decrypt the user's password sent over SSL (ssl private key will be on the server), pull it from memory, or modify apache to use an unencrypted channel (un-noticed by a non-attentive user). Even if those attacks wouldn't work, the malicious administrator is one of the most expensive challenges to overcome.
posted by These Premises Are Alarmed at 5:45 AM on July 24, 2008


Best answer: I work with the Movable Type team, and we've got clients doing this kind of setup by using MT with Oracle or Microsoft SQL Server databases, which they've set to encrypt at the database level. HTTPS support is easy to do, and the access controls you've described were done using the built-in authentication on the web server (generally Apache, sometimes IIS.)

I honestly don't know the exact details of these deployments offhand, but I do know groups like the Department of State's eDiplomacy group have found that it met some pretty stringent security requirements. If you're interested, I can reach out to the folks who'd know more about how to do this.
posted by anildash at 8:58 AM on July 26, 2008 [1 favorite]

