ESP Mail and Privacy

A new feature added to the main server today, and available on the demo world.

ESP Mail.

Given we have so few regular users, I was keen to get this working. Now you can leave a message for each other, even when that person is not logged in.  Simply send your friend an ESP as normal, and if they are not connected at that time, you will be prompted if you wish to send the message as an ESP Mail!  Easy.

The question I had though was how to store this.  The last thing I wanted to do was save all your private messages in the database in a way that was visible to anybody with even a modicum of server privileges, so definitely not something linked directly to an avatar.  As well as myself, there are two others with potential access to raw data on avatars and objects, and as the service grows, I'm sure this will expand.  Plus, there's also the very slight chance that malicious actors ('hackers') could access the database itself, despite my best efforts to reduce the chance of this happening.

At present, passwords you use are stored in salted hashed form using industry best-practice methods, which means there is absolutely no chance that they can be extracted again from the data.  However, hashing an ESP Mail message is no use as you want to be able to get it back again, for when the recipient actually reads it!  For this you need encryption, which is reversible if you have the right keys.

To implement this, therefore, messages are stored in a distinct database table, and are encrypted using OpenSSL and an AES-256 bit cypher.  The decryption key is in two parts, one part is chosen randomly and stored per message, and the other part created at setup time and stored outside of the database.  What this means is that even knowing the contents of one message and brute forcing the decryption keys for that message, they will be of no use when it comes to the next message.  Similarly, even with a full copy of the entire database, even with the server software, still nobody can decrypt your messages because one key part will be missing!  Finally, all messages are deleted on reading, so there is no record kept of anything you have already received, even encrypted.

This is probably overkill for your messages about what the cat ate for dinner, but I do feel that if I'm going to implement something that might possibly store private or personal information, then I need to do it properly, and right from the start!  Plus, it would be a breach of GDPR laws should private messages be revealed to anybody whom should not have access, and it is a duty under GDPR to use ‘appropriate technical and organisational measures’ to protect data. I think this satisfies this requirement.

Please do note, though, that all communication between the server and the client over the internet is still sent unencrypted.  This is a consequence of the protocol in use having been developed in the early 1990s.  Even with the later clients used elsewhere, not the 1999 ones we use, this is still the case.  This means that there is a potential that somebody determined enough could see your messages if they were monitoring you or the server at the point you read them.  This is an area I want to address, and have some ideas on doing so, but this how things stand at the moment.  Similarly, the server log stores communications data in it's log files when in debug mode, which will include message texts.  Normally a server would not be in this state.  I am considering ways to counter this while still keeping the log files useful for debugging, but rest assured nobody but me has access to these logs.  In any case, I have now added a notice at login to let you know if the sever is doing this.

Although I have done my best to ensure your privacy, the old adage stands - the only way to ensure nobody else finds out about something is to never tell anybody!  Especially on the Internet!  This is the same for any service you might use, not just us!