Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

Encryption of token name+email

  • Jmantysalo
  • Jmantysalo's Avatar Topic Author
  • Offline
  • Platinum Member
  • Platinum Member
More
3 years 3 months ago #209667 by Jmantysalo
Encryption of token name+email was created by Jmantysalo
Today I saw an error that according to bugs.limesurvey.org/view.php?id=16122 is already fixed half a year ago.

But in my test the name and email of a token is not encrypted in the database. Where is that setting located?
The topic has been locked.
More
3 years 3 months ago #209687 by jelo
Replied by jelo on topic Encryption of token name+email
I recommend to open a new bugreport with your LS4 version.
There are still issues around encryption. And LS4 is still not ready for production.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The following user(s) said Thank You: DenisChenu
The topic has been locked.
  • Jmantysalo
  • Jmantysalo's Avatar Topic Author
  • Offline
  • Platinum Member
  • Platinum Member
More
3 years 2 months ago #209690 by Jmantysalo
Replied by Jmantysalo on topic Encryption of token name+email

jelo wrote: I recommend to open a new bugreport with your LS4 version.


Before that I want to know how this should work. When the system should encrypt name and email?
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Away
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
3 years 2 months ago #209695 by DenisChenu
Replied by DenisChenu on topic Encryption of token name+email

Jmantysalo wrote: Before that I want to know how this should work. When the system should encrypt name and email?

It muts be encrypted in DB : always.

It must be shown decrypted on browse and export toke, (an when using TOKEN:FIRSTNAME)

But maybe it's only my opinion ?

Else : just check on an already activated survey with 4.3.31 : after set crypted on attribute management : lastname, firstname and email was crypted.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The topic has been locked.
  • Jmantysalo
  • Jmantysalo's Avatar Topic Author
  • Offline
  • Platinum Member
  • Platinum Member
More
3 years 2 months ago #209703 by Jmantysalo
Replied by Jmantysalo on topic Encryption of token name+email

DenisChenu wrote:

Jmantysalo wrote: Before that I want to know how this should work.

It muts be encrypted in DB : always.


I am not at all sure about this. If we have a small installation having webserver and database at the same machine, then the evil hacker gets both db and decrypting key at the same time. If we use external network disk, then we could encrypt everything in other level -- maybe encrypted DB, something like encfs for files containing DB or a block-level encryption.

(Btw, other thing is asymmetric encryption of responses. Survey maker could generate keypair, and put the public part in the server. Then the evil hacker would have no way to read responses given before the intrusion. I guess I must do a plugin for that sometime.)

Kind of strange to be able to encrypt first name but not last name and vice versa. Anyways, I'll continue testing and make a bug report.
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Away
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
3 years 2 months ago #209707 by DenisChenu
Replied by DenisChenu on topic Encryption of token name+email

Jmantysalo wrote:

DenisChenu wrote:

Jmantysalo wrote: Before that I want to know how this should work.

It muts be encrypted in DB : always.


I am not at all sure about this. If we have a small installation having webserver and database at the same machine, then the evil hacker gets both db and decrypting key at the same time. If we use external network disk, then we could encrypt everything in other level -- maybe encrypted DB, something like encfs for files containing DB or a block-level encryption.

I tell how it's constructed now, and how it must work now.

If you activate crypt option for fistname : it must be crypted in DB always.

personnaly i think it's only false security …

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The following user(s) said Thank You: Jmantysalo
The topic has been locked.

Lime-years ahead

Online-surveys for every purse and purpose