Privacy Forum – is it really private?


  • kannued
    Participant

    @kannued

    I came across these articles that say usernames and passwords do not necessarily mean privacy thanks to Google’s cache system. If you have the knowledge, these private areas are easy to hack. I’m wondering how bbpress’s privacy plugin stacks up against this hacking.

    http://hackforums.net/showthread.php?tid=25040

    http://www.theregister.co.uk/2008/08/22/accessing_restricted_sites/

    On a slightly related issue:

    I have noticed that ALL profiles in any forum are public. If you keep sequencing then, you can see each person’s profile, which means even the spammers that are blocked can still be viewed with their websites, emails, and interests. This unintended promotion bothers me. If I start deleting the spammers’ profiles, I will just have a lot of work to do. The perfect world is that profiles that are approved should be the only ones available by sequencing.

    ie.

    http://www.example.com/forums/profile/1042

Viewing 6 replies - 1 through 6 (of 6 total)

  • _ck_
    Participant

    @_ck_

    There’s no hacking involved in that process.

    It’s just a simple workaround.

    The foolish forum operators are allowing anyone with the user-agent of “GoogleBot” into their private forums. And/or they are allowing Google to cache their private forums. The reason why they do this is they want Google to send them traffic and the only way they can do that is to let Google see the content of the hidden forums.

    bbPress doesn’t do this by default and no known plugin does it either, certainly not my “hidden forums” plugin.

    My Mini-Track plugin can tell you the difference between real Google and people pretending to be Google. It’s very easy, you just do a rDNS on the IP and see if it goes to a Google-owned IP block. rDNS is very slow (1-5 seconds) so people don’t normally do it by default.

    You wouldn’t have to delete the spammer profiles if you didn’t let them on in the first place. Install my “Human Test” plugin and 99.9% of them will never register.
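
The check _ck_ describes above, as an added example (not from the thread and not Mini-Track's code). It uses forward-confirmed reverse DNS instead of an IP-block lookup; the function name `is_real_googlebot`, the sample addresses and the host names are constructed for illustration.

```php
<?php
// Added example: decide whether a client claiming to be Googlebot really is one.
// The resolvers default to gethostbyaddr()/gethostbynamel() (IPv4 only for the
// forward step); they are injectable so the constructed data below runs offline.
function is_real_googlebot(string $ip, string $userAgent,
                           ?callable $reverse = null, ?callable $forward = null): bool
{
    if (stripos($userAgent, 'googlebot') === false) {
        return false;                      // does not even claim to be Googlebot
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $reverse = $reverse ?? 'gethostbyaddr';
    $forward = $forward ?? 'gethostbynamel';

    $host = $reverse($ip);                 // PTR lookup: the slow step, cache it per IP
    if (!is_string($host) || $host === $ip) {
        return false;                      // no PTR record
    }
    $host = strtolower(rtrim($host, '.'));
    // Suffix match with the leading dot, so "notgooglebot.com" does not pass.
    if (!preg_match('/\.(googlebot|google)\.com\z/', $host)) {
        return false;
    }
    // A PTR record is set by whoever controls the IP, so confirm it forwards back.
    $addrs = $forward($host);
    return is_array($addrs) && in_array($ip, $addrs, true);
}

// Constructed sample data: documentation IP ranges and made-up host names.
$ptr = [
    '192.0.2.10'   => 'crawl-192-0-2-10.googlebot.com',  // genuine-looking crawler
    '203.0.113.5'  => 'host5.isp.example',               // ordinary ISP client
    '198.51.100.7' => 'crawl.notgooglebot.com',          // look-alike domain
    '198.51.100.9' => 'crawl-192-0-2-10.googlebot.com',  // PTR that does not forward back
];
$a = ['crawl-192-0-2-10.googlebot.com' => ['192.0.2.10']];
$reverse = fn($ip) => $ptr[$ip] ?? $ip;
$forward = fn($host) => $a[$host] ?? false;

$ua = 'Mozilla/5.0 (compatible; Googlebot/2.1)';
foreach (array_keys($ptr) as $ip) {
    printf("%-13s %s\n", $ip,
        is_real_googlebot($ip, $ua, $reverse, $forward) ? 'real' : 'pretending');
}
```

Only the first address passes; the other three send the same user-agent string and are rejected.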


    _ck_
    Participant

    @_ck_

    If you don’t want Google to make a cached copy of any of your forum pages, use this mini-plugin (Google will still scan and return results for your site, it just won’t show the “cache” link)

    function noarchive() {
        echo "\n".'<meta NAME="robots" CONTENT="noarchive">'."\n";  // emitted inside <head>
    }
    add_action('bb_head', 'noarchive');

    Note that some search engines won’t obey “noarchive” and give away a cached copy anyway. This includes Alexa and others. Also note that installing this plugin doesn’t make existing “cache” links disappear instantly, Google has to re-scan your site (eventually) and then “cache” will disappear.


    _ck_
    Participant

    @_ck_

    Oh and as far as the rest of bbPress security, the bbPress password/cookie method has never been more secure than the method used in 1.0 (and WP 2.6). It’s based on a security researcher’s design (first implemented incorrectly in WP 2.5 and bbPress 0.9)


    kannued
    Participant

    @kannued

    CK, if the password/cookie in 1.0 is the most secure, then that means I wouldn’t need the miniplug for the private area to restrict from Google and other search engines like Alexa?

    I have installed Human Test. Now, to the task of deleting all those bozos.

    The miniplug, do I put that into my template header.php? Or does it go into the directory/folder that I want as strictly private?


    chrishajer
    Participant

    @chrishajer

    I don’t see how the cookie has anything to do with google indexing your pages. Forums hidden with the “Hidden Forums” plugin won’t be indexed either. If you want to prevent anyone (including search engines) from seeing certain forums, protect them with the Hidden Forums plugin. If you want to prevent search engines from caching public forums, then use the mini-plugin that _ck_ posted.

    To use it as a plugin, just create a plugin file. The only difference between what _ck_ posted and a full blown plugin is the header.

    <?php
    /*
    Plugin Name: No Archive
    Description: Prevent some search engines from caching your forum
    */

    function noarchive() {
        echo "\n".'<meta NAME="robots" CONTENT="noarchive">'."\n";
    }
    add_action('bb_head', 'noarchive');
    ?>

     

    Now, save that as a file, something like “noarchive.php” and save it in your my-plugins folder. Activate the plugin in the admin and then load a forum page and check the headers to see if it worked.

    _ck_ likes to create one plugin called bb-tweaks.php that contains all these little function tweaks. Then you just need one header and all the little functions can be dropped into the one file.


    _ck_
    Participant

    @_ck_

    Cookies have nothing to do with reading the forum (unless there’s a hidden/private forum). Cookies are about identifying yourself as a registered member and giving you the ability to post. But a secure login method and cookie means that no-one else can pretend to be you.

    The mini-plugin is to prevent Google from showing a “cache” link on your pages when people find results from your website. They’ll have to visit your site directly, and if it’s a hidden/private forum, they won’t be able to just read it through Google’s cache (which can’t see it anyway, unless someone changes “Hidden Forums” behaviour).
