Enhancing your security: I now use U2F authentication

At last count, I have had 391 different clients since I started this business in 2006. So that’s at least 391 times that customers have had to send me confidential information on how to access their forums so I could work on them.

For many years, I have been using two-factor authentication. Since the data clients share with me is largely sent via email, it usually ends up in Gmail. I don’t normally delete emails you send me because there are often issues, and the conversations over email help me remember what I did for you. With two-factor authentication, it’s not enough to know my Google username and password to get into my account. You would also have to enter a code sent by text message to my cell phone. This helps explain why, to the best of my knowledge, the information you sent me has never been compromised.

However, it was still possible that someone malicious who knows my cell phone number could hijack it and complete the two-factor authentication that way. Now that’s no longer possible because I am using U2F (Universal 2nd Factor) authentication.

U2F authentication is what Google employees use to work remotely. It’s a physical key that they use for two-factor authentication. Depending on the key and your device, you either plug it into a USB port, use your device’s near-field communication (NFC), or use a Bluetooth signal as part of logging into sites that support U2F. The key gives out a public key while keeping the matching private key hidden. It will issue the public key to the authentication service, but only when I authorize it by pressing a button. The key will work only with that service, like Google.
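
A simplified model of the exchange described above, as an added example that is not from the original post or from any real U2F library: it shows the key releasing only a public key at registration, signing only after a button press, and refusing a request made on behalf of a different service. It is not the actual U2F message format, and the class name, function names and both origins are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');
// Bytes the signature covers: hashed service identity, use counter, server challenge.
function signedData(appId, counter, challenge) {
  const appHash = nodeCrypto.createHash('sha256').update(appId).digest();
  const ctr = Buffer.alloc(4); ctr.writeUInt32BE(counter);
  return Buffer.concat([appHash, ctr, challenge]);
}

// Simplified security key: one key pair per registration; the private half stays inside.
class SecurityKey {
  constructor() { this.slots = new Map(); this.counter = 0; }
  register(appId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    const keyHandle = nodeCrypto.randomBytes(16).toString('hex');
    this.slots.set(keyHandle, { appId, privateKey });
    return { keyHandle, publicKey }; // only the public half is released
  }
  // appId comes from the browser (the page's real origin), not from the page itself.
  sign(appId, keyHandle, challenge, buttonPressed) {
    const slot = this.slots.get(keyHandle);
    if (!buttonPressed || !slot || slot.appId !== appId) return null;
    const counter = ++this.counter, data = signedData(appId, counter, challenge);
    return { counter, signature: nodeCrypto.sign('sha256', data, slot.privateKey) };
  }
}

// Service side: verify against its own appId and challenge; the counter must advance.
function verifyLogin(appId, account, challenge, response) {
  if (!response || response.counter <= account.lastCounter) return false;
  const data = signedData(appId, response.counter, challenge);
  const ok = nodeCrypto.verify('sha256', data, account.publicKey, response.signature);
  if (ok) account.lastCounter = response.counter;
  return ok;
}

function demo() { // constructed scenario; both origins are hypothetical
  const REAL = 'https://accounts.example', FAKE = 'https://accounts-example.test';
  const key = new SecurityKey();
  const account = { ...key.register(REAL), lastCounter: 0 };
  const challenge = nodeCrypto.randomBytes(32);
  const good = key.sign(REAL, account.keyHandle, challenge, true);
  return {
    genuine: verifyLogin(REAL, account, challenge, good),
    replayed: verifyLogin(REAL, account, challenge, good),
    noButton: key.sign(REAL, account.keyHandle, challenge, false) === null,
    lookalike: key.sign(FAKE, account.keyHandle, challenge, true) === null,
  };
}
console.log(demo());
```

The genuine login verifies once; the same response replayed is rejected by the counter check, and the key returns nothing without the button press or for the other origin.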

What this all amounts to is that the information you send me is even safer, exponentially so. Now a malicious person would need not only the username and password to my Google Account, but would also have to get one of these physical keys from me. That’s not impossible, but so unlikely as to be effectively impossible.

I do depend on Google’s security system, however. But if Google’s accounts are successfully hacked, millions of us are going to be in a heap of trouble. Hopefully such a breach would affect only those not using two-factor authentication.

Google always lets me know if a new device has attached to my Google account, via various means including text messages and emails to my primary and alternate email accounts. So in the event something like this happens, hopefully I could take action to mitigate any danger before any vulnerabilities are exploited.

So rest assured your information is as safe as I can practically make it. I would never betray the trust you place in me.

Filter by country version 1.0.8 released

The VPN-only feature has been removed because it didn’t work. This version will also check a number of HTTP headers for IP addresses, since there are many possibilities including headers from content delivery networks like Cloudflare. More here.

It can be downloaded from the extension’s page or on GitHub. If downloaded from GitHub, make sure to place it in an /ext/phpbbservices/filterbycountry folder.

Selective mass emails extension version 1.0.6 released

I left a mistake in version 1.0.5. It facilitated my testing, and I just forgot to correct it. It’s related to the new feature to count unapproved posts. It was counting approved posts instead, which was much easier to test than creating an account and setting up a bunch of unmoderated posts. Happily, it was a one-line code fix.

It can be downloaded from the extension’s page or on GitHub.

Edit subscribers bug fix

If the edit subscribers feature of digests is not working for you, except possibly the pagination feature, you are not alone. I haven’t had any issues with it in my development or test environments, but others have. Anyhow, if this is happening to you, there is now a solution, which is described in this post.

The fix will be rolled out in the next release of digests, version 3.2.16, which is in development.

Update October 10, 2019: According to this poster, the <form> tag needs to have the novalidate attribute set as well. This post describes how this template can be appropriately changed.