Private messages stored in plain text

It looks like the CB private message system stores them in plain text in the database. Is there any easy way to encrypt these to improve privacy?

Correct they're stored in plain text. No there is no way to encrypt them. Private messages do not have end to end encryption and there's no point encrypting them as if the site is compromised the encryption key will also be compromised. HTTPS handles encryption during transmission (e.g. sending a message) so be sure you're using HTTPS.

With that said we might implement optional support for this in CB 3.x though when the PMS is finally rewritten into a live messenger, but it will force off searchability of messages when enabled. We'll need to consider where the encryption key will come from as it'll need to be from a server env more than likely.

Thanks for confirming. A degree of obfuscation would avoid casual reading whilst browsing the database and wouldn't need to be properly secure.

I'm interested in the "live messenger" that you reference potentially in CB 3.0 . I'm not clear how this would differ from what's there today, other than in respect of encryption, but perhaps you're referencing something more like WhatsApp, Messenger and such like with push notifications of the messages at the client? Would that require a dedicated app too or would it leverage something that's out there already?

A degree of obfuscation would avoid casual reading whilst browsing the database and wouldn't need to be properly secure.

I would recommend not giving access to your database freely. You can also use permissions to restrict read access to specific tables. This is relatively easy to do with tools like phpmyadmin.

I'm interested in the "live messenger" that you reference potentially in CB 3.0 . I'm not clear how this would differ from what's there today, other than in respect of encryption, but perhaps you're referencing something more like WhatsApp, Messenger and such like with push notifications of the messages at the client? Would that require a dedicated app too or would it leverage something that's out there already?

It would basically function just like Facebook Messenger. It won't be a separate application or anything though and will be built into your site like the current private messenger is.

It'll differ quite a bit as conversation will be a lot more fluid being a true messenger. It'll support multi-person conversations, reaction gifs, emoji, image/video/file/audio upload built in (current implementation relies on CB Gallery, which is a bit strange). There's also plans to implement voice and video call support via WebRTC for peer-to-peer voice/video, but that may not be in the initial release.

The PMS messages will be migrated to the new messenger so there won't be any data loss either so feel free to continue using the PMS and not worry about needing to wait.

I've no real timeframe for this though as we've a lot of work to do in CB 3.x before we start rewriting core systems. CB 3.x development is scheduled to start after the CB Gallery rewrite (which I'm currently working on as we speak!). We'll be first starting off with several massive overhauls to our API and core component structure. Details about all this will be posted after CB Gallery rewrite release.