There were a few important security improvements to the Private Message system that we wanted to push through fast, so this update is focused almost entirely on those. There were also a couple of important bug fixes to the Private Message View page.
* Added: Private Message contents are now encrypted on disk/database using AES-256 in CBC mode. Not foolproof, but it provides a bit more protection against a variety of common web application and operating system attacks. Please note that moderators can still see your private messages.
* Removed: You can no longer search the message text of Private Messages. Searching by date, sender/recipient and subject still work fine. Content search is not possible now because the messages are encrypted on disk and that prevents the database from being able to index and search them efficiently or securely.
* Added: Moderator accounts are now heavily restricted on how many Private Messages they can view over a set period of time. This allows moderators to do their job but prevents a moderator account being used to harvest large numbers of private messages from the system in the event of an account compromise.
* Added: A few other minor security measures have been added to help prevent moderator accounts being used to harvest private messages in the event an account is compromised.
* Changed: The way the system tracks message threads has been changed to be more efficient, and to allow logging of who has viewed which threads recently.
* Fixed: A bug was causing messages to be marked “replied to” in your inbox even if you hadn't actually replied to that message yet. This would happen if someone messaged you twice in the same message thread before you had a chance to reply for yourself.
* Fixed: A couple of bugs caused the Private Message view to behave oddly when displaying very long threads. When it was collapsing message threads into the “expand” box, it would sometimes fail to show some messages in the thread even after “expand” was clicked.
* Changed: Private Messages view will now always show the first two messages in a thread, the last two, the “focused” message and one message either side of that focused message. If there are 6 or more messages in the thread before or after the focused message, the excess messages will be collapsed into an expandable box. All this makes the content of long threads much nicer to view.
* Fixed: A bug was allowing the keyword/username autosuggester to pop up even after the target textbox was no longer focused.
* Fixed: The username autosuggester on the Private Message Search page was submitting the search as soon as you clicked a username in the suggestions list. Now it will wait for you to click the Search button after making a suggested username selection.
Please see the complete Site Revisions History for a list of changes to the site since it was launched. That page is getting a bit out of date, but we promise to update it asap. :P
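The at-rest scheme the changelog describes (message bodies encrypted with AES-256 in CBC mode, so the database can neither index nor search them) is easy to get subtly wrong, so here is an added, self-contained Go example of that scheme; it is not the site's own code. The `MessageCipher` type, the 32-byte key requirement and the `IV || ciphertext` storage layout are this example's assumptions, not anything the post specifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// MessageCipher wraps the site-wide AES-256 key used for private message bodies.
type MessageCipher struct{ block cipher.Block }
// NewMessageCipher accepts only a 32-byte key: aes.NewCipher would also take
// 16 or 24 bytes, silently giving AES-128/192 instead of the advertised AES-256.
func NewMessageCipher(key []byte) (*MessageCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail once the length is right
	return &MessageCipher{block}, nil
}

// Encrypt pads the body (PKCS#7), draws a fresh random IV for every message and
// returns IV || ciphertext, the value that would be written to the database column.
func (m *MessageCipher) Encrypt(body []byte) ([]byte, error) {
	n := aes.BlockSize - len(body)%aes.BlockSize
	padded := append(append([]byte{}, body...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(m.block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// Decrypt reverses Encrypt and checks the padding. CBC alone gives no integrity (a row
// altered on disk decrypts to garbage or a padding error), so add a MAC or use an AEAD mode.
func (m *MessageCipher) Decrypt(stored []byte) ([]byte, error) {
	if len(stored) < 2*aes.BlockSize || len(stored)%aes.BlockSize != 0 {
		return nil, errors.New("stored value too short or misaligned")
	}
	plain := make([]byte, len(stored)-aes.BlockSize)
	cipher.NewCBCDecrypter(m.block, stored[:aes.BlockSize]).CryptBlocks(plain, stored[aes.BlockSize:])
	p := int(plain[len(plain)-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(plain[len(plain)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("invalid padding")
	}
	return plain[:len(plain)-p], nil
}
```

Because every message gets its own random IV, two identical bodies produce different stored values, which is also why a plain `LIKE` search over the column can no longer work.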
Fantastic - and I mean that without sarcasm. I really love how our security is apparently your primary concern. That you have chosen to remove a useful feature (body-text search) for reasons of security, and to weather the cries of anguish, speaks really well of you.
I imagine it hurt to remove it, but it's a tricky problem. You'd have kept it if you could, but you genuinely care about our security.
One possibility might be [over-complicated suggestion moved to Support Ticket, where I should have put it in the first place.]
I see no easy solution, so I think you made the right call, and I'm really glad you thought about it.
All good, but I'm liking the limiting of how many pms a mod can read in a certain amount of time the most. Great way to prevent a compromised account from being abused too much is to only give mods the abilities they need.