agiteg
January 23, 2024, 12:49pm
1
Hello,
The forum is written in Ruby on Rails 7.0 from the open source code on GitHub, i.e.
how secure and private is it?
BobbyB
January 23, 2024, 3:08pm
2
Primary definition of private: intended for or restricted to the use of a particular person, group, or class, as in private park. Webster definition.
Private, yes, but then anyone can join the forum by registering so the answer is NO.
Do you mean private as in not indexed by search engines? NO again.
There may be private forums for the admins and developers.
Safe as in not having vulnerabilities? Don’t know.
The safety of your activity on the Tor Project Forum depends on your threat model. As for privacy, it is a public forum.
agiteg
January 24, 2024, 12:53pm
4
Hello BobbyB && FranklyFlawless,
I asked because I want to use this open source code for our project forum, as well as create our own advanced modules etc…
## Discourse Security
We take security very seriously at Discourse. We welcome any peer review of our 100% open source code to ensure nobody's Discourse forum is ever compromised or hacked.
### Where should I report security issues?
In order to give the community time to respond and upgrade we strongly urge you report all security issues privately. Please use our [vulnerability disclosure program at Hacker One](https://hackerone.com/discourse) to provide details and repro steps and we will respond ASAP. If you are unable to use Hacker One, email us directly at `team@discourse.org` with details and repro steps. Security issues *always* take precedence over bug fixes and feature work. We can and do mark releases as "urgent" if they contain serious security fixes.
**Please note:** Due to a significant number of low quality security reports sent via email, we are unlikely to act on security reports sent to us via email unless they come from a trusted source, and include details on the vulnerability and step by step instructions to reproduce it. Theoretical reports without a proof of concept are not accepted. We strongly recommend you follow the Hacker One submission protocols.
For a list of recent security commits, check [our GitHub commits prefixed with SECURITY](https://github.com/discourse/discourse/search?o=desc&q=SECURITY&s=committer-date&type=Commits).
### Password Storage
Discourse uses the PBKDF2 algorithm to encrypt salted passwords. This algorithm is blessed by NIST. Security experts on the web [tend to agree that PBKDF2 is a secure choice](https://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage).
Discourse currently uses PBKDF2 with the sha256 hashing algorithm and 600,000 iterations.
### XSS
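The quoted Password Storage section states the scheme Discourse uses (PBKDF2 with HMAC-SHA256 and 600,000 iterations) but not how a hash is stored or checked. The following is an added example, not Discourse's own code, showing a complete hash-and-verify round trip with those parameters in Ruby's standard OpenSSL library. The 32-byte key length, the 16-byte random salt, the `pbkdf2-sha256$iterations$salt$key` record format, and the helper names are assumptions made for this example; the iteration count and digest are the ones the quoted text states.

```ruby
require "openssl"
require "securerandom"

# Parameters from the quoted SECURITY.md: PBKDF2-HMAC-SHA256, 600,000 iterations.
PBKDF2_DIGEST     = "sha256"
PBKDF2_ITERATIONS = 600_000
PBKDF2_KEY_LENGTH = 32   # bytes; assumption for this example, not stated on the page
SALT_BYTES        = 16   # assumption for this example

# Derive the raw key bytes. OpenSSL::KDF.pbkdf2_hmac is the standard-library
# PBKDF2 implementation (available since Ruby 2.4).
def derive_key(password, salt, iterations: PBKDF2_ITERATIONS)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                           length: PBKDF2_KEY_LENGTH, hash: PBKDF2_DIGEST)
end

# Produce a self-describing record "pbkdf2-sha256$<iterations>$<salt hex>$<key hex>"
# (constructed format) so the work factor and salt travel with the stored value
# and can be raised later without breaking old records.
def hash_password(password, salt: SecureRandom.random_bytes(SALT_BYTES),
                  iterations: PBKDF2_ITERATIONS)
  key = derive_key(password, salt, iterations: iterations)
  ["pbkdf2-#{PBKDF2_DIGEST}", iterations.to_s,
   salt.unpack1("H*"), key.unpack1("H*")].join("$")
end

# Constant-time comparison: the loop cost does not depend on where the first
# differing byte is, so a mismatch leaks nothing about the stored key.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Re-derive the key from the candidate password using the record's own salt and
# iteration count, then compare in constant time. Malformed records verify as false.
def verify_password(stored, candidate)
  algo, iters, salt_hex, key_hex = stored.to_s.split("$", 4)
  return false unless algo == "pbkdf2-#{PBKDF2_DIGEST}" && iters && salt_hex && key_hex
  salt     = [salt_hex].pack("H*")
  expected = [key_hex].pack("H*")
  actual   = derive_key(candidate, salt, iterations: Integer(iters, 10))
  secure_compare(expected, actual)
rescue ArgumentError, TypeError
  false
end

# True when a record was made with fewer iterations than the current setting,
# so the application can rehash it at the user's next successful login.
def needs_rehash?(stored)
  _algo, iters, = stored.to_s.split("$", 4)
  Integer(iters, 10) < PBKDF2_ITERATIONS
rescue ArgumentError, TypeError
  true
end

if __FILE__ == $PROGRAM_NAME
  record = hash_password("correct horse battery staple")
  puts record
  puts verify_password(record, "correct horse battery staple")
  puts verify_password(record, "not the password")
end
```

Because the iteration count is stored with each record, `needs_rehash?` lets an operator raise the work factor over time without forcing a password reset: old records keep verifying with their own count and are upgraded transparently on the next login.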