...and the upgrade is finally complete!
Thanks for bearing with us as we revamp our back-end security. There were a few bumps in the road along the way due to the ancient version of PHP we were previously running and a nasty obscure bug with our particular version.
How about an overview of the major changes?
Upgraded password security!
Since SocialCu.be was created, the best practices for password security in PHP have changed quite a bit. We were almost ahead of our time with our original implementation... almost. Due to the aforementioned obscure bug, apparently our version of PHP actually suffered slight data loss under certain conditions during the password hashing process (it is horrible that this made it into PHP at all), but what's done is done and they've fixed the issue in subsequent releases.
Therefore, we have set it up so that as soon as you log in, your password is seamlessly upgraded to the current standard without it ever being exposed. No additional action necessary. However, if you have contact with an old user here, we strongly suggest you reach out to them just to get them to log in so that their old password isn't sitting around as is.
Unfortunately, this also brings along with it the "confirm password" field. If you were already using a password manager to log in, it should be safe to have this autofill with the same password. However, if you were typing your password manually, this is an unfortunate necessity to account for the data loss that PHP bug may have caused. Without going into technical details, we have to be extra sure it's actually you logging in, just to be on the safe side in case your password was affected by the bug.
Really sorry about this. Blame PHP for releasing broken stuff (and then not making a big deal about it so people would know when they fixed it).
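The upgrade-on-login flow described above, sketched as an added example (this is not SocialCu.be's own code). The legacy scheme, the record layout, the function names and the way the confirm field is used are all assumptions made for illustration; the post does not state them.

```php
<?php
declare(strict_types=1);

// Stand-in for the old scheme (assumption): salted SHA-256, hex-encoded.
function legacy_verify(string $password, string $salt, string $stored): bool
{
    return hash_equals($stored, hash('sha256', $salt . $password));
}

// Verify a login and upgrade the stored hash in place.
// $user is a constructed record: ['hash' => ..., 'salt' => ..., 'legacy' => bool].
function login_and_upgrade(array &$user, string $password, string $confirm): bool
{
    if ($user['legacy']) {
        // Assumed use of the confirm field: both entries must match
        // before a legacy record is replaced with a new hash.
        if (!hash_equals($password, $confirm)) {
            return false;
        }
        if (!legacy_verify($password, $user['salt'], $user['hash'])) {
            return false;
        }
        // Re-hash from the plaintext supplied at login; it is never stored or logged.
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
        $user['salt'] = null;   // the salt now lives inside the new hash string
        $user['legacy'] = false;
        return true;
    }
    if (!password_verify($password, $user['hash'])) {
        return false;
    }
    // Keep upgraded hashes current if the default algorithm or cost changes later.
    if (password_needs_rehash($user['hash'], PASSWORD_DEFAULT)) {
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample record and credentials.
$salt = bin2hex(random_bytes(8));
$user = ['hash' => hash('sha256', $salt . 'correct horse'), 'salt' => $salt, 'legacy' => true];

var_dump(login_and_upgrade($user, 'correct horse', 'correct horse')); // first login upgrades the record
var_dump($user['legacy']);                                            // record state after the upgrade
var_dump(login_and_upgrade($user, 'correct horse', ''));              // later logins go through password_verify
```

Accounts that never log in again keep their legacy hash, which is why the post asks old users to sign in once.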
Encrypted mail going forwards!
All messages starting now are going to be encrypted (both body text and subject) for additional privacy in case we ever have a breach of the mail database. We don't suspect there will be one any time soon, but better safe than sorry.
Again, this change should be pretty much seamless. You'll see your old messages just as you'd expect and any new ones will look the same (but a bit safer behind the scenes).
Upgraded PHP version!
As a necessary measure to implement the previous two changes, we've done a full sweep of the active codebase to make sure that it runs without errors in PHP 7.x. A number of changes in the PHP spec meant adapting older areas of our code to play nicely with now-deprecated functionality. Good news is that if you haven't seen any errors yet, we did a good job.
If you do see an error somewhere, PM one of the admins and we can take a look. There's a lot of code, so it's likely we just missed something.
One additional point to mention is that the site should now be slightly faster as PHP 7 brings with it quite a bit of extra performance for free, which is nice!
Added missing styling to certain pages!
If you ever reset your password or viewed the terms of service, you may have been a little sketched out, because honestly, it looked pretty bad. But fear not, it now looks consistent with the rest of the website's styling. Just seemed like a good thing to address while we were at it.
Tons of minor fixes!
In doing the code sweep, a number of long-standing minor issues were also addressed such as incorrect timestamps in the outbox and missing mod stars in the news comments. I won't bother listing all of them here since most you'd hardly even notice and honestly I didn't even bother keeping track. :P
Version number bumped to 3.1!
Self-explanatory! But this was enough change that I felt we should increase the number. Cuz we don't do that very often.
So with all that being said, what's next?
As we've mentioned previously, SocialCu.be will still not be under active development aside from security fixes and misc. non-security-related fixes like those mentioned above. We are still looking at the possibility of adding two-factor authentication and a way to reset your password if you forget it (other than contacting SLEDGE); however, those will not be implemented for at least a while. And of course, if any future issues arise with the security of the website, we will be sure to address them.
Thanks again for using SocialCu.be, and I hope you enjoy the update (even if most of it you'll never notice :P )!