What do you think of BLF's forum software?

I had an e-mail conversation with the Bitwarden creator back when it first launched (started in the BizSpark program in 2016) and they were forthright about their business model and intention to get the software audited. I had no concerns afterwards, but still waited to recommend it until after it was on every platform and had matured enough to pass an audit, which it did (as manithree said).

I now recommend it and though it’s free to use even for a 2-person account, I highly suggest paying for the $10/yr Premium or $12/yr Family subscriptions as it’s easily worth that and supports a company whose software is fully open source; it’s rare for a business to operate this way. It’s much cheaper than similar LastPass plans as well, which is still largely closed-source.

Though people are welcome to host their own Bitwarden server, I recommend using the official server as it’s managed by Microsoft Azure and thus has a lot more protection than your own server likely would. Bitwarden doesn’t manage any servers of its own, which means that they can focus on the software itself and the account system. Even then, the password data is client-side encrypted as manithree points out, so your master password can’t be guessed so long as it’s random and more than 14 characters.

I personally use KeePass, but I recommend Bitwarden as it’s fully open source, yet already integrated with the Cloud so that users don’t have to know anything or do anything :wink: . It doesn’t have all the technical bells and whistles of KeePass, but it’s much simpler and thus easier for “normal” people to use. I tested the Bitwarden Firefox extension recently and it worked well. All the clients offer a highly unified interface.

I like and use KeePass

I really like BLF’s forum software… more than any other forum I’ve ever used.

It has been very effective at fostering a healthy and productive community. It works on pretty much any device, including low-end “Web 1.0” browsers which I use very frequently. It doesn’t use a ton of RAM or CPU, and doesn’t cause browsers to bloat if a page is left open for a long time. It has a clean layout and a very useful feature set. It responds quickly, and it allows sb to respond quickly when people find creative new ways to make trouble. In general, it “just works”, which is a rare and valuable trait.

And one more big thing, which I haven’t seen in any other forum software — it’s unusually expressive. It doesn’t restrict users to an overly simplistic markup language, so people have a great deal of freedom in how they format their messages. Instead, it allows the majority of HTML and CSS. Want an emoticon the site doesn’t have? No problem — just link it from another site. Want a fancy table in your post? No problem. Want specific fonts, colors, an image which changes on hover, or even animations? No problem. If you can express it in HTML, it’s probably possible… with no need to learn any weird site-specific languages.

For example, the thing I do with custom avatars on a per-post (or even per-paragraph) basis isn’t possible on any other forum software. (or a variety of other fancy formatting… the quoted post there is not a screenshot)

But there are some things I’d probably change:

  • Add HTTPS
  • Add a dark theme, since client-side overrides aren’t always possible

Those are the main things. Given enough time and enough boredom though, I’d probably get into some other enhancements too…

  • Add username notifications
  • Add an Approval Voting option to the polling system, or perhaps even a Condorcet system
  • Add a +1/-1 comment rating system, but not like Reddit. People could see and edit their own votes, but it wouldn’t be visible to others. It would instead track the affinity between people, and emphasize or de-emphasize posts based on whose posts the viewer liked or disliked in the past. If you usually like someone’s comments, it would make those stand out… and if you usually dislike someone’s comments, it would make those look partially faded out. So, kind of like an automatic “follow / ignore” system. Also, if a post/person/thread gets a lot of dislikes in a short time, it could let the admin know there might be trouble to resolve.

Those aren’t really important though; just ideas I think could be neat. As I said, I’m pretty happy with things already, with no changes. Usually when I’m on other forums, I find myself sad that it doesn’t have BLF’s features.

I am here to point out an issue which I often have to deal with. As most of you should be aware, this forum has two editors: simple and advanced. The advanced is HTML, has all the bells and whistles, and supports emoticons too, but for some reason someone forgot to add an emoticon button to it (you can copy and paste their simple post editor :BLUSH: identifiers); the simple can do most stuff a regular user may want. However, there is a problem whenever someone using the advanced editor wants to quote a message written with the simple post editor: it needs to be edited for it to look right because the advanced editor doesn't support the encoding used by the simple post editor in most aspects (text format, images, links, etc.). And when someone mixes an advanced editor post into his simple post editor one, well, let's say I would prefer for the editor to be unified.

Also, please be aware that when you try to post a link which employs non-ASCII characters you must click/tap the link button in the editor. Failure to do so leads to broken links with the simple post editor, and/or formatting issues when super long links (full of tracking crap) are involved.

I don’t run my own server, mostly because it’s easier for my wife to share my bitwarden vault without having to configure clients and plugins. I switched from keepass recently, and I’ll probably pay for a bitwarden account after I’ve finished my evaluation.

But knowing I have the option to keep using bitwarden, even if they go out of business or are purchased by Oracle, is very important to me.

I honestly don’t understand the mindset of people who can convince themselves to use a closed source password manager. I can kinda see how Linux is not for everybody (I guess), but blindly trusting one company with all your passwords, with no way to verify how they are transmitted or stored, is weird to me. I guess it explains why so many scams work, though.

+1 for BitWarden.

^ This. I had forgotten about that in my initial post, but it is painful to deal with quoted text and links in the different editors. I mostly use the Simple editor myself, but I have to modify quoted text/links so that they’ll work correctly. Many people won’t know much about how to use the markup manually.

I agree with TK that it’s nice to use a forum in pretty much the same way as I did in 1999 :partying_face: . I do understand why it became taboo to allow HTML in user submissions, though :smiling_imp: . Separating post markup from page markup was probably the right move, though obviously some forum developers managed to keep it safe enough to last BLF into 2020 and beyond :beer: .

It still allows some extremely obnoxious things… which I’ll take the opportunity not to demonstrate here. But those things haven’t been an issue because, in general, people either don’t want to or don’t know how. In the rare cases that someone has both the ability and the willingness to attack the forum, sb has been vigilant at taking care of the mess.

If the site were scaled up to millions of users instead of thousands, it would probably be necessary to lock down all potential attack vectors. But we’re a relatively small crowd, so that hasn’t been necessary.
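Two technical points from the thread sit together here: a forum that accepts raw HTML has to strip script-capable markup and event handlers (the "obnoxious things" above), and a link containing non-ASCII characters needs percent-encoding and an IDNA host before it survives an ASCII-only editor (the broken-link problem mentioned earlier). The following Python is an added example and is not BLF's forum code; the tag, attribute and style allowlists are assumptions chosen for illustration, and the sample post is constructed.

```python
"""Allowlist sanitiser for user-submitted forum HTML (added example, not BLF code).

It uses the standard-library HTML parser rather than regexes, so the tags it
sees are the ones a browser would see.  Allowlists are illustrative assumptions.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit, urlunsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "span", "ul",
                "ol", "li", "table", "tr", "td", "th", "blockquote", "code", "pre"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"},
                 "span": {"style"}}
# Removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript", "template"}
ALLOWED_SCHEMES = {"http", "https"}
# One CSS declaration: a property from a short list, and a value that contains no
# parentheses, slashes, backslashes or double quotes (no url(), expression(), escapes).
STYLE_DECL = re.compile(r"^\s*(color|background-color|font-family|font-size|font-weight)"
                        r"\s*:\s*([#\w\s,.%'-]+?)\s*$", re.I)
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def safe_url(value):
    """Return an absolute http(s) URL with non-ASCII parts percent-encoded and an
    IDNA host, or None if the link must not be emitted at all."""
    # Browsers ignore leading C0 controls/space and tab/newline anywhere in a URL,
    # so normalise the same way before looking at the scheme ("java\nscript:").
    value = value.strip(C0_AND_SPACE).replace("\t", "").replace("\n", "").replace("\r", "")
    try:
        parts = urlsplit(value)
        port = parts.port                       # ValueError on a garbage port
        host = (parts.hostname or "").encode("idna").decode("ascii")
    except (ValueError, UnicodeError):
        return None
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not host:
        return None  # rejects javascript:, data:, vbscript: and relative links
    netloc = host if port is None else f"{host}:{port}"   # userinfo is dropped
    keep = "%:@-._~!$&'()*+,;=/"                          # RFC 3986 chars left as-is
    return urlunsplit((scheme, netloc, quote(parts.path, safe=keep),
                       quote(parts.query, safe=keep + "?"),
                       quote(parts.fragment, safe=keep + "?")))


def safe_style(value):
    """Keep only declarations matching STYLE_DECL; everything else is dropped."""
    kept = []
    for decl in value.split(";"):
        m = STYLE_DECL.match(decl)
        if m:
            kept.append(f"{m.group(1).lower()}: {m.group(2)}")
    return "; ".join(kept)


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text is still emitted, escaped
        pieces = []
        for name, value in attrs:               # parser already lowercased names
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                        # this removes onclick=, onerror=, ...
            value = value or ""
            if name in ("href", "src"):
                value = safe_url(value)
            elif name == "style":
                value = safe_style(value)
            if value:
                pieces.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(pieces)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            while self.open_tags:               # close anything left open inside it
                opened = self.open_tags.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))
    # Comments, doctypes and processing instructions are dropped by the base class.


def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out) + "".join(f"</{t}>" for t in reversed(s.open_tags))


# Constructed sample post: common attack patterns mixed into legitimate markup.
DIRTY_POST = ('<p onclick="alert(1)">Hi <b>there</b><script>alert(document.cookie)</script>'
              '<a href="javascript:alert(1)">x</a><a href="https://bücher.example/straße?q=ä">link</a>'
              '<img src="http://a/b.png" onerror="alert(1)"><span style="color:red;background:url(x)">s</span></p>')

if __name__ == "__main__":
    print(sanitize(DIRTY_POST))
```

The design choice worth noting is allowlist over denylist: every tag, attribute, URL scheme and CSS property has to be explicitly permitted, so a new browser feature or an obscure encoding trick cannot slip past a list of known-bad strings. Keeping the formatting freedom the thread praises (tables, colours, fonts, hot-linked images) and removing script execution are not in conflict; the two live on different lists.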

I meant to include,

“_Separating post markup from page markup was probably the right move, though obviously some forum developers” and administrators “managed to keep it safe enough to last BLF into 2020 and beyond._”

The glaring lack of HTTPS is a major issue that will likely eventually sink the site if not addressed. There are other usability concerns and so forth that need looking at, but SSL is the big one that needs to be looked at first.

But then I work in IT security and have to worry about this stuff for a living.

This pops up from time to time. If members use a password unique to this site, what is the concern? There is no financial information of any members on file and extremely limited personal information.

Because eventually Google et al will start adding big security warnings to sites that aren’t secure, and the only way people will be able to browse this site will be by clicking through these warnings.

Then you also have to consider the amount of personal information that does exist, like all the buys and sells where people have PM’d each other addresses. There really should be a warning message on the direct messaging system saying that it is not secure and any personal information should not be sent through the system.

Lastly, security is one of these areas where everything is fine or an accepted risk, until suddenly one day it becomes a huge problem.

Here we go again with https? Whether the site sinks or not, it sure isn't going to be because of https. I have not spoken with sb56637 about this, but I'm fairly sure both https and new forum software will come along together. Not because of the forum software, but due to the increased hardware requirements. More powerful web servers are required for https to work with fluency. And as others are saying, there's really no point in httpsing this site. No point other than having to @#$% someone else's @#$% because @#$% @#$%, I mean.

It keeps coming up because not having SSL is a problem. If SSL is coming for a new version of the forum then this is awesome. But quite often the attitude I’ve seen expressed is that SSL is a pointless indulgence that isn’t needed, and frankly I find this more concerning than the actual lack of SSL itself.

Honestly, I really like it.

There are 2 things that could be improved about it, and one of them would be costly.

1. Allow for mentions. :smiley:
Would be way too powerful however.

2. Allow for the upload of <1MB images.
It would be easy, and not cost too much actually, but there would still be a cost.

@Vako
Why do you worry about those that believe SSL is not needed? It is no magic bullet and today’s TLS-encrypted Internet is more dangerous than ever. One day they’ll even start inventing SSL for our SSL :wink: .

The certificate system itself has arguably been providing a false sense of security for at least a decade; most world governments either control their own cert authorities or can obtain any ally’s certs within hours or days. Authoritarian govs may even require every device to install a national root cert and treat their whole country like a corporate network.

SSL mostly just avoids the Firesheep problem :wink: . I say that jokingly, but not entirely so.

I think we’re probably re-hashing old issues, but SSL/TLS is not crucial for “security”; it’s primarily needed because Chrome will eventually scare visitors into not coming to BLF because big scary warnings will pop up.

Vizzini: You want to send plaintext over the Internet? Inconceivable!

Montoya: You keep using that word, I do not think it means what you think it means.

So… SSL will eventually be necessary for the site to attract new users, but not because it keeps the site more secure; SB will be fighting just as many demons with HTTPS as he does today with HTTP.

BLF could likely have lived without SSL indefinitely with a few exceptions: it would be nice to have SSL during sign-in and for the “private” messaging system (and private forums). Since the days of sign-in-only SSL sessions are long gone, the writing is on the wall; everything must be TLS.

The browsers are even clamping down on all mixed content, which will eventually affect image posting here.

@Barkuti
It’s my understanding that SSL/TLS is no longer a speed issue for servers. Most everything in the process has been highly optimized and sometimes hardware-accelerated. HTTPS is usually faster, and faster for you usually means less work for the server as well.

There’s also this speed comparison tool. I don’t know if it’s truly applicable to all situations as it’s obviously taking extreme advantage of HTTPS connection re-use, but it makes its point, regardless.

If we didn’t improve the world for the reason the new tech isn’t 100% perfect, we would still be living in caves and wondering what a perfect hammer might look like. :person_facepalming:

And how is “improving the world” defined? Technological development is not our prime goal, but spiritual. There is a myriad of conscious energies around us which the physical senses can't notice.

I can’t see x-rays, the TSA must be wizards!

I prefer this to other forum software I have seen. It seems to be faster.