11 July 2018

How to Keep Your Slack Messages Private Using Shhlack Encryption


Communicating with your colleagues on Slack is a lot of fun. The instant messaging tool brings your workplace together into a single communication portal and removes reliance on long-winded email threads of yore.

But one thing Slack doesn’t do is protect your messages. For all of its amazing positives, Slack unfortunately doesn’t feature integrated encryption.

That’s where the Shhlack encryption tool for Slack comes in. Let’s take a look at Shhlack, what it is, and how you can use it to protect your messages from prying eyes.

What Is Shhlack?

Shhlack is a message encryption service for Slack developed by Minded Security. The development of a messaging encryption tool was prompted by two things: changes to the Slack privacy policy, and GDPR compliance.

On April 20, 2018, Slack updated their privacy policy. The new privacy policy made a few additions and changes that make it easier for the owners of certain Slack plans to access the data of other users.

For instance, those with a Plus plan ($12.50 per user per month) can request access to a “self-service export tool” that allows them to download “all data from their workspace,” including “content from public and private channels and direct messages.”

Obviously, that’s quite a change. But there is another, more worrying change for Slack users:

“Automatic notices to employees will be discontinued. The employer will now decide whether users will be told their conversations are being exported.”

Before the privacy policy update, Slack users received a notification when their private messages were exported. But now, the entire Slack workspace can be downloaded without warning—so long as the Workspace Owner has previously informed its users that this is a possibility.

In a corporate environment, this equates to a formal notification that it might happen at some point, so most likely when you sign your contract.

In addition, Slack doesn’t enforce the measures. Slack confirmed to me that “it’s the responsibility of each Workspace Owner to ensure that both measures are in place” before they proceed to exporting the data via the self-service export tool.

Wait, My Boss Can Read My Slack Messages?

Your boss has a chance of reading your Slack messages if they have a Slack Plus plan or an Enterprise Grid plan. That means they’ll get to read all those super nice things you and your colleagues said about them!

However, this doesn’t completely apply to Free or Standard plans. Free or Standard Workspace Owners can use Standard Export to “export content from public channels only.” Private channels and messages require a “valid legal process,” the “consent of all members,” or the demonstration of “a requirement or right under applicable laws.”

How Does Shhlack Encryption Work?

Before Shhlack, if you and your team wanted or required the security and privacy of encrypted messaging, you would have to use a different service. That’s no longer the case, but how does Shhlack work?

Shhlack lets users who share an encryption key exchange end-to-end encrypted messages. Anyone else attempting to read those messages sees only a string of jumbled characters.

Shhlack uses Pre-Shared Keys (PSK). With a PSK, if you want Shhlack to encrypt your messages, you first have to exchange a key with your recipients in the form of a passphrase. Only other users who hold that passphrase can decrypt your messages, and vice versa.

Interestingly, you can send messages using Shhlack encryption in group chats, but people without the passphrase only see gobbledygook.

The Two Downsides to Shhlack

The idea behind Shhlack is pure. Slack is fast becoming the workplace messaging tool of choice, from small businesses to global conglomerates. Data privacy is important, and users are worried about who can peek over their shoulder.

But Shhlack has a couple of issues.

First, you have to share your keys. Obviously, you cannot share your keys using Slack because someone could export the Workspace, find your keys, and crack your messages wide open. That’s out of the question.

Instead, you have to send your keys via an alternative secure messenger, such as Signal or Telegram, then enter them in Shhlack. But if you and the recipient both have Telegram or another encrypted messaging app, why not just use that for your messages in the first place?

Second, Reddit user ScottContini points out that “there is a security issue with the implementation [of Shhlack] due to a security issue in cryptojs.”

The issue stems from how CryptoJS converts passwords to keys, and how the current Shhlack CryptoJS implementation does this in an insecure way. Read the linked post above for more information regarding this issue (as well as more links that further detail the issue).

How to Install Shhlack

Before installing, consider that Shhlack is a work-in-progress and may not protect your messages. As such, “use it with a grain of salt!”

That said, the developers over at Minded Security have made it easy for you to add encryption to your Slack messages. Shhlack is available for:

Shhlack will only protect messages on the platform you install it on. For instance, if you install the Chrome extension, messages sent from your browser are secure, but those from your desktop app are not.

Installing Shhlack is simple. Use the links above to head to the app store for your browser of choice, then follow the on-screen instructions to add it to your browser.

Alternatively, download the standalone archive, then unzip using your favorite archive tool. The standalone archive contains a number of files. Locate patch_slack.bat, then right-click and select Run as administrator.

The first time you use Slack after installing the standalone or browser extension, a Shhlack dialog box will appear. (If it doesn’t, click the Shhlack padlock icon next to the message input box, or use the Alt + S shortcut.)

It has three tabs: Send Message, Manage Passphrases, and Master Key. Open the Manage Passphrases tab and select Add new passphrase. Add a Passphrase name, then add your Pre-shared passphrase. The Pre-shared passphrase is what you need to share with your intended encrypted message recipient, or else they will only see jumbled characters.

Manage passphrases in Shhlack

How to Send an Encrypted Message Using Shhlack

Open the Send Message panel, select your Passphrase name from the dropdown menu, and type your message. Hit OK when you’re ready.

The message will broadcast to whichever Slack channel you are currently in. Anyone with your pre-shared passphrase can unlock the message and read the contents. Those who don’t will see a mishmash of characters.

Here’s what a message looks like to the sender:

Sent message in Slack, encrypted with Shhlack

And here’s how it appears to users without the passphrase:

An encrypted Slack message

You can also send a message to your current channel using the previously selected passphrase by adding the @@@@ prefix to your text. For example:

@@@@ I love MakeUseOf

It’s that easy, just like the main Slack service. And really, Shhlack can be just another aspect of Slack for you to master.

Secure Messaging Alternatives to Slack

Of course, setting up and using Shhlack isn’t ideal for everyone. For some, it’s too fiddly (even if it’s well worth learning). For others, it could directly violate workplace policy.

Don’t do anything that jeopardizes your job security. There are other messaging services out there that use encryption to keep your communications private!
