We have received some concerns and questions about the security of the server.
There is the difference between the public channels and private channels and direct messages.
Consider public channels as open as anything else on the internet. Think of it as that cops and journalists read everything in the public channels.
Is this a reason not to use the public channels? Or the chat at all? We do not think so. It offers a way to connect with anyone who wants to help with Code Rood and allows working groups to share what they are doing.
Use private channels for things that you do not want everyone to know. But check and control who is a member of the channel! Also consider the fact that anyone joining later can read back the history of the channel!
Private channels are slightly more secure than email lists. Private channels and direct messages are better than sending text messages and sending unencrypted emails (such as mail lists). Especially if you use e2e encryption. It really doesn’t take much for cops to be able to read text messages and unencrypted mails.
In order for cops to get into private channels they either need to:
We counter these possibilities in the following manner:
As with all digital communication:
Consider anything you post on chat compromised, even if it is encrypted (see below).
Ask yourself for anything you post or say how it would feel if it were to be read aloud in a court case against you or one of your comrades.
e2ee means that the messages are encrypted and decrypted on your device and that the server is not able to decrypt it, it just sends the messages without knowing the content. In this case, if the server is compromised your messages are not. It works with the same principle of Signal. It is good to use this, but like always it has some downsides. You can’t search through e2ee messages/channels and you have to log in on each device that you are logged in to on the chat server.
By default e2ee is NOT on. You have to turn this on per channel/group/DM yourself. e2ee is currently not supported on the apps for Android and Apple.
Read how to enable e2ee here.
Signal is probably more secure. The chat server only needs to be compromised once and all the data is compromised, whereas Signal is distributed. Also a thing to consider is that Signal has the option to auto-delete messages which is a very good thing.
PGP encrypted email is probably also more secure. However, this requires you to properly take care of your private key.. so.. yea maybe not in practice but in theory perhaps.
Riot.im/matrix is also nice, looks very promising and has advantages over rocket.chat but we tested it and found it too user unfriendly.
Mattermost is probably a reasonable alternative to Rocket chat but it did not have the option to enable e2ee and it is not completely open source.
Slack. Can not be self hosted. Can not be encrypted. Has USA jurisdiction.
Discord. Can not be self hosted. Can not be encrypted. Has USA jurisdiction. The company is known to violate your privacy and is generally anti-privacy.
Obviously the best way to keep information safe is to keep it off the computer and off the internet. But we have to organize! This is why we use the chat server.