Mattermost Peer-to-Peer Forum

Security feature listed in about.mattermost.com


#1

Can someone shed some light on this section in the info page
"Modern security standards – Client-server data transmission deploys
with end-to-end encryption using AES-256 with 2048-bit RSA. Account
creation uses scrypt key-derivation with per-user salt to produce
hard-to-compute shared secret."
I am not able to find any such implementation on the source code.

Thanks


#2

I also am interested in this issue, as security is the main reason I am considering Mattermost.


#3

Hi @chintan, can you let us know where you found that information?

It seems out of date; we now use the bcrypt module included in Golang. For end-to-end encryption, please see the production install guides on how to securely deploy the system.


#4

Hello, @it33
I cannot find any information about end-to-end encryption on the provided link; there is only SSL by means of NGINX. The Mattermost docs here say that it supports disk-level encryption and TLS. Is that true? How can I configure such encryption? Can I use database-level encryption or something similar?


#5

Yeah, is e2ee implemented using TLS, or how is it implemented?
And one more question, if you may. Is it possible to do public key pinning via nginx headers if the iOS app renders a WebView whose data comes from the server?
Thank you


#6

@it33 Could somebody answer this? It's quite important, and I cannot start using Mattermost without knowing whether this feature is really implemented, under consideration, or won't be implemented in the near future.


#7

Hi @Darya, @shikata-ga-nai

Please see the security overview in the documentation for an overview of security features. Please let me know if the documentation doesn't answer your questions above?

Also, I wondered if you could share more about your requirements. Are they requirements from internal security policy or external regulators (or both)?

Just curious, since SSL with NGINX seems to work for most users…


#8

@it33

TLS for communication with the server is a must everywhere you use credentials.

E2E encryption should provide private messages. Sometimes you just don't want your admin to read the messages. Being one of a few sysadmins that control the server, you would like to have the possibility to send OTR messages that couldn't be picked up by your fellow admins (sorry guys :)). Sending passwords without e2ee is not wise, as they could end up in some logs/backups/mail notifications… If you communicate with your coworkers via MM on a daily basis, why should you look for an alternative method for sending passwords?

It shouldn't be so hard to imagine many more examples.


#9

Hi @rmielnik,

Please take a look at the encryption options we have today:

Let me know if one of them is what you’re looking for.


#10

Not really. There are many cases when I'd like my message to stay private. It won't be private as long as somebody else (except the recipient, of course) can read it (either by sniffing on the network or by looking into the database). TLS and encryption at rest are NOT the solution.

Rocket.Chat has it. Riot.im has it. Mattermost should have it too (IMHO).


#11

Hi @rmielnik,

Would you like to contribute this in the feature idea forum so it can be discussed, upvoted and considered for a help wanted ticket?

Please include a link back to this Forum Issue. If you’re interested in implementing, please say so and we’ll prioritize the review.

You get 10 votes in the feature idea forum, and each one influences the future of the project.


#12

I guess https://mattermost.uservoice.com/forums/306457-general/suggestions/12818799-off-the-record-messaging is high enough in voting :wink: Unfortunately it is still "under review". I'm not a programmer, so I won't help in developing e2ee, sorry.

BTW, about the "Mattermost should have it too" sentence… I suppose the more accurate phrase is: Mattermost WILL have it too (the question is when).