Three encrypted Slack alternatives worth a look

Slack is not end-to-end encrypted. Here are some options that offer better security.


It might come as a surprise that Slack, the ubiquitous collaboration tool that found success by slapping a slick GUI on top of IRC, is not end-to-end encrypted. The result is a mounting pile of sensitive data on Slack's servers, data that's vulnerable to nation-state hackers, to lawfare attacks by the U.S. government (think PRISM) and to malicious insiders (as Twitter discovered the hard way).

Companies with headquarters, or even employees, outside the United States may have particular cause to worry. According to a leaked document from the Office of the Director of National Intelligence — the Quadrennial Intelligence Review Final Report, 2009 — U.S. spies contemplated "cyber operations" to steal intellectual property (IP) from research and development centers around the world within the next five to ten years. That was nine years ago. Global companies need to consider the real possibility that U.S. spies will use mass surveillance tools to steal foreign intellectual property and share that IP with companies stateside.

A breach at Slack of either the technical or legal variety would prove catastrophic to many organizations that rely on the service.

Why not Signal? WhatsApp? Or even email?

Before we get to the Slack alternatives, you may ask, “Why not just use Signal or WhatsApp groups, or PGP-encrypted email with a long CC list?”

We can discard PGP-encrypted email. It lacks perfect forward secrecy and is unsuitable for both personal group collaboration and enterprise deployment.

Signal and WhatsApp both use the Signal protocol and offer similar confidentiality guarantees. But while both offer a desktop client, they are optimized for mobile, and neither is a good fit for enterprise deployment, where compliance with relevant data retention and deletion laws requires corporate key escrow to be effective.

Meet the Slack alternatives

Keybase Teams

First launched in 2014 in a post-Snowden attempt to bring PGP to the unwashed masses, Keybase now offers a Slack alternative called (wait for it) Teams. CSO took Teams out for a test drive and found it surprisingly mature. Adoption has yet to hit critical mass, meaning Keybase is offering early adopters what sounds like a "free forever" plan, writing in their launch blog post, "We eventually want to find a way for actual enterprises to pay, while keeping personal and community use free. And any use now is grandfathered in."


Keybase Teams with self-destruct messages

Despite Keybase's origins in PGP land, crypto (as in cryptography) geeks will be pleased to know that Teams uses NaCl under the hood and not PGP. However, by default Keybase Teams messages do not offer perfect forward secrecy, a necessary usability trade-off, the developers argue. Teams does offer a self-destruct message feature (complete with cutesy Wile E. Coyote bomb icon) that uses ephemeral keys with forward secrecy.

For small- to medium-sized teams, Keybase feels robust enough that it deserves a close look to see if it's the end-to-end encrypted Slack alternative that's right for your collaborative workspace needs.

Semaphor

Brought to you by the fine folks at SpiderOak, who offer a zero-knowledge encrypted Dropbox alternative (and there are as many reasons to drop Dropbox as there are to drop Slack), Semaphor is an end-to-end encrypted Slack alternative with an enterprise edition that should satisfy most compliance departments. SpiderOak is even planning to launch, in 2019, NERC-CIP compliant storage and collaboration in the tightly regulated energy sector.


SpiderOak's Semaphor, a Slack replacement

A red flag for us was SpiderOak's touting of its use of a "private blockchain," which comes across more as a marketing gimmick than a security plus. However, SpiderOak has an excellent reputation and its use of the otherwise dubious "blockchain" buzzword comes across as an honest attempt to punch up an otherwise robust suite of end-to-end encrypted collaboration tools.

Semaphor is aggressively seeking to monetize its product, and its free trial only includes a maximum of five users before the paid tiers kick in, making it a poor choice for budget-strapped small- to medium-sized organizations, but potentially a good fit for larger enterprise users looking for zero-knowledge cloud storage and collaboration tools.

Wickr

Wickr is gunning for the enterprise market and is the most successful of the three end-to-end encrypted Slack alternatives we've discussed here, with one major caveat: Unlike Semaphor and Keybase Teams, Wickr is not open source, although it has published its cryptography code for public inspection.


Wickr offers three-second self-destructing messages. Better not blink!

The Slack alternative also integrates with censorship-circumvention proxy Psiphon, useful for traveling executives who want to ensure always-on connectivity regardless of coffeeshop block list or Great Firewall of China deep packet inspection.

Wickr offers a free version but the company's focus is clearly the enterprise market, with compliance-friendly features that make it possible to provision/deprovision thousands of corporate mobile devices.

Mind the metadata

No current solution offers meaningful metadata protection for group collaboration (although keep an eye on mixnets in 2019). Why is this a problem? Because often, metadata is the message. For example, in December of last year, Slack booted from their service every user who had even once used an IP address in Iran. Any of these services could have done the same.

The right choice, right now

Taking proactive measures now to ensure all enterprise workspaces are end-to-end encrypted is a huge step forward for companies looking to prevent a major breach. Using and paying money for E2EE Slack alternatives helps build a more secure internet for everyone. In an interconnected world where everything affects everyone, deploying secure alternatives to Slack isn't just a great security decision, it's a sound business decision.

Copyright © 2019 IDG Communications, Inc.