Monday, April 30, 2018

Shhlack, message encryption for Slack

A common problem about centralized messaging solutions is the sharing of sensitive information during day by day use, preserving, at the same time, message integrity and privacy.

Sometimes two parties may need to share some information that is confidential and should not be accessed by a third party.

A third party could be, for example:
  • a service provider
  • an external attacker
  • a malicious operator of the platform

Conversations may be exposed to third parties, for example, in case of account compromise or by storing Slack backups insecurely.

How many users share passwords directly via Slack private messages?
I hope just a few, but the sad truth is... probably many.


Protecting Slack users Privacy after Policy Update

Scenarios are getting more complex after the introduction of GDPR and new Slack privacy policy.

Starting April 20, under the updated privacy policy, Slack compliance reports are being discontinued and the downloading options expanded. Those who buy the Plus plan can request access to “a self-service export tool” to download “all data from their workspace.” This includes “content from public and private channels and direct messages.

And most important:

Automatic notices to employees will be discontinued. The employer will now decide whether users will be told their conversations are being exported.

Employers may decide to not inform users about conversation export; therefore company Slack users may not be informed of the export with a result of not being alerted of the potential data exposure.

Even if this feature could have its benefits, it could also be abused by a malicious third party to access conversations without alerting company users.

For more information regarding the analysis of Slack privacy policy update:

Summing up the latter news and our previous concerns about centralized storage of sensitive information, we decided to create something on top of Slack in order to add per message encryption via pre shared keys, that's why Shhlack was created.

 Shhlack is an opensource tool available on GitHub:

Shhlack: Welcome to the era of encrypted Slack!

Shhlack is an extension for Slack and brings end-to-end encrypted messages in Slack workspaces.

Shhlack is available as

Shhlack is not a Slack bot. Instead it injects itself in the Slack web UI and uses Slack internal client APIs to encrypt/decrypt messages on the fly by choosing a passphrase from a set of stored keys owned by the user using cryptojs.AES JS library.

When a user receives an encrypted message and owns the correct PSK, message will be shown as preformatted text:

On the other hand any user that receives the message but hasn't Shhlack installed or doesn't own the correct PSK, will see the content as a bunch of base64 encoded "garbage":

It supports the usage of multiple keys, meaning that a user can have more than one key that can be shared with other users.

At the moment Shhlack relies on pre-shared keys that need to be exchanged between users to get the ability to send and receive encrypted messages.
To facilitate PSK exchanging it is possible to import/export the keys as base64 encoded JSON object.

Creating Messages 

In order to create a new message click on the Shhlack icon near the message bar or press Alt+S and a dialog box will appear:

  • To give Slack the opportunity to index some clear text data for future text based search it is possible to add a title that will be kept as clear text
  • then the user can choose a particular PSK from the storage
  • finally the super secret message can be written and sent.
Slack servers won't see anything in clear text, nor Slack Bots. Only users - and bots - owning the correct PSK will be able to get the unencrypted content.

Improvements and Future Expectations

If, as we hope, this project will get some traction from the public and a community will help us maintaining the code and add new features, there's a very exciting TODO list such as:
  • Use of browser WebCrypto features to encrypt the PSK set on the client itself with a secret masterkey.
  • Per channel encryption
  • Improve message rendering features, encrypt snippets and releated
  • Asymmetric message encryption via public/private certificates
  • your feature request!
Enjoy Shhlack and experiment as much as you want!

We'll be looking forward to get your feedback.


  1. How about releasing iOS and Android apps for this please?

  2. ...and also supporting Code Snippets?

  3. @Lee Wei if there's enough interest we might release a mobile version.
    about code snippets is in the TODO list :)