
Which leads to the question if Slack encrypts the chat data in the database.


That would make implementing search quite hard so I'd say - it's pretty likely they don't encrypt it.


If anyone from Slack is reading this, the encryption should be an option, even if it means disabling or substantially slowing the search feature.


If they encrypted it, Slack would have to hold the key, so that all users in an org can then read existing messages.


No, it could be a private key shared among users.


That's not right. There is no need to store text body in order to index it. Furthermore, you can implement an index of token hashes, rather than an index of tokens.


It would remove a lot of nice search features, however. If you just index tokens without positional information, you have a much harder time performing phrase matching. If you include positional information, you can probably crack the encryption because some tokens are statistically more likely to appear next to each other than others.

If you index shingles (phrase chunks) instead, you lose out on sloppy phrases...you can only match exact phrases. I imagine you can perform a similar statistical attack too.

Hell, just getting the term dictionary would probably allow you to reverse engineer the tokens, since written language follows a very predictable power law.

Hashing also removes the ability to highlight search results, which significantly degrades search functionality for an end user.

Basically, yes, you can do search with encrypted tokens...but it will be a very poor search experience.
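Added example, not part of the thread: a minimal index of token hashes as discussed in the comments above, showing that exact-token search works without stored plaintext, that phrase order is lost, and that posting-list sizes still expose the word-frequency distribution. It uses a keyed HMAC-SHA-256 rather than a bare hash, which is an assumption of this example; the key, sample messages and function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Assumption: a per-workspace secret kept outside the index store.
INDEX_KEY = b"constructed-demo-key"

# Constructed sample messages (message id -> body).
MESSAGES = {
    1: "the deploy is done",
    2: "the build failed on the deploy step",
    3: "restart the build and the deploy",
    4: "the password rotation is done",
}

def token_hash(token, key=INDEX_KEY):
    """Deterministic keyed hash of a token; the index never stores the token."""
    return hmac.new(key, token.lower().encode(), hashlib.sha256).hexdigest()[:16]

def build_index(messages, key=INDEX_KEY):
    """Map token hash -> set of message ids (no positions, no plaintext)."""
    index = defaultdict(set)
    for msg_id, body in messages.items():
        for tok in body.split():
            index[token_hash(tok, key)].add(msg_id)
    return index

def search(index, query, key=INDEX_KEY):
    """AND-search: ids of messages containing every query token, in any order."""
    sets = [index.get(token_hash(t, key), set()) for t in query.split()]
    return set.intersection(*sets) if sets else set()

def hashed_doc_freqs(index):
    """Posting-list sizes, readable by anyone holding the index without the key."""
    return sorted((len(ids) for ids in index.values()), reverse=True)

def plaintext_doc_freqs(messages):
    """Document frequency of each plaintext token, for comparison."""
    df = Counter(t for body in messages.values() for t in set(body.lower().split()))
    return sorted(df.values(), reverse=True)

if __name__ == "__main__":
    idx = build_index(MESSAGES)
    print("token search 'password':", search(idx, "password"))
    # Order is lost: both queries match, and no phrase check is possible.
    print("'the deploy' vs 'deploy the':", search(idx, "the deploy"), search(idx, "deploy the"))
    # The frequency histogram survives hashing unchanged.
    print(hashed_doc_freqs(idx) == plaintext_doc_freqs(MESSAGES))
```

The query "build deploy" returns messages 2 and 3 even though that phrase appears in neither, which is the phrase-matching loss described above; highlighting is likewise impossible because the index holds no text to mark up.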


If they don't encrypt storage they are highly negligent. Index and search are done in RAM, which is slightly harder to steal than disk data.


This reminds me of the plot of Silicon Valley


Is there a good reason to keep chat data longer than it takes to deliver it to the recipient?


They archive chat messages so that you can search through them later.


That alone would be a great reason not to use them.


It's also a great reason to use them, isn't it? Your searchable chat history basically becomes the knowledge base of your company.


And a great target for discovery in any sort of lawsuit.


As is email.


To me, that is something that you should keep internal, on internal systems with vetted free software.


https://slack.zendesk.com/hc/en-us/articles/203457187-Settin...

It's configurable for paid accounts, and can be set as low as one day. However, one of the best features of Slack (and products like Slack) is message history and search. Otherwise, IRC isn't all that different (WRT messaging).


It's why I love Slack. If I remember a conversation about something two months ago I go to the room, search and find exactly what I needed.



