HighSide vs. Slack

Leading apps offer their users limited privacy & security

Slack HighSide
End-to-end encrypted?
Each msg/file cryptographially signed?
User identity authentication?
Built-in MDM & DLP
Relies on passwords for security? Yes No
Relies on SSL/TLS for security? Yes No
Users must trust provider? Yes No
Provider can access your data? Yes No
Max file transfer size? < 1GB 1,000 GB+
Man-in-the-middle SSL attacks? Vulnerable Protected
Phishing attacks? Vulnerable Protected
Spoofing attacks? Vulnerable Protected
Web-based attacks? Vulnerable Protected
Server-based attacks? Vulnerable Protected
Msgs/Passwords previously compromised? Hacked Never

Summary of HighSide features compared to known Slack features as of April 13, 2020.

Frequently Asked Questions

What's the difference between “end-to-end encryption” and the encryption my current service provider uses?

Encrypting data is easy; with the keys, decrypting data is also easy. When your provider talks about protecting your data with in-transit (SSL/TLS) and at-rest encryption, by default that means that they themselves (or their servers) have access to the encryption keys. This means your messages and files are necessarily decrypted and re-encrypted by the service provider, giving them full access to your messages and files. With end-to-end encryption, your data moves through HighSide's servers encrypted, and is stored encrypted. HighSide never has access to your data, only you and your intended recipients have the ability to decrypt your messages/files.

What does, “users are authenticated” mean?

Encrypting data is easy, authenticating users is not. This is where most other “secure” messaging apps let you down. Users are authenticated when you can verify their identity. Because things like email addresses and websites are easily spoofed, it's very difficult to verify someone's identity through most email, web, and even mobile applications. Even PGP struggles when it comes to easily verifying identities. HighSide users can rest assured that the people they think they're talking to are actually the correct parties (and not impersonators/hackers).

What's wrong with password-based security?

A lot. For starters, people don't use strong enough passwords. People tend to use passwords they can easily remember, even though they know they shouldn't. Even using complex multi-character passwords often isn't enough - in 2013, publisher Ars Technia hired hackers to try and crack 16,449 hashed passwords and they did so with a 90% success rate in less than an hour (including passwords up to 16 characters long).2 People also tend to reuse the same passwords on multiple websites, meaning if one website they use gets hacked their password becomes exposed across many. Additionally, because 97% of people can't consistently tell the difference between real email and phishing scams, people regularly just give their passwords away to hackers.3 Concerned with password security? Subscribe to our blog for tips on how to stay secure online.

What does, “users must trust provider” mean?

With most service providers you must “trust” them on multiple levels. You must trust that they are not accessing your data (even though many of them openly do). You must trust that they are able to adequately limit employees' access to your data. You must trust that they don't sell your information to the wrong parties. Because many apps maintain your list of contacts and send out invitations on your behalf, you must trust that their server hasn't been hacked and people's contact information changed (so that you send messages and files to hackers thinking they are the intended recipients), etc. With HighSide, you don't need to trust our server. Your team maintains its own list of verifiable contacts (authenticated users), and always maintains complete control of your own data.

My service provider has access to my private data?

Yes. Because most providers don't use true end-to-end encryption, they have (at one point or another) full access to your unencrypted data. That means they have access to your messages and files and can read them, sell them to marketers, spy and collect data on you, etc. Many providers intentionally have backdoors built into their security methodologies so they can scan your messages and files and collect data on you.

What do you mean, “provider uses data for marketing?”

Many providers scan and read every message or file you send or store on their platforms with the purpose of collecting data on you and selling it to third parties (often marketing companies).4

What are custom data retention policies?

For a variety of reasons, you (or your team) may wish to have your data stored for a very long period of time, or a very very short period of time. With HighSide, your team has the power to decide how long your data will exist on our servers (whether that's hundreds of years, or just hours). Additionally, each and every HighSide user has the ability to individually delete any message or file they have ever sent, at any time.

What are man in the middle SSL attacks?

TLS/SSL is the primary way most of these providers encrypt and protect your data. The problem with this method (aside from the necessity to then decrypt and re-encrypt it on their servers), is that it can be intercepted and decrypted by hackers with enough resources. This type of attack has even been successfully perpetrated against Google Gmail users.5, 6 For more information, read this blog post.

What are spoofing and phishing attacks?

A phishing “attack” is when hackers defraud people or companies by posing as a legitimate company and confusing people to the point where they can't tell the difference. Phishing is often combined with spoofing, which is when the hackers imitate the company they are posing as by making their website, email address, or even caller ID appear to be coming from the legitimate company. Because it's so hard to authenticate who the real sender of a message is through these apps, hackers can use unsophisticated attacks to dupe perfectly competent people into downloading malicious software or just plainly giving away sensitive information. 97% of people can't consistently tell the difference between real email and phishing attacks.3

Provider X was previously hacked?

If they are listed as hacked in this table, yes. And we're not talking about superficial hacks like websites or blogs being defaced, we're talking about stolen customer passwords or data, and breaches of the applications themselves.5, 6, 7, 8, 9 Hacks that potentially give attackers access to decrypted customer conversations and files.

1. Chart updated 3/6/17. For additional information, please see: HighSide Blog
2. Victoria Woollaston, Daily Mail, "Think you have a strong password? Hackers crack 16-character passwords in less than an hour," 2013
3. McAfee, "97% of People Globally Unable to Correctly Identify Phishing Emails," 2015
4. HighSide, Inc. HighSide Blog
5. Elinor Mills, CNET, "Fraudulent Google certificate points to Internet attack," 2011
6. Heather Adkins, Google Online Security Blog, "An update on attempted man-in-the-middle attacks," 2011
7. Greg Kumparak, TechCrunch, "Slack Got Hacked," 2015
8. Paul Ducklin, Naked Security by Sophos, "Hackers breach password database at Atlassian's 'HipChat' collaboration service," 2015
9. Ed Bott, ZDNet, "Dropbox gets hacked... again," 2012

Transform your business, enhance data security, and meet compliance requirements

Book a Demo