uKnowva Messenger’s security strategy covers all aspects of our product and business. Making sure your information stays protected is our highest priority.
Security basics
- All uKnowva Messenger clients (web, mobile, desktop, terminal, and integrations) require TLS encryption and authentication over HTTPS for all data transmission between clients and the server, both on LAN and the Internet. Encryption-at-rest is available with uKnowva Messenger on-premise, via hardware and software disk encryption of the database and other data storage media.
- uKnowva Messenger’s on-premise offerings can be hosted entirely behind your firewall, or even on an air-gapped network (disconnected from the Internet).
- Every uKnowva Messenger authenticated API endpoint has built in rate limiting to prevent DoS attacks.
- Connections from the uKnowva Messenger servers to Active Directory/LDAP can be secured with TLS. If uKnowva Messenger is deployed on multiple servers, all connections between parts of the uKnowva Messenger infrastructure can be secured with TLS or SSH.
- Message content can be excluded from mobile push notifications, to avoid displaying message content on locked mobile screens, and to comply with strict compliance policies such as the USA’s HIPAA standards.
- uKnowva Messenger operates a HackerOne bug bounty program to reward hackers for finding and responsibly reporting security vulnerabilities in uKnowva Messenger. Our completely open source codebase means that HackerOne’s white-hat hackers can audit uKnowva Messenger for potential security issues with full access to the source code.
Configurable access control policies
- uKnowva Messenger supports private messages (to one or more individuals), private streams with any number of subscribers, as well as public streams available to all organization members. We also support guest accounts, which only have access to a fixed set of streams, and announcement streams, where only organization administrators can post.
- By default, users can maintain their own names and email addresses, but uKnowva Messenger also supports restricting changes and synchronizing these data from another database (such as LDAP/Active Directory).
- uKnowva Messenger provides many options for managing who can join the organization, supporting everything from open to the public (e.g. for open source projects), to requiring an invitation to join, to having an email from a list of domains, to being a member of a specific organization in LDAP/Active Directory.
- uKnowva Messenger also supports customizing whether non-admins can create streams, add custom emoji, add integrations and bots, edit or delete messages, and more.
Authentication
- uKnowva Messenger supports integrated single sign-on with Google, GitHub, and Active Directory/LDAP. SAML and Okta authentication are coming soon. With uKnowva Messenger on-premise, we can support any of the 100+ authentication tools supported by python-social-auth as well as any SSO service that has a plugin for Apache.
- uKnowva Messenger uses the zxcvbn password strength checker by default, and supports customizing users’ password strength requirements. See our documentation on password strength for more detail.
- Users can rotate their accounts’ credentials, blocking further access from any compromised uKnowva Messenger credentials. With uKnowva Messenger on-premise, server administrators can additionally revoke and reset any user’s credentials.
- Administrators can deactivate any user, bot, or integration.
- With uKnowva Messenger on-premise, session length and idle timeouts can be configured to match your organization’s security policies.
Integrity and auditing
- uKnowva Messenger administrators can configure users’ ability to edit or delete messages, and whether deleted messages are retained in the database or deleted permanently. uKnowva Messenger by default stores the complete history of all message content on the platform, including edits and deletions, and all uploaded files.
- uKnowva Messenger’s server logging has configurable log rotation policies and can be used for an end-to-end history of system usage.
- uKnowva Messenger stores in its database a permanent long-term audit log containing the history of important actions (e.g. changes to passwords, email addresses, and stream subscriptions).
- uKnowva Messenger’s powerful data exports (on-premise, cloud) can be imported into third-party tools for legal discovery and other compliance purposes. uKnowva Messenger’s enterprise offerings include support for integrating these with your compliance tools.
- uKnowva Messenger supports GDPR and HIPAA compliance.
The little things
Many products talk about having great security and privacy practices, but fall short in actually protecting their users due to buggy code or poor operational practices.
Our focus on security goes beyond a feature checklist: it’s a point of pride. uKnowva Messenger founder Tim Abbott was previously the CTO of Ksplice, which provided rebootless Linux kernel security updates for over 100,000 production servers (now the flagship feature of Oracle Linux).
Here are some security practices we’re proud of, all of which are unusual in the industry:
- The uKnowva Messenger server’s automated test suite has over 98% test coverage, including 100% of uKnowva Messenger’s API layer (responsible for parsing user input). It is difficult to find any full-stack web application with as complete a set of automated tests as uKnowva Messenger.
- uKnowva Messenger’s python codebase is written entirely in statically typed Python 3, which automatically prevents a wide range of possible bugs.
- All access to user data (messages, streams, uploaded files, etc.) in the uKnowva Messenger backend is through carefully-audited core libraries that validate that the user who is making the request has access to that data.
- Only a small handful of people have access to production servers or to sensitive customer data.
- Our error handling systems are have been designed from the beginning to avoid including user message content in error reports, even in cases where this makes debugging quite difficult (e.g. bugs in the message rendering codebase).
- uKnowva Messenger has a carefully designed API surface area of only about 100 API endpoints. For comparison, products of similar scope typically have hundreds or even thousands of endpoints. Every new API endpoint is personally reviewed for security and necessity by the system architect Tim Abbott.
These security practices matter! Slack, the most popular SaaS team chat provider, has needed to award hundreds of bounties for security bugs found by security researchers outside the company.
Further reading
- Detailed security model documentation