End-to-end Encryption for Chat

Continuing the discussion from Introducing Discourse Chat (BETA):

Just wanted to separate this out as a feature request: implementing end-to-end encryption in the new chat feature.

I think this could be a game-changer, in terms of me as an admin not wanting to have access to people’s personal chat messages, me as a member not wanting other admins to have access to my personal chats, and also in how Discord, Slack, and most others don’t offer this as an option.

I imagine it may not be a first priority, and yet hope it’ll come in the next 7 months :slight_smile: Thank you for all you do with Discourse and the new chat function.

17 Likes

This is already fully implemented with Discourse Encrypt (for Personal Messages)

Works awesome.

I can confirm the encrypt plugin makes private messages between users impossible to read without decryption keys. No admin snooping is possible.

Matrix, Signal, Rocket.chat, Wire offer e2e and are open source. Then there is Whatsapp and Telegram. Just to be clear for anyone else reading this.

Be sure to try out Discourse Encrypt. Works great! Full encryption you add to your session in order to access your encrypted messages between you and x other people. No dependence on categories or other functionality, which is how the chat works. Zero complaints!!!

4 Likes

Ah yes, I could have been more clear: I love that it exists for private messages (topics) and I also want it to exist for the new real-time private chat messages.

I also could have more clear on this. What I meant was that I don’t think private message e2e exists much in the more community-/forum-oriented platforms: Discord, Circle, Slack, Teams, Guilded, Zulip, etc. Yes many primarily 1-1 or group chat platforms have it, as you mentioned. Maybe Matrix, Rocket.chat, and Wire are used similarly for community management but I don’t think they have as many community features.

Anyways, I also love it for private topics and am excited for it in private chats as well :slightly_smiling_face:

5 Likes

I would love end-to-end encryption in real time chat!

:star_struck:

But here’s the thing: encryption for private messages drastically reduces the uses for those messages.

It isn’t always obvious at first. You can add and remove people from private messages, you can use them in your editorial workflow (I use them to capture notes, before sharing them more broadly!), all kinds of things. Encrypt them and suddenly a lot of what we can do is not longer appropriate, given the nature of the encryption involved.

Okay, so now apply that to real time chat.

Uh oh! We are suddenly going to lose a lot of not only what makes a chat channel interesting, but we’re also going to lose what makes Discourse chat interesting: advanced features that are developing as we figure out how to integrate chat into the knowledge capture processes folks already use Discourse for; adding encryption to that will drastically reduce the usefulness of chat, in this case.

I’m a supporter of encrypt-all-the-things! I use OMEMO for all my personal chats, on a server I control. But there are trade-offs, and they are not what I’d want to apply to Discourse Chat. What we’ve got is going to be something very cool on its own. :sunglasses:

Also, encrypted PMs are like, already real time chat channels, so there’s that!

2 Likes

I see Discourse as being divided into such parts:

Email-like—“Topics”

  • Public—“Topic” (with default category security settings of “everyone”, fully public if the site is not login required)
  • Semi-public—“Topic” (with category security settings restricted to groups)
  • Private—“Personal Message” (restricted to invited individuals only, I believe)

Chat-like—“Chats”

  • Public—“Channels” (open to registration but hidden by default, not fully public because not available to non-logged-in users)
  • Semi-public—“Channels” (with category security settings restricted to groups, I think)
  • Private—“Personal Chat” (restricted to invited individuals only, I believe)

As you mentioned, I can see such downsides of using encryption for private topics (personal messages), as I see them very similar to sending a private email: sometimes they’re used for drafts, sometimes we want to cc people to bring them into the loop, sometimes we want to forward it, turn it into a public discussion, etc. I still like the benefits of knowing that something is labeled personal is not readable by an admin, but can see some of the tradeoffs.

I also can see the downsides of encryption for public and semi-public chats (channels), as it would make it hard to quote chats into a topic, and even the old, maybe-new-again feature to move chat messages to topics. I like those abilities and wouldn’t want to hinder them; plus, with them being public and semi-public, I have more of an expectation that an admin should be able to read them all.

I strongly still desire e2ee for private chat (personal chat). I rarely if ever will bring another person into a specific chat, instead starting a new group chat. I rarely will use them as drafts or want to convert them into something in a public/semi-public chat channel. I guess I see them as the most intimate form of communication we have online and FB and other platforms don’t have default e2ee on their private chats and many people don’t mind, I think the risk is much higher on smaller communities, as it’s harder to hide in the crowd of millions/billions of people.

I do work with emotions, helping people deal with conflict and say how they’re feeling, and I’ve turned on encryption for private topics and will probably try to turn off the ability for people to send private chats to anyone but me until e2ee exists for it, because I want them to be fully aware that any chat they send, I can see.

So yes, I can see why it may limit other functions on private topics and public/semi-public chat channels, I just really want the most private space on the platform to be as private as it can be.

7 Likes

Continuing the discussion from Federation support for Discourse and from Discourse Chat Beta:

Perhaps Discourse chat could consider supporting Matrix federation and e2e encryption (based on Signal). See this post about Rocket.chat formally announcing they will support Matrix standards moving forward.

Personally, I find Matrix fantastic. So, certainly worth considering a possible path; at least it makes for interesting conversation. :smile:

4 Likes

Any updates on whether e2ee for chat messages is still on the roadmap?

1 Like

This is not yet something we plan to do in the near term.

6 Likes

Ah, I’m really bummed to hear that. I was really excited for this feature because as a user, I rarely use chat platforms that don’t have e2ee because I don’t want the company having access to one of the most intimate conversation formats, and as the admin, I really don’t want to see what people are sending each other or be legally responsible for it.

If it won’t be something in the near term, I probably see myself disabling personal chat for all the forums I manage, unless I specifically start the personal chat with a person or people so they are fully aware that I’m always privy to the conversation.

3 Likes

One option that may address your needs is to set the retention very low

3 Likes

That might get around it for some things. Is retention still a system-wide setting? Or could people choose their own retention for each personal chat a la WhatsApp/Signal?

2 Likes

It’s still a system wide thing. There is one setting for channels and one for direct messages.

I do think it makes sense to make it a per channel thing in the future, but it’s not something high on our list at the moment.

3 Likes

Ah OK, then I think I’ll still turn off direct messages (personal chats), as if I set retention really low, I think some people might get really annoyed that their personal chats keep disappearing and have no control over it as they do on other chat platforms.

Also, I’m really curious about the development of the chat plugin, is there anywhere I could go to learn what features are high on the list for development? Is there any type of public roadmap, even if buried in GitHub? :slight_smile:

2 Likes

We should be updating the topic for the next release in the next month or so to better reflect our high level plans for the next release of Discourse as a whole, but we haven’t been maintaining a public roadmap for chat or other particular features.

You may be able to make some sense of what’s getting attention by lurking on the discourse/discourse repo and the chat tag here.

Happy to share more informally about what our current priorities are for chat in a separate topic.

5 Likes

I’ll check those three places you mentioned, thank you!

Also, I’ll start a separate topic focused on the current priorities for chat.

Lastly, regarding e2ee for chat, any suggestions on how one might go about building a plugin to do it and in theory, how difficult or expensive it might be to build and maintain? Would the suggestion be to adapt the Discourse Encrypt plugin or some other plugin/library?

2 Likes

We too would love encryption in group chats. This would help us eliminate use of 3rd party applications where we need to discuss something very sensitive and want it to never make to any servers in a raw form. We have to do it anyway, be it in Discourse or somewhere else. Being able to elimintate the use of a 3rd party app while we do already use Discourse, would be a win for us.

Are chat messages removed from database completely 100%?

Also, it’s worth mentioning that the unencrypted chat message will live in backups as well.

1 Like

I haven’t seen discourt encrypt for personal messages covers this use case for me. I don’t actually see the use case for e2e in terms of the real time chat, because that breaks the entire intention of chatting about the forum and replicates the existing encrypt plugin.

Exactly.

But why not achieve this using existing trust system and group restrictions of Discourse first?

We were able to resolve this using opt-in / opt-out groups. Really helped and allowed everyone else to never see such messages while using the forum.

Before thinking things must be e2e (breaking the entire structure of the forum) really consider how far you can get with group restrictions. :heart: Highly recommended.

My .02 is e2e is used when you cannot trust you admin maintaining the system hosting your forum, as opposed to privacy of user posts and interactions (which can be handled already).

1 Like

If it were just to hide chats from other users, then yes I think the group/trust permissions work well.

For me, it’s more about hiding the chats from the admins/server. With this in mind, I don’t think the group/trust permissions will work as the chats will still be plain-text on the server.

Why does this matter? In my context, if Alice is talking with Bob about deep emotional issues in her life in a personal chat, I as the admin don’t want to have the ability to snoop on such a conversation and want Alice and Bob to both feel safe that I’m not snooping. Same reason I prefer Whatsapp or Signal and really don’t like IG or FB messenger, as I prefer knowing (strongly believing) that the admins can’t just read everything I type.

1 Like

To be fair, the experience is very different. The chat is:

  • more compact visually, which is exactly what is needed for chats
  • faster
  • can be in a popup window while you’re at some topic - so you can edit long-term memory topics while discussing it with someone in a chat in the same screen

:bulb: A philosopy of where Discourse is going according to my observation from its very beginning is that topics, PMs, and chats are all converging into the same thing and share more and more features (it can be either planned/conscious or unconscious). So if I we can get PMs that “float” like chat windows, are more compact in that “chat” mode, and are super fast, then yes we do not need chat with encryption, we’ll be just using encrypted PMs.

3 Likes