How Secure is Zulip?
Zulip is an open source group chat software which is widely used by companies and organizations. What sets Zulip apart from Slack and other IRC Clients is it’s topic based threading model. Every message has to have a topic which makes it easier for people to find relevant messages instead of having to browse through a plethora of messages. Simultaneous conversations on multiple topics can happen without creating a new stream.
If your organization is considering to make the move to Zulip, it is necessary to understand how secure it is.
All Zulip clients use HTTPS for any communication between the server and the clients. Zulip provides login using SSO options such as Google Auth, Github login, and Microsoft Azure Active Directory. It also supports traditional email and password authentication. The password is stored using PBKDF2 (Password-Based Key Derivation Function 2). It is a pseudorandom function which inputs a password along with a salt value to produce a derived key. Ideally, we iterate a minimum of 1000 times to reduce the vulnerability to brute force attacks. The password strength is checked using the zxcvbn library. Password strength is usually estimated using the count of Uppercase, lowercase, special symbols, and digits. However, it can be ineffective. zxcvbn is an alternate used for estimating the strength of passwords. It can accurately predict today’s best guessing attacks within the range of an online attack. It can be easily integrated with a few lines of code and can perform 10³ guesses with 29kB storage space.
Zulip server versions 1.5x, 1.6x and 1.7.1 had a few XSS scripting vulnerabilities which were fixed with the 1.7.2 Security Release. The release fixes XSS vulnerabilities in the frontend markdown processor, muting notifications, user uploads and stream names in topic typeahead. Zulip uses a special markdown parser for rendering messages which escapes content to protect against XSS attacks.
Zulip supports both public and private streams.
- Any non-guest user can view all the messages of any public stream within an organization.
- A guest user can only access streams to which he/she is added.
- Organization admins cannot see messages sent on private streams or post if they are not added to it. They can, however, view the subscribers list, traffic and remove subscribers.
- Non-admins cannot see private streams unless they are added.
Zulip supports file uploads like other applications. The files are hosted on a separate domain from the main Zulip server to protect against same domain attacks. They can either be stored in S3 backend or in a directory on the Zulip server’s filesystem. It uses long, random strings as URLs to access the uploaded files which adds a layer of security.
Zulip does not implement an end to end encryption as organizations usually require features such as full-text search, shared history of streams, etc. These features are difficult to implement with E2E encryption. Messages in Zulip are stored as plaintext in the Postgre SQL database. As Zulip does not implement E2E encryption, the admin with access to the backend server or the database will be able to access all unencrypted messages which makes it similar to a company mail server where the root user can access all messages.
Overall, Zulip is extremely secure with no known security bugs as of now. It serves as a secure and efficient app for team chats for large organizations.