Questions from Security team

Hi,

Our company is considering HipChat as a possible messenger for some of the teams. Could you please explain more fully a few points to our Security team:

1. Encryption of messages during sending.

2. Encryption of chat history stored on the server and the client.

3. Monitoring / reporting on the established client connections.

4. Ability to manage (reset) client connections.

5. Control of devices, which allow connections.

6. Domain authentication.

7. Ability to use two-factor authentication.

8. Automatic updates and changes in the client software settings without the need for administrative privileges.

 

Thank you.

Accepted Answer
0 votes

Hi Dmitry - the basic information about HipChat security can be found at https://confluence.atlassian.com/hipchatkb/security-of-hipchat-755337914.html. To some of your questions in particular:

  1. All communication between the client and server is sent and received encrypted over HTTPS (TLS in the older versions of the clients).
  2. Chat history is not stored on the client. On the server, it's stored unencrypted to support searching.
  3. Users can view their own client connections at hipchat.com/account/sessions. There is not currently any support for admin-level viewing of other users' client connections.
  4. Like above, users can disconnect sessions at the given URL. No admin-level support for performing this on other users.
  5. We don't restrict any devices from connecting to HipChat, but all connections must be over a secure channel (TLS/SSL). This includes 3rd party XMPP clients as well as all HipChat-built ones.
  6. I'm not sure exactly what you mean by domain authentication. We confirm emails as a general process of security, but don't restrict them to certain domains based on the account they're accessing.
  7. 2FA isn't something we currently have, but certainly something we hope to add in the future (along with SAML-based authentication, which often comes with its own 2FA support).
  8. Assuming clients are installed by a non-admin user, they can also be updated by the non-admin user without requiring escalated privileges. If you are being prompted to enter administrator credentials when updating, it's likely that the app was initially installed by an administrator account.

 
