Mattermost
Mattermost is an open source, self-hostable online chat service with file sharing, search, and third party application integrations. It is designed as an internal chat for organisations and companies, and mostly markets itself as an open source alternative to Slack and Microsoft Teams.
Notable Features
- Mattermost has "channels", which let you keep different discussions separated by topic, working group, etc. You can control who has access to which channels.
- Mattermost has mobile apps for Android and iOS
Evaluating
You can test Mattermost with a free 1-hour trial by signing up here.
Data on a trial server is not private
Only input dummy values like "John Doe", "My Test Group" or "XYZ".
Installing
Use Co-op Cloud to install and host Mattermost using this recipe
Best Practices
Consider using Single Sign-On to manage user accounts
If you think you might want to host other services alongside Mattermost (for example document sharing, database, or project management), you should set up Mattermost from the beginning to use Single Sign-On.
Have an organizational process for adding users and granting access
- Which people have Administrator privileges?
  - Ideally a small number of people should have Administrator privileges.
  - They should be highly trusted people who have the time to handle tasks like adding and removing users.
- How does the organization decide if a new person should be given access to Mattermost?
  - Do people have to be vetted, and if so how is it done?
  - Is being added to Mattermost part of officially joining the organization? Is Mattermost open to any member of the public?
- How are the Administrators notified that a new person should be added?
- How is it decided which channels a user should have access to?
- Consider having a policy about when a user should be removed from a channel, or have their account deleted entirely. Some possibilities:
  - If a user was added to a channel a long time ago but isn't active, they should be removed from the channel.
  - If a user is no longer part of the organization, or doesn't use their account, it should be deactivated.
Security
Overall Evaluation
Mattermost is a secure application. It undergoes third-party security audits every year and is used in high-security industries like banking and healthcare. It has existed since 2015. The main security concerns are misconfiguration of the software and breaches of the server running it.
What’s at Risk?
Mattermost holds your organization's communications, which can include very sensitive private discussions. Mattermost user accounts may contain private information about members of your organization, like email addresses, phone numbers and photos. If your organization depends heavily on Mattermost to communicate, losing access to the platform could be very disruptive to operations.
Specific Concerns
- All chat history and private information in Mattermost is stored unencrypted, so a server administrator can access everyone's data.
  - Mitigations
    - Only grant admin privileges to a very few trusted people who need that level of access.
    - Ensure that Mattermost is hosted on a server with full disk encryption.
- Mattermost allows restricting certain channels to certain users, but it's easy to accidentally give access to a channel that was intended to be private.
  - Mitigations
    - Have your Mattermost administrators read this: Managing Access in Mattermost
    - Set a recurring task, at least every couple of months, for an administrator to review the members in each channel and remove or update them as appropriate.
- By default, Mattermost keeps all messages forever, making it difficult to enforce a data retention policy.