Föderation EN Di 08.04.2025 17:24:38 #openpgp traditions and #signal both bind a cleartext identifier, phone number or email address, to a cryptographic key. It opens up attack vectors as the servers/orgs controlling this binding can interfere. #deltachat avoids such cleartext identity bindings by creating random #chatmail addresses, as transport only. The cryptographic key becomes the identifier and we want it hidden from the transport layer. Only people being in end-to-end encrypted chat need to identify each other, after all. |
Föderation EN Di 08.04.2025 17:34:49 @delta is this true after the change to PNP with @signalapp ? |
Föderation EN Di 08.04.2025 18:59:52 @ruario could you provide a pointer to "PNP" regarding signal? Do you mean user names/nicks? |
Föderation EN Di 08.04.2025 18:31:40 @delta That sounds like a bit of a confusing statement to a traditional PGP user, especially the last two sentences. Delta message bodies expose the recipients' key IDs as has always been the case when encrypting without hidden recipients. |
Föderation EN Di 08.04.2025 18:40:25 @unixtippse there indeed are a lot of details to consider -- key IDs are relatively simple to fix though ... currently tracked in https://github.com/rpgp/rpgp/issues/507 -- We were just trying to express the general direction of our current security/privacy related work for those curious. |
Föderation EN Di 08.04.2025 19:27:25 Some of you may have heard of #simplex which likes to elevate itself as "the first messenger without user-ids" ... a goal, similar to ours, of not letting the transport layer know about who talks. Only we are doing it in the email system, fully interoperable with tens of thousands of existing email servers and other #openpgp endpoints. The email system is much more than SMTP/IMAP or even openpgp btw ... there is plenty of room for radical shifts and new takes. We are just starting :) |
Föderation · Di 08.04.2025 20:14:07 @delta You imply Chatmail is interoperable with non-Chatmail email. My understanding so far has been that Chatmail -- the newly-default mode of DeltaChat that runs on specially-configured servers -- breaks DeltaChat's core benefit of being able to communicate with anyone with an email address; this is due to Chatmail's mandatory encryption and novel key exchange protocol that isn't widely supported or used. OpenPGP and AutoCrypt do enjoy some support in niche MUAs, but most email users are on Gmail or Outlook¹ which don't support either. It may be possible to do this excruciatingly manually or with a specialized external tool (which doesn't exist), but for most people, this breaks the main reason anyone would choose DeltaChat over, say, XMPP+OMEMO. |
Föderation EN Di 08.04.2025 20:27:15 1) Many people want end to end encryption by default and only. Signal dropped SMS chats three years ago. Mixing cleartext and e2ee is problematic from a usable security pov. 2) Several #chatmail operators in repressive situations/environments want to be sure their servers do not contain data that can hurt people. Strictly requiring end to end encryption helps. 3) We use IETF standardized protocols for interoperability and discuss with other MUA devs and help where we can. |
Föderation EN Di 08.04.2025 20:44:12 @blake @delta I think if people use xmpp and delta chat for a while, the reason why they keep on using delta chat is not email compatibility. People should just try it out. (I still keep on using xmpp next to delta chat because I think it can be useful to have more than one open protocol) |
Föderation · Di 08.04.2025 21:42:26 @ulfi @delta Whether or how often you use a certain chat app depends on who you can talk to with it. For example, I wouldn't use WhatsApp if I didn't have a friend whose parents won't let them use anything else. And I would use Signal, DeltaChat, or Conversations/XMPP if someone I knew also used that app. (There are actually a couple people I know on Fedi I use Signal with from time to time.) |
Föderation EN Di 08.04.2025 22:36:45 @blake @ulfi there are many dynamics why people choose to use X or Y or both. Delta is used increasingly by families, friends, organizers and activists in repressive contexts but it cannot convert "the masses". We intentionally stay clear from VC funding even if it could help buy hype and mind share and accelerated developments like it did with matrix. Our approach aims to reliably function in an increasingly fragmenting/splintering Internet, where other solutions fail, now or in the future. |
Föderation EN Mi 09.04.2025 04:03:24 @delta at one point I was very interested in simplex, but that changed once VC became involved... hard pass! |
Föderation EN Do 17.04.2025 20:25:10 @delta |
Föderation · Di 08.04.2025 19:34:17 @delta As if DeltaChat wouldn't be using SMTP as transport layer and so is also dependent on the underlying architecture of servers and DNS. |
Föderation EN Di 08.04.2025 20:14:11 @lanodan sure, we are depending currently on SMTP and IMAP for sending and receiving messages. But the email system is not exhaustively described by it. There have been many transports, for example UUCP (there is an interesting new take called NNCP) or contemporarily the Hermes project which uses long range radio specific transports in remote rain forest and African regions. There also are r&d directions here wrt onion routed chatmail relays https://github.com/chatmail/relay/issues/487 |
Föderation · Di 08.04.2025 19:35:48 @delta@chaos.social You should also add that Signal's development, servers, foundation, and business are all in the United States, and all subject to US Jurisdiction. |
Föderation EN Di 08.04.2025 20:31:42 @Linux @delta Any significance of this is negated because Signal has very little data about users. https://signal.org/bigbrother/ The cops have to provide a phone number, and in all cases Signal can only say "yes, this number was registered". They don't know the identity of the number owner, who they talk to, what they've said, where they're located etc. unlike WhatsApp, Telegram, Facebook Messenger etc. |
Föderation · Di 08.04.2025 20:38:20 @Avitus@ioc.exchange @delta@chaos.social In the United States, you're responsible and potentially liable for content that is transmitted over your services. That is how the government in the past was able to shut down sites and services that eventually were overrun with illegal content, for example. Additionally, in the United States, you can receive a court order, ordering you not to reveal the government's involvement with your products or services. Also, how previous people who have used such products or services, still faced justice. |
Föderation EN Di 08.04.2025 20:49:27 @Avitus @Linux sure signal is so far the best central messenger when it comes to handling privacy on potentially hostile infrastructure. However any seized phone can reveal phone numbers of group members. Collecting IP addresses is another attack vector. Cloudflare which serves encrypted blob files may be able to identify IP addresses of all signal group members who download an encrypted file. It's not data that the signal organization itself has access to but certainly an attack vector. |
Föderation IT Di 08.04.2025 20:03:58 @delta what does it mean creating email address in the case of which delta chat is just a client? is it a feature for chat mail servers only? |
Föderation IT Di 08.04.2025 20:33:12 @ex_06 yes, creating chatmail addresses on the fly is a core feature of chatmail relay servers ... See https://delta.chat/en/2023-12-13-chatmail for the original announcement and more details. |
Föderation IT Di 08.04.2025 21:14:30 @delta @ex_06 you might want to drop a note on that page about the whole "sign up for newsletters" thing not being possible anymore, since chatmail servers can now only receive encrypted messages. That obsolete capability is pretty loudly advertised in that post and I was pretty confused when I tried experimenting with sending real email to a chatmail address and it was rejected. |
Föderation IT Mi 09.04.2025 11:49:28 @spacewizard @ex_06 this is updated/fixed now, thanks for the note! |