Friendica Social Network (Leipzig)

#openpgp traditions and #signal both bind a cleartext identifier, phone number or email address, to a cryptographic key. It opens up attack vectors as the servers/orgs controlling this binding can interfere.

#deltachat avoids such cleartext identity bindings by creating random #chatmail addresses, as transport only. The cryptographic key becomes the identifier and we want it hidden from the transport layer. Only people being in end-to-end encrypted chat need to identify each other, after all.

Ruarí Ødegaard 1 Woche her •

is this true after the change to PNP with @signalapp ?

@Signal

Delta Chat 1 Woche her •

could you provide a pointer to "PNP" regarding signal? Do you mean user names/nicks?

Martin Schmitt #NochNieCDU 1 Woche her •

That sounds like a bit of a confusing statement to a traditional PGP user, especially the last two sentences. Delta message bodies expose the recipients' key IDs as has always been the case when encrypting without hidden recipients.

Delta Chat 1 Woche her •

there indeed are a lot of details to consider -- key IDs are relatively simple to fix though ... currently tracked in https://github.com/rpgp/rpgp/issues/507 -- We were just trying to express the general direction of our current security/privacy related work for those curious.

Use anonymous recipient for generated packets · Issue #507 · rpgp/rpgp

Currently rPGP supports receiving packets with "anonymous recipient" (all-zero wildcard keyid/fingerprint), but I have not found any way to generate them. But key_id is always included in the gener...

^GitHub

Delta Chat 1 Woche her •

Some of you may have heard of #simplex which likes to elevate itself as "the first messenger without user-ids" ... a goal, similar to ours, of not letting the transport layer know about who talks. Only we are doing it in the email system, fully interoperable with tens of thousands of existing email servers and other #openpgp endpoints. The email system is much more than SMTP/IMAP or even openpgp btw ... there is plenty of room for radical shifts and new takes. We are just starting :)

#openpgp #simplex

Dieser Beitrag wurde bearbeitet. (1 Woche her)

Delta Chat hat dies geteilt

Blake Leonard 1 Woche her •

You imply Chatmail is interoperable with non-Chatmail email. My understanding so far has been that Chatmail -- the newly-default mode of DeltaChat that runs on specially-configured servers -- breaks DeltaChat's core benefit of being able to communicate with anyone with an email address; this is due to Chatmail's mandatory encryption and novel key exchange protocol that isn't widely supported or used. OpenPGP and AutoCrypt do enjoy some support in niche MUAs, but most email users are on Gmail or Outlook¹ which don't support either. It may be possible to do this excruciatingly manually or with a specialized external tool (which doesn't exist), but for most people, this breaks the main reason anyone would choose DeltaChat over, say, XMPP+OMEMO.

¹ okay maybe Outlook does, if you configure it, maybe only if you're a paying enterprise user, and only OpenPGP and not AutoCrypt.

Delta Chat 1 Woche her •

1) Many people want end to end encryption by default and only. Signal has dropped SMS chats three years ago. Mixing cleartext and e2ee is problematic from a usable security pov

2) Several #chatmail operators in repressive situations/environments want to be sure their servers do not contain data that can hurt people. Strictly requiring end to end encryption helps.

3) We use IETF standardized protocols for interoperability and discuss with other MUA devs and help where we can.

#chatmail

Matthias 1 Woche her •

"this breaks the main reason anyone would choose DeltaChat over, say, XMPP+OMEMO."

I think if people use xmpp and delta chat for a while, the reason why they keep on using delta chat is not email compatibility. People should just try out.

(I still keep on using xmpp next to delta chat because I think it can be useful to have more than one open protocol)

Blake Leonard 1 Woche her •

Whether or how often you use a certain chat app depends on who you can talk to with it. For example, I wouldn't use WhatsApp if I didn't have a friend whose parents won't let them use anything else. And I would use Signal, DeltaChat, or Conversations/XMPP if someone I knew also used that app. (There are actually a couple people I know on Fedi I use Signal with from time to time.)

Now, assuming you and all your friends have both apps, which one you'd use then depends on how comfortable those are to use. For example, if your friends are in a group chat and group chats tend to break on one (cough cough XMPP), you'd pick the other one. If one is slow and drops messages, or is missing some important feature the other one has, such as anonymous¹ messages, chat apps, or formatting, you're going to use the other one. You're right that there is an edge towards DeltaChat on this one, though on occasion XMPP does still win (and Signal sits in the middle).

¹ XMPP MUCs have a semi-anonymous mode where the group's admin can see the members' real JIDs, but other members can't. Maybe you're a woman and you don't want men from your group chat sliding into your DMs. DeltaChat could possibly recreate this using the mailing-list pattern, but standard DeltaChat group chats can't support it.

Delta Chat 1 Woche her •

there are many dynamics why people choose to use X or Y or both. Delta is used increasingly by families, friends, organizers and activists in repressive contexts but it can not convert "the masses". We intentionally stay clear from VC funding even if it could help buy hype and mind share and accelerated developments like it did with matrix. Our approach aims to reliably function in an increasingly fragmenting/splintering Internet, where other solutions fail, now or in the future.

lps 1 Woche her •

at one point I WS very interested in simplex, but that changed once VC became involved...hard pass!

ex_06 1 Woche her •

what does it mean creating email address in the case of which delta chat is just a client? is it a feature for chat mail servers only?

Delta Chat 1 Woche her •

yes, creating chatmail addresses on the fly is a core feature of chatmail relay servers ... See https://delta.chat/en/2023-12-13-chatmail for the original announcement and more details.

Delta Chat: Chatmail - replicable, fast and secure chatting infrastructure for all

Today, we are unveiling chatmail services, making onboarding with Delta Chat a breeze, with peace of mind: Convenience: Get a chatmail address in a few seconds Privacy: No questions asked, no name,...

^delta.chat

Dieser Beitrag wurde bearbeitet. (1 Woche her)

Spacewizard! (Ed H) 1 Woche her •

you might want to drop a note on that page about the whole "sign up for newsletters" thing not being possible anymore, since chatmail servers can now only receive encrypted messages. That obsolete capability is pretty loudly advertised in that post and I was pretty confused when I tried experimenting with sending real email to a chatmail address and it was rejected.

Delta Chat 1 Woche her •

this is updated/fixed now, thanks for the note!

Haelwenn /элвэн/ :triskell: 1 Woche her •

As if DeltaChat wouldn't be using SMTP as transport layer and so is also dependent on the underlying architecture of servers and DNS.

And all transport protocols use cleartext identifiers.

Delta Chat 1 Woche her •

sure, we are depending currently on SMTP and IMAP for sending and receiving messages. But the email system is not exhaustively described by it. There have been many transports, for example UUCP (there is an interesting new take called NNCP) or contemporarily the Hermes project which uses long range radio specific transports in remote rain forest and African regions. There also are r&d directions here wrt onion routed chatmail relays https://github.com/chatmail/relay/issues/487

Internet Mail 2000 · Issue #487 · chatmail/relay

We want to be able to accept mails from .onion domain. We cannot have DKIM authentication as there is no support for DNS (see https://forum.torproject.org/t/mock-dns-records-for-onion-services/4671...

^GitHub

Linux Is Best 1 Woche her •

You should also add that Signal's development, servers, foundation, and business are all in the United States, and all subject to US Jurisdiction.

#Signal

#signal

Avitus 1 Woche her •

Any significance of this is negated because Signal has very little data about users.

https://signal.org/bigbrother/

The cops have to provide a phone number, and in all cases Signal can only say "yes, this number was registered". They don't know the identity of the number owner, who they talk to, what they've said, where they're located etc. unlike WhatsApp, Telegram, Facebook Messenger etc.

Government Communication

When legally forced to provide information to government or law enforcement agencies, we'll disclose the transcripts of that communication here.

^{Signal Messenger}

Dieser Beitrag wurde bearbeitet. (1 Woche her)

Delta Chat 1 Woche her •

sure signal is so far the best central messenger when it comes to handling privacy on potentially hostile infrastructure. However any seized phone can reveal phone numbers of group members. Collecting IP addresses are another attack vector. Cloudflare which serves encrypted blob files may be able to identify IP addresses of all signal group members who download an encrypted file. It's not data that the signal organization itself has access to but certainly an attack vector.

⇧