TLDR: while deltachat isnt literally perfect, it seems to have done a great job balancing privacy and security with ease of use so that normies will find it easy to use it while the truly paranoid can still use it if they put in a little extra effort. it solved the vast majority of problems with encrypted email like slow message speed and meta data leakage with chatmail servers, and has helped develop what seems to me to be a super promising web app format. although i’ve only been using it a day and a half, ive done a lot of reading and testing on my own so im confident what im saying has at least a little merit, although i’m sure there will be at least a few things that will only become apparent after a few weeks of use. from perusing the forums and their mastodon, the devs seem very competent and engaged as well, so i have faith that issues that pop up will be fixed in a timely manner.

who it is perfect for: people trying to get their family/friends off of something like WhatsApp, anyone who wants a privacy-focused instant messenger that just works.
who it will work for with some tweaks: someone who needs the strongest security measures like a journalist or anyone fearing repression
who it will probably not work well for (yet): someone trying to run public groups like telegram or a gaming app like discord. you can make public groups but they’re janky.

warning: this post is extremely long, which is why it’s split into spoilers.


I'm extremely impressed with it.


I’ve been using it since yesterday and it was super easy to set up, for comparison i’ve tried setting up a matrix account for my mom and she got really confused and frustrated and quit after 10 minutes, i had this up and running in like 2 minutes max. seemed very private, there was no way to even enter another email for recovery or to enter your phone number (and i think with how little information a chatmail server stores it’s not even possible), you dont have to enter your real name, and the “email” you get on the “chatmail” server is just a bunch of random letters no matter what you enter for your name.

from the reading i’ve done, it seems extremely safe and private for being based off of email because of these new “chatmail” servers they’ve developed that function less as a traditional email server that stores and serves emails and more as like a relay server in a p2p system (probably way over simplifying i will link some articles and mastodon tweets in the comments that explain stuff). i do know with the use of chatmail servers one of the biggest problems with encrypted email, that metadata is either impossible/nearly impossible to hide, is fixed when using one of these chatmail servers.

I also felt comfortable using my full name on the original profile i set up for family and friends, because the only way to see that information is if you exchange encryption keys, so if you dont join groups with random people it is nearly impossible for anyone to get access to that information, at least compared to more traditional instant messengers i believe.

however, an interesting thing to me is that it’s possible to use your own standard email server or a 3rd party one, although it doesnt work on some and some of the ones that do need extra set up. Still, if you’re technically inclined and need/want to use a standard email server the option is there!

setting up additional profiles and switching between them is super easy. finally, it has been an absolute dream getting it set up on multiple devices in comparison to something like matrix. finally, because of how adding a 2nd device works (you need the QR code or link from a client already logged into the account in order to add another device to an account) it essentially works as a 2fa that keeps normies who refuse to set up 2fa in other ways safe.


what im most impressed with though is this new web app format (webxdc) they helped develop.


the available ones work really well even on IOS and they already have many useful apps. i went shopping for my mom today and she was able to live update the list with something i had forgotten. im sure this was already possible with some external app, but being able to do it so easily inside of the messenger itself was really cool imho. there’s a scheduling app that im hoping i can get my friends that i play pathfinder with to use if i can wrangle them into using this. you can even share a TOTP app inside the group chat for something like our shared email!!! there’s also already like 20+ games, although most of them are pretty shit and/or copied from somewhere else. there’s a couple of gems in there tho, including a wordle clone. I have an iphone (but im sure this works similarly on android) and it’s awesome that i can easily put the web apps on my homepage using the widget feature.


as for cons i've noticed:

it’s not forward secret by default (more on that later). for non tech inclined it means that it is technically possible for someone to collect all of your encrypted messages and then store them indefinitely waiting for the chance to seize your device(s) to get your encryption key, and then they would be able to read all of the messages they had saved prior.

I believe they havent “future proofed” with quantum resistant encryption yet (dont quote me on this)

it’s also not well set up to handle voice/video calls by default, you need to go into experimental settings and it just opens up a jitsi meet meeting, so although that still works i can see normies freaking out when you tell them to go into “experimental” settings.

there’s a few UI/client specific issues, like being unable to pin messages inside of chats (or at least i havent figured out how to), and i cant change the notification sound on iphone which sucks cause i think the default notification sound on iphone is really hard to hear sometimes. only been using it a day like i said so im sure there’s a couple of other things i would find to nitpick in the next few days/weeks.

a couple of other things i know are lacking: there’s no easy way to make public groups like in telegram, which leads into the next problem which is that there’s literally 0 moderation, when you make a group you all equally share power and can remove each other and even delete the whole group chat unilaterally.

there’s not a stable in-browser client yet i believe

like i said it doesnt seem possible to add a recovery email or phone number based off of how chatmail servers work, so if you lose access to all the devices that are logged into your profile(s) you are shit out of luck and will never be able to access that account again.

in the rare situation that you cant get 2 devices to be on the same wifi network (idk, like you left your phone somewhere and you got a family member to send a screenshot of the qr code to log in), that would not work.


caveat to the cons


i do know the maintainers have said if they can they will look into ways to add forward secrecy if open pgp changes to the point where that’s feasible, or something like that. i will say this tho: i quite like how it is right now. like i said earlier, it’s been very easy to get deltachat set up on multiple devices and profiles, and i think part of that is because there’s no forward secrecy. seriously if you’ve never used matrix the amount of messages that get turned into “unable to decrypt this message” is utterly maddening, and often times the reason is extremely arcane to me as someone who isnt really a tech guy but is still more involved than a normie if that makes sense lol. i also think if the cops/feds are doing such heavy surveillance on me that they’re saving my encrypted messages for months on end and trying to set up a raid while i have my devices unlocked, me and most everyone i’ve talked to is already fucked anyways.

however, there is currently a way to easily achieve forward secrecy on delta chat, and that is through the web apps. there’s a setting that enables real time web apps to function and if you have that turned on and are using the p2p chatting app that is already available it easily and immediately sets up an encrypted real time p2p connection between anyone in a chat that has the same app open. i do think this leaks your IP to the other participants though, so a vpn is needed. i believe there are plans to have an option to have a relay server disguise your IP, although that just shifts to you needing to trust whoever is running the relay server. regardless, i think this serves the perfect balance for providing just below perfect protection with the benefit of being super easy for normies to use while maintaining the option for paranoid people to strive for the strongest possible technical protection possible. i also think you shouldnt write anything online that you wouldnt want read out in front of you in court but i digress.

as i said dont think they have quantum safe encryption yet, but considering its maintained by a very small team is pretty forgivable. i’m sure when quantum computers seem much closer to viability this will be added at highest priority.

as for voice and video: i know the arcanechat dev (android client of deltachat) @[email protected] has said that integrating arcanechat with the android default phone app is currently planned, and if he is to be believed most things he adds to arcanechat should eventually get added to the first party deltachat apps. there’s also huge potential with the web apps, they’re barely a year out from “official” release (not sure how long total development time was) and there’s already been a working prototype for a web app that does voice video, although i think that is super low priority since the 3rd party links are “good enough”. again im not exactly a computer toucher (computer admirer is a better term, probably lol) so im not sure what technical limitations there are for using a p2p web app for this kind of thing.

client nitpicks: if more people started using this service so that more devs pay attention to it, the faster these issues would be fixed. same goes for the browser client, although since there’s a good client for windows, macos, and linux desktop it shouldnt be a big deal. for my current usecase i dont really need moderation stuff, and dont really want access to public channels. im not sure if/when there are plans to add chat rooms with different levels of access/powers, but i do know there was some talk of setting up a bot that will list public groups eventually?

finally: you can make manual backups of your encryption keys, so if you’re worried about disaster scenarios you just need to make sure to keep up with that. i think this is also how you would get a family member to send you your login information but im not sure.


This got really long my bad lol (it’s just under 1600 words not even including my final thoughts…), hopefully splitting it into spoilers helps. Why did I write this monstrosity? i was paid i just think it’s a really cool service that deserves a lot more attention than it currently has and i want people to check it out so i wrote everything down i could think of both positive and negative ( i also have adhd blob-no-thoughts )

To try and keep the post body just a tiny bit more reasonable, Final thoughts and links to articles/mastodon tweets are in this comment here.

i wish i was paid tbh, wtf did i just do for the last 4+ hours…

  • thelastaxolotl [he/him]@hexbear.net

    bumping clodsire-pog

    UI is pretty important for new apps hopefully delta chat will continue to get better so it can displace the big tech app that all they do is steal data

    • Losurdo_Enjoyer [he/him]@hexbear.netOP

      i think the UI is pretty good. at least for open source devs standards. arcanechat looks even better but it’s android only and i dont have an android

  • Losurdo_Enjoyer [he/him]@hexbear.netOP
    final thoughts. warning: also extremely long


    In comparison to other privacy focused instant messagers, i unfortunately dont have experience with hardly any of the other main ones. the only one i’ve used was matrix, any other comparisons i bring up here are what ive seen while reading about deltachat. also, i dont want to yuck on anyone else’s yum. sorry if ive misrepresented any of these other services

    i’ll start off with matrix: i think matrix is great, with the caveat that trying to get a normie set up on it was tear inducing. this could have been a skill issue on my part, but again while im not a computer toucher i would still call myself a computer admirer lol. quite frankly if im struggling with something it might be a little too hard for the average person to use (although if someone wants to throw some guide at me that explains why actually im a moron and it shouldnt break like that i’ll take it blob-no-thoughts ). i also still to this day do not understand why some messages still refuse to decrypt even after i re-verify my session. i’m not sure if this is just a problem with forward secrecy or a problem with the specific server i was using but whatever it was i have yet to have any issues like that despite setting up more devices and profiles than i ever even attempted on matrix. something someone else pointed out is the way PMs in matrix work are really fucking weird, you invite someone to a “room” and then both people have to “join” the room which can be confusing to a normie when that pops up at the bottom. it’s been stupendously easy with deltachat so far, im either in person and can scan a QR code or i send someone a link through something like imessage (why i want to use this instead of imessage is a story for another day for how long this fuckin post is). one of the biggest advantages that matrix has that deltachat lacks is the moderation/admin powers.
    for signal: the 3 big problems with signal are that it requires/strongly suggests (i dont remember which one at this second) you use your phonenumber, which is a security headache. it’s also a centralized server in the US that isnt “truly” open source. i dont think signal has the same problem as matrix with decryption errors although im not really sure whether what is causing those problems on matrix has anything to do with forward secrecy or not. anyways, an argument i’ve seen made is that since signal uses your phone number and associates it with some meta data in their server, it would actually be easier for cops to get you and your contacts asses, because its easier to get to that meta data by raiding signal’s central servers, and if the cops are paying attention to you to the point where they’re raiding a server looking for stuff like that they dont even really need the contents of the messages. up to you how much you agree with that i suppose.
    for xmpp: supposed to be much easier to use deltachat. like i said cant speak to this because i havent used xmpp. however i have seen people say xmpp is the most similar to deltachat and i’ve seen more people say it’s flat out better. however they didnt really elaborate and from my reading it really seems like deltachat is way different and way better than 2+ years ago with the invention of chatmail servers and the new web app format so im not certain they’re giving it a fair chance. i do know the web app format is supported by some xmpp clients already. xmpp is supposed to be better at sharing large files
    for the P2P stuff like briar/simplex: i know the least about P2P. i know a big problem with it was that it’s very ephemeral and if no one is on to hear you your message can get eaten etc etc? idk i just remember thinking it sounded like it wasnt for me. I dont keep up with their development so i dont know what solutions have been proposed for this. i will say though, i’m not technically knowledgeable enough to check their work but if they’re to be believed you can pretty much replicate this experience using the new web app format? of course, that’s not to say this web app is going to have any where near the same kind of features for a top tier p2p chat service, but its there if you absolutely need it and is a base that devs can build on. unless someone informs otherwise i think this is a strong point in deltachat’s favor for its versatility. i dont think any of the p2p clients have the ability to use this web app yet, although i dont know why they couldnt be (grain of salt not a computer toucher yadayadayada)

    i’m really excited to see where this project goes in the next couple of years as long as the current maintainers maintain their steam. like i said, many of the cons ive noticed in my day of use/reading/testing are things ive read mastodon tweets/lemmy comments/forum posts saying they’re planning on addressing. quite frankly there’s other stuff i could go on about, how these chatmail servers have dealt with the ever present spam problem inherent with servers but this post is already a monster. if you want to talk to people with more experience there is an active forum at https://support.delta.chat/, devs have an active mastodon account at https://chaos.social/@delta/114403352561206786, and the arcanechat dev has a community for his android client [email protected]


    link dump. mostly backing up stuff i was talking about that wasnt from personal experience and was from reading other stuff, and anything i couldnt include in main post.


    why signal leaks more metadata than deltachat
    comparison of different messaging services. i think a couple of the boxes arent fully accurate for deltachat (for instance, server auto deletes messages)
    deltachat has gone through 6 security audits, most recent was dec 2024
    calls integrated with phone app are planned
    lack of perfect forward secrecy not a big deal. if your encryption key gets leaked, your messages are going to be read. PFS only matters when a device is seized while unlocked. may also be added in the future
    signal (and others) do not protect against network attacks against group chats
    since signal exposes more meta data than deltachat (if a chatmail server is used), signal is actually higher risk. this is especially true if you and your contacts use separate temporary profiles when you are doing things that may bring state repression
    proof of concept of web app that can handle voice and video chat over p2p, although it is not actively developed from what i can tell
    devs say they are working on a way to hide who sends and receives a message
    deltachat can sometimes deliver messages in difficult situations when others cant like the power outage in spain recently
    “chatmail is a federated instant messaging relay more than an email server” from the devs
    article hyping up the web apps (they got me ngl its seems so cool)
    article showcasing web apps p2p functionality
    article explaining the new chatmail servers. notice they havent even officially been out for a year!!!