@avalos @michal While Delta Chat is quite an “open” platform, I would not recommend it because its PGP-based encryption is not as good as Matrix/XMPP+OMEMO, let alone Signal. PGP lacks some critical features for IM platforms such as perfect forward secrecy and channel binding. PGP also has a host of other issues, including a preference for extension rather than versioning resulting in insecure configurations among “weakest link” members of chats. Authentication is also flawed: without DNSSEC, authentication is weak and tied entirely to flawed PGP.
So Delta is open but openness/freedom isn’t all that matters: security does too. I imagine that cryptographers are an underrepresented slice of its user population.
Email is excellent for public forum-like discussion–I make use of its abilities here every day–but not the best tool for secure/private messaging.
@Seirdy @avalos I was vaguely aware of this aspect of Delta Chat so thanks for clarifying. But... what if I set up an email server just for a group of friends so that the messages won't even leave the server. Will it be more secure?
I realize that a private Matrix server would be a better solution but we're talking about non-technical people. Also, they might want to use the said email in different contexts. So having an extra email account would be more practical, wouldn't it?
@Seirdy @michal @avalos note that PGP is an IETF protocol (and we have small security-audited engine in Rust for it) while Forward Security is a app feature. Messengers supporting FS do not interoperate with each other leading to silos and centralization. FWIW the likes of Snowden used PGP for their secure communications so it's maybe better to not reject it wholly :) Delta Chat uses a minimal specified subset of PGP to reduce attack surfaces and confusion, namely https://autocrypt.org
Autocrypt helps solve the fact that PGP is unversioned and extensible instead of versioned and iterable, true. Some form of cross-client negotiation of autocrypt versions could make this a useful improvement, but it wouldn’t address the other issues.
@Seirdy @michal @avalos "Messengers supporting FS do absolutely interoperate" -- you can't mean that Signal, Whatsapp and Matrix are interoperable (and whether they implement MLS with interop between messengers needs to be seen) or do you? You are right that it's more precise to talk about FS in messengers and not FS in general. However, we do not share the view that FS in messengers is a must-have feature.
@Seirdy @michal @avalos Thanks for detailing your expert view and considerations. Maybe one day Delta chat will grow FS but for now, it's not a primary concern for several reasons. We are rather focusing on preventing active attacks in a useable way, using the "countermitm" protocols which we are still evolving https://countermitm.readthedocs.io/en/latest/new.html
A general-purpose Mastodon server with a 1000 character limit.