I think the point here is that everyone has email. A chat client built on Nostr is fine (and I want to love Nostr), but it just doesn't have the reach or ubiquity of email.

▲

lxgr a day ago | parent | next [-]

Nor does Delta. Nobody will “chat” with me via their Gmail email focused UI, so it’s effectively a separate network anyway.

Using an email address as an identifier for IM is a great idea (I hate that everything uses phone numbers for this, which are not internationally portable and not possible to reasonably “self-custody” the way TLDs are).

But using the actual email protocol as a backing protocol for instant messaging seems like a weird contortion and still makes this effectively a separate protocol, the split being servers that do and don’t support all necessary extensions. The overhead must also be staggering; just look at an email header to see how much is going on for each message these days.

	▲	em-bee a day ago \| parent [-]
		you got a point with the overhead in email headers. also an email is sent not only for every message but also status updates. that adds up to a lot of emails.

▲

AJ007 a day ago | parent | prev [-]

When you start looking at alternative messengers outside of Matrix, XMPP, and IRC, there isn't much where third parties can operate or implement both servers and clients.

Certainly if no one can implement these two things it is functionally a closed source project. It also is a security failure from the standpoint of control, validation, and also future security and vulnerability patching (there's a graveyard of dead "secure" messaging apps.)

Is DeltaChat perfect from a security standpoint? No, but it's certainly well above the hurdle most people are at now. Most people are using non-encrypted communication that is actively scanned & stored, or e2e on paper stuff where one party controls the client, server, application, and storage (trust me e2e security.)

Telegram, Discord, Facebook Messenger, stop using that shit.

▲

maqp a day ago | parent | next [-]

>Is DeltaChat perfect from a security standpoint? No, but it's certainly well above the hurdle most people are at now.

It's less safe compared to Signal, and Signal is the gold standard recommendations for average Joes. "Better than Telegram" is a low bar.

▲

em-bee a day ago | parent [-]

telegram is the most user friendly chat out there. the only ones that compete in usability are wechat (yes, the chinese one) and, deltachat. signal just got a bit better by finally allowing me to hide my phone number. of all these, deltachat is the only one that doesn't require a smartphone and a phone number.

▲

eMPee584 9 hours ago | parent | next [-]

Telegram indeed does have excellent UX, speed and multi-device support.. as all clients are open source, there should be a (convoluted, rocky) way to port them to use the matrix protocol (an idea I've had a couple of months back).. or, instead of one-time porting, insert a protocol bridge running as sidecar in order to be able to keep in sync with upstream TG code (Pavel himself seems to be doing _immense_ amounts of coding on it)..

Anyone up to the challenge?

	▲	em-bee 4 hours ago \| parent [-]
		being able to use a telegram client for matrix would be great, but the problem with matrix is not so much the UI but the complex handling of encryption which can sometimes fail. unlike deltachat which downgrades on failure, which is bad, matrix stops working on failure, which for the average user is worse. a better UI won't fix that unfortunately. still i like the idea. but deltachat also has a nice UI, and for matrix i use fluffychat which is also quite nice.

▲

maqp a day ago | parent | prev [-]

>telegram is the most user friendly chat out there.

Telegram is a walking time bomb with 900 million users' data waiting to be leaked from the servers.

>and, deltachat.

That must be why I've never heard of anyone using it.

>deltachat is the only one that doesn't require a smartphone and a phone number.

It leaks the IP-address to the server, which by default (defaults matter) is nine.testrun.org. That server can amass metadata about users conversing, and any government entity that comes knocking can look at TelCo records about to which user the IP-addr was assigned at the time.

If you're going to try to address metadata privacy against service provider, you're going to have address it properly, and DeltaChat isn't the one at that point. Neither is Signal. You'll want Cwtch for that.

▲

nottorp 10 hours ago | parent | next [-]

> Telegram is a walking time bomb with 900 million users' data waiting to be leaked from the servers.

Russia probably has all the Telegram data, considering they officially intervened in the recent Romanian presidential elections taking the side of the local MAGAs.

https://www.reuters.com/world/europe/telegram-founder-says-h...

What the article doesn't say is they sent a message in romanian to all romanian telegram users with the above claim, signed Durov.

So I don't think their "security" can be trusted.

▲

em-bee a day ago | parent | prev [-]

nine.testrun.org is owned by deltachat developers. it is about as trustworthy as, say, matrix.org. the only better alternative would be self hosting.

the question is not what is the best, most secure, most private, option, but what has the right balance between easy onboarding, ease of use, security and privacy. and maybe deltachat is not the best possible, but it is pretty good. remember, when security and privacy are to onerous then you don't have security or privacy because people will refuse to use the tool.

▲

maqp a day ago | parent [-]

>the only better alternative would be self hosting.

Which doesn't really work in practice. The closer you move to the user, the more the threat of creepy buddy watching over metadata of people they know grows. Medium sized institution like university or a company might run their own, but that's also somewhat risky.

>the question is not what is the best, most secure, most private, option, but what has the right balance between easy onboarding, ease of use, security and privacy.

No. The question is, given an architecture that imposes fundamental limitations on what can be achieved, which tools under that domain have best privacy by design system, where the UX and features are maximized with ingenious design, is the best.

Fundamental architectural limitations:

Does Delta Chat use data diodes? No? Then it can't have key exfiltration security, but it can have message forwarding.

Does Delta Chat use Tor Onion Services? No? Then it can't have proper metadata privacy for users' identity from the server, but it can have offline messages.

These are fundamental trade-offs.

DeltaChat is content-private by design. It might be metadata-private by policy (internal policy that server on nine.testrun.org does not collect metadata), but until that is tested in court like Signal is, we can't know for sure.

Signal is content-private by policy. Cwtch uses Tor Onion Services so it's metadata-private by design.

Now, it's fine to argue which is the best inside one league.

Element/Matrix is E2EE with double ratchet protocol, so it has both forward secrecy and future secrecy, which DeltaChat doesn't have.

It's only once security is more or less exactly on par, that you should be comparing general UX. Really usable but insecure tool might turn into really unusable tool when you sit in prison for your political opinions, or because you revealed your ethnicity and ICE caught on.

>maybe deltachat is not the best possible, but it is pretty good

It's not the worst out there. At least it tries to do things properly. It's just that given that there's insane obstacle of moving people to a safe platform, DeltaChat is just another distraction. Until it does what competition does security wise, and improves on their UX, it doesn't get the top podium.

>when security and privacy are to onerous then you don't have security or privacy

Sure, but when you're in prison for using crap tool, you won't have liberty, security, or privacy.

	▲	em-bee 4 hours ago \| parent \| next [-]
		The closer you move to the user, the more the threat of creepy buddy watching over metadata of people they know grows. actually i don't follow that argument. it is more likely that my data gets caught up with someone accessing a larger server than my own server. if someone targets my own server they may as well target all my messaging clients and get all the data from there.
	▲	em-bee a day ago \| parent \| prev [-]
		It's only once security is more or less exactly on par, that you should be comparing general UX. ideally yes, but that is not what the average user will do, and it is not what i can use as an argument to get people to switch to something more secure. convenience over security is still a user preference. i get your point, but that falls on deaf ears among family and friends. especially using prison as an argument is really not helping. i mean by the same argument we should not be having this conversation on hackernews, because clearly we are trying to subvert the authorities by suggesting that people should keep their communication secret.

▲

promptdaddy a day ago | parent | prev [-]

Apologies for any nativity here, but wouldn't storing encrypted messages on a blockchain be a robust solution for this?

	▲	heavyset_go a day ago \| parent [-]
		Why would you want that? The last thing I'd want in a secure messenger is a permanent ledger that holds message content and associated metadata which anyone can analyze. edit: I didn't downvote you and I don't think someone asking an honest question like this should be downvoted