>Is DeltaChat perfect from a security standpoint? No, but it's certainly well above the hurdle most people are at now.

It's less safe compared to Signal, and Signal is the gold standard recommendations for average Joes. "Better than Telegram" is a low bar.

▲

em-bee a day ago | parent [-]

telegram is the most user friendly chat out there. the only ones that compete in usability are wechat (yes, the chinese one) and, deltachat. signal just got a bit better by finally allowing me to hide my phone number. of all these, deltachat is the only one that doesn't require a smartphone and a phone number.

▲

eMPee584 7 hours ago | parent | next [-]

Telegram indeed does have excellent UX, speed and multi-device support.. as all clients are open source, there should be a (convoluted, rocky) way to port them to use the matrix protocol (an idea I've had a couple of months back).. or, instead of one-time porting, insert a protocol bridge running as sidecar in order to be able to keep in sync with upstream TG code (Pavel himself seems to be doing _immense_ amounts of coding on it)..

Anyone up to the challenge?

	▲	em-bee 3 hours ago \| parent [-]
		being able to use a telegram client for matrix would be great, but the problem with matrix is not so much the UI but the complex handling of encryption which can sometimes fail. unlike deltachat which downgrades on failure, which is bad, matrix stops working on failure, which for the average user is worse. a better UI won't fix that unfortunately. still i like the idea. but deltachat also has a nice UI, and for matrix i use fluffychat which is also quite nice.

▲

maqp a day ago | parent | prev [-]

>telegram is the most user friendly chat out there.

Telegram is a walking time bomb with 900 million users' data waiting to be leaked from the servers.

>and, deltachat.

That must be why I've never heard of anyone using it.

>deltachat is the only one that doesn't require a smartphone and a phone number.

It leaks the IP-address to the server, which by default (defaults matter) is nine.testrun.org. That server can amass metadata about users conversing, and any government entity that comes knocking can look at TelCo records about to which user the IP-addr was assigned at the time.

If you're going to try to address metadata privacy against service provider, you're going to have address it properly, and DeltaChat isn't the one at that point. Neither is Signal. You'll want Cwtch for that.

▲

nottorp 9 hours ago | parent | next [-]

> Telegram is a walking time bomb with 900 million users' data waiting to be leaked from the servers.

Russia probably has all the Telegram data, considering they officially intervened in the recent Romanian presidential elections taking the side of the local MAGAs.

https://www.reuters.com/world/europe/telegram-founder-says-h...

What the article doesn't say is they sent a message in romanian to all romanian telegram users with the above claim, signed Durov.

So I don't think their "security" can be trusted.

▲

em-bee a day ago | parent | prev [-]

nine.testrun.org is owned by deltachat developers. it is about as trustworthy as, say, matrix.org. the only better alternative would be self hosting.

the question is not what is the best, most secure, most private, option, but what has the right balance between easy onboarding, ease of use, security and privacy. and maybe deltachat is not the best possible, but it is pretty good. remember, when security and privacy are to onerous then you don't have security or privacy because people will refuse to use the tool.

▲

maqp a day ago | parent [-]

>the only better alternative would be self hosting.

Which doesn't really work in practice. The closer you move to the user, the more the threat of creepy buddy watching over metadata of people they know grows. Medium sized institution like university or a company might run their own, but that's also somewhat risky.

>the question is not what is the best, most secure, most private, option, but what has the right balance between easy onboarding, ease of use, security and privacy.

No. The question is, given an architecture that imposes fundamental limitations on what can be achieved, which tools under that domain have best privacy by design system, where the UX and features are maximized with ingenious design, is the best.

Fundamental architectural limitations:

Does Delta Chat use data diodes? No? Then it can't have key exfiltration security, but it can have message forwarding.

Does Delta Chat use Tor Onion Services? No? Then it can't have proper metadata privacy for users' identity from the server, but it can have offline messages.

These are fundamental trade-offs.

DeltaChat is content-private by design. It might be metadata-private by policy (internal policy that server on nine.testrun.org does not collect metadata), but until that is tested in court like Signal is, we can't know for sure.

Signal is content-private by policy. Cwtch uses Tor Onion Services so it's metadata-private by design.

Now, it's fine to argue which is the best inside one league.

Element/Matrix is E2EE with double ratchet protocol, so it has both forward secrecy and future secrecy, which DeltaChat doesn't have.

It's only once security is more or less exactly on par, that you should be comparing general UX. Really usable but insecure tool might turn into really unusable tool when you sit in prison for your political opinions, or because you revealed your ethnicity and ICE caught on.

>maybe deltachat is not the best possible, but it is pretty good

It's not the worst out there. At least it tries to do things properly. It's just that given that there's insane obstacle of moving people to a safe platform, DeltaChat is just another distraction. Until it does what competition does security wise, and improves on their UX, it doesn't get the top podium.

>when security and privacy are to onerous then you don't have security or privacy

Sure, but when you're in prison for using crap tool, you won't have liberty, security, or privacy.

	▲	em-bee 3 hours ago \| parent \| next [-]
		The closer you move to the user, the more the threat of creepy buddy watching over metadata of people they know grows. actually i don't follow that argument. it is more likely that my data gets caught up with someone accessing a larger server than my own server. if someone targets my own server they may as well target all my messaging clients and get all the data from there.
	▲	em-bee 21 hours ago \| parent \| prev [-]
		It's only once security is more or less exactly on par, that you should be comparing general UX. ideally yes, but that is not what the average user will do, and it is not what i can use as an argument to get people to switch to something more secure. convenience over security is still a user preference. i get your point, but that falls on deaf ears among family and friends. especially using prison as an argument is really not helping. i mean by the same argument we should not be having this conversation on hackernews, because clearly we are trying to subvert the authorities by suggesting that people should keep their communication secret.