Bring back avatars, redaction & modifying member list to unencrypted chats

Coming from 2.x breaks plain email group conversations a lot · Issue #5387 · deltachat/deltachat-desktop · GitHub and 2.x breaks plain email group conversations a lot · Issue #3871 · deltachat/deltachat-android · GitHub

Since I got that horrible 2.x update from F-Droid, the quality of the group conversations with my fellows has been degraded so much that I struggled to go back to 1.x. As you can see on GitHub, avatars are gone, adding members is gone, and a few other features that I was used to are gone. And so is my good mood, from this morning till at least the end of the day. Adbenitez and nicodh just closed the issue because it’s not a bug, but a feature.

I must say that I have always been a big fan and advocate of DC. The unique thing that caught my attention towards this IM is the userbase of all e-mail users. Those were the times when there was no Chatmail yet and XDC was only experimental, you had to upload the xdc file. Then I saw how DC evolves, how it becomes more usable (e.g. cross-device sync has improved a lot) and convenient. I even managed to bring here almost all of my family, which wasn’t the case with Matrix, just because they didn’t have to install an app. Some of them decided to jump onboard and some stayed with plain, unencrypted e-mail, and I am ok with that.

I even wrote an article-tutorial on my blog about how special DC is, it is referred to on the mailchat.pl homepage, and planned to start a video channel on PeerTube about „alternative internet” (freedom, openness, decentralization, education, innovation, etc.) and DC was planned to be the first topic, as it is probably the best practical example of these ideas. Yet it was still changing very quickly before I was able to finish.

Now it seems like the days of support for classic e-mail are counted. That means that we lose our main selling point and are going to be no different than Matrix, Session, SimpleX, Tox, which all require one to install an app to be able to communicate. And you know what? People around me don’t like installing apps – they prefer to stick with their Messenger, WhatsApp or whatever-they-use – and convincing them to something else just for me, is too hard. Believe me, I tried to pursue it very strongly and it is just too hard, people are too stubborn, they’re not going to switch for „better privacy”, „no ads” or „decentralization” some random guy talks about.

Up until now I didn’t realize that it was going in the wrong direction. Here are a few examples:

Guaranteed encryption stuff. Another day DC received a professional security audit (I was amazed!) and made several improvements. About that time SecureJoin appeared. Though the name „guaranteed encryption” was misleading: with the QR code, anyone could start a conversation without me verifying their identity, their pubkey, etc. It wasn’t clear to me how it works, and what it protects from, even after reading the documentation. But after all, joining groups became easier.

Introducing chatmail. Well, chatmail makes it easy to set up DC in seconds. Despite the fact that DC followed Mastodon’s way to put their flag instance in the app as default with a single click, I said to myself: „well, that’s probably for convenience and there is a chance it will change over time if we have more Chatmail instances”. They have one more advantage: push notifications for Apple users. Hopefully, I am not an Apple user, so I can have notifications and participate in unencrypted chats altogether.

Also, Chatmail is incompatible with plain mail. „Well, it’s to combat SPAM. We can still set up DC with our mail accounts” – that was the way I ran my profile. Meanwhile I checked that chatmail can receive unencrypted e-mails, but not send them. Well, if I have an account on Chatmail and I receive an email from someone, I could respond then, because no one starts a conversation with a SPAM account, right? Well, no, that is not the case.

Removing key import was the next thing made „for security” (not to have to deal with complex key structures). At least I can export my key and inspect message content, so it’s not a blackbox (yet). I believe some people used this feature and were disappointed. I can imagine I had my whole message history encrypted in my mailbox, then, I only need to back up the key to restore the messages. One day I lose my phone, have no backup, but the key… and I can’t import it, because the developer said so.

WebRTC in XDC. Sure, it is good to have an additional outband realtime channel. However I don’t know how RTC actually works. Does it require some central server to establish the connection? Is it possible that some external bad actor joins the channel and spies on what the users are doing in the app? At least it’s good that it’s optional, so we can disable it. Would be even better if I had better understanding.


You know, DC had a good habit of putting experimental features behind a toggle. But that has changed with the 2.x update, we should put it behind a toggle, or ask users if they are okay to get rid of these features in unencrypted chats. I am not, and I am utterly disappointed and angry that it was forced on me without asking or warning. I haven’t been given a chance to go back to 1.x, did it myself with a backup of 2.x risking breakage. I must’ve said to my fellows: „guys, you must stop updating DC and not let 2.x in, it will break our conversations”. Arcane and other forks blindly followed it, unfortunately, like hardly all Firefox forks blindly and thoughtlessly copy code from Mozilla.

Now, I managed to go back to 1.x somehow, but what about Apple users who have no choice but to use the latest, official version?! Please, I beg you, bring it back. Source code freedom is not enough, we need runtime freedom and data freedom. Don’t turn DC into yet-another-IM. Don’t do EEE for the sake of security. Btw, so many restrictions these days are put on users „for my security”, so I’m not too far from believing that if I stop updating my software, which I always did, I’ll be more safe… at least there will be no more unpleasant surprises.

4 Likes

Importing a key never allowed to restore message history from the mailbox. Inbox is treated as a feed and not as a storage. It is possible with some hacks to cause processing of old messages again, but is not guaranteed to have the same result because SecureJoin messages are unconditionally deleted after processing, there is no order between DeltaChat folder and INBOX etc.:

Generally common advice for backups is to test recovery when you take them. Otherwise you might be surprised later that you cannot recover the backups or recovery does not result in your devices being in expected state.

If you manually downgraded to 1.x while keeping the database that was already upgraded to 2.x, it is not going to work as expected. When 2.x upgrade is run, there is a database migration that splits existing contacts into address-contacts and key-contacts. After migration you might have multiple contacts with the same address, some of them having a key fingerprint and some of them not. 1.x is not aware of the “fingerprint” property of contacts and will select one of these split contacts arbitrarily. And if you later import a backup into 2.x or upgrade your setup to 2.x, database migration will not run again and all the changes to encryption state done by 1.x will not be used by 2.x because it stores encryption state differently.

This is why the desktop announcement says that you should not downgrade:

On Android and iOS downgrade is generally prevented by the operating system.

This is not because we want to prevent you from downgrading or force everyone to upgrade to 2.x. As Delta Chat is primarily a private messenger, someone or some group deciding to use an old version cannot cause any problems to other groups of users. If you have a 1.x backup, feel free to restore it and keep using it. Using a 2.x database with a 1.x client will likely cause unexpected problems that we cannot debug.

@Dhammanana if you don’t want encryption, why don’t you just use a normal email client??? the whole and sole purpose of Delta Chat is to provide a secure e2e encrypted solution, you come here flooding the forum with super long blocks of text really hard to understand and often not so friendly, we are not forcing you to use Delta Chat, my friend, be free, uninstall it, fly

:warning: Be especially aware of the mandatory backup (!) this time :warning:
since during upgrade your account data is migrated to a new state and you should not downgrade again with the migrated accounts.

So the developers actually announced it. That’s fair, but in my opinion, wasn’t enough, because many (including myself) don’t follow changelogs of every piece of software they have installed, or do backups before upgrade, or they have automatic upgrades. Before I realized what’s going on, it was too late for: me, mother and a friend of mine. A warning should be shown after upgrade and before migration, clearly explaining the consequences and suggesting to make a backup just in case, let such a huge change not be overseen.

Now if I want to stick with 1.x, my only choice is to use broken database, which indeed causes problems (i.e. double chats). There’s no tool or instruction to reverse the migration (prior to my knowledge, I assume it’s reversible). Apple users are in even worse situation, as they have no word about what version to use.

The Dhammanana’s writings are really hard to read and understand, written most likely using some poor machine translation, with a lot of political phrases in it. If I understood the intention well, the DC community has divided by the ideas how DC should evolve and 2.x update is the most controversial one in the history. In the Drop classic email support - #21 by adbenitez forum thread we can see many responses of people who disagree with the new direction in favor of so-called security but against interoperability. One way was chosen officially and many are upset. If the project maintainers won’t find a way to satisfy both groups, while not perfect – maybe it’s time to run a fork…

Actually there’s already Arcane, WhatsDown, also unofficial clients with their own codebase. They exist for a reason. We could reach them to save the effort of running and maintaining a completely new fork.

1 Like

I don’t assume, despite my feelings, developer’s bad intention and especially I’d rather avoid using political labels, but I’d like to be heard.

4 Likes

See also Chatmail: Clients.

(By “actual”, the page means “actively maintained” [because English stupidly disagrees with most living European languages and Latin about what that word means, creating a particularly vexatious false cognate])

I personally disagree with that statement. Encryption is good and we should use it, but interoperability, user freedom and general usability are important as well. DC used to find a good balance between these. I say none of these goals should be taken at all costs. Even the built-in help said:

Sometimes remaining in contact is more important than end-to-end encryption.

What is this telling me, is that if encryption isn’t possible, I should still be able to communicate normally. I found that statement in 1.58.4, but it was removed later between 1.58.4 and 2.8.0. Like DC changed its policy?

Note that the discussion started with me asking kindly to bring back avatars, updating group membership, etc. Avatars for example, have little to none to do with encryption, so I can’t get the reason I can’t have them. And I’d like to add people to my group, so they receive messages and announcements as well. It’s just a matter of adding someone to “To” field. Removing is more difficult, like nicodh said:

If you remove a user the other users won’t see that and if they respond with the old recipient list the user is back in the group immediately.

That’s a fair point, but now if a member says “I don’t want to be on that group anymore, I’m getting a lot of messages. Can you please remove me?”, we must say “we can’t, the app won’t let us”. Or we create a brand new group and have chat history split, maybe several times with each member update.

2 Likes

Speaking about security, I wonder whether DC signs messages and verifies the signatures. I think that might slightly improve the security of the unencrypted groups. A group of 20 people where just 5 don’t have DC is unencrypted, but the other 15 who do could be notified if one of them has a wrong signature or unexpectedly changes the key or drops it.

Or another idea, some (optional just like ephemeral timer) HTML+CSS scrambling-escaping mechanism, to make it hard for provider bots to scan the text in search of keywords, but the content is rendered so that email users see no difference? Just thinking.

Oh, or maybe: detect if among participants some mail server is used only by DC users and if that makes sense, construct 2 messages: encrypted for some servers and plaintext, for the rest. For example:

  • all members @a.com use DC
  • all members @b.com use DC
  • few members @c.com use email

What each server could and could not see in this situation:

Assuming they have different owners who don’t cooperate in spying, at least some parts of the conversations are protected. It may even be the major part, for example: if only a.com talks, b.com sees no plaintext. If b.com responds, it can see only that, which can be as meaningful as “ok” or “I agree with that.”. Better than nothing. What do you think?

Delta Chat, or rather Chatmail core, only supports signed e-mails if they are also end-to-end encrypted (including encrypted Subject). This stems from the UX goal of providing private instant messaging with the least user-side frills possible, which in turn stems from an orientation towards mass users not hackers or expert users. We are very aware of all the flexibility that is in OpenPGP and other protocols, but are very selective which parts we use, also to reduce the overall attack surface that needs to be analyzed in independent security audits.

OpenPGP is indeed complex, all these subkeys with their use cases and expiration, keyservers, trust levels, collecting certifications, revocations… As compared to that, digital signature without encryption (already done automatically by mail clients such as Thunderbird) plus remembering members’ state and showing a warning if they stop signing or change the key, doesn’t seem to be so hard to explain or implement. I believe parts of the code do exactly that if the encryption is present.

Thanks for your interest and support over the years!

If you appreciate Delta Chat as a nice (clear-text) e-mail client, like also @Raiden and others expressly do, then it’s understandable that recent directions of the project, including V2 releases, raise concerns and objections. Up until May 12th 2024 the Delta Chat home page advertised with “:speech_balloon: Message anyone with an e-mail address even if they don’t use Delta Chat”. With the Instant Onboarding and instant message delivery release end May 31 2024 the primary communication had changed. No longer was Delta Chat trying to be an e-mail client but an easy-to-use instant messenger with onboarding that requires no private data (like e-mail address and password). This was the new home page (and still is, largely unmodified):

This revised home page mentions e-mail only in a secondary note, even though chatmail is still using many e-mail standards but in the background, not foreground, and tuned and refined to nurture a strictly end-to-end encrypted federated ecosystem with chatmail relays in Bangalore, Johannesburg, Teheran, Montevideo or Kamchatka as well as in numerous European countries and North-American states. Any chatmail relay beats expensive classic e-mail providers in terms of performance and avoidance of keeping any data for longer times. In the last year usage has dramatically increased, as have contributions and overall ecosystem happenings. So that bigger project change was not all for the worst.

Personally, i use delta a lot for un-encrypted communications from my classic profile and see all of its shortcomings and can thus easily sympathize with your or @raiden's frustrations. Still, i think it’s the right direction for the delta project to focus on chatmail instead of classic e-mail. For what we are trying to do, it doesn’t matter that much if I and probably you and a few others, as hackers or expert users, have some troubles in using delta for e-mail tasks or with non-dc contacts. I can also use mutt (which i still do) after all. There are no precise numbers but the vast majority of users onboards via chatmail relays, even a majority of Fediverse users. The default onboarding chatmail relay processes 2.3 Million messages a day, with around 500K active addresses. Our discussions and next development targets aim to lay the ground for billions of people onboarding into the chatmail ecosystem. Call us crazy if you will :laughing:

Be assured that there is a vivid discussion in contributor circles about classic e-mail use cases, and several are interested to see that side improve. Delta Chat is, after all, a pretty well working e-mail client even with all the shortcomings and the horror of gray mail icon avatars. When and how we get to do improvements to classic e-mail usage, we’ll see. Not soon, likely. If there is a UX/UI-developer team that would like to fork delta chat and boost its classic e-mail side, with a new branding, we’d be willing to support that. We generally are welcoming to forks if there is potential mutual benefit and good faith. Antagonistic forks are only a last resort and carry a high risk to fizzle out, so usually it’s better to try mutually beneficial forking first.

6 Likes

Thank you. Now I believe that in the future, when we decide what to do next with DC, we will take into account cleartext mail user’s needs and use cases as well to keep this messenger not only secure, but compatible with those billions of mail users who don’t use DC (at least for now, let us hope).

I understand that the development state of core V2 might not allow for that right now and it may take some time until it’s ready to bring back missing features. I’m not a programmer, but I’d be glad if I could help somehow. Let’s investigate together what can be done to improve the situation, like reaching maintainers of forks, unofficial clients (if they use Rust core), or finding out how to “convert” backup file from V2 to V1.

the whole and sole purpose of Delta Chat is to provide a secure e2e encrypted solution

I completely disagree with this statement.

There are plenty of secure e2e encrypted solutions out there (Signal, Matrix, Whisper, Tox, Wire, XMPP, SimpleX, Session, Threema, Briar, Mattermost, etc.).

Sure, each has its differences but if Delta Chat focuses completely on encryption it becomes “just another” in that group, another app which fragments the userbase and which my grandma won’t install since “everyone’s on WhatsApp, why would I get your weird app with none of my friends on it?”.

Interoperability was what differentiated Delta Chat from all the others. The fact that you didn’t have to pester friends and family to adopt a whole new network was revolutionary.

Opportunistic encryption is not the alternative to true unfailing e2e, it’s the alternative to everything staying cleartext or worse, on Facebook Messenger.

I have a lot of respect for all the Delta Chat devs, they’ve created something great here. I’d hate to see all that thrown away and Delta Chat become just another FOSS e2e chat app. That would mean a small-but-dedicated userbase trying futilely to push their friends to adopt its closed system, and that’s a battle which Big Tech’s massive marketing budgets will win every time.

4 Likes

you and @anedroid may disagree, but then you can do a friendly fork and take care of maintaining that, we are a small team, we even almost went bankrupt recently, some of us were working half the salary, some even for free, even when full, the salaries are not super high for the high amount of hours we donate to work on this project, there is a limit to how much one can do, and having too broad goals can be our doom, and burnout our team with too complex problems and constant requests.

if some of you are rich and can pay extra developers or champion such “unencrypted email client with chat interface” efforts that would be great, it could then compete with Spike app that already offers unencrypted email view as chats more flexible and with more features for email users than delta chat.

I personally am not interested in wasting my time in such project and prefer to focus in contributing to a secure decentralized chat messenger solution, since for unencrypted/insecure communications I already have enough options

Hey @adbenitez, there are at least 2 forks of DC out there, one of them is Arcane. It already has some nice features such as extended XDC API. The other is WhatsDown - Arcane’s fork which only changes icon and UI (but the maintainer says they have some great plans for it).

Since you maintain Arcane, I’d like to ask you first:

  • What would it take to put a fork on Apple App Store? Are there any fees? What about 3rd party stores?
  • I guess you’re not going to add any new changes to Arcane other than upstream, right?

WhatsDown is just some half-AI-generated stuff I don’t even know how they accepted it in the store, even the screenshots etc. are displaying ArcaneChat, the change of colors made the app actually worse than an improvement, but anyways, let’s hope the author actually does something interesting and might then even get ported back to ArcaneChat or even Delta Chat

this is a hell lot of effort, to start with you even need to buy apple devices to develop etc. and even afterwards it might not be possible to get a fork in the store at all, plus push notifications will not work at all since apple have push notifications in a centralized way and the solution we have doesn’t allow this

shipping apps to several stores and platforms is a lot of effort and requires several people and expertise and time, and money, that is why I only ship ArcaneChat to Android, besides the fact that it would be too much for me to have to maintain so many apps for different platforms all on my own

I keep adding new changes to ArcaneChat, several of them end up in the official app pretty quickly tho, so it is not that I am not adding new stuff it is that I contribute it to the official app, only when the feature is rejected in the official app then I add it only to ArcaneChat, but this is getting offtopic here, if you are an arcanechat user you can talk in the ArcaneChat forum or in ArcaneChat’s social network for public interactions PixelSocial

Thanks for the offer of help, appreciated. For your info, there is also feedback like this

“The separation of encrypted emails and normal emails has been tremendous progress. I am very satisfied with that.”

I suggest to try to not talk so much about V1/V2 but about the precise things that would be helpful to improve cleartext e-mail usage with the current releases. From my own usage that’s being able to add/remove recipients, as a primary thing. I’d maybe expect it to produce a system message “Added recipient X for the following messages” or something like that. Adding/Removing would not cause any outgoing message. Only actually sending a message would add it to CC. This is a real functional limitation i hit in real email conversations. It requires work in chatmail core mainly plus in all UIs.

General note: All User interfaces known to us, either maintained or supported by us, will use V2 going forward, and compatibility with prior releases might degrade over time. That’s a feature because it guarantees cross-client consistency, while allowing the whole chatmail ecosystem to move, which both were key critical inhibitors for XMPP adoption. Matrix was founded to do better and appears to suffer similar consistency/friction issues.

From https://delta.chat/en/2025-08-04-encryption-v2#classic-email-usage-was-enhanced-but-requires-opt-in:

chat messages in mail chats will never become end-to-end encrypted.

I wonder why was it taken away. That was a good feature. I could talk to a friend via email and as soon as the encryption becomes available, it was enabled. IMO it should go back.

Also I realized the ephemeral is not available. But that’s probably not the most important thing to have… I guess.

I have understood now that forks and independent clients aren’t really as independent as they used to be. They mostly use single Rust core, now called Chatmail core. The whole thing isn’t Delta Chat anymore, it is Chatmail. Somewhat similar to web browsers and their relationship with Chromium. That being said, it’s harder for them to do things differently (though Arcane has a customized core). I suppose any attempts to reach them all and warn from V2 is not the best way. What about opening new threads/issues per feature to find out whether and how to add them to V2? What’s the best place to discuss it – GitHub, this forum, Chatmail?

  1. User/group avatars – already discussed at: Alternatives to gray email avatars
  2. Adding/removing group members
  3. Editing/deleting messages
  4. Ephemeral timer
  5. Automatic activation of encryption

Each has its own nuances regarding UX, compatibility and implementation details.

1 Like

Huh? How do you suggest to have ephemeral messages timer with non-dc e-mail clients, or editing/deleting messages? How do you want to get implemented any of that in gmail, posteo, gmx and tons of other classic e-mail providers and different email clients and web interfaces?

In any case, please don’t explode this cleartext topic overly. I won’t follow up (going to vacation) myself, and i think most things have now been said. Any improvements will come slowly. If you need an e-mail client instead of an instant-messenger, then please consider using a classic email app for that purpose.

1 Like

I understand the time and effort involved with maintaining software; I maintain a couple of projects in my spare time for no money. I’m not trying to “burn out the team with too complex problems and constant requests”, but rather to secure the future of the project by ensuring it doesn’t lose what made it valuable.

for unencrypted/insecure communications I already have enough options

I see the opposite situation - there are plenty of secure FOSS apps/protocols to choose from, and none have any users. Delta Chat had billions of users through interoperability with email. I could persuade friends to adopt it one-at-a-time, as their other friends were already reachable through email too.

With the recent changes, these friends aren’t switching to Chatmail - they’re switching to Facebook Messenger.

3 Likes