DC in Mike Kuketz messenger overview

Hello ,
I just saw that Mike Kuketz updated his messenger overview.

He asks his followers to check the information again, especially the entries about the messengers they use themselves. Fortunately, DC also appears in this overview.
I’m unsure about some of the DC entries there.
But before I report anything, I wanted to reassure myself here first.
Here are the entries in question:

• Tracker → Opt-in
  I don’t know which tracker he means.
  Maybe Mapbox in DC-Desktop?

• Note if contact fingerprint changes?
  According to this overview, only in verified group chats. But as far as I know, this now also applies to verified 1:1 chats?

• Audio/video chats → No
  In my opinion this is misleading because audio and video chats can be started from DC.

• Avoids/protects metadata during use → No
  I think “partially” would be more accurate here, as it depends a lot on how DC is used.
  The multi-account capability is an advantage. In addition, disposable accounts are possible.
  The chatmail servers are another way to reduce metadata. As far as I know, these servers only store metadata as long as necessary and the registration is anonymous.

• *Usability → Advanced users
  What’s easier than scanning a QR code or simply entering the email address and password?

The more detailed review is here

In DC Android there is “Send statistics to Delta Chat’s developers”

IDK about this

Hmmmm IDK IDK. On one hand the fact that external services are used can be compared to the fact that relay servers could be used by other messengers to perform calls, i.e. it can be said that video chats are supported.
On the other hand, is it much different from sending a video chat link through an email that truly doesn’t have built-in video chat feature?

In the full review I assume the biggest argument is

Each email server can use the To and CC fields to find out who is sending a message to whom and when

I guess email addresses here are compared to phone numbers personally-identifiable-information-wise, i.e. you can’t send / receive a message without revealing your email address.
For Simplex and Briar, which received the “Avoids/Protects metadata during use” check-mark, it’s said

This is exactly what Briar does with its peer-2-peer network approach. Due to the lack of server infrastructure and the use of the Tor network, it is virtually impossible to find out who is communicating with whom and when.

SimpleX can be configured to route all communication over the Tor network. In combination with the missing (unique) identifier and the Simplex Messaging Protocol (In my opinion, SMP) can be used anonymously, which makes it difficult or impossible to find out who is in contact with whom using metadata

So I think it’s fair to say that Delta Chat is less private in this regard.

I’ll have to agree here.

• Nobody really uses email addresses as much as phone numbers, you wouldn’t ask your aunt or a grill in a park for her email address. Chances are all they have is a phone number plus an Instagram.
• The log in screen is hard to understand, it takes mental effort to realize that it’s asking you for your Gmail address.
  An then oh — why would I give my Gmail password to a random app that I just installed?
  Hold up, where is the “Sign Up” button?
  Alright, whatever, I’ll log in with Gmail. What’s that you said? I have to go to advanced settings and turn on aouth or MTSP or enable “less secure apps”?
  Nah thanks.
• You have to “Add second device” to log in on another device, which is not super reliable and is not always possible.

thanks for the writeup! - and thanks to Mike Kukets for the overview!

sending a single message manually is nothing what fits to the common definitions of “tracker”.

so, it is still an open question, what is meant by “tracker”. others have more statistics just by the centralised protocol

for “Advanced Users” wrt “Login”: i agree with the analysis of @WofWca, the Login experience depends hugely on the chosen provider - with chatmail we aim to improve that, and we’re not yet done with that part

I just tested it. A warning is also displayed in verified 1:1 chats.

Fingerprint Changed1273×340 53.6 KB

Fingerprint Changed Info1000×434 41.1 KB

Regarding usability:

On the other hand, everyone is likely to have at least one email account and therefore have set up an email client at some point. Actually, DC shouldn’t be a problem for most internet users. But of course one can try to make it even easier.

Those Messenger Matrices in general are really subjective and appear more useful than they really are.

Some concrete examples

• Why is second device setup / transfer to a new device not a factor for example? signal does not show a progress bar (& does not transfer messages to desktop) and I heard of many problems with WhatsApp when it comes to moving to a new device.
• Metadata on a single server is sth different than metadata in federated systems.
• I can not take any recommendation to Briar seriously, because Briar has hard restrictions. AFAIK (correct me if I’m wrong):
  • like groups only work if the admin/creator is online
  • in practice it goes nearly always over tor
  • does only federate via bluetooth with devices that you have in your contacts, so the “mesh” aspect is really limited
  • don’t get me wrong I like the briar project and team behind it but you can not really recommend it to anyone without explaining those restrictions.
  • with briar you get maximum security at the expense of usability
• Briar desktop is not easy downloadable, because it is not linked on the website yet, also in my experience (from last summer) it is standalone and does not need a phone.
• DeltaChat: defining Mapbox as a tracker is rather weird, it’s not like we or mapbox get your personal info, they can just get your IP address, the lib also create a user id for some telemetry, and the tiles you access, and that you access from deltachat (because of the api token); it’s nothing like a Facebook or Google tracker → anyways we are aware of this and are working on switching the map implementation to leaflet
• …

Thanks to Kuketz anyways for trying to make an overview over all the messengers to make them comparable.

Mapbox in android & in desktop, some automated privacy scanners detect it. We also had issues with f-droid over this in the past. We are working on switching to leaflet to resolve this.

maybe he expected it to also appear in all group chats.

we have the option to send a fancy link, but that is not calls with a ringing push notification, so I can understand the choice of saying no. Though since iMessage says third party app in that row, the sending video chat links feature could also be mentioned, I guess? (though that may be a stretch as the feature is experimental/opt-in → you first need to set your instance, on android there is only the input field, no default instances to choose from)

Another problem with such comparisons is that security is often only understood as protection against espionage.
In my opinion, three types of security should be distinguished when it comes to messengers:

1. Security against espionage
2. Security against data loss
3. Security from embarrassing yourself

Most of the time people only talk about protection against espionage.
Signal (iOS), for example, attaches great importance to this, but neglects protection against data loss because the chats cannot be exported and are always tied to one device.

Phone is broken? → You are unlucky!
Did you lose it? → Shit happens!
You changed the OS? → That’s your problem, we don’t care!
But hey, your data was always super encrypted.

Unfortunately, these problems do not play a role in most comparisons.
DC is far superior to other messengers in this area.
The DC backup is not encrypted, but this can easily be done with an additional tool.
Actually, the only thing missing is the option to export the chats as a text file, as not everyone can handle a SQLite database.

A feature that helps to increase security in point 3 is the support of multiple accounts. This allows users to better separate different areas of their lives and thus reduces the likelihood of sending a message to the wrong person. In this respect, DC also performs better than many other messengers.
Subsequent deletion or editing could further improve security in this area. But of course that would only make sense until the message was seen by the recipient.

It can now be downloaded from the website.

Not under Download Briar - Briar where I would expect it. sure the beta is linked from the blog, but I wouldn’t call this easy to find.

I’m not saying delta chat would be superior to some other messenger, I’m saying the in my opinion those messenger matrices appear more useful than they are.

Also ask you pointed out there are different factors that are important to different users, also security and espionage don’t tell you about the concrete threats yet:
A jealous ex-partner that spies on you, corporate mass data collection and processing (big data), secret services or criminal organisations all have quite different resources and means.
Example: your ex partner might still be in your cloud accounts (or know your passwords), and criminals, states and secret services might have access to zero day exploits that hack your whole phone with a single text message, only requiring your phone number (see Operation Triangulation - media.ccc.de) and once someone has administrator/root access to your device it’s game over already anyways.

So the term “security” always needs context to be meaningful, if you don’t have context you will be easily mislead by it (German talk about the use of the term “security” as an excuse to get people to tolerate things they wouldn’t tolerate otherwise: Aus Sicherheitsgründen muss das Grundgesetz leider abgeschafft werden - Schluss mit dem Sicherheitstheater - media.ccc.de).

I think a more useful approach would be something like https://distrochooser.de for messengers, but that will probably mean that people will gravitate to convenience, because that’s what’s important to most in practice. (so the result could often be WhatsApp, telegram or the like, provided that normal people take the test, nerds often care more about fancy crypto protocols)

Apart from the other issues mentioned above by @WofWca and @r10s, Delta Chat unfortunately makes it very easy to shoot yourself in the foot by accidentally sending unencrypted messages due to the “opportunistic” encryption. This can be mitigated if/when DC implements forced encryption (or at least the option for forced encryption).

The message padlocks are so small that you need to be both an advanced and vigilant user to know if you are sending encrypted or unencrypted messages, as I don’t think Delta Chat displays any warnings if you’re about to send an unencrypted message.

Moreover, you can even be caught out when you scan someone’s QR code. After you have already scanned someone’s QR code, you might reasonably assume that E2E encryption should apply, but this isn’t actually true until both parties come online and do the hidden key exchange. Unfortunately none of this is intuitive or properly explained in the app and even relatively advanced users can easily slip up here.

For example Alice could scan Bob’s QR code, then send him the message “Hi Bob, can you read this E2EE msg?” and only later realize that she sent it in the clear (maybe also compromizing Bob’s identity if he was using a pseudonymous account)!

If it’s expected that Alice has read how the key exchange protocol used by Delta Chat works before she starts using the app, it’s probably fair to call Alice an “advanced” user.

As a user it’s not clear to me what would happen in the scenario that Alice and Bob are introduced to each other by a mutual contact, Bob’s fingerprint changes, and the mutual contact verifies Bob’s new fingerprint — would Alice be notified about the fingerprint change or not?

It has also been pointed out by others elsewhere that the wording used by Delta Chat when a fingerprint changes (e.g. “setup changed” or something like that) might be too vague for users to understand the implications.

I think there is some mixed truth to this. As @Raiden says “everyone is likely to have at least one email account” and in my experience, 100% of people I’ve asked have an email address, even if they don’t use it as their primary communication channel. Unfortunately, some emails, including from the “privacy-focused” providers Proton and Tuta, don’t let you use IMAP with a free account, which disqualifies them from Delta Chat.

As you point out, in many situations it feels more natural or normal to ask for a phone number or an Instagram than an email address, but that’s really just a matter of social convention and stigma, and we can help to change that.

Also depending on where you live in the world, your economic situation, etc, phone numbers might be much less accessible than email addresses, and we shouldn’t assume that just because a certain type of demographic tends to use phone numbers more often than email, that this is true for everyone. If we all go along with the narrative pushed by apps like Signal that “we live in a phone-first world”, we might just end up inadvertently creating a world like this!

Ideally he would separate “tracker” and “telemetry” into different categories, but many less scrupulous apps (and operating systems) use “telemetry” as a euphemism for “trackers”, so this could get quite confusing and it’s not always clear where you draw the line, as data used for statistics can sometimes also be used for tracking.

I agree that chatmail is a big improvement. The flexibility which chatmail provides, the ability to easily sign up for a chat-optimized account or even multiple accounts without needing to provide personal details is a game changer. But the experience would be much smoother if the UI included something like a “generate chatmail address” or “sign up with chatmail” option. Firstly this would help people who use the Tor Browser, which doesn’t allow the chatmail webpage to open the Delta Chat app. Secondly, it would help to onboard new users and solve the “Hold up, where is the “Sign Up” button?” issue described by @WofWca.

I look forward to seeing how chatmail evolves in the future!

The multi-account capability is definitely an advantage, but still the fact that you access all your accounts at the same time and from the same IP address means that if your accounts are hosted on the same server, the server could associate your different accounts. To reduce this risk, Delta Chat would need to stop automatically checking all accounts simultaneously (currently an experimental feature for desktop only) and use Tor circuit isolation for each of your accounts.

ftr, there was a recent security milestone that should be mentioned in context of encryption & co. see Guaranteed End-to-End encryption and many other good news - Delta Chat - which solves a lot of issues and goes even beyond “forced encryption” and comparable suggestions of “modes” and “options”

It seems that you have listed this as a disadvantage, but I actually think it is an advantage that a desktop app does not force you to use a phone the way apps like Signal do. And DC for desktop doesn’t need a phone either if I’m not mistaken. (Unless your complaint is that the Briar desktop app can’t sync with the mobile app, but that’s something different.)

But they can be a good starting point for further investigation

Yes it has restrictions which are inherent to P2P messengers, but comparing P2P messengers to server based messengers is like comparing apples to oranges. Its good for what it does IMO

I haven’t tested but I assume the groups also work if the admin self hosts a Briar mailbox, but this isn’t practical for everyone

Maybe the mesh aspect is underutilized but if your going to use internet anyway its better to default to Tor then to clearnet.

That’s fair. If people want a drop in replacement for WhatEver they will run into some issues with Briar so its important they understand the differences

I think both the DC and Briar projects and teams are awesome and if they teamed up to share their skills and experience that would be really cool IMO. For example if DC defaulted to routing everything over Tor that would be amazing!

no I was just saying that the messenger matrix got that wrong at that time, seems that was already fixed so nvm that point.

we thought about integrating tor, but the rust implementation of tor was not complete enough last time we checked.

Guaranteed E2E encryption is a significant improvement, but I don’t believe it goes beyond forced encrytion as it’s still easy for users to slip up with this, as per my above example, which I’ll outline again below:

1. Alice scans Bob’s QR code
2. Delta Chat displays Bob’s address to Alice, so she thinks that the conversation is end-to-end encrypted because she heard that scanning a QR code gives you E2E encryption
3. Alice sends Bob the message “Hi Bob, we attack at dawn!”
4. Bob comes online and receives Alice’s invisible key exchange request as well as the unencrypted message “Hi Bob, we attack at dawn!”
5. Bob sends Alice his key so that Alice can encrypt future messages

However, if there was an option for forced encryption which Alice enabled, she wouldn’t be allowed to send the unencrypted message in the first place.

A similar situation occurs when people add contacts at a distance and may expect messages to be automatically encrypted because Delta Chat claims to encrypt messages automatically as long as the email servers support autocrypt, without realizing that the first message they send to a new, unverified contact will always be unencrypted.

My point is that casual users may have expectations about automatic encryption and guaranteed encryption which do not reflect how Delta Chat actually works. For advanced, vigilant users this might not be a problem, but for casual users, I think it would be helpful for Delta Chat to display warnings and ask for confirmation before sending unencrypted messages, and guaranteed E2E encryption doesn’t eliminate the need for a forced encryption mode.

It seems that some categories in the matrix have already been ammended for Delta Chat like the “tracker” and “notify of fingerprint change” cagegories. So I guess he has already received and acted on some feedback, which is great.

I appreciate Kuketz for making an effort to present this information in an easily accessible manner, though some of his reasoning about the matrix seems really inconsistent to me. This isn’t directly relevant to Delta Chat, but here are some of my thoughts about the reasoning he presents:

For inclusion criteria he dismisses forks, which seems highly arbitrary to me, since some projects (like Session, which he expressly excludes for this reason) can diverge significantly from upstream and potentially distinguish themselves with significant improvements such as decentralized servers or UnifiedPush.

I assume that Molly is also excluded for the same reason, though Kuketz apparently finds Molly noteworthy enough to dedicate a blog post to.

It’s like writing a browser comparison guide which excludes the Tor Browser because it’s derived from Firefox and excluding Chrome and everything else because they’re derived from Chromium.

He says that “open source” is criteria for the inclusion of new messengers but doesn’t mind keeping existing closed source messengers in the matrix.

And he seems to overate the value of perfect forward secrecy but that’s open to debate.