You don’t actually need the Chatmail server QR code.
Pretend you have an account on the Chatmail server
a. Make up a 9-character random string, and call it your user name. If the server has the domain name nine.testrun.org, use [9-char random string]@nine.testrun.org as your email address.
b. Make up a password. A string of 12 random characters is standard.
In the DC client, pick “Create New Profile”>“Use Other Server”>“Classic E-Mail Login”
Fill in your made-up address and password.
Everything works. Except in the unlikely event that that e-mail address already exists, the server will register it on first login
If you did not fill in the “Your Name” field to give yourself a profile name before clicking “Classic E-Mail Login”, then go to the no-name profile, click on the cog icon to open settings, scroll down to “Edit Profile” and fill out your name. You can also add a bio. These can both be changed later.
The strings of 9 and 12 random characters are what would be automatically assigned if you were using the account creation code. You can choose a non-random account name, but it will be more conspicuous.
You can also use a secure passphrase instead of a password. Do not use anything that is on any of the lists of common passwords, or reused from elsewhere, or easy to guess, even if someone knows you and what you call your cat. The password will be stored in the DC client and its backups, so you probably don’t need to remember it.
Not stupid! Indeed @DELTA_MAFIA recreated a Chatmail relay server without porting the account info (not for malicious reasons) and found that users just automatically recreated their accounts as they logged in again.
You could indeed use this to try to impersonate someone, but I think when you used a wrong key the message would not even get through; the receiving client would silently drop it. And the relay server operator does not have any way to steal the correct key.
The user being impersonated would notice their logins failing, and their contacts would see no messages from them.
With the new upcoming multitransport, both clients might just silently switch to a server that works, automatically, in the background. It might not even interrupt your chat.
I’m fairly sure it would do that, because otherwise there would be little point in adding a contact (=telling your client what the key for a specific e-mail address ought to be). I could test it by hacking a contact to have the wrong fingerprint.
Malicious clients and relays are part of the threat model. Relays can grab some metadata (how big is the message, when was it sent, etc.), and they can drop or bounce messages. Remailer relay nets (nothing to do with DC) are thought by some to have been attacked using malicious relays that selectively dropped messages using better encryption schemes, to incentivise users to use weaker encryption. It is a bit hard to prove.
EDIT: I tested an invitelink with a corrupted fingerprint; the profile it is pasted into identifies it as a separate contact, and fails to establish E2EE.
From the backlinks this page is mostly used by people setting up servers and bots. It’s pretty obscure.
I don’t recommend advertising this manual creation to people, in fact rules may change in the future, and having a random generated address is a privacy feature so the server don’t know “who talks with whom” if you set some typical nick etc. you are leaking metadata
you don’t need a QR, you just need the QR data that is a link also clickable in the page of chatmail servers, copy the link to clipboard and then in the QR scanner in DC use the “paste from clipboard” option
contact’s encryption is perpetual in Delta Chat, when you get in contact with a friend and receive their key, ex. via QR scan, that contact will have forever the same key identity in Delta Chat, no server admin or anyone getting access to the email address can impersonate your friend and send messages in your chat with them, the chat will contain only messages signed with the key you known from them, any other message encrypted with other key will appear as a totally different contact and chat
that means, in Delta Chat, the identity is the keys, that is what identifies your contacts, the addresses doesn’t matter much