GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE
  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    Delta Chat (delta@chaos.social)'s status on Wednesday, 09-Apr-2025 01:57:12 JST Delta Chat Delta Chat

    #openpgp traditions and #signal both bind a cleartext identifier, phone number or email address, to a cryptographic key. It opens up attack vectors as the servers/orgs controlling this binding can interfere.

    #deltachat avoids such cleartext identity bindings by creating random #chatmail addresses, as transport only. The cryptographic key becomes the identifier and we want it hidden from the transport layer. Only people being in end-to-end encrypted chat need to identify each other, after all.

    In conversation about a month ago from chaos.social permalink
    • Johnny Peligro likes this.
    • Embed this notice
      Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 09-Apr-2025 02:34:22 JST Haelwenn /элвэн/ :triskell: Haelwenn /элвэн/ :triskell:
      in reply to
      @delta As if DeltaChat wouldn't be using SMTP as transport layer and so is also dependent on the underlying architecture of servers and DNS.

      And all transport protocols use cleartext identifiers.
      In conversation about a month ago permalink
      Johnny Peligro likes this.
    • Embed this notice
      Delta Chat (delta@chaos.social)'s status on Wednesday, 09-Apr-2025 03:31:59 JST Delta Chat Delta Chat
      in reply to
      • Blake Leonard

      @blake

      1) Many people want end to end encryption by default and only. Signal has dropped SMS chats three years ago. Mixing cleartext and e2ee is problematic from a usable security pov

      2) Several #chatmail operators in repressive situations/environments want to be sure their servers do not contain data that can hurt people. Strictly requiring end to end encryption helps.

      3) We use IETF standardized protocols for interoperability and discuss with other MUA devs and help where we can.

      In conversation about a month ago permalink
      feld likes this.
    • Embed this notice
      Blake Leonard (blake@infosec.town)'s status on Wednesday, 09-Apr-2025 03:32:00 JST Blake Leonard Blake Leonard
      in reply to

      @delta You imply Chatmail is interoperable with non-Chatmail email. My understanding so far has been that Chatmail -- the newly-default mode of DeltaChat that runs on specially-configured servers -- breaks DeltaChat's core benefit of being able to communicate with anyone with an email address; this is due to Chatmail's mandatory encryption and novel key exchange protocol that isn't widely supported or used. OpenPGP and AutoCrypt do enjoy some support in niche MUAs, but most email users are on Gmail or Outlook¹ which don't support either. It may be possible to do this excruciatingly manually or with a specialized external tool (which doesn't exist), but for most people, this breaks the main reason anyone would choose DeltaChat over, say, XMPP+OMEMO.

      ¹ okay maybe Outlook does, if you configure it, maybe only if you're a paying enterprise user, and only OpenPGP and not AutoCrypt.

      In conversation about a month ago permalink
    • Embed this notice
      Delta Chat (delta@chaos.social)'s status on Wednesday, 09-Apr-2025 03:32:01 JST Delta Chat Delta Chat
      in reply to

      Some of you may have heart of #simplex which likes to elevate itself as "the first messenger without user-ids" ... a goal, similar to ours, of not letting the transport layer know about who talks. Only we are doing it in the email system, fully interoperable with tens of thousands of existing email servers and other #openpgp endpoints. The email system is much more than SMTP/IMAP or even openpgp btw ... there is plenty of room for radical shifts and new takes. We are just starting :)

      In conversation about a month ago permalink
    • Embed this notice
      feld (feld@friedcheese.us)'s status on Wednesday, 09-Apr-2025 03:41:37 JST feld feld
      in reply to
      • Blake Leonard
      @blake IMO the main reason you choose DeltaChat over XMPP+OMEMO is that the XMPP clients are all terrible and inconsistent. DeltaChat's clients are all very good on every platform, *and* you get reliable push notifications delivered by Apple/Google if you are using a Chatmail server.
      In conversation about a month ago permalink
      Johnny Peligro likes this.
    • Embed this notice
      GNU Too (gnu2@gnusocial.jp)'s status on Wednesday, 09-Apr-2025 03:47:05 JST GNU Too GNU Too
      in reply to
      • feld
      I've had no problem getting push notificatoins on Android/Linux using Monocles Chat
      In conversation about a month ago permalink
      Blake Leonard likes this.
    • Embed this notice
      feld (feld@friedcheese.us)'s status on Wednesday, 09-Apr-2025 03:48:44 JST feld feld
      in reply to
      • GNU Too
      @gnu2 how does the XMPP server know to send your push notification through Google's FCM?
      In conversation about a month ago permalink
      Johnny Peligro likes this.
    • Embed this notice
      feld (feld@friedcheese.us)'s status on Wednesday, 09-Apr-2025 03:51:48 JST feld feld
      in reply to
      • Avitus
      • Linux Is Best
      @delta @Avitus @Linux all it takes is the IP address of one identified Signal user participating in a group and then send a warrant to CloudFlare for their logs and you can then find the IP addresses of all other members in the group. More warrants to ISPs/mobile providers and now you've identified the humans that were all in contact with the user.
      In conversation about a month ago permalink
    • Embed this notice
      Avitus (avitus@ioc.exchange)'s status on Wednesday, 09-Apr-2025 03:51:50 JST Avitus Avitus
      in reply to
      • Linux Is Best

      @Linux @delta Any significance of this is negated because Signal has very little data about users.

      https://signal.org/bigbrother/

      The cops have to provide a phone number, and in all cases Signal can only say "yes, this number was registered". They don't know the identity of the number owner, who they talk to, what they've said, where they're located etc. unlike WhatsApp, Telegram, Facebook Messenger etc.

      In conversation about a month ago permalink

      Attachments


    • Embed this notice
      Delta Chat (delta@chaos.social)'s status on Wednesday, 09-Apr-2025 03:51:50 JST Delta Chat Delta Chat
      in reply to
      • Avitus
      • Linux Is Best

      @Avitus @Linux sure signal is so far the best central messenger when it comes to handling privacy on potentially hostile infrastructure. However any seized phone can reveal phone numbers of group members. Collecting IP addresses are another attack vector. Cloudflare which serves encrypted blob files may be able to identify IP addresses of all signal group members who download an encrypted file. It's not data that the signal organization itself has access to but certainly an attack vector.

      In conversation about a month ago permalink
    • Embed this notice
      Linux Is Best (linux@mk.absturztau.be)'s status on Wednesday, 09-Apr-2025 03:51:52 JST Linux Is Best Linux Is Best
      in reply to

      @delta@chaos.social You should also add that Signal's development, servers, foundation, and business are all in the United States, and all subject to US Jurisdiction.

      #Signal

      In conversation about a month ago permalink
    • Embed this notice
      feld (feld@friedcheese.us)'s status on Wednesday, 09-Apr-2025 03:56:02 JST feld feld
      in reply to
      • Blake Leonard
      @blake That's not true, there are alternative DeltaChat clients. (chatmail is only the server infra)

      https://support.delta.chat/t/list-of-all-known-client-projects/3059

      Building a new client is actually quite easy compared to other chat platforms as you don't have to waste any time implementing the protocols -- you just wrap the Rust core library / JSON-RPC server that handles everything for you.
      In conversation about a month ago permalink

      Attachments

      1. Domain not in remote thumbnail source whitelist: support.delta.chat
        List of all known Client Projects
        Official These are the officially endorsed clients. These clients are the most “complete” in terms of functionality. Except for deltatouch all of them are maintained and published by merlinux. deltachat-android Official android client, the first app that ever existed for deltachat. fun fact: UI was originally forked from signal and then adjusted to look more like telegram. (at some point we also tried working with telegram’s ui, but their code was too strange for us to understand) language: ...
    • Embed this notice
      Blake Leonard (blake@infosec.town)'s status on Wednesday, 09-Apr-2025 03:56:03 JST Blake Leonard Blake Leonard
      in reply to
      • feld

      @feld That's a pretty good point. There are some okay XMPP clients, and a lot of dated and shit ones (much like IRC!), but there is only one Chatmail client -- it's like Element is for Matrix, but with no alternatives!

      DeltaChat is also a lot like Element in that it is or at least feels like a fragile web-wrapper. (To be fair though, I've only tried it on Linux, where it actually is an Electron app, and Android, where it mostly just feels like a dated demo app.)

      In conversation about a month ago permalink
    • Embed this notice
      feld (feld@friedcheese.us)'s status on Wednesday, 09-Apr-2025 05:12:34 JST feld feld
      in reply to
      • Blake Leonard
      @blake you don't need the FFI when you can just use the JSON-RPC to do everything. I have a super basic example of some JSON-RPC calls for writing a bot here:

      https://blog.feld.me/posts/2025/03/deltachat-bots-made-easy/
      In conversation about a month ago permalink

      Attachments

      1. Domain not in remote thumbnail source whitelist: blog.feld.me
        DeltaChat Bots Made Easy – Makefile.feld
        If you have started down the path of exploring DeltaChat you may have wondered about the difficulty of integrating any automations or bots with the platform. There do exist some nice libraries like the Python deltabot-cli-py, but what if you don't want to use Python? Requiring robust SMTP/IMAP and …
    • Embed this notice
      Blake Leonard (blake@infosec.town)'s status on Wednesday, 09-Apr-2025 05:12:35 JST Blake Leonard Blake Leonard
      in reply to
      • feld

      @feld Wrapping the Rust core library and getting it to work is a battle too. IPC/FFI is not for the faint of heart, and integrating with strongly-typed languages is another story. I do understand Chatmail is more or less a standard and not a concrete implementation, though DeltaChat does offer a standard distribution.

      I have a DC fork ArcaneChat alongside vanilla DeltaChat. I'll definitely take a look at that list, though. I have ideas about bridging and a standalone watch client rolling around in my head, though I'm not sure I want to be held responsible for maintaining it...

      In conversation about a month ago permalink
    • Embed this notice
      Matthias (ulfi@nerdculture.de)'s status on Wednesday, 09-Apr-2025 06:05:18 JST Matthias Matthias
      in reply to
      • Blake Leonard

      @blake @delta
      "this breaks the main reason anyone would choose DeltaChat over, say, XMPP+OMEMO."

      I think if people use xmpp and delta chat for a while, the reason why they keep on using delta chat is not email compatibility. People should just try out.

      (I still keep on using xmpp next to delta chat because I think it can be useful to have more than one open protocol)

      In conversation about a month ago permalink
      feld likes this.
    • Embed this notice
      feld (feld@friedcheese.us)'s status on Wednesday, 09-Apr-2025 06:13:30 JST feld feld
      in reply to
      • Matthias
      • Blake Leonard
      @blake @ulfi @delta Personally I have a strong desire for both privacy and sovereignty. Most of my chats are secure but don't really need to be. Better that they are, though. I want to be able to easily send people files and information securely and never wonder if there's a copy floating out there on a server I don't control.

      And also just owning my data. I have a group chat with a couple friends that we have maintained for well over 10 years. There is an incredible amount of useful information in there spanning science, technology, politics, and finance. We migrated it to Telegram in 2019 and as of last month it's on DeltaChat.

      My backup of that chat on Telegram was over 30GB and 250,000 messages. There's another chat we have specifically about finance and it was about half that size.

      But at any time Telegram could decide to delete all history older than a couple months because it's too expensive to host for free. Now I have an option where I truly have full control of the data and server infra but get a clean modern chat UX across multiple devices and OSes. It's everything I wanted, and any missing pieces can be filled in later.
      In conversation about a month ago permalink
      Johnny Peligro likes this.
    • Embed this notice
      Blake Leonard (blake@infosec.town)'s status on Wednesday, 09-Apr-2025 06:13:31 JST Blake Leonard Blake Leonard
      in reply to
      • Matthias

      @ulfi @delta Whether or how often you use a certain chat app depends on who you can talk to with it. For example, I wouldn't use WhatsApp if I didn't have a friend whose parents won't let them use anything else. And I would use Signal, DeltaChat, or Conversations/XMPP if someone I knew also used that app. (There are actually a couple people I know on Fedi I use Signal with from time to time.)

      Now, assuming you and all your friends have both apps, which one you'd use then depends on how comfortable those are to use. For example, if your friends are in a group chat and group chats tend to break on one (cough cough XMPP), you'd pick the other one. If one is slow and drops messages, or is missing some important feature the other one has, such as anonymous¹ messages, chat apps, or formatting, you're going to use the other one. You're right that there is an edge towards DeltaChat on this one, though on occasion XMPP does still win (and Signal sits in the middle).

      ¹ XMPP MUCs have a semi-anonymous mode where the group's admin can see the members' real JIDs, but other members can't. Maybe you're a woman and you don't want men from your group chat sliding into your DMs. DeltaChat could possibly recreate this using the mailing-list pattern, but standard DeltaChat group chats can't support it.

      In conversation about a month ago permalink
    • Embed this notice
      Johnny Peligro (mischievoustomato@tsundere.love)'s status on Wednesday, 09-Apr-2025 06:15:12 JST Johnny Peligro Johnny Peligro
      in reply to
      • Matthias
      • Blake Leonard
      • feld
      @feld @delta @blake @ulfi i want the same, but i currently don't care since i can't afford having my own stuff, but my endgame is to have 80% of the things I use be MINE only.
      In conversation about a month ago permalink
      feld likes this.
    • Embed this notice
      feld (feld@friedcheese.us)'s status on Wednesday, 09-Apr-2025 06:20:09 JST feld feld
      in reply to
      • Avitus
      • Linux Is Best
      @Avitus @Linux @delta Several examples over the last few years showed governments gaining access to Signal chats and interrupting illegal activities. How did they do it? Simple device seizure.

      It doesn't matter how secure your chat app is or that it has the greatest key exchange algorithm and implements Perfect Forward Secrecy if you don't immediately delete the chat history off your device.

      Literally nobody is being attacked by their government with a MITM. Instead, they're coming for your device which nobody properly secures but encryption enthusiasts always stay focused on the network protocols. Even TLS would be sufficient to stop them from snooping, every additional layer is just bragging rights IMO.
      In conversation about a month ago permalink
    • Embed this notice
      Avitus (avitus@ioc.exchange)'s status on Wednesday, 09-Apr-2025 06:20:10 JST Avitus Avitus
      in reply to
      • feld
      • Linux Is Best

      @Linux @delta @feld We went from talking about if Signal is safe to now talking about serving subpoenas to organizations other than Signal, and gaining physical access to devices. That in itself is a testament to how safe Signal is. Whether a subpoena is served to CloudFlare, or what a given person's threat model is, is irrelevant to what Signal itself does to protect its users.

      In conversation about a month ago permalink
    • Embed this notice
      Linux Is Best (linux@mk.absturztau.be)'s status on Wednesday, 09-Apr-2025 06:20:11 JST Linux Is Best Linux Is Best
      in reply to
      • Avitus
      • feld

      @feld@friedcheese.us @delta@chaos.social @Avitus@ioc.exchange CloudFlare is also not secure in the way people imagine it to be. Many people use CloudFlare, thinking it will mask their server. It does not.

      This provider here, will show you the real server of every site behind CloudFlare https://search.censys.io/

      In conversation about a month ago permalink

      Attachments


    • Embed this notice
      Avitus (avitus@ioc.exchange)'s status on Wednesday, 09-Apr-2025 09:59:51 JST Avitus Avitus
      in reply to
      • feld
      • Linux Is Best

      @Linux @delta @feld "That you know of" doesn't apply when Signal reports the subpoenas they receive and their responses with the data they provide:

      https://signal.org/bigbrother/

      This is going in circles. No service is Fort Knox. You have to accept some level of risk whether that be the service itself going bad or some outside force prying sensitive information from the service.

      Signal, as shown at the link I've now provided three times and has been totally ignored throughout this conversation, mitigates first and third-party risk by collecting as little data as possible so they don't have it to give.

      In conversation about a month ago permalink
      Doughnut Lollipop 【記録係】:blobfoxgooglymlem: repeated this.
    • Embed this notice
      feld (feld@friedcheese.us)'s status on Wednesday, 09-Apr-2025 09:59:51 JST feld feld
      in reply to
      • Avitus
      • Linux Is Best
      @Avitus @Linux Why does Signal try so hard to hide that Moxie's original funding for Textsecure / Open Whisper came from the CIA?
      In conversation about a month ago permalink
      Doughnut Lollipop 【記録係】:blobfoxgooglymlem: likes this.
    • Embed this notice
      Linux Is Best (linux@mk.absturztau.be)'s status on Wednesday, 09-Apr-2025 09:59:53 JST Linux Is Best Linux Is Best
      in reply to
      • Avitus
      • feld

      @Avitus@ioc.exchange @delta@chaos.social @feld@friedcheese.us That you know of. -- That is the point.

      When in doubt, pick a provider outside US Jurisdiction.

      In conversation about a month ago permalink
    • Embed this notice
      feld (feld@friedcheese.us)'s status on Wednesday, 09-Apr-2025 10:02:09 JST feld feld
      in reply to
      • Avitus
      • feld
      • Linux Is Best
      @Avitus @Linux Also did anyone ever conclude why in 2021 it was observed that safety numbers were not changing when uninstalling and reinstalling Signal which should have wiped all Signal data from the device? How is that even possible unless Signal has a copy of the keys?

      I genuinely do want to know wtf is going on here:

      https://403forbiddenblog.blogspot.com/2021/06/signal-safety-numbers.html
      In conversation about a month ago permalink

      Attachments

      1. Domain not in remote thumbnail source whitelist: blogger.googleusercontent.com
        Signal safety number privacy issues
        kelly kaoudis: application security, hacking, software engineering blog
    • Embed this notice
      Delta Chat (delta@chaos.social)'s status on Thursday, 10-Apr-2025 07:28:52 JST Delta Chat Delta Chat
      in reply to
      • Blake Leonard
      • feld

      @feld @blake the list of clients and bots is better curated at https://chatmail.at/clients

      In conversation about a month ago permalink

      Attachments

      1. Domain not in remote thumbnail source whitelist: chatmail.at
        Chatmail: Clients
        Chatmail provides FOSS infrastructure for interoperable, secure, speedy and reliable end-to-end encrypted messaging. Check out clients as Arcane Chat, Bots or Delta Chat today!
      feld likes this.
    • Embed this notice
      Delta Chat (delta@chaos.social)'s status on Monday, 14-Apr-2025 07:07:36 JST Delta Chat Delta Chat
      in reply to
      • rohden

      @rohden as official as it gets, yes :)

      In conversation about a month ago permalink
      feld likes this.
    • Embed this notice
      rohden (rohden@fe.disroot.org)'s status on Monday, 14-Apr-2025 07:07:38 JST rohden rohden
      in reply to
      @delta
      chatmail.at is the official domain of chatmail?
      In conversation about a month ago permalink

      Attachments

      1. Domain not in remote thumbnail source whitelist: chatmail.at
        Chatmail
        Chatmail provides FOSS infrastructure for interoperable, secure, speedy and reliable end-to-end encrypted messaging. Check out clients as Arcane Chat, Bots or Delta Chat today!

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.