Delta Chat
Transparency report: #deltachat gave out data for the following number of users in the last years: 0, nada, zilch.
granted, it helps to not have data to begin with :)
#Telegram is the exact opposite: they have _all_ the data about users, message histories, contacts, group and channel memberships, phone numbers, media files, bot interactions etc .... all in the clear on their central server, ready to be grabbed.
https://www.404media.co/telegram-gave-authorities-data-on-more-than-20-000-users/
feld
F. Maury ⏚
> What does PFS have to do with minimizing metadata?
Absolutely nothing. You are correct.
The thing is the research behind this talk is an unpaid independent research, done on my free time. So I had to set some arbitrary criteria to filter the dozens of applications to study. If people want me to study a specific application, my rate is 500€/day (which is lower than my standard rate; a sacrifice I am willing to make because I think there is a social value to this work).
My belief is that E2EE, PFS and ephemeral messages are the minimum requirements for a secure messaging application to be taken seriously.
These are beliefs. Some people might have different beliefs and that's obviously OK.
So when people ask me "Have you considered Delta Chat?", my answer is "lol, no, they don't even have PFS; let's talk about serious applications".
The truth is I did fund Delta Chat, studied it and even contributed to its translation. There is value in Delta Chat, and I am not denying it. But if I have to use an application to secure my communications, Delta Chat is not a valid option for me. Sorry.
---
> Can you link a real-world case where PFS played a role and protected someone from repressive persecution?
PFS protects against the recovery of past communications that were recorded and ultimately decrypted after the attacker gets access to the key material. People able to setup dragnet surveillance are generally working for intelligence services and law enforcement. They don't tend to brag about their methods in the press.
Still, the NSA (Prism) showed to the world that there are nations recording large amount of Internet traffic. Pegasus showed that mobile phone surveillance and key extraction are a thing.
The (almost) general adoption of ephemeral messages shows that the public is aware that when law enforcement forcefully unlocks your phone, you don't want to have your personal conversation lying around. But what about your key material?
Well, if you don't have PFS, law enforcement will get their dirty hands on it... and with that, they will get access to all past conversations that you thought were confidential because you used ephemeral messages.
My point is ephemeral messages are pretty much useless if your adversary recorded your encrypted conversations and you don't have PFS.
So do I have a real-world case where PFS played a role? No.
Do I know real-world cases where ephemeral messages prevented law enforcement from accessing someone's data? Yes.
Do I know real-world cases where traffic was recorded and decrypted on the side thanks to the lack of PFS? Yes. I even worked for a company building surveillance appliances that do that... (not being too proud about that but hey... not having PFS is a serious flaw in my book).
F. Maury ⏚
@delta Good attempt, but I'll resist the urge of adding you to my talk :D Please implement PFS to be a candidate for the next one: https://cfp.pass-the-salt.org/pts2025/talk/7K9MEV/ ;)
Delta Chat
@x_cli two questions:
What does PFS have to do with minimizing metadata?
Can you link a real-world case where PFS played a role and protected someone from repressive persecution?
vic
every time some new super duper secure chat comes out, we find out it was actually the CIA the whole time
Hoss Delgado
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.