Notices by Delta Chat (delta@chaos.social)

#deltachat is secure against server-side group membership changes but for a very different reason than #signal which keeps encrypted group membership data in a central store.

Delta Chat has _no_ central store but implements a rigidly tested #p2p group membership model where servers play no role https://github.com/chatmail/models/tree/main/group-membership

Both signal and delta chat are safe against recently published attacks against #whatsapp that can add members to chats, breaking end to end encryption. https://arstechnica.com/security/2025/05/whatsapp-provides-no-cryptographic-management-for-group-messages

Tomorrow our ten day #DIFF gathering in Freiburg in the black forest starts. Around 40 people from various projects, contexts and countries are joining ... And would you believe it? There is no date/clock scheduling to speak of, no hour slots etc

On Friday the 13th we might do live streaming sessions with talks and demos but the focus generally is on in-person hanging out and work, in a relaxed manner. Its still possible to join if you are of the spontaneous kind https://delta.chat/en/2025-05-12-diff-invitation

@david_chisnall for.this character limit issue alone we are also considering moving instances. its a weird artifact ... nobody is forced to follow profiles that post longer things, and also the fediverse user interface can hide it behind a "show more" button. there is no real problem today that warrants a 500 char limits (and don't get us started on blue sky's limit of.300 chars)

@ParetoOptimalDev @arianvp
SimpleX Chat uses APNS too:
https://github.com/simplex-chat/simplexmq/blob/stable/protocol/push-notifications.md

@pekka @feld @arianvp @ParetoOptimalDev Feld was right even if a bit brief: The push notification message does not contain any content and purely serves to wake up the delta app on your device which then fetches the message from the email server without google/apple knowing about even which server you are using.

Since June 1st there is a big sudden surge of new Delta Chat users and so far things are going pretty smooth. We are happy that our #chatmail infrastructure is holding up and that there is growing recognition that #deltachat is a ready-to-use and resilient chat solution. Some stats from the last days, a brief discussion of centralization risks and what we plan to do about it, also introducing a brand-new chatmail OpenCollective with a european fiscal host.

https://delta.chat/en/2025-06-04-surge-donations

our friends over at @rpgp just published a monster milestone, humbly tagged 0.16 😍 with

- streaming decryption and encryption

- post-quantum-cryptography

- API streamlining.

#rPGP is a full Rust implementation of #openpgp which counts among the fastest and most compliant implementations today, and includes security audits. Note: #deltachat uses a restricted subset of OpenPGP, and follows best practices (eg using the same ed25519 keys implementation as #signal) https://github.com/rpgp/rpgp/

By design, end-to-end-encrypting #deltachat and #webxdc apps only need ephemeral transport. It's a big deal. Let's compare:

- #matrix home servers maintain a cryptographic forever-chain of cleartext social-graph metadata.

- #WhatsApp servers maintain cleartext metadata visible to Meta.

- #Signal keeps encrypted metadata, hosted at GAFAM

#chatmail relays do not persist any social graph state, also not in encrypted form. A key goal of our designs: chatmail operators can sleep well at night :)

@Irishmasms @Dendrobatus_Azureus verification takes place between cryptographic identities. https://securejoin.readthedocs.io/en/latest/

The last two days saw the number of push notifications spike. Sometimes 80K Google Play push notifications happened per hour, while the baseline was more around 10-20K. These spikes probably indicate Internet availability. #deltachat is offline-first: you can write messages and attach media, create groups, use #webxdc apps, setup a second device etc. all without any Internet. Once it returns queued messages are sent out and cause push notifications. #OfflineFirst is crucial for resiliency.

#deltachat Desktop can now run on #Firefox and Safari, entirely avoiding #Electron and Chromium! It's an intended side-effect of the "porting Desktop to #Tauri" effort led by @treefit which aims to provide a non-Electron packaged version of the Desktop. Here is a video and deep dive into what's working on regular browsers now, and what's missing for a full Web version: https://delta.chat/en/2025-05-22-browser-edition

@x_cli two questions:

What does PFS have to do with minimizing metadata?

Can you link a real-world case where PFS played a role and protected someone from repressive persecution?

Transparency report: #deltachat gave out data for the following number of users in the last years: 0, nada, zilch.

granted, it helps to not have data to begin with :)

#Telegram is the exact opposite: they have _all_ the data about users, message histories, contacts, group and channel memberships, phone numbers, media files, bot interactions etc .... all in the clear on their central server, ready to be grabbed.
https://www.404media.co/telegram-gave-authorities-data-on-more-than-20-000-users/

It had to happen: in-chat multi-player #Quake III Arena #webxdc app, running over @n0iroh and using the fine work of https://ioquake3.org/ folks. Quake3 app is 1.2MB but you need to download once a game file of ~50 MB. It's only one level.

Realtime-P2P-networked multiplayer gaming arranged through securely end-to-end encrypted email, from a group chat!

Both Quake3's in-game chat as well as game play messages have forward-secrecy. What a weird future, eh? :)

https://webxdc.org/apps/#wofwca-quake3

In the bottom left corner of Germany, we are staging a cross-community gathering called "DIFF" during June 7-17th. See our invitation video and blog post. It's probably the best opportunity so far to become part of what is happening behind the scenes ;)

https://delta.chat/en/2025-05-12-diff-invitation

We increasingly hear about China travellers who use #deltachat successfully where Whatsapp and Signal fail to work. Recently a family onboarded including a 85 old mother, to prepare for China travel. Everbody succeeded, no troubles!

#deltachat is all about resiliency and "just works" user experiences. Despite ongoing and prospective network blocking attempts, our apps manage to mitigate and remain working everywhere. Meanwhile we are preparing some next level resiliency/security features ;)

@fastfinge @clv0 @pixelate No, Delta does not need a central server. One can use any #chatmail or classic e-mail server. Moreover, there is a P2P-system in-built, see https://delta.chat/en/2024-11-20-webxdc-realtime

Last week four new #chatmail relays popped up from four different continents from four different entities.
Permission-free interoperability based on #cryptography ... That's how we like it and how it generally is with the email system: separation of transport and apps. App developers can't access messages, and relay operators can not break e2ee encryption. Fwiw May 14th there is another round at a #Moscow court where our lawyers will convey this impossibility for #deltachat to hand over data.

Many larger FOSS projects publish team profiles with titles and roles, presidents and heads, and leads of this and that.

Does a FOSS community need that to thrive and deliver?

We work in in public: Git repositories, PR flows, conference talks and sessions, support forum discussions, blogs and fediverse posts.

There are also many private invite-only contributor group chats, invisible to attackers, where people typically have met in person and know each other.
No kings or votes ;)

Some of you may remember posts where we talk about #deltachat being hardened to work under bad and adverserial network conditions where other messengers fail. Examples were Georgia, Russia and Iran at the time. But hardened network handling can be useful also during non-political turmoil like currently in Spain where there are some reports that DC messages get through where WhatsApp failed .... https://sonomu.club/@icaria36/114417052677227592

In any case, wishing all the people in Spain and Portugal quick recovery!