Delta Chat, a libre decentralized Chat-over-Email End-to-End Encrypted messaging solution

Everyone has individual requirements for a messenger. For one user it is important to reach as many people as possible, while another likes to exchange messages within a group. Yet another attaches importance to encrypted communication or the simplest possible operation. Ultimately, everyone has to decide for themselves which messenger is most likely to meet their own needs – there will never be a universal solution. We should get rid of this wishful thinking and look at the subject of messengers without such emotions.

But we all share a common desire: to avoid walled gardens such as Facebook and Google’s family of apps. We try to avoid these centralized services. Completely peer-to-peer solutions are not yet tenable for multiple reasons.

The best middle ground is a free/libre decentralized solution based on federated infrastructure, as XMPP is.

The principle of federation works differently from centralized services. We know it from everyday life with e-mail. There are countless providers with whom we can open an account. These e-mail servers are networked with each other via a standard open e-mail protocol (SMTP), and it is up to you to whom you send a message. The architecture or the principle of the federation pursues an open approach of collective networking, in which nobody is excluded. Unlike a centralized service, not one provider alone determines the rules of the game. Such a level of power can give fatal ideas to whoever controls or regulates our personal data.

Today, let us discuss one such decentralized encrypted Chat-over-Email solution called Delta Chat. It is not a service but a standalone end-to-end encryption solution based on OpenPGP standards that uses the current standard email infrastructure. So there is no sign-up, and there are no servers hosted by the developers of Delta Chat. They have beautifully designed an application that makes encrypting emails with OpenPGP easy enough for anyone to use. An email account with access to IMAP and SMTP server configuration details [which are configured automatically for most popular services] is all you need. It is also known as Delta Chat Messenger.

Email protocol

Delta Chat Messenger, although a free/libre project, has its origin in Freiburg, Germany and is developed by Merlinux GmbH. As of August 26, the Messenger had over 50,000 installations via the Google Play Store. The app is available free of cost for Android and iOS mobile platforms. In addition to the popular App Stores, Delta Chat is also available in the alternate privacy-friendly F-Droid Store for Android.

As said above, Delta Chat is not a service, nor is Merlinux the provider of a Delta Chat service; it is a standalone solution that works with your current email account. No registration or account creation within the messenger is necessary to use it, only an existing email account with IMAP and SMTP access. Delta Chat uses the existing federated e-mail infrastructure to send and receive chat messages. You do not need a telephone number or access to the address book to use Delta Chat.

At first glance, using the existing e-mail infrastructure has a lot of charm. On closer inspection, however, some disadvantages become visible that can have a negative impact on the privacy and security of the user. This is mostly owing to the email infrastructure and the underlying protocols IMAP and SMTP.

Encryption or Cryptography

Delta Chat relies on end-to-end encryption (E2EE) of the message content to ensure “tap-proof” communication. The messenger uses the decades-old, proven OpenPGP standard for this purpose. When linking an e-mail account, Delta Chat automatically generates the necessary key material (key pairs) during the initial setup and also allows the import of existing keys. The public keys are then exchanged between the participants using Autocrypt, thus enabling E2EE communication. Unfortunately, OpenPGP does not support Perfect Forward Secrecy (PFS). The protection goals of (credible) deniability and lack of consequences can therefore not be implemented.

Those who do not authenticate their counterpart can never really be sure whether they are actually exchanging messages with the desired communication partner or possibly with an unknown third party. For this purpose, Delta Chat offers authentication based on a QR code, which is a kind of fingerprint.
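The Autocrypt key exchange mentioned above travels in an ordinary mail header. The following added example (not code from Delta Chat or from the original article) validates such a header using the attribute names of the Autocrypt Level 1 specification; the message, addresses and key bytes are constructed placeholders.

```python
import base64
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; the keydata is a placeholder, not a real OpenPGP key.
KEY_B64 = base64.b64encode(b"placeholder-public-key").decode()
SAMPLE = (
    "From: Alice <alice@example.org>\n"
    "To: bob@example.net\n"
    "Subject: hi\n"
    "Autocrypt: addr=alice@example.org; prefer-encrypt=mutual; _note=x;\n"
    f" keydata={KEY_B64}\n"
    "\n"
    "hello\n"
)
KNOWN = {"addr", "prefer-encrypt", "keydata"}

def parse_header(value, from_addr):
    """Parse one Autocrypt header value; return its attributes or None if invalid."""
    attrs = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        name = name.strip().lower()
        if not sep or name.startswith("_"):
            continue                        # empty piece or non-critical attribute
        if name not in KNOWN:
            return None                     # unknown critical attribute
        attrs[name] = "".join(val.split())  # remove header-folding whitespace
    if "addr" not in attrs or "keydata" not in attrs:
        return None
    if attrs["addr"].lower() != from_addr:
        return None                         # key announced for a different address
    try:
        attrs["keydata"] = base64.b64decode(attrs["keydata"], validate=True)
    except ValueError:
        return None
    mutual = attrs.get("prefer-encrypt") == "mutual"
    attrs["prefer-encrypt"] = "mutual" if mutual else "nopreference"
    return attrs

def parse_autocrypt(raw_message):
    """Return the sender's key announcement, or None unless exactly one header is valid."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    parsed = [parse_header(h, from_addr) for h in (msg.get_all("Autocrypt") or [])]
    valid = [p for p in parsed if p is not None]
    return valid[0] if len(valid) == 1 else None
```

A header that passes these checks only shows which key the sender's mail announced; it does not authenticate the person, which is what the QR-code verification is for.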

Scanning the QR code ensures that the contact is then displayed as “verified”.

If the recipients of a message also use Delta Chat, the messages are automatically transmitted end-to-end encrypted, as already shown, and displayed as a chat message in the app. However, Delta Chat also allows messages to be sent to e-mail inboxes or contacts who do not use Delta Chat – similar to a conventional e-mail client. If the recipient uses an e-mail client that is not Autocrypt-compatible, messages are sent or received unencrypted or only transport-encrypted. This has the disadvantage that an email provider may be able to see the messages received / sent in this way. You should definitely consider this fact or keep it in mind when using Delta Chat.

Whether E2EE or just transport encryption is used can be checked within the app in an already open or existing chat -> dot menu -> View profile -> dot menu -> Encryption.

Alternatively, the use of E2EE can also be recognized directly in the chat if a small padlock is displayed within the chat bubble of a message. If this lock is missing, however, the message was transmitted unencrypted or only transport encrypted (via TLS).

Federated and Decentralized

In contrast to most messengers, the communication or exchange of messages does not take place via central servers. Delta Chat is based on the existing e-mail infrastructure and can therefore do without its own server. The use of Delta Chat therefore only requires an existing e-mail inbox, which must be linked to Delta Chat. Users are completely free to decide with which e-mail provider to open an account (as long as it supports IMAP) and can then use that account in combination with Delta Chat. In contrast to a centralized service like WhatsApp, Telegram and Co., it is not one provider alone that determines the rules of the game. The architecture or the principle of the federation pursues an open approach of collective networking, in which nobody is excluded.

Tip: A provider database can be used to find out whether Delta Chat is compatible with the email provider currently in use.

Metadata

Delta Chat is a messenger that is based on the federated e-mail infrastructure – with all the advantages and disadvantages:

  • Messages: The messages sent / received are not visible to the Delta Chat developers, but are stored (end-to-end encrypted) by the users’ respective email providers. The key material (for encryption and decryption) is on the end devices of the Delta Chat users. Ideally, the messages cannot be viewed by third parties.
  • Who, with whom, when and where: Each e-mail server can use the To and CC fields to find out who is sending a message to whom, and which e-mail addresses are part of a group. Delta Chat is therefore not a suitable solution for users who want to avoid metadata as much as possible. The reason for this is that the SMTP protocol is used to send (Delta Chat) messages between e-mail servers – this has its origins in 1982.
  • Contact lists: With Delta Chat, these are only managed or stored on the device.
  • Key material: The key pair (required for E2EE) is generated locally on the user’s device. The private key remains exclusively on the device and is not transmitted.

To avoid metadata, it is also important that Delta Chat can be operated completely independently of Google. Delta Chat can be obtained via F-Droid independently of the Google Play Store. Delta Chat also does without push services such as Google Cloud Messaging (GCM) or Apple Push Notification Services (APNS).

When creating a Delta Chat group with several participants, I made an observation that data-protection-sensitive users should not like and that again has little to do with avoiding metadata. Basically, every Delta Chat user can create a chat group and add or remove group members there. The problem: Every time someone adds or removes members from a group, this is indicated by email. For participants who suddenly and involuntarily end up in a Delta Chat group, this can have unpleasant consequences – not everyone wants their e-mail address to be publicly visible. Think of an e-mail newsletter in which every participant is suddenly signaled which new participants (e-mail address) have joined or are leaving the newsletter.

Again, this is less due to Delta Chat itself than to the email protocol. Even without the message that Delta Chat sends when adding / removing members, you can, for example, evaluate the e-mail header via e-mail clients and find out which e-mail addresses are part of the group.
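To make the metadata point and the padlock check concrete, here is an added example (not part of the original article or of Delta Chat) that reads two constructed messages the way a mail server storing them could: the participants come from the From, To and Cc headers, and end-to-end encryption is recognized by the OpenPGP/MIME `multipart/encrypted` content type. All addresses, dates and bodies are made up.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: an OpenPGP/MIME encrypted group message as stored on a server.
ENCRYPTED = """\
From: alice@example.org
To: bob@example.net, carol@example.com
Cc: dave@example.org
Date: Wed, 26 Aug 2020 10:15:00 +0200
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Constructed sample: the same sender writing to a contact without Autocrypt.
PLAIN = """\
From: alice@example.org
To: erin@example.net
Date: Wed, 26 Aug 2020 10:20:00 +0200
Content-Type: text/plain

Meet at 6
"""

def provider_view(raw_message):
    """Return what is readable without any key: participants, time, and maybe the body."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    participants = sorted({addr.lower() for _, addr in getaddresses(fields) if addr})
    e2ee = (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")
    return {
        "participants": participants,      # visible even when the body is encrypted
        "date": msg["Date"],
        "end_to_end_encrypted": e2ee,
        "readable_body": None if e2ee else msg.get_payload(),
    }
```

For the encrypted message the body is hidden but all four group addresses and the timestamp are still returned; for the plain message the text itself is returned as well.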

Identifier

Delta Chat uses existing email addresses as an identifier. By default, no address book data (such as telephone number) are read out or transmitted to external servers, as is the case with messengers such as WhatsApp and Co. In contrast to many other messengers, Delta Chat enables an identifier that is not linked to the telephone number. A welcome exception.

Open source transparency

The source code of Delta Chat is open (GPLv3 license) and can therefore be viewed by everyone. As a result, an independent review of security is basically possible. This openness is an essential step towards more transparency in the application and thus ensures trust. As far as I know, no security audit has been carried out to date – it is therefore not easy to make a statement about the actual security of Delta Chat.

The development of Delta Chat is currently financed through donations and funding from the Open Technology Fund. However, Merlinux GmbH has also already received funding from the EU project NEXTLEAP. No further funding has yet been determined for the end of 2020/2021.

Interesting facts

A few points worth knowing that Delta Chat offers are summarized below:

  • Desktop version: Users can synchronize their chats across multiple devices (multiclient) – corresponding clients for the desktop (Windows, macOS and GNU/Linux) and smartphone (Android, iOS) are available.
  • OAuth2 support: If your e-mail provider supports OAuth2, only an access token (but not the e-mail account password) is saved on the device.
  • HTML e-mails: Basically, Delta Chat is comparable to a conventional e-mail client. You can not only receive and view Delta Chat messages, but also “normal” emails. HTML e-mails are then converted into text e-mails and only displayed as text in the app.

Pros and Cons of using Delta Chat

Pros:

  • End-to-end encryption for chats is active by default (if Delta Chat or Autocrypt-compatible e-mail clients are used)
  • Delta Chat can be used without linking a telephone number
  • Use of an email address as an identifier
  • The client is open source and the source code can be viewed
  • Can also be used on Google-free or deGoogled smartphones
  • Does not use the Google or Apple infrastructure for push notification
  • Can be used completely without a Google account or proprietary Google libraries
  • No user tracker integrated
  • Delta Chat itself does not collect or store any metadata (no address book upload, etc.)
  • Local backups possible – unfortunately not protected by encryption

Cons:

  • Due to the e-mail infrastructure used, some metadata is generated (who communicated with whom and when)
  • No audio or video telephony (cannot work via the e-mail infrastructure)
  • In group chats, every participant is notified when e-mail addresses (participants) are added or removed
  • If my counterpart does not use Delta Chat or an Autocrypt-compatible e-mail client, in the “worst case” the message will be routed via e-mail servers that do not speak TLS to one another. Ergo: The message is sent as a readable »postcard«
  • No security audit so far
  • Neither deniability nor lack of consequences (perfect forward secrecy) can be achieved with OpenPGP as protection goals
  • In my opinion, the e-mail infrastructure (push IMAP etc.) is not suitable for sending or receiving short messages

Conclusion

Delta Chat can be used by anyone with an email address. The messages are then simply sent to the recipient’s email address. If the recipient also uses Delta Chat, the message is displayed within the app – if this is not the case, the message ends up in the recipient’s email inbox. This approach solves a common problem: it is not necessary to use the same messenger. Delta Chat could therefore be called an interoperable messenger, where anyone can communicate with anyone.

Overall, Delta Chat takes an exciting approach and is particularly suitable for those who do not want to give out their telephone number, but at the same time want to keep open the possibility of reaching as many contacts as possible via a messenger. However, this openness comes with a price: sometimes there is no guarantee that messages sent are end-to-end encrypted. The weaknesses of the e-mail infrastructure used are also visible in the metadata. Using the To and CC fields of the e-mail header, it is comparatively easy to find out who communicated with whom and when.

No question about it, using the existing e-mail infrastructure has a lot of charm. Everyone has to decide for themselves whether the advantages outweigh the disadvantages. Overall, Delta Chat is a decent messenger, or rather a standalone encrypted messaging solution, that is based on the federated e-mail infrastructure used and accepted worldwide.
