As many of you know, we've been looking at messengers for nearly 6 years now, trying to find 'the one'! But while some are better than others and can even be described as great, we cannot come out and say that any one of them is perfect.
So today we're looking at a new entry, one we didn't look at in our 2019 or earlier editions of the Messengers series, 'Secure or Not Too Secure?'
Introducing Delta Chat!
Delta Chat was born out of Merlinux GmbH in Freiburg (Germany). It has clients on desktop Linux (Flathub, Debian/Ubuntu, AUR and AppImage), Mac (Mac App Store or DeltaChat.dmg file) and Windows (Microsoft Store or .exe file).
The desktop client looks very similar to Telegram. Additionally, Delta Chat offers an iOS client and is also in Google Play, the Amazon Appstore and the privacy-friendly F-Droid store on Android. Delta Chat is fully open-source, which is great news as anyone can check the code. I did not find any audit of Delta Chat, which is a bummer, but not necessarily the end of the world. Delta Chat is financed via donations, while OTF and Merlinux also got some funds from NEXTLEAP.
Unlike many other chat services we have reviewed, Delta Chat does not rely on a telephone number or even a username. All you have to do is attach your email address and use Delta Chat as your new email/chat client. Yes, you read that right! Delta Chat uses your existing email structure, SMTP and IMAP, to get and send messages. This all sounds extremely interesting, doesn't it? After all, your email is already in the hands of someone else anyway (e.g. Gmail with Google etc.) ;-).
Delta Chat also supports OAuth2, which means that if your email provider supports OAuth2 you only need to add a security token, but not your actual password, for your email to the client. However, since the client is not an online version, but lives only on your device, this shouldn't be a big issue; after all, most email clients would need your logins anyway.
Delta Chat uses your existing SMTP and IMAP server to send and receive emails/chats. This is all done over E2EE (End-to-End Encryption). Delta Chat uses the OpenPGP standard, so it is a pretty good way to introduce you to using PGP for all your emails. Delta Chat generates all this for you, but if you do own an existing PGP key, you can easily import and use it! Therefore your existing encrypted email partners can just go on and keep sending you encrypted chats/emails.
Sadly there is no PFS (Perfect Forward Secrecy) as in Signal, so you can never be really sure if the other end is actually who they claim to be. However, Delta Chat has a solution for this via QR codes. This is basically like a fingerprint of your device which you should exchange with your chat partner and which, in turn, will also show your chat partner as verified!
If your chat/email partner uses Delta Chat or has a known PGP key, your chats or emails are automatically encrypted. If the other side has no PGP encryption key, then the email will be sent in plain sight, just like any other email you send. However, remember that this looks like Telegram, so it appears as a chat (even though it is an email), so make sure it has the lock locked. Otherwise it's more like an email dressed as an SMS ;)
You can check on existing emails/chats to see if they have been sent encrypted or in plain text; this can be determined by the open or closed lock symbol in the chat.
The good news is that Delta Chat has no centralized servers since, as already explained, it all runs over your existing SMTP/IMAP protocol. Your chat partner has their own SMTP/IMAP protocol and so on. All keys are in your hands and/or on your device only, which means that your email provider cannot read the encrypted emails; however, they do have access to non-encrypted emails/chats!
You can also see in the CC field who received your emails/chats. Another positive aspect is that your contact lists are, just like your key, only on your device!
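What the mail provider can and cannot read in the two cases above, shown as an added example that is not code from Delta Chat or from the original article. It assumes encrypted messages use the PGP/MIME layout from RFC 3156; the function names, sample messages and addresses are constructed for illustration.

```python
from email import message_from_string

# Constructed sample messages (not captured traffic); addresses are placeholders.
PLAIN = """\
From: alice@example.org
To: bob@example.org
Cc: carol@example.org
Content-Type: text/plain; charset=utf-8

Meet at noon?
"""
ENCRYPTED = """\
From: alice@example.org
To: bob@example.org
Cc: carol@example.org
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

(constructed placeholder standing in for the armored ciphertext)
--b1--
"""

def is_pgp_mime_encrypted(msg):
    """True only for the RFC 3156 layout: control part plus ciphertext part."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    proto = str(msg.get_param("protocol", "")).lower()
    parts = msg.get_payload()
    return (proto == "application/pgp-encrypted"
            and isinstance(parts, list) and len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and parts[1].get_content_type() == "application/octet-stream")

def provider_view(raw):
    """What a server storing this message can read without any private key."""
    msg = message_from_string(raw)
    encrypted = is_pgp_mime_encrypted(msg)
    # Ciphertext is opaque to the server, so the readable body is None.
    body = None if encrypted else "\n".join(
        p.get_payload() for p in msg.walk()
        if p.get_content_type() == "text/plain").strip()
    # Addressing headers stay readable either way; the server needs them to deliver.
    headers = {h: msg[h] for h in ("From", "To", "Cc") if msg[h]}
    return {"encrypted": encrypted, "headers": headers, "body": body}
```

Calling provider_view on both samples shows the same From, To and Cc headers in each result, while only the plain message yields a readable body.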
Bear in mind Protonmail or Tutanota do not provide SMTP/IMAP, so you need a provider like mailbox.org or any other privacy respecting email solution to make this work. The Privacy Advocate will cover email providers and self hosting emails in the Privacy Cookbook soon.
Now, as we already mentioned, Delta Chat is available on F-Droid, so if you are an Android user, do not download Delta Chat from the Google Play Store, but use the Google-free solution, F-Droid. Remember, the less metadata you leave behind, the better it is for your privacy. Also worth mentioning is that Delta Chat does not use GCM (Google Cloud Messaging) or APNS (Apple Push Notification Service).
Delta Chat has group chats, which is great, especially these days. Unlike Threema, where you have an administrator who is the only one who can add or remove users, on Delta Chat any user can do that. Yes... in other words, anyone in the group can add or remove anyone else... which is good and bad at the same time. The good news is you do not need to ask anyone to add someone; the bad news is you can add someone who doesn't want to be in the group (I remember on BBM that was a big pain in the...).
On top of this, everyone in the group gets a notification with the email of the added person. So if someone didn't ask to be added and then gets added, everyone in the group now has their email. Not the most privacy-friendly solution. Now think of someone who might even own newsletters and just adds your email.
Call and Video
Sadly this will and can never happen, as it uses your own SMTP/IMAP server and those are text only, so we will never see these options available on Delta Chat.
This is an interesting approach. It is more an email client than it is a chat, but it looks and behaves like a chat, so you can use it both ways. Will it be an easy way to convince your grandmother to use a more secure chat service than she has now? That's probably a hard sell, but it is surely something to keep an eye on.
Let's see where this development takes us in the future.