Post AzsVK3suvsLNtDWl8a by lexinova@mas.to
(DIR) Post #AzpnddzI8uTV3z7HDU by delta@chaos.social
2025-11-02T12:01:15Z
0 likes, 0 repeats
@darkcat09 @shuro we are working on randomizing onboarding to the growing set of chatmail relays. See also https://chaos.social/@delta/115362144863345662
(DIR) Post #AzpnfFvsY9AB2MHxmS by jae@darkdork.dev
2025-11-02T12:07:42.318616Z
1 likes, 0 repeats
@delta @darkcat09 @shuro excited to see it. I've got some ideas on this too.
(DIR) Post #AzsKkUFCS71ffvLcn2 by delta@chaos.social
2025-11-02T09:28:14Z
1 likes, 0 repeats
We hereby challenge _all_ other messaging apps, FOSS or not, to provide a more convenient private onboarding experience than #deltachat
1. Install app
2. "Create new profile"
3. Enter nick name, tap "Agree and continue"
4. Tap "+" and "new contact" and provide/scan qr code/link
Voila! A secure private chat, familiar to those coming from Whatsapp or Telegram (without "AI", with #a11y).
Note: chat identities are private and can not be queried or discovered. Servers keep no track or metadata
(DIR) Post #AzsVK3suvsLNtDWl8a by lexinova@mas.to
2025-11-02T11:21:00Z
0 likes, 0 repeats
@delta I would use you ... if you had Perfect Forward Secrecy. Until then don't expect me to use or recommend your app
(DIR) Post #AzsVK4lVeu0qcX4MEK by adbenitez@mastodon.social
2025-11-02T14:57:43Z
0 likes, 0 repeats
@lexinova you don't need perfect forward secrecy... first of all, it is useless if you don't use short-term disappearing messages, second, it is useful if you can have only a single profile like on Signal, where you mix sending memes to your mom with planning a government boycott in the same account, any serious activist will use a dedicated profile they can just throw away, together with all its suspicious chats, this is super easy to do in Delta Chat, impossible with Signal @delta
(DIR) Post #AzsVK5ZUf3zl7YSH8i by adbenitez@mastodon.social
2025-11-02T15:02:55Z
0 likes, 0 repeats
@lexinova (and by "you don't need" I mean this shouldn't be the reason for you to not use Delta Chat, PFS is appealing on paper but hardly ever useful in practice, more in chats with family and friends where you want to keep chat history, not everything to disappear)
(DIR) Post #AzsVK6LLn8HBVyqUjY by lexinova@mas.to
2025-11-02T15:19:27Z
0 likes, 0 repeats
@adbenitez It's not because YOU want chat history that everyone wants it. Me and my family all use 1 week auto deletion. If we need something we save it ....
(DIR) Post #AzsVK6aEtmBaG9oNwO by adbenitez@mastodon.social
2025-11-02T15:26:32Z
0 likes, 0 repeats
@lexinova glad you have such a privacy conscious family, most people don't want to put the efforts of saving every family photo or important message in Saved Messages, and then you are not protecting those with PFS anyways
also, for PFS to work your enemy needs to control or have access to the server you use, which is easier with a centralized server but not so much with decentralized platforms like Delta Chat, can you point out when PFS saved anyone? never
(DIR) Post #AzsVK6yLS9T5Sv5dVw by lexinova@mas.to
2025-11-02T15:31:41Z
0 likes, 0 repeats
@adbenitez never say never, and again because you don't need it does not mean it's not good. Also you put a little too much trust on the operator of your decentralized server or the one that relays it. Operator can go rogue, or the server can be seized and run (many federal agencies through the world take over and run the server to catch as much as possible). But what do I know, I'm only a CISO after all
(DIR) Post #AzsVK7EIUqEEGOYNNY by adbenitez@mastodon.social
2025-11-02T15:38:28Z
0 likes, 0 repeats
@lexinova I didn't say it is not good to have, I say it is not a reason for you to upfront reject any solution if it doesn't have the typical fusswords out of context
about the operator of the relay I use, yes, I trust him, it is MYSELF, I don't need to trust a 3rd party...
if I would need to do some dangerous business I would create a new account which takes 3 taps and use that then easily delete it with all its chats and contacts, you never replied to this point of using multi-account, well
(DIR) Post #AzsVK7imfUcBmwoitk by lexinova@mas.to
2025-11-02T15:40:40Z
0 likes, 0 repeats
@adbenitez No self deleting message and PFS, also protect from the crap of a phone many contacts have by making sure it's deleted after a time, and not breakable later on with PFS, so your example fails both things I'm protected from with autodeleted message + PFS
But I will stop to answer as you don't understand that your threat model cannot work on everyone
(DIR) Post #AzsVK81vWJvYkJm0jg by adbenitez@mastodon.social
2025-11-02T15:43:59Z
0 likes, 0 repeats
@lexinova ok, thanks for replying so far, I am left pondering what your threat model actually is
(DIR) Post #AzsVK8X7eKsgJ4MvMO by lexinova@mas.to
2025-11-02T15:46:14Z
0 likes, 0 repeats
@adbenitez you can resume it in one sentence: "if it does not break it secure it", so if it does not hinder the convenience of normal people and does not prevent the system to work it must be added. And for why the answer is simple, I was born and lived in the Russian Federation before coming to EU freedom so security and privacy is non negotiable for me.
(DIR) Post #AzsVK8iSy9xGsFfz2e by feld@friedcheese.us
2025-11-02T20:41:45.956839Z
0 likes, 0 repeats
@lexinova @adbenitez how is anyone in Russia going to get your key though
(DIR) Post #AzsVK9Df6AuOR0GtfM by lexinova@mas.to
2025-11-02T20:51:52Z
0 likes, 0 repeats
@feld @adbenitez since I don't talk to people in Russia anymore it's not a major problem 😅
(DIR) Post #AzsVK9MAaXiKrOFgvY by feld@friedcheese.us
2025-11-02T21:02:47.071928Z
0 likes, 0 repeats
@lexinova @adbenitez even if you had a state level attacker coming after you they're more likely to compromise the software supply chain and backdoor your virtual keyboard or be able to screenshot and exfiltrate without you knowing. Then they don't need your key anyway because capturing the traffic is so much harder
With delta, your client to server is TLS 1.3 with PFS anyway so they gotta break that first
(DIR) Post #AzsVK9lL4xqa7S1n9s by lexinova@mas.to
2025-11-02T21:05:51Z
0 likes, 0 repeats
@feld @adbenitez was not thinking of state attack, just that many unknowns are generated through email relay
that means (for example) if half the users use relays that run on AWS, Amazon can theoretically shadow copy them, crack them, no PFS = everything is cooked
again it's a threat I took out of my pocket and I'm pretty sure PFS also protects against other kinds of attack I didn't think of.
(DIR) Post #AzsVKA3lyQan2ceVtI by feld@friedcheese.us
2025-11-02T21:07:29.070396Z
0 likes, 0 repeats
@lexinova @adbenitez I will gladly give anyone my encrypted at rest messages. I publicly posted my keepass database too. Good luck cracking it, see you in 100 years 😊
(DIR) Post #AzsVKALqtD3Pwh6x4S by lexinova@mas.to
2025-11-02T21:14:43Z
0 likes, 0 repeats
@feld @adbenitez or in a week if in 2 days we find a flaw or bug in how KeePass handles something, that made it easy to guess
Never think your encryption is flawless or you might be cooked if some flaw like this appears.
(DIR) Post #AzsVKAgPelV6ySjN7Q by feld@friedcheese.us
2025-11-03T18:58:40.379517Z
0 likes, 0 repeats
@lexinova @adbenitez if some flaw like that appears, it's not me that's cooked -- it's the entire internet, corporations, governments... encryption HAS to withstand being in the hands of an adversary. Otherwise what good is full disk encryption? If they have their hands on your disk and you really think that it could get cracked in a week or a year, why waste your time? It would be better to just take extreme caution to physically protect access to it.
I trust the math. And I also don't have any faith at all in quantum CPUs. Until I can order one and it does EXACTLY what they claim it can do, it's a fantasy. I say this all the time: the quantum CPU is the new cold fusion.
(DIR) Post #AzsVKBEnav0Sh6opiS by lexinova@mas.to
2025-11-03T18:59:34Z
0 likes, 0 repeats
@feld @adbenitez not really, already happened in the past, never blindly trust encryption (even more if only one is done), and never trust the network. It's security 101
(DIR) Post #AzsVKBSGmpmXMt7aiG by phnt@fluffytail.org
2025-11-03T19:26:03.762598Z
0 likes, 1 repeats
@lexinova @feld @adbenitez Look at it this way, if AES-256 wasn't random enough, banks wouldn't use it to secure connections your TLS sessions and likely communications between them. There are known attacks against AES-128 which leak information in a few rounds and are very far from working at full 10 rounds. They don't completely break the encryption. There are known attacks against ChaCha20 which leak information at ~6 rounds, far from the full 20 rounds. The reason why you can blindly trust modern-enough encryption is because it is known how hard the math problems are. Same with large primes (like in RSA) and EC cryptography. It is approximately known how difficult the discrete log problems are. And the reason why some people are freaking out about quantum computers is because there are known algorithms that can potentially break RSA far quicker than regular computers and cut security of AES by half at best. But quantum computers capable of running those algorithms are at best 5+ years from even potentially existing at best. If they will ever exist, nobody knows yet.
(DIR) Post #AzsWITewESyBCdnUQK by feld@friedcheese.us
2025-11-03T19:32:13.343432Z
1 likes, 0 repeats
@phnt @lexinova @adbenitez
> And the reason why some people are freaking out about quantum computers is because there are known algorithms that can potentially break RSA far quicker than regular computers and cut security of AES by half at best.
but ONLY if quantum computing can leave the "theory" stage and we can produce a real CPU with enough qubits to do the work and store the state duplicated across enough other qubits for error correction purposes. And keep them in the state we want. Which will require extremely clean and reliable power.
> New research: RSA-2048 encryption keys can be broken with single qubit and 3 oscillators. The catch? You’ll need about 10 followed by 45 million zeros joules of energy—roughly comparable to several medium-sized stars, or 10^44,999,986 Hiroshima bombs. Good luck! https://arxiv.org/pdf/2412.13164
And people think AI is a waste of fucking energy? I'm not holding my breath.
(DIR) Post #B0AWo11k4nNcGQMGWG by delta@chaos.social
2025-11-02T16:10:22Z
0 likes, 0 repeats
@lexinova @upofadown FWIW there are some non-electron clients https://chatmail.at/clients and an upcoming post about an experimental Tauri one. The current #deltachat desktop electron-based client tries to both size-bloat/ram wise do better, and also e.g. bars the frontend rendering process from doing any Internet connections which are purely done via the Rust core library, for all #chatmail clients.
(DIR) Post #B0AWqmFTTkyBIX69AG by d1@autistics.life
2025-11-02T09:37:50Z
1 likes, 0 repeats
@delta I agree, #Deltachat is awesome for superfast account creation, then sharing the account by QR code. No password set or stored, no phone number or email given, no password manager grumbled about necessitating