Post · bonfire.cafe

Post

Don't believe those who loudly claim email can not avoid metadata! They are ignorant of our continuous works on minimizing metadata:

DONE:

- no phone number other identifying data needed
- no cleartext "Subject"
- no cleartext "To"
- randomized "Date"
- no IP addresses
- group/avatar/attachment/etc metadata only contained in encrypted message parts

Upcoming:

- servers to never see cryptographic ID metadata
- remove "threading" and auxilliary headers
- experiment with Sealed Sender

RE: https://chaos.social/@delta/115842446685941927

extreme coping because of https://gpg.fail and @soatok's blog post lol

Delta Chat

@delta@chaos.social replied · 3 weeks ago

@16af93 @soatok why do you say coping?

If in 2026 you make generic claims against the feasibility of using #email and #openpgp for secure decentralized messaging, there hardly is a way around taking a deeper look at RFC9850 and RFC9788 and the minimalist Rust-based approach https://chatmail.at takes. Hammering away at gpg and other crimes of how email-encryption doesnt work well ... frankly does not cut it for making a generic "it can not work" claim. See also https://chaos.social/@delta/115796626066185436

Soatok Dreamseeker

@soatok@furry.engineer replied · 3 weeks ago

@delta @16af93 My blog post was about encrypting emails.

People generally use OpenPGP because they want to encrypt emails, so the topics intersect a lot, but it was about the challenges one faces when trying to use encryption with their mail client software.

If that's not what your team is doing, then the post doesn't apply to you, so there's no need to subtoot about it.

Delta Chat

@delta@chaos.social replied · 3 weeks ago

@soatok @16af93 are you are aware that chatmail.at is about openpgp-encrypted email, on a technical protocol and IETF specs level?

Soatok Dreamseeker

@soatok@furry.engineer replied · 3 weeks ago

@delta @16af93 Do you want me to look at it?

Because this is how you get 0days dropped publicly if I look at it

Delta Chat

@delta@chaos.social replied · 3 weeks ago

@soatok @16af93

we welcome scrutiny but prefer co-ordinated security-disclosure via

https://github.com/rpgp/rpgp/security/advisories/new and

https://github.com/chatmail/core/security/advisories/new

We'd be surprised if you find a "0day" exploit against standard #deltachat users but certainly prefer you finding something than eg putin/khomeini-aligned hackers.

Soatok Dreamseeker

@soatok@furry.engineer replied · 3 weeks ago

@delta @16af93 My rules of engagement are simple:

If I'm to look at something, I get to do whatever I want with whatever I find. And that means the developers find out when the rest of the world does.

Otherwise, don't bother me.

1 more replies (not shown)

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.2-alpha.2 no JS en

Automatic federation enabled