Is Delta Chat any good?

It seems like a neat concept to me, but I don’t have much knowledge of it.

I’m referring to this for the record.

Thanks in advance!

I see it as an email client… but it requires both to have the same app, and it just looks more like a modern chat like Discord (that’s what I see).

In 2013, the Snowden leaks showed everybody how insecure e-mails are. Even if you encrypt your e-mails using OpenPGP, they contain lots of unencrypted metadata.

Delta Chat takes e-mails, adds some automatic encryption and marketing lingo, but doesn’t change anything about issues with metadata of e-mails. The encryption of Delta Chat is based on Autocrypt Level 1, a document developed by a small team. It is currently only fully supported by Delta Chat itself.

Relevant quotes from

Delta Chat implements the Autocrypt Level 1 standard and can thus E2E-encrypt messages with other Autocrypt-capable apps.

Delta Chat apps (and other Autocrypt-compatible e-mail apps) share the keys required for end-to-end-encryption automatically as the first messages are sent. After this, all subsequent messages are encrypted end-to-end automatically. If one of the chat partners uses a non-Autocrypt e-mail app, subsequent messages are not encrypted until an Autocrypt-compliant app is available again.

If you want to turn off the end-to-end-encryption, use the corresponding setting in “Settings / Advanced settings”.

If end-to-end-encryption is not available, is the connection not encrypted at all?

No. With most mail servers will then use transport encryption (TLS).

So there is some automagic encryption based on a standard that is only fully supported by Delta Chat. Encryption isn’t obligatory and can be disabled, and if something fails you have to rely on transport encryption – which is out-of-scope of the application and hard to check.

Relevant quotes from

[…] Autocrypt Level 1 only defends against passive data collection attacks.

Protection against active adversaries (those which modify messages in transit) is the aim of future specifications.

Level 1 focuses on the use of Autocrypt on a single device. Users get rudimentary support on using Autocrypt on more than one device or mail app.

Then, there are some SHOULD recommendations in this document regarding metadata. So most metadata is likely still exposed (and can’t be hidden by design) while the threat model of using Delta Chat/Autocrypt is not clear. It seems to be some form of automatic OpenPGP setup.
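Added example, not part of any post in this thread and not Delta Chat's code: a constructed PGP/MIME message without header protection, showing which outer headers every mail relay can still read and how the Autocrypt header that carries the sender's key is checked. The addresses, subject, keydata and function names are assumptions, and the header checks are a simplified reading of the Autocrypt Level 1 rules.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: addresses, subject and keydata are placeholders, not a real key.
RAW = """\
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Date: Tue, 05 Mar 2019 10:00:00 +0000
Message-ID: <abc123@example.org>
Subject: Dinner on Friday?
Autocrypt: addr=alice@example.org; prefer-encrypt=mutual; keydata=Q09OU1RSVUNURUQ=
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"

--b
Content-Type: application/pgp-encrypted

Version: 1
--b
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed ciphertext placeholder)
-----END PGP MESSAGE-----
--b--
"""
KNOWN = {"addr", "prefer-encrypt", "keydata"}

def parse_autocrypt(msg):
    """Return the attributes of the message's Autocrypt header, or None if unusable."""
    headers = msg.get_all("Autocrypt", [])
    if len(headers) != 1:  # simplification: zero or several headers means no key
        return None
    attrs = {}
    for part in headers[0].split(";"):
        name, sep, value = part.partition("=")
        if sep:
            attrs[name.strip()] = "".join(value.split())  # drop folding whitespace
    critical = {k for k in attrs if not k.startswith("_")}  # "_x" attributes are ignorable
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not critical <= KNOWN or "keydata" not in attrs or attrs.get("addr", "").lower() != sender:
        return None  # unknown critical attribute, no key, or addr does not match From
    return attrs

def cleartext_headers(msg):
    """Outer headers, readable by every relay even though the body is encrypted."""
    return {name: " ".join(value.split()) for name, value in msg.items()}

MSG = message_from_string(RAW)
```

Calling `cleartext_headers(MSG)` returns sender, recipient, date, message ID and subject in the clear, while only the `multipart/encrypted` body is protected.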

Well shucks. Guess it isn’t that secure.
Still, I like the idea of an instant message email. But then again, there’s Discord/Wire/Riot.

Thanks for the reply!