Delta Chat is a decentralized and secure messenger app
43 comments
June 21, 2025
HelloUsername
Previous discussions:
05-mar-2025 https://news.ycombinator.com/item?id=43262510 100 comments
24-jan-2021 https://news.ycombinator.com/item?id=25893626 148 comments
07-jan-2021 https://news.ycombinator.com/item?id=25674894 4 comments
27-feb-2019 https://news.ycombinator.com/item?id=19263357 11 comments
21-feb-2019 https://news.ycombinator.com/item?id=19216827 56 comments
03-feb-2017 https://news.ycombinator.com/item?id=13560279 1 comment
data_maan
Great source of info.
I wonder why this was downvoted
shark_laser
Why not 0xchat?
Private key login, encrypted private chats and contacts, encrypted group chats, and lightning payments. Decentralised, built on Nostr. Available on all platforms.
rpdillon
I think the point here is that everyone has email. A chat client built on Nostr is fine (and I want to love Nostr), but it just doesn't have the reach or ubiquity of email.
lxgr
Nor does Delta. Nobody will “chat” with me via their Gmail email focused UI, so it’s effectively a separate network anyway.
Using an email address as an identifier for IM is a great idea (I hate that everything uses phone numbers for this, which are not internationally portable and not possible to reasonably “self-custody” the way TLDs are).
But using the actual email protocol as a backing protocol for instant messaging seems like a weird contortion and still makes this effectively a separate protocol, the split being servers that do and don’t support all necessary extensions. The overhead must also be staggering; just look at an email header to see how much is going on for each message these days.
AJ007
When you start looking at alternative messengers outside of Matrix, XMPP, and IRC, there isn't much where third parties can operate or implement both servers and clients.
Certainly if no one can implement these two things it is functionally a closed source project. It also is a security failure from the standpoint of control, validation, and also future security and vulnerability patching (there's a graveyard of dead "secure" messaging apps.)
Is DeltaChat perfect from a security standpoint? No, but it's certainly well above the hurdle most people are at now. Most people are using non-encrypted communication that is actively scanned & stored, or e2e on paper stuff where one party controls the client, server, application, and storage (trust me e2e security.)
Telegram, Discord, Facebook Messenger, stop using that shit.
data_maan
0xchat on the surface seems better: looks like a professionally maintained codebase, with clear ways to interact with the devs.
But - has a security audit been done?
sixtiethutopia
It's email-compatible and uses pgp for encryption. No forward secrecy and supports sending unencrypted messages as well for people who don't have pgp.
No forward secrecy and will automatically switch to unencrypted messages if you receive an unencrypted message from a contact.
I wonder if it's vulnerable to downgrade attacks from adversaries falsifying the sending address. If an adversary sends an unencrypted email imitating a contact will delta chat reject it or will it silently switch the chat with that contact over to unencrypted email?
folmar
The way to have guaranteed encryption is creating a two-user encrypted group chat.
https://delta.chat/en/help#how-can-i-ensure-message-end-to-e...
deknos
did you look into their spec? perhaps they used the updated openpgp standard which has authenticated encryption. or perhaps they just sign everything.
and it's not just pgp with email, it's more akin to an overlay system.
b0a04gl
this completely sidesteps the infra bootstrapping phase. there's no need for new servers, federation drama or client network lock-in. every user already has a compatible backend = imap + smtp. that shifts the challenge from adoption to UX. that's a very rare position for a comms tool to be in. this's refreshing to me personally, would love to contribute to the mission
lclc
Has anyone used that with their Protonmail account?
Maybe something Proton should build on for its own chat app.
kseistrup
DeltaChat is incompatible with ProtonMail:
blancotech
Anyone else immediately think of delta airlines? I was excited to read an analysis of a seat-to-seat chat implementation
seydor
seat29@flight7822.delta.com slaps seat34@flight7822.delta.com with a large trout :: stop snoring
Bluestein
Like those gaggles of girls chatting each other up while walking shoulder-to-shoulder down the street.-
seydor
this is my favourite version of decentralization. building on existing widely available infrastructure. The war-proof internet.
Maybe with AI there could be a sort of decentralized antispam filtering. but maybe not
fouronnes3
I'm curious how spam protection works if you're an alternative, few users, chat app? I hate Meta's monopoly as much as the next guy but one thing you do have to credit them for is the second to none spam protection. I also wonder how much requiring a cell number is part of that strategy.
msgodel
It's just email and gpg so you'll get the same spam you do normally.
IMO people freak out about spam way too much. I'd rather have something that works with occasional spam than have to put up with the insanity of modern IM. Having push notifications from 10 proprietary IM apps is worse spam than a couple of emails a day from some retard trying to get me to download a "pdf." I don't block spam at all in my personal email (although I have a couple of tools automatically label it.) I'd rather have everything delivered.
em-bee
i run my own email server, using a spam filter i set up years ago without explicit blocking (only tagging and filtering) and didn't touch it since. the amount of spam i get is negligible. a few false positives, but nothing serious. in fact it's so little i could probably just leave all the spam in the inbox. it is tagged as spam anyways.
immibis
I have my own email server with a wildcard address (I still use gmail for anything that's actually important). I put certain addresses in shady forms a few times. I get a couple of spam messages per day to those addresses - always the same few spam campaigns. One is offering to sell me electric bicycles or partner with me to sell electric bicycles (didn't really pay attention) and more recently I started getting business proposal advance fee spam. The volume is pretty manageable and if I wanted, a pretty simple filter tuned for the spam I actually get would catch all of it and no ham.
I got spam to postmaster once for some reason. That's a nice way to make admins aware of your spam campaign.
Spam is presumably more of a problem when you're more well-known and you don't have the option to control your own filters.
v5v3
An alternative few users chat app probably won't be a major target for spam until it has lots of users.
So I would say it's a low priority feature in the backlog.
chrisldgk
I wouldn’t necessarily agree that WhatsApp’s spam protection is that great. I’ve been invited to quite a lot of pyramid scheme/scam WhatsApp groups, however that’s mostly happened after having to expose my private cell number on the internet (thanks to app stores and GDPR requiring some kind of phone number for businesses of any size).
radiospiel
afaik no businesses are required by the gdpr to collect phone numbers, and would like to see evidence otherwise
progval
There are no occurrences of "cell" or "phone" in GDPR, and the only relevant occurrences of "number" are about "national identification numbers", which phone numbers are not.
Bluestein
... always wondered if the cell phone requirements are not (also) tied to then wanting an actual, physical, person behind each account - as in most EU jurisdictions each SIM card is tied to an actual ID.-
marci
In many EU countries, you can buy sim cards from some vending machine, in a grocery store or places where you can buy international telephone cards. No ID required. But phone plans are often tied to your home internet.
Bluestein
Ah, the EU — land of fine cheeses, indecipherable GDPR popups, and, of course, the iron-fisted grip on your humble little SIM card. In the EU, you can’t even sneeze near a prepaid phone number without showing at least three forms of government-issued ID, a notarized statement of purpose, and possibly a blood sample. Why? Because buying a SIM card anonymously here is about as legal as fencing stolen paintings in the town square.-
You see, most EU countries decided some time ago that allowing people to own mobile numbers without a background check was simply too dangerous. What if someone used a burner phone to commit fraud, or worse — say something mildly controversial on the internet? To prevent such dystopian chaos, SIM registration laws were born. Now, whenever you purchase a SIM card in France, Germany, Spain, or pretty much anywhere with croissants, you have to offer your passport, soul, and, ideally, a letter of recommendation from your local constable.-
The result? Your phone number in the EU is no longer just a string of digits—it’s basically your name, address, and social security number all rolled into one. It’s like a little snitch in your pocket, ready to identify you at the first sign of online mischief. Online platforms know this. That’s why so many of them, from social networks to AI models, insist on a phone number. They’re not just trying to text you cute security codes — oh no, they’re trying to make sure there’s a warm, squishy, legally-recognizable human on the other end. Preferably one without too many fake Twitter accounts.-
Technically, GDPR is supposed to protect your data. That includes your phone number. But there’s a loophole the size of Luxembourg: if the phone number is used to stop terrorism, fraud, bots, or people being mean in the comments, then suddenly it’s all hands on deck. Platforms benefit from the comforting knowledge that EU phone numbers are like digital dog tags: traceable, trackable, and just annoying enough to prevent the average troll from spinning up 50 accounts to yell into the void.-
Of course, this all raises philosophical questions. Like: should your right to privacy hinge on your desire to play Candy Crush in peace? Is a SIM card a person? Could it run for European Parliament? And should we perhaps explore more civilized alternatives to this “one phone number equals one identity” system, like zero-knowledge proofs or just asking nicely?
In the meantime, welcome to the EU: where the cheese is soft, the bureaucracy is hard, and your SIM card knows more about you than your therapist.-
em-bee
deltachat distinguishes between normal email and deltachat messages. you can limit to the latter if you only use it to communicate with other deltachat users.
ravdeepchawla
You can design your way around it
1. Manually screen who can send you messages like Hey[^1] and Apple[^2]
2. Basic filtering to ensure the promotional stuff gets blocked or put in a separate list [^3]
3. Rate-limit senders who are showing robot-like behaviour
---
[^1]: https://www.hey.com/features/spam-corps/
[^2]: https://support.apple.com/en-il/guide/iphone/iph203ab0be4/io...
XorNot
If your need is security then really that should be based on in person trust.
Or at least via a proxy.
So contact invitation can just be handled with use-once codes (or at least trivially burnable ones).
hkt
Used it for years, it is great. Webxdc apps work in both android and desktop clients (not sure about iOS) so I can play chess, share calendars and to do lists, and even collaboratively edit documents, all by email, all privately.
Anyone who hasn't tried it really ought to.
To the haters talking about PGP: giving your entire social graph to Meta or even Signal is considerably worse.
m3kw9
[flagged]
data_maan
How does this (or 0xchat) compare to Signal?
Have there been any third-party security audits done by reputable companies?
If not, it's not safe to use - who knows what's buried in the source code (even if the source code is open).
JimDabell
> Have there been any third-party security audits done by reputable companies?
Their FAQ answers this:
> Yes, multiple times. The Delta Chat project continuously undergoes independent security audits and analysis
johnisgood
I mean, should probably just use Ricochet Refresh, Briar, Session, Element, etc.
I also built OTR on top of Discord but it requires Nitro because the messages for OTR end up being way too long. :(
progval
Can't they be split into lines? OTR was designed for IRC that limited protocol lines (ie. payload line + command + extra fluff) to 512 bytes, so that ought to work on Discord too.
johnisgood
I have not yet tried, that may work since it does work for IRC (which also has a limit per message). It was just more of a proof of concept, tbh, but it works, just not as usable as it could be.
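The line-splitting raised in the exchange above, sketched as an added example that is not part of the thread or of anyone's Discord plugin: it uses the OTR version 2 fragment framing `?OTR,k,n,piece,` and a receiver that discards a partial message on any gap. The 400-character budget and the sample message are constructed values, not limits of any real service.

```python
FRAG_PREFIX = "?OTR,"      # OTR v2 fragment framing: ?OTR,k,n,piece,
MAX_FRAGMENTS = 65535      # k and n are 16-bit counters
# Constructed sample: a fake 1606-character encoded message.
SAMPLE = "?OTR:" + "QUJD" * 400 + "."


def fragment(msg, max_len):
    """Split an encoded OTR message into fragments of at most max_len chars."""
    if len(msg) <= max_len:
        return [msg]                       # fits: send as-is
    room = max_len - (len(FRAG_PREFIX) + 5 + 1 + 5 + 1 + 1)  # worst-case framing
    if room <= 0:
        raise ValueError("max_len too small for fragment framing")
    pieces = [msg[i:i + room] for i in range(0, len(msg), room)]
    n = len(pieces)
    if n > MAX_FRAGMENTS:
        raise ValueError("message needs too many fragments")
    return [f"{FRAG_PREFIX}{k},{n},{p}," for k, p in enumerate(pieces, 1)]


class Reassembler:
    """Receiver side: accepts fragments in order, drops everything on a gap."""

    def __init__(self):
        self._reset()

    def _reset(self):
        self.k, self.n, self.buf = 0, 0, []

    def feed(self, line):
        """Return the complete message when available, otherwise None."""
        if not line.startswith(FRAG_PREFIX):
            return line                    # not a fragment: pass through
        try:
            k_s, n_s, piece, tail = line[len(FRAG_PREFIX):].split(",")
            k, n = int(k_s), int(n_s)
        except ValueError:                 # wrong field count or bad number
            self._reset()
            return None
        if tail or not 1 <= k <= n <= MAX_FRAGMENTS:
            self._reset()
            return None
        if k == 1:                         # a first fragment always restarts
            self.k, self.n, self.buf = 1, n, [piece]
        elif n == self.n and k == self.k + 1:
            self.k = k
            self.buf.append(piece)
        else:                              # out of order or mismatched total
            self._reset()
            return None
        if self.k < self.n:
            return None
        msg, _ = "".join(self.buf), self._reset()
        return msg
```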
tcfhgj
first of all, it's not a walled garden
Note that while it might be decentralized and "secure", it is not anonymizing as IMAP + SMTP are far from anonymous. Email is a legacy system that was never designed with privacy or anonymity in mind.
This is useful if you want to keep the content of your messages secure, but if you need to keep your identity, social graph and the fact that you conversed with certain people obfuscated, I don't think Delta Chat via email is a good solution.
It's also only decentralized as much as public email infrastructure is decentralized.