Essential insights from Hacker News discussions

Delta Chat is a decentralized and secure messenger app

Here's a breakdown of the key themes discussed in the Hacker News thread:

Spam Protection Strategies for Alternative Chat Apps

The initial question probes the challenge of spam protection for smaller chat apps, acknowledging Meta's (WhatsApp) efforts while also questioning the privacy implications, specifically the requirement of phone numbers.

  • "I'm curious how spam protection works if you're an alternative, few users, chat app? I hate Meta's monopoly as much as the next guy but one thing you do have to credit them for is the second to none spam protection. I also wonder how much requiring a cell number is part of that strategy." - fouronnes3

Several users contribute strategies, referencing existing services and approaches.

  • Manual Screening and Filtering: "You can design your way around it / 1. Manually screen who can send you messages like Hey[^1] and Apple[^2] / 2. Basic filtering to ensure the promotional stuff gets blocked or put in a separate list [^3] / 3. Rate-limit senders who are showing robot like behaviour" - ravdeepchawla
  • Low Priority Focus: "An alternative few users chat app probably won't be a major target for spam until it has lots of users. So I would say it's a low priority feature in the backlog." - v5v3
  • Email-Based Systems: "It's just email and gpg so you'll get the same spam you do normally." - msgodel

Phone Number Requirements and Security/Privacy Trade-offs

A significant sub-theme revolves around the use of phone numbers for account verification, particularly in light of GDPR and varying SIM card registration requirements globally.

  • Questionable Spam Protection: "I wouldn’t necessarily agree that WhatsApp's spam protection is that great. I’ve been invited to quite a lot of pyramid scheme/scam WhatsApp groups, however that’s mostly happened after having to expose my private cell number on the internet" - chrisldgk
  • SIM Card Registration in the EU: As Bluestein suggests, "always wondered if the cell phone requirements are not (also) tied to then wanting an actual, physical, person behind each account - as in most EU jurisdictions each SIM card is tied to an actual ID."
  • Detailed EU perspective:
    • "In the EU, you can’t even sneeze near a prepaid phone number without showing at least three forms of government-issued ID, a notarized statement of purpose, and possibly a blood sample." - Bluestein
    • "Your phone number in the EU is no longer just a string of digits—it’s basically your name, address, and social security number all rolled into one. It’s like a little snitch in your pocket, ready to identify you at the first sign of online mischief." - Bluestein
  • GDPR Loophole: "if the phone number is used to stop terrorism, fraud, bots, or people being mean in the comments, then suddenly it’s all hands on deck." - Bluestein
  • Counter-examples: "There are several countries that didn't buy into the madness of registering SIMs, luckily. Most strangely, the UK, the master of CCTV. Apparently they realized that it's a useless measure and will just anger the people." - data_maan
  • No General GDPR Requirement: "afaik no businesses are required by the gdpr to collect phone numbers, and would like to see evidence otherwise" - radiospiel

Email vs. Proprietary IM Apps and the Problem of Spam Overload

Several users advocated for email-based systems, downplaying concerns about spam and emphasizing the downsides of proprietary IM apps' notifications.

  • Manageable Email Spam: "IMO people freak out about spam way too much. I'd rather have something that works with occasional spam than have to put up with the insanity of modern IM. Having push notifications from 10 proprietary IM apps is worse spam than a couple of emails a day from some retard trying to get me to download a "pdf." - msgodel
  • Effective Personal Spam Filtering: "i run my own email server, using a spam filter i set up years ago without explicit blocking (only tagging and filtering) and didn't touch it since. the amount of spam i get is negligible." - em-bee

Delta Chat Features, Vulnerabilities, and Comparisons

The thread discusses Delta Chat as a specific alternative messaging app, detailing its features (email compatibility, PGP encryption), potential vulnerabilities, and comparisons to other secure messaging apps.

  • Email Compatibility and Encryption: "It's email-compatible and uses pgp for encryption. No forward secrecy and supports sending unencrypted messages as well for people who don't have pgp." - sixtiethutopia
  • Potential Downgrade Attacks: "I wonder if it's vulnerable to downgrade attacks from adversaries falsifying the sending address. If an adversary sends an unencrypted email imitating a contact will delta chat reject it or will it silently switch the chat with that contact over to unencrypted email?" - sixtiethutopia
  • Alternative for guaranteed encryption: "The way to have guaranteed encrypted is creating two user encrypted group chat." - folmar
  • PGP and Overlaysystem Clarification: "and it's not just pgp with email, it's more akin to an overlaysystem." - deknos
  • Email ubiquity point: "I think the point here is that everyone has email. A chat client built on Nostr is fine (and I want to love Nostr), but it just doesn't have the reach or ubiquity of email." - rpdillon
  • Positive Personal Experience: "Used it for years, it is great. Webxdc apps work in both android and desktop clients (not sure about iOS) so I can play chess, share calendars and to do lists, and even collaboratively edit documents, all by email, all privately. Anyone who hasn't tried it really ought to." - hkt
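The downgrade question raised above, as an added example that is not Delta Chat's own code: a minimal per-contact guard for an email-based messenger that remembers which contacts have sent PGP/MIME-encrypted mail (RFC 3156 multipart/encrypted) and flags, rather than silently accepts, a later cleartext message carrying the same From address. The DowngradeGuard class, its verdict strings and the two sample mails are constructed for illustration.

```python
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
# Constructed sample mails, not real traffic; the PGP body is a placeholder, not ciphertext.
ENCRYPTED_FROM_ALICE = """\
From: Alice <alice@example.org>
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

(placeholder for the PGP MESSAGE block)
--b1--
"""
# Cleartext mail reusing the same From address, which nothing here authenticates.
PLAINTEXT_FROM_ALICE = """\
From: Alice <alice@example.org>
Content-Type: text/plain; charset=us-ascii

please open the attached invoice
"""

def is_pgp_mime_encrypted(msg) -> bool:
    """RFC 3156 PGP/MIME: multipart/encrypted carrying the pgp-encrypted protocol."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")

@dataclass
class DowngradeGuard:
    """Remembers which contacts have sent encrypted mail; cleartext from them is flagged."""
    encrypted_peers: set = field(default_factory=set)
    def classify(self, raw_mail: str) -> str:
        msg = message_from_string(raw_mail)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if is_pgp_mime_encrypted(msg):
            self.encrypted_peers.add(sender)
            return "accept-encrypted"
        if sender in self.encrypted_peers:
            # Encryption was established earlier: do not silently fall back to
            # cleartext on the strength of a spoofable From header; surface it.
            return "warn-downgrade"
        return "accept-plaintext"

def run_demo() -> list:
    guard = DowngradeGuard()
    return [guard.classify(m) for m in (PLAINTEXT_FROM_ALICE, ENCRYPTED_FROM_ALICE, PLAINTEXT_FROM_ALICE)]
```

The guard only answers the question posed in the thread (is cleartext after encryption flagged?); verifying that an encrypted message actually decrypts with the contact's known key is a separate check it does not perform.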

Security Audits and Trust in Messaging Apps

The need for security audits is raised as a crucial factor in evaluating the safety and reliability of alternative messaging apps, with comparisons to Signal and warnings about using unaudited software.

  • Importance of Audit: "But - has there been a security audit done? [...] If not, it's not safe to use - who knows what's buried in the source code (even if the source code is open)." - data_maan
  • AJ007 warns about the dangers of closed systems: "Certainly if no one can implement these two things it is functionally a closed source project. It also is a security failure from the standpoint of control, validation, and also future security and vulnerability patching (there's a graveyard of dead "secure" messaging apps.)"
  • Examples of recommended messengers: "I mean, should probably just use Ricochet Refresh, Briar, Session, Element, etc." - johnisgood
  • Concerns about trusting a single party: "To the haters talking about PGP: giving your entire social graph to Meta or even Signal is considerably worse." - hkt