PrivacyGuides' email-security page is misleading

I don’t understand why there is confusion of PFS in this thread. It has no relation to disappearing messages or creating new accounts.

PFS is absolutely mandatory to prevent trivially breaking past, present, and future messages if a key is leaked or broken.

The server and transports, whether you run it or trust it, should be considered hostile. You should assume that an attacker will have a copy of ciphertext and try to break it at some point. PFS substantially raises the bar by requiring given N messages to each have their own key broken.

if they aren’t default enabled, they’re not going to be used.

edit: some feedback about ArcaneChat

• I had to enable compatibility mode on GrapheneOS to make the app load.
  • edit: Was 64-bit, and seems incompatible with hmalloc.
• There was a proxy option to use, but Orbot integration would be nice as not everyone knows the port combo.
  • edit: For reference it is socks5://127.0.0.1:9050
• And most importantly the current proxy implementation is global not per account. So the server in this case could trivially correlate accounts.
  • edit: it does seem per profile, but not obvious at first.
• I couldn’t find the option to delete my account from the server, only the app.
• I didn’t see an option to force encryption, only prefer it.

can an ArcaneChat user send a secure email that I can read from my Tuta client? Or maybe to a mail(.)com or yahoo(.)com user? If not, I personally wouldn’t consider email secure, because this is how email is meant to be used.

Yes, both do that. I use Deltachat as my now primary email client and have no trouble talking with people on their institution’s servers, on yahoo, on gmail, etc…

What Deltachat and Arcanechat do is also add an autocrypt header so that the receiving party can start exchanging encrypted email if they so desire. There is an even better way to make this secure by avoiding easy MITM thanks to yet another addition (securejoin) which only those implement, but guarantee E2EE (instead of one that can be intercepted)

Both applications try to move the email ecosystem forward by showing how it can be done. There is nothing super specific about any of the things that are above.

To be fair, it seems DeltaChat has solved the subject problem by ignoring it entirely and building a protocol routing system atop of information in the encrypted body

It’s actually an old RFC draft, as said above: see my message above about standards

But DeltaChat does not intend to function as a traditional email server but a messenger, and I assume users aren’t using their personal emails in DeltaChat.

There’s a bit of a misunderstanding here: DeltaChat and chatmail are made by the same people, complement each other, but you don’t have to use both. I and other people use DeltaChat as an email client, not just as a messenger. Many emails are well managed with the messenger mindset (not all, of course). But it is entirely a client. Chatmail is the server (basically a bundling of standard postfix and dovecot) and DeltaChat offers to create an account on it easily.

you can’t detach theory from practice, you might have PFS, you assumed the friendly server supporting you is hostile and is storing all your messages, but you don’t see the relation with disappearing messages, you feel safe, then your real “attacker” unlocks (or force you to) your phone and gets access not only to your keys, they don’t need to go running to the server to then decrypt messages, they have your messages already in their hands in your phone together in the key because you said “It has no relation to disappearing messages”.

About creating accounts, the thing is that when you create a new account you also create a new key, when you delete the account the key together with all the messages are gone forever, so you have the same effect as PFS, this is a practical view of the outcome not a theoretical, I am not interested in discussing theory detached from practical reality.

it is the default in ArcaneChat tho

you probably installed some 32bit version

false, proxy is per profile, not global, you can use different proxies of different protocols per each account, including ShadowSocks VPNs!

mmmh yes that is a bit hard to discover: click your avatar at the top bar, then long-press your profile in the account switcher and select “delete”, I will add this option to somewhere in the profile settings so people discover it more easily, thanks for the feedback!

encryption is forced by default and it is in fact that “prefer encryption” option, I reused the string from Delta Chat but in fact will rename it to a more clear “enforce encryption” or so

this thread is not really about ArcaneChat so I would prefer if we continue this talk in the ArcaneChat community group, write to me at:

An attacker having physical access is a separate issue from PFS, even if they have the same outcome (accessing messages).

so your threat model is: “attacker controls server and used brute force to guess your key”? or in what situation does the attacker get access to the key without access to the messages in, let’s say, Signal?

I don’t trust Signal’s pinky promise either and we should assume they’re storing ciphertext too in some form, but at least their client actually has PFS.

As mentioned above, we know parties are storing this data. There will inevitably be advancements in computing or shortcuts to break encryption.
They will be able to break yesterday’s or today’s crypto eventually and will decrypt our messages. We shouldn’t make it easy for them.

You as a developer, PG as a recommendation source, and us (the technical) overall must continually raise the bar and not ignore this.

this doesn’t answer my question, please, how does the attacker get your signal key other than getting access to your device (and then having already access to the messages without needing the server)?

EDIT: thanks for updating your comment

so your assumption is that they will be able to easily brute-force/crack the key in the future, in that case, how does PFS helps much here? they can crack the key of every message then in that far-away future, we will likely be dead by then tho, it is also a question of when does it matter, and still creating a temporary profile and throwing it away has the same effect.

Why would they need to get your device?

Yes, both do that. I use Deltachat as my now primary email client and have no trouble talking with people on their institution’s servers, on yahoo, on gmail, etc…

But it stops being encrypted/secure while doing that I’m guessing?

Because having each message with its own key directly raises the time/monetary cost of breaking it. That is all security is ultimately about: increasing cost.

This cannot be assumed.

It’s not encrypted because my correspondents don’t have a key, yes. If they had one and used autocrypt, DeltaChat would import their key when they send me a message and we would have an encrypted conversation.

If that’s the only issue, then it seems like it’s a minor correction easily updated. Instead of say “not possible” just say “traditional email clients” and call it a day.

I feel as though these are technicalities of phrasing, which seem trivial to update. PG does take PRs to update the site, maybe throw up a draft PR?

This is contrived/unlikely.
Most messengers, while they may encrypt their storage, only store the messages in plaintext.
ie. PFS has no use/benefit here

However in the context of email, it is common for MUAs to just store the original/raw .mbox or whatever.

Yes, that’s not true because you can encrypt the entire message and have a hash of that message. You can retrieve that message in a Tokyo Cabinet with a key index hash table lookup.

I don’t really see a compelling reason to build and instant messenger and bolt that on top of an email+PGP anyway.

The reason PGP is used for email is because established mime types and support in email clients. There simply is no alternative except S/MIME and that requires a certificate.

There is an effort for compatibility, but to what goal? You still need the software to realistically communicate with recipients anyway. At that stage wouldn’t it be better just to use something that achieves all these goals.

In terms of email that has never been a particularly reliable protocol in terms of deliverability, rate limits and other server side factors.

Not to mention modern expectations of video, voice calls and multi device support. PGP does not have mullti device support unless you use the same keys everywhere (no such thing as cross signing device keys etc). The whole way that attachments are done (mime encoding a file and slapping it on the end) seems like something you’d want to avoid.

I guess this is why arcane chat reduces the size of voice, and images? I saw that mentioned:

• It is possible to disable profiles to completely disconnect them saving data/bandwidth
• Voice messages have more aggressive compression in “worse quality” mode to save data plan
• Automatic download of messages limited to 640KB by default

These all seem like reasons in 2025 to not use this software.

I wouldn’t assume anything about users. If they can they will and this just seems like an unnecessary footgun.