this post was submitted on 01 Jun 2024
45 points (95.9% liked)

Title.

I've used it before, but I'm not really sure how I feel about it. Would you use it on a day-to-day basis?

[–] [email protected] 19 points 5 months ago (2 children)

The Session developers are interesting. But I don't recommend anybody use Session.

They took the Signal protocol, and removed perfect forward secrecy because they found it hard to implement.

That's crazy.

Also all of the file transfers on Session go through servers in Canada. Centralized.

I give them kudos for trying to make the network self-sustainable through their crypto thing, but they never found a way to actually monetize it, there's no paper use, it feels like the idea is kind of dead in the water at this point. I would not recommend Session for any serious non-experimental usage.

[–] [email protected] 3 points 5 months ago (1 children)

Is there a feature request to add PFS again?

[–] [email protected] 9 points 5 months ago* (last edited 5 months ago)

https://getsession.org/session-protocol-technical-information

Nope. Whenever anybody asks them, they refer to this and close the ticket.

I find their technical rationale, while welcome, a lot of hand waving to say they couldn't figure out how to implement it, but it was not important because it's not a big threat, because if somebody has the device they can get all the messages on the device anyway....

Losing perfect forward secrecy for "simpler code" is a strong design choice they made. I respect them for documenting this, I wish them the best of success, but that's not a trade-off I'm willing to make for no benefit.

[–] [email protected] 2 points 5 months ago (1 children)

> removed perfect forward secrecy because they found it hard to implement.

That's just a blatant lie. There's an entire blog post about it. You don't have to lie about it just because you're not smart enough to understand it.

https://getsession.org/blog/session-protocol-technical-information

[–] [email protected] 0 points 5 months ago (1 children)

It's not a lie. I have read their post. And my interpretation, reading between the lines, is they dropped it because of complexity.

[–] [email protected] 2 points 5 months ago (1 children)

You can interpret it however you like but that's not what it says.

[–] [email protected] 2 points 5 months ago

Fair enough. They did not explicitly say they removed it for complexity.

The facts are: they started with a protocol that had perfect forward secrecy, and they removed it, but not for philosophical reasons.

They were not opposed to perfect forward secrecy.

In today's ecosystem there are products that use onion networks and provide perfect forward secrecy, like SimpleX and Briar over Tor...

You're welcome to make any decision you like. If you want to use Session, go right ahead. I'm not going to stop you, and I'm happy you're doing so. We're all better for choice.