Session | Send Messages, Not Metadata. | Private Messenger
getsession.org
Session is a private messenger that aims to remove any chance of metadata collection by routing all messages through an onion routing network.

I’m aware that Session has been discussed twice before on this community, but the last thread was 6 months old so excuse my starting a new one.

There’s one big concern I wanted to bring up, which is the disagreements over whether it has forward secrecy. The spec says it does, but I’ve found two other sources saying it doesn’t:

https://restoreprivacy.com/secure-encrypted-messaging-apps/session/ (search for “Perfect Forward Secrecy removed”) https://www.securemessagingapps.com

Why are they saying this? Is there a critical caveat to Session’s forward secrecy (does it not have it in closed groups?), or are both sources just wrong?

(I’ve also heard one source say its closed groups are limited to 10 members which would be a showstopper for me and another source say they’re limited to 100 and the spec says 500 so i don’t know what to believe.)

I’m also concerned about it being built on top of a blockchain and cryptocurrency, not because I’m suspicious of cryptocurrency in general but because I find it difficult to understand, and because that it costs thousands of dollars to run a Session node seems to me like the network is bound to be owned exclusively by a few rich companies and investors. Is it? Is there a place I can see who owns how much of it, particularly how much is owned by the Oxen developers?

UPDATE: I believe I’ve just learned that Sesison DOES NOT have forward secrecy or deniability; the whitepaper linked on their CURRENT website is outdated. https://getsession.org/blog/session-protocol-technical-information

    • @Yujiri@lemmy.mlOP
      22 years ago

      So I’ve heard, but if the software doesn’t give such developers control over us (or does so to a lesser extent than its alternatives), that doesn’t really matter to me. If bad people want to write tools that good people can take advantage of, let them.

      • @schnuppikarotti@lemmy.ml
        32 years ago

        mhh i dont see it like this. open source is much more then the finished “product” there is a communitie around, they have a youtube channel, social media channels. the developers get more attention if the messenger is more used.

    • RandomSomeone
      12 years ago

      So? Who cares? What has your comment anything to do with software? The most up voted comment on a software post is some political whining. Why should anyone care about what devs are doing in their personal life? I didn’t see that level of criticism when Tusky devs blocked gab.com in the app for ideological reasons, which is actually very concerning. Seriously, what the hell is wrong with you?

    • @schnuppikarotti@lemmy.ml
      12 years ago

      i mean at the end everyone has decide for themselve. i also tried session and found it really interesting. but then i found this and for me that means that i dont wanna use or support this project at all. and if people read this and say “i still wanna use it” then just do it. but then you at least know whats going on there

    • Jack
      02 years ago

      Seems the alt-right developer for Lokinet has been told to cut that shit out. And he’s apparently not connected to Session’s development directly. Just some possible okay news lol.

      Very interesting though, hadn’t heard of that.

        • Jack
          02 years ago

          I found it by looking around that thread, where the OP tweeted that they had responded. I’ll try to find the exact link when I get home, but they said he wasn’t neurotypical and didn’t understand, which I don’t really believe because he didn’t say racist things on Twitter, but I also don’t have experience with that.

          And I just meant that he wasn’t directly working on session, but does develop other projects

    • @Lynda@lemmy.ml
      -12 years ago

      Is the developer really connected to the “alt-right”, or connected with free speech?

      • @schnuppikarotti@lemmy.ml
        12 years ago

        in the video they speak about alt right. i mean whats also a bit weird for me is, if i would be accused as company to have this connections to alt right. but its just the users of my services that have this connections and i cant control it. i still could put out a statement. like the devs from mastodon. their its also that their open source software is used by gab and now trump social. but their find a way that i trust them that they really dont like whats happening with their software. with session i dont have the feeling. correct me if there are information that the dev is not working there anymore because of the connections and this posts.

  • @Lynda@lemmy.ml
    52 years ago

    It’s my understanding Session doesn’t do PFS because in order to do that kind of attack the attacker would need to have access to the device. And if the attacker has access to the device, then PFS isn’t going to be a benefit.

    I don’t understand why apps/messengers have a relationship with blockchain/cryptocurrency either. (so I am guessing). I’m not sure cryptocurrencies are really blockchains, and blockchains are really just protocols, and messengers are using the protocol. Sometimes blockchains sounds like a method/protocol for storing data in a distributed network.

    Or perhaps saying it this way: you can do multiple things with a blockchain, and cryptocurrency is just one of those things. So if an app/platform is going to use a blockchain, they can easily leverage the blockchain protocol for other things (currency, storage, transactions, messages, distributed apps, etc).

    • @Yujiri@lemmy.mlOP
      02 years ago

      Damn. If Session really doesn’t do PFS then I definitely won’t be telling my friends to switch away from Matrix for it. It’s true that PFS only matters if the attacker compromises a private key, but it is a really important property that a key or device compromise at some point doesn’t comrpomise all previous messages.

      Latacora’s takedown of PGP has a good explanation of why this is so important:

      In modern cryptography engineering, we assume our adversary is recording everything, into infinite storage. PGP’s claimed adversaries include world governments, many of whom are certainly doing exactly that. Against serious adversaries and without forward secrecy, breaches are a question of “when”, not “if”.

      But if it’s true that Session doesn’t do PFS, then why does the spec say it does? Can someone tag a developer?

  • @zksmk@lemmy.ml
    52 years ago

    I don’t really like cryptos at all, they’re way too laissez-faire/anarcho-capitalist for me, and not to mention the energy consumption, but let’s talk about them for a minute. I want to write down some thoughts. I have 0 crypto holdings, but I researched them a bit recently, it’s good to be informed.

    Apparently, Oxen is a fork of Monero, which is apparently an almost fully private crypto. I’m all for privacy of information, knowledge and messages but I don’t think money aka power should be private. Incredibly bad for democracy, not to mention it goes against the idea of taxation. This is pretty much a deal breaker for me for a messenger that would strive to become mainstream and challenge the big tech oligopolies.

    If a piece of software like this wants to use crypto, it should be a crypto that’s private only for small transactions (think, nobody needs to know you bought that candy, or that laundry detergent, I’m fine with the privacy of small purchases, in fact I think it’s good) but any transaction above a certain threshold should be public. In a crypto, this limit can be “voted” on, which is great, and I think in newer ones, like Polkadot, it doesn’t even require a hard fork.

    Also, while we’re on the topic, I’d love if a crypto had in-built ”taxation” within the system itself, that takes a reasonable amount of money from big transactions or even wallets, divides it and distributes it randomly to other users. As it is now, crypto is essentially just a ”make the rich richer/increase the wealth gap” kind of thing, even more than normal money is, plus it’s a global casino/gambling on top, which also has the same end results. It’s hard for me to enthusiastically get behind it. Btw, I’m not surprised a "socialist” crypto like this hasn’t been created yet, the incentives and the type of crowd is just not there, but I would be surprised if it doesn’t get created eventually.

    Secondly, the energy consumption. Apparently, Solana is a crypto that uses a new “proof of history” method (as opposed to proof of work or stake) that uses at least a 1000 times less energy than Bitcoin, and maybe even many more orders of magnitude less (1) and doesn’t suffer from the types of centralisation of power that happen with proof of work or even proof of stake. It’s apparently like a normal server in terms of energy consumption. If Session used this type of crypto I’d be more open to it.

    As it is, I just don’t know what’s the purpose of Session. An attempt to create a private mainstream messenger? Can’t really support it, at least that’s how I feel about it, in its current form. A fully private messenger for extreme cases, like journalists or something? There’s Briar for that, without the iffiness of crypto.

    • Jack
      32 years ago

      You might be interested in GNU Taler. I heard Stallman talking about it in some podcast about Monero (I think Monero Talk). He was saying it’s being designed to be private for payers, but not payees, for tax purposes.

      It was a dreadful listen though. The host just wanted RMS’s stamp of approval, kept trying to get him to say he liked Monero; and Stallman is the absolute worst, most obtuse podcast guest I’ve ever listened to lol.

    • @Lynda@lemmy.ml
      22 years ago

      bad for democracy

      Another way of saying that is that democracy is great for the majority, but bad for the minority. Not everyone wants to labor for something they don’t want or believe.

    • @Yujiri@lemmy.mlOP
      02 years ago

      Apparently, Oxen is a fork of Monero, which is apparently an almost fully private crypto. I’m all for privacy of information, knowledge and messages but I don’t think money aka power should be private. Incredibly bad for democracy, not to mention it goes against the idea of taxation. This is pretty much a deal breaker for me for a messenger that would strive to become mainstream and challenge the big tech oligopolies.

      We probably aren’t going to agree here because undermining democracy and taxation is music to my ears :P

      Though to be fair, I find your vision of taxation enforced by technology and given directly to poorer users rather than enforced by the state and given to the state, to be quite appealing.

      As for Briar, I looked into it some time ago and came away thinking I would switch to it (away from Matrix) if it weren’t Android-only. Requiring a phone is a deal breaker for me.