Don’t Use Session (Signal Fork)

K8y

Has anyone seen if a neutral third-party weighed in on this? What's the final verdict?

N1b

K8y what do you think a "neutral" third party would add to the conversation? The code is publicly available, it's clarified and confirmed that the devs compromised security for convenience.

Whether that's a bad thing for you depends on your threat model and needs alone, nobody can make that decision for you.

I for myself am avoiding Session, as I don't see any advantage over Signal/Molly for myself and my peers.

Watermelon

K8y Session passed a third-party audit a few years ago. Look in their website/blog for it. I don't know if they've changed their cryptography since then, and it's possible that if the way the same cryptography is used is changed could also impact security.

K8y

N1b the trouble for me though is all of this is over my head, so I have to just trust the experts. However are there any experts here that can see things from Sessions point of view? Like play Devil's advocate... (Bring up things others forgot) before completely discarding them...

angela

N1b Session doesn't require a phone number and doesn't consolidate everything of AWS servers. Winner: Session, even with slightly weaker encryption. Also having accounts recoverable by seed phrase offers some portability and safety with upgrading or changing devices.

ryrona

angela Session doesn't require a phone number and doesn't consolidate everything of AWS servers. Winner: Session, even with slightly weaker encryption.

K8y Maybe sessions 128 is good enough...

That is the question here I think. If it indeed is 128 bit security like Session claims, it would be secure enough, even if it is a downgrade compared to Signal protocol. However, if it is 64 bit security like the security researcher claimed, and my teacher in cryptography told us as a rule of thumb, then it is not secure enough, as 64 bit security is trivial to break for anyone with a decent computer. Which we can assume all state actors and other possible enemies have.

K8y If a city builds a 50 meter high wall surrounding it, then another builds theirs 65 meters high does it really mean the first city is subverting its security?

This analogy doesn't hold. When we say it is 64 bit security, we mean it takes 2⁶⁴ effort to break the security. If we say 128 bit security, we mean it takes 2¹²⁸ effort to break the security. That is 128-bit security is 20,000,000,000,000,000,000 times harder to break. Hopefully then you understand why those bits of security really matters. In your analogy, it would be a wall that is that many times taller.

K8y However are there any experts here that can see things from Sessions point of view? Like play Devil's advocate...

We would need an actual cryptographic expert to state an opinion about this, and explain why. It is very rare to come across someone that actually understands cryptography to the degree where they can design, analyze and break the security of cryptographic algorithms. And yet, it is a person with that knowledge that must state whether what Session is doing is actually secure. Ideally, Session wouldn't even have deviated from known secure constructs to begin with, but they insist on doing that, and that is what makes everyone so anxious or outright skeptical.

N1b

K8y I just realized that I made too many wrong assumptions regarding your post and intentions, thanks for the clarification. It's good to keep the discussion up and see how deep we can get. There might still be good use cases for session, even if they are not relevant for myself.

Unfortunately I can't contribute any further as this is far beyond my knowledge.

K8y

angela even with slightly weaker encryption.

This seems to be the crux of the matter, but is it really that problematic? If a city builds a 50 meter high wall surrounding it, then another builds theirs 65 meters high does it really mean the first city is subverting its security?

Maybe sessions 128 is good enough...

Especially when it wipes metadata, more than signal I think...

K8y

ryrona great points! Maybe one of those experts will step forward to settle this.

Do you agree session is better at wiping metadata than signal?

angela

ryrona So because part of the 128-bit key is based on non-random filler, the critic is saying it's equivalent to 64-bit and the Session response it isn't. And you're saying 64-bit is easy to crack with brute force. It's interesting.

This is a question that should have a definite mathematical answer because it's so specific.

The problem is that the math is so complex that I don't know who to trust. My instinct is that non-random filler would not be trivial to remove from the 128-bit information. Even if that knowledge reduced the calculations needed, I doubt it would remove it so much as to make it equivalent to brute-force breaking 64-bit encryption. Since that seems so illogical to me (because a mathematical transformation like that wouldn't be easy to undo) then I don't think the critic is right and probably the response is not right either because that assumption could probably reduce brute-force average time, but I'm just guessing.

More real cryptographic experts would need to offer opinions to convince me.

ryrona

K8y Do you agree session is better at wiping metadata than signal?

Hard to tell. Wiping metadata requires that the nodes that keep the metadata agrees to wipe it, and it is not clear that is likelier to happen in Session where anyone (including attackers) can run nodes, as opposed to Signal where all nodes are run by a single (hopefully trusted) company. Ideally, one wouldn't even collect metadata to begin with. Both Session and Signal does try to minimize the amount of metadata they collect. I don't now exactly what Signal is doing, so I cannot really compare Session and Signal in this regard, but we can say for certain that either collect far less metadata than eg Matrix is doing, but far more than what SimpleX is doing. We can also say that Signal does collect one piece of metadata, phone numbers, that for many would be very concerning and ruin any anonymity towards the chat provider. Here Matrix, and especially Session and SimpleX are better.

Assuming Session is actually secure that is, which is doubtful.

K8y

ryrona either collect far less metadata than eg Matrix is doing, but far more than what SimpleX is doing.

So Matrix Element collects lots of metadata, whereas SimpleX the least? Are there any significant drawbacks to SimpleX then?

N1b I just realized that I made too many wrong assumptions regarding your post and intentions, thanks for the clarification.

Thank you : )

angela More real cryptographic experts would need to offer opinions to convince me.

Me too!

ryrona

angela So because part of the 128-bit key is based on non-random filler, the critic is saying it's equivalent to 64-bit and the Session response it isn't. And you're saying 64-bit is easy to crack with brute force. It's interesting.

Tiny corrections. It is a 256-bit key, but 128 of those bits are a filler, which means the key only has 128-bit of entropy. Elliptic curve cryptography is generally believed to offer half the number of bits in security as the size of the key (if the key has full entropy). If they didn't hash the key prior to using it as an ECC key, the security would trivially have been degraded to 64-bit security. They hash the key, that is where the analysis gets complicated.

angela This is a question that should have a definite mathematical answer because it's so specific.

Yes. But question is who can answer that, or if it even is easily answerable by anyone today. Certain constructs, such as simply using twice the amount of entropy, are easy to analyze and prove secure. Other constructs, as I imagine this hashing falls into, might be very hard to prove secure, but also very hard to prove insecure. They are left in a state there they theoretically might have vulnerabilities, but no one can prove it.

That is why one should stick to known secure constructs, and that Session developers haven't done that is what makes everyone so anxious.

ryrona

K8y So Matrix Element collects lots of metadata, whereas SimpleX the least? Are there any significant drawbacks to SimpleX then?

That it is new. That you, if you use it as intended, connect to untrusted nodes. That we generally don't know yet how much security, privacy and anonymity such a system offers. That we still don't know if the company behind SimpleX is trustworthy, or if they might start doing shady things to earn money similar to what Session developers did. SimpleX developers have expressed an interest in earning money on SimpleX, and to me that is extremely worrying. As I see it, SimpleX is simply too new right now.

I am staying at Element right now. Not only because everyone I know uses Matrix, but also because I know what metadata they collect, and I know what security, privacy and anonymity they offer. I guess many stay at Signal for similar reasons.

Watermelon

ryrona That it is new.

It's not just new, it's also very complex and nontrivial to analyze and reason about its privacy and anonymity guarantees, because of a combination of its modular design with many separate protocols and also the lackluster way they're presented to end users, last time I checked. There's many infographics on their site each presenting a different angle but no infographic giving a clear full picture and detailing the privacy/anonymity properties. Also doesn't help that the different protocols have such similar names and sometimes they call the same protocol with an inconsistent name or acronym. Very difficult to understand this way especially as a person with attention deficiency.

EDIT: I've also managed to catch one nontrivial privacy issue with SimpleX that I've asked them in private about and they've confirmed to me. It's not a vulnerability or anything, but it just confirms what I said above. They should put much more effort into their documentation, their infographics on their site don't impress me. It's also not anything hidden, it's something I was able to conclude with logic.

ryrona

Watermelon I've also managed to catch one nontrivial privacy issue with SimpleX that I've asked them in private about and they've confirmed to me. It's not a vulnerability or anything, but it just confirms what I said above.

I am curious about this. Can you share what privacy issue it is you have found?

Watermelon

ryrona This may be outdated, and they've since made additions/changes that I suspect might affect the situation, but idk because it's so messy to understand. It used to be that SimpleX gives you the ability to add SMP servers of your own. Your contacts know which SMP server you have. Thus, if you use a non-default SMP server for decentralization, you're forfeiting anonymity as the custom SMP server functions as a sort of pseudonym; furthermore, your choice of a specific SMP server potentially lets your contact learn something about you regardless of the pseudonym issue. They've confirmed it's the case and that they want to add more preset SMP servers to decrease centralization.

ryrona

Watermelon Ah, okay. Yeah, all users would need to have the same list of nodes to use to not leak that information, same as Tor and other networks. I think they are worried about bundling a list containing lowly trusted nodes, which is why they still really only have their own nodes bundled in the app. I think I read a few months ago that they considered using their nodes as first hop, to allow for using untrusted nodes as the actual end points without those nodes being able to learn much about you. Or something to a similar effect. I guess we will see what happens. They are trying to solve the problem at least, as far as I know.

neel

Another problem with Session is that it's based on the "Lokinet" anonymity network. I made a comment on it on the Tor forums a year ago.

Lokinet is very heavily built on crypto tech, which means to run a node you'll have to be rich. They hoped it will scare sybils but in reality some sybils (e.g. Russia, China) are rich and can easily run Oxen nodes while ordinary users like me can't run nodes because we don't have enough Oxen coins.

In short, Session, Lokinet and Oxen is a "Web3" alternative "privacy" platform. We all know Web3 sucks, and even VCs moved away from it and towards "AI".