Session Private Messsenger (GOS <>IOS&Android). Is it secure?

graphik

Hi¡
Is it secure to use Session Private Messenger with another regular client. I mean, between GOS session and IOS/Android session?
Thanks

DeletedUser288

graphik Is it secure

What do you mean? Like all modern messengers, Session is E2EE.

DeletedUser203

graphik here is the test,

Threat is either known or unknown, your device is a known.
The device you send problematic sensitive data to, is an unknown.
You don't know if the device is encrypted, secured with a 4 digit pin or a 20 digit pin, etc.
This persons level of security, anonymity or privacy now becomes your level, the moment you send the message.

"Is it secure to use Session Private Messenger with another regular client. I mean, between GOS session and IOS/Android session?" Only if their level of security is as good as yours,

argante

graphik Session transcends your physical locations through unique DNS and onion-routing. This network (Lokinet) is similar to Tor. The recipient of the message is also hidden behind three lokinet nodes. The decentralized Session's network database (swarm) is a bit like how the BitTorrent network works. It is difficult to block. In my opinion, Session is the best designed solution from this perspective. Unfortunately, Session has a weak(?) encryption (see this and this), which is why I use SimpleX.

JollyRancher

"Secure" is a question of threat profile and use case.

Take Signal as an example. It requires association with a phone number and the people who control its databases & infrastructure are under the jurisdiction of the US. Given probable cause, any law enforcement agency in the US can get a subpoena to require Signal to tell them if your phone number has a Signal account and the last time you used the app.

Contrast with SimpleX. No court order is going to associate a phone number with using SimpleX or the last time you used it because that information is never collected in the first place.

Whether or not any of that is relevant to a specific individuals use case, threat profile, or security concerns is a different matter.

Personally, I don't use Session but I haven't seen anything to indicate that is fundamentally insecure or flawed for most use cases and threat profiles.

graphik

Very logical and good answers. thank you

SovereignCopper

I don't get why people would even consider using an E2EE messenger that removed forward secrecy.

I don't like the tone or agree with all the conclusions of many of Soatok's blogs, but in the case of forward secrecy, they're definitely right.

argante

SovereignCopper In Session public key is the user ID. If your ID is going to be permanent, you can't have key rotation. Key rotation would require synchronization, which is difficult in a decentralized network. Nostr also has a permanent cryptographic ID. Briar has PFS, but the key rotation is every 29 days, I think, and one month of messages is stored in the database. So with PFS it's not like some people imagine, where we have rotation every few seconds. I don't have that much of a problem with PFS. I'm more concerned that the cryptography has been weakened.