PMUSR Has Session removed its PFS and why?
Yes, it was in December 2020.
Alleged reason: Signal Protocol was built to operate in a centralised environment.
The real reason: multi-device functionality was a top priority at the time, but could not be realised in the short term with PFS. So the chief developer at the time decided to do without PFS to reach the goal.
This difficulty can also be seen with the Threema devs, who have been working hard on this for years (!) and are now close to the finish line. Finally!
But: their beta version (iOS only, Android OS will follow later) still does not allow PFS.
See the blog post at getsession.org.
Extract - please read it in full if you are interested:
Quote:
Mission: Possible — Session Protocol
In Session’s case, our analysis has led us to a conclusion: the features we think will be most important for our users are best served by migrating Session to its own encryption protocol — the Session Protocol.
The Signal Protocol is great at what it does, and what it does is security — a whole lot of it. Session does security too, but the problem is that Session’s scope also includes a focus on anonymity and decentralisation. Now that Session is well-established and we’re working to add features, one issue keeps cropping up: the Signal Protocol simply wasn’t built to work this way. It was built to operate in a centralised environment, and we’ve been trying to shoehorn it into Session’s starkly different infrastructure. That’s where the Session Protocol comes in. This new protocol will let us improve stability and streamline the development of new features. Of course, nothing in life comes easy, and there are a few features that won’t join us on the next leg of this adventure. However, the benefits of the Session Protocol make this transition well worth it.
End of quote.