The Session developers are interesting. But I don’t recommend anybody use Session.
They took the Signal protocol, and removed perfect forward secrecy because they found it hard to implement.
That’s crazy.
Also all of the file transfers on Session go through servers in Canada. Centralized.
I give them kudos for trying to make the network self-sustainable through their crypto thing, but they never found a way to actually monetize it, there’s no paper use, it feels like the idea is kind of dead in the water at this point. I would not recommend Session for any serious non-experimental usage.
Is there a feature request to add PFS again?
https://getsession.org/session-protocol-technical-information
Nope. Whenever anybody asks them, they refer to this and close the ticket.
I find their technical rationale, while welcome, a lot of hand waving to say they couldn’t figure out how to implement it, but it was not important because it’s not a big threat, because if somebody has the device they can get all the messages on the device anyway…
Losing perfect forward secrecy for “simpler code” is a strong design choice they made. I respect them for documenting this, I wish them the best of success, but that’s not a trade-off I’m willing to make for no benefit.