I'm aware that Session has been discussed twice before on this community, but the last thread was 6 months old so excuse my starting a new one.
There's one big concern I wanted to bring up, which is the disagreements over whether it has forward secrecy. The spec says it does, but I've found two other sources saying it doesn't:
https://restoreprivacy.com/secure-encrypted-messaging-apps/session/ (search for "Perfect Forward Secrecy removed") https://www.securemessagingapps.com
Why are they saying this? Is there a critical caveat to Session's forward secrecy (does it not have it in closed groups?), or are both sources just wrong?
(I've also heard one source say its closed groups are limited to 10 members, which would be a showstopper for me, and another source say they're limited to 100, and the spec says 500, so I don't know what to believe.)
I'm also concerned about it being built on top of a blockchain and cryptocurrency, not because I'm suspicious of cryptocurrency in general but because I find it difficult to understand, and because the fact that it costs thousands of dollars to run a Session node seems to me like the network is bound to be owned exclusively by a few rich companies and investors. Is it? Is there a place I can see who owns how much of it, particularly how much is owned by the Oxen developers?
UPDATE: I believe I've just learned that Session DOES NOT have forward secrecy or deniability; the whitepaper linked on their CURRENT website is outdated. https://getsession.org/blog/session-protocol-technical-information
btw, at least one of the developers is connected with the alt-right scene
https://nitter.net/WPalant/status/1281578526932705281
So I've heard, but if the software doesn't give such developers control over us (or does so to a lesser extent than its alternatives), that doesn't really matter to me. If bad people want to write tools that good people can take advantage of, let them.
Mhh, I don't see it like this. Open source is much more than the finished "product"; there is a community around it, they have a YouTube channel, social media channels. The developers get more attention if the messenger is more used.
Good point.
There was this post a while ago on lemmy.ml, where the CTO at Oxen came in as well.
The CTO lied and said they didn't have any connection to 8kun, while
It's a very interesting thread to say the least.
Sadly it's just in German, but around minute 27 they speak about Lokinet https://media.ccc.de/search/?q=lets+play+infokrieg
Seems the alt-right developer for Lokinet has been told to cut that shit out. And he's apparently not connected to Session's development directly. Just some possible okay news lol.
Very interesting though, hadn't heard of that.
Do you have a source for this? And Session, Oxen and Lokinet are the same company.
I found it by looking around that thread, where the OP tweeted that they had responded. I'll try to find the exact link when I get home, but they said he wasn't neurotypical and didn't understand, which I don't really believe because he didn't say racist things on Twitter, but I also don't have experience with that.
And I just meant that he wasn't directly working on Session, but does develop other projects.
yikes, just uninstalled it
I mean, at the end everyone has to decide for themselves. I also tried Session and found it really interesting. But then I found this, and for me that means that I don't wanna use or support this project at all. And if people read this and say "I still wanna use it" then just do it. But then you at least know what's going on there.
https://nitter.net/WPalant/status/1281540005190672384
Is the developer really connected to the "alt-right", or connected with free speech?
In the video they speak about alt-right. I mean, what's also a bit weird for me is: if I as a company were accused of having these connections to the alt-right, but it's just the users of my services that have these connections and I can't control it, I still could put out a statement. Like the devs from Mastodon. There it's also the case that their open source software is used by Gab and now Trump's social network, but they found a way to make me trust that they really don't like what's happening with their software. With Session I don't have that feeling. Correct me if there is information that the dev is not working there anymore because of the connections.
So? Who cares? What has your comment anything to do with software? The most upvoted comment on a software post is some political whining. Why should anyone care about what devs are doing in their personal life? I didn't see that level of criticism when Tusky devs blocked gab.com in the app for ideological reasons, which is actually very concerning. Seriously, what the hell is wrong with you?
You can't separate people from their products.
You can, you have to do it. When someone's doing software, ask yourself software related questions. You just can't go with "this guy's a Trump supporter" or "this guy's a communist". Just forget about it as long as the software doesn't reflect those facts (you should never have or care about that information in the first place). Stop politicizing software, stick to the technical aspect of it. Imagine science like "this paper is brilliant… but it's from someone tied to a political scene we don't support, so we'll just ignore it". How stupid is this?
That's happening a lot and some circles like to p-hack their way to success. You can't completely separate the author from their work.
Also if on the basis of that science they are going to be in a powerful position (leading a project), that should be criticized.
I don't really like cryptos at all, they're way too laissez-faire/anarcho-capitalist for me, and not to mention the energy consumption, but let's talk about them for a minute. I want to write down some thoughts. I have 0 crypto holdings, but I researched them a bit recently; it's good to be informed.
Apparently, Oxen is a fork of Monero, which is apparently an almost fully private crypto. I'm all for privacy of information, knowledge and messages, but I don't think money aka power should be private. Incredibly bad for democracy, not to mention it goes against the idea of taxation. This is pretty much a deal breaker for me for a messenger that would strive to become mainstream and challenge the big tech oligopolies.
If a piece of software like this wants to use crypto, it should be a crypto that's private only for small transactions (think, nobody needs to know you bought that candy, or that laundry detergent; I'm fine with the privacy of small purchases, in fact I think it's good) but any transaction above a certain threshold should be public. In a crypto, this limit can be "voted" on, which is great, and I think in newer ones, like Polkadot, it doesn't even require a hard fork.
Also, while we're on the topic, I'd love it if a crypto had in-built "taxation" within the system itself, that takes a reasonable amount of money from big transactions or even wallets, divides it and distributes it randomly to other users. As it is now, crypto is essentially just a "make the rich richer/increase the wealth gap" kind of thing, even more than normal money is, plus it's a global casino/gambling on top, which also has the same end results. It's hard for me to enthusiastically get behind it. Btw, I'm not surprised a "socialist" crypto like this hasn't been created yet, the incentives and the type of crowd are just not there, but I would be surprised if it doesn't get created eventually.
Secondly, the energy consumption. Apparently, Solana is a crypto that uses a new "proof of history" method (as opposed to proof of work or stake) that uses at least 1000 times less energy than Bitcoin, and maybe even many more orders of magnitude less (1), and doesn't suffer from the types of centralisation of power that happen with proof of work or even proof of stake. It's apparently like a normal server in terms of energy consumption. If Session used this type of crypto I'd be more open to it.
As it is, I just don't know what the purpose of Session is. An attempt to create a private mainstream messenger? Can't really support it, at least that's how I feel about it, in its current form. A fully private messenger for extreme cases, like journalists or something? There's Briar for that, without the iffiness of crypto.
You might be interested in GNU Taler. I heard Stallman talking about it in some podcast about Monero (I think Monero Talk). He was saying it's being designed to be private for payers, but not payees, for tax purposes.
It was a dreadful listen though. The host just wanted RMS's stamp of approval, kept trying to get him to say he liked Monero; and Stallman is the absolute worst, most obtuse podcast guest I've ever listened to lol.
A bit of this sounds like FreeCoin from Dyne ORG.
We probably aren't going to agree here because undermining democracy and taxation is music to my ears :P
Though to be fair, I find your vision of taxation enforced by technology and given directly to poorer users, rather than enforced by the state and given to the state, to be quite appealing.
As for Briar, I looked into it some time ago and came away thinking I would switch to it (away from Matrix) if it weren't Android-only. Requiring a phone is a deal breaker for me.
Another way of saying that is that democracy is great for the majority, but bad for the minority. Not everyone wants to labor for something they don't want or believe. Cryptocurrency is about freedom.
Nobody wants to labor for something they don't want or believe.
Democracy is about giving as many people as much freedom as possible, while putting emphasis and primacy on giving additional freedom to those with the least of it, first. It's about leveling the playing field. It's about compromise. It's about everyone. But you can't please everyone. Hence, reasonable compromises.
Private money (crypto or not) is not; it's about giving more freedom to the select few, the rich. Being more poor than you deserve (common in unregulated taxless capitalism) robs you of your freedom. When there are multiple agents in a limited space, freedom is a limited resource. This is true with any group of people, abstract or literal, you can't move. Money is freedom; undeserved and unfairly extra money is undeserved and unfairly extra freedom. Private money is not about fair freedom.
Democracy is not about tyranny of the majority; fair democracies have protections for minorities infused into their cores. And that's why in functioning democracies the rich get taxed.
How is cryptocurrency about freedom? What freedom does it grant me?
The freedom to not have your money controlled by state and/or capitalist institutions such as banks and payment processors. This is actually a huge deal IMO. With traditional fiat currency, you are completely at the mercy of every financial institution you deal with - your bank account can be closed or locked or your money seized by the government, and every time you buy anything with a bank card you're really giving the merchant full access to all your money and just hoping they don't abuse it. And they do. Who hasn't had experiences having illegitimate charges appear in your account history, struggling to figure out how to cancel a subscription before the corporation charges you again without consent, or being charged more money at a store than you were told it would be and not realizing it until it was too late? Cryptocurrency has issues, but the fact that it gives you control of your own money is very important to me.
The same thing is true with cryptocurrency though? Most people have their cryptobucks at a wallet that sits at an exchange? Which then has the same drawbacks as a bank.
I don't know if it's true that "most people" have their cryptobucks in custodial wallets, but the point of cryptocurrency is that you don't need to do that. You can pay online using a wallet you control (and I have done so), which is impossible with traditional currency.
What cryptocurrency that's properly decentralized can handle enough transactions for it to be useful?
I think having democratic control (via the state) over the money is pretty important. Also cash has a lot of advantages as well.
The state is the greatest enemy of human freedom and peace, so I will withdraw from this thread.
Are you anti-government? I don't like states as well; I meant to say government.
Of course, I am an anarchist! Though I am curious what distinction you're drawing between states and governments.
I think that a local government of people who are appointed by the people to do something specific would be viable in an anarchist society. To me the point is that these people can't make broad decisions on their own; they have to be sent with an assignment.
This sounds exactly like the typical rhetoric shared by socdems and constitutionalists: saying that the government is "appointed by the people", when in fact every official or law supported by some of the people is opposed by the rest of the people.
This seems too vague to be a meaningful difference. What is a "broad" decision? What sort of assignment will they be "sent" with? What exactly can these people do, and what happens if some of the people don't like their decision?
Most anarchist societies that I have read about did have some kind of assemblies? And since not everyone will go there, people are sent. That's a governmental structure.
How else would you organize a society? For example housing? There is need for organization in a society. In an organization there are governmental decisions that need to be made. Not top-down, but bottom-up.
Um, you didn't really answer any of my questions. You just added more vague statements like "there is need for organization in a society" and "not top-down, but bottom-up".
Yes, you'll have to find a compromise. Peer-to-peer negotiation is strenuous and offers no guarantee that you'll come to any agreement at all. But what do you propose should be done if you can't reach a compromise? Is the assembly going to pick one and force both of you to accept it? Also, who is on this assembly? How are they appointed? You can't just say there should be an assembly that helps you reach a compromise and leave it at that.
It's my understanding Session doesn't do PFS because in order to do that kind of attack the attacker would need to have access to the device. And if the attacker has access to the device, then PFS isn't going to be a benefit.
I don't understand why apps/messengers have a relationship with blockchain/cryptocurrency either (so I am guessing). I'm not sure cryptocurrencies are really blockchains, and blockchains are really just protocols, and messengers are using the protocol. Sometimes blockchains sound like a method/protocol for storing data in a distributed network.
Or perhaps saying it this way: you can do multiple things with a blockchain, and cryptocurrency is just one of those things. So if an app/platform is going to use a blockchain, they can easily leverage the blockchain protocol for other things (currency, storage, transactions, messages, distributed apps, etc).
Damn. If Session really doesn't do PFS then I definitely won't be telling my friends to switch away from Matrix for it. It's true that PFS only matters if the attacker compromises a private key, but it is a really important property that a key or device compromise at some point doesn't compromise all previous messages.
Latacora's takedown of PGP has a good explanation of why this is so important:
But if it's true that Session doesn't do PFS, then why does the spec say it does? Can someone tag a developer?
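The property argued over in the post above (a key or device compromise at one point in time must not expose earlier messages) is easiest to see with a minimal hash ratchet. The following is an added, constructed illustration written for this thread; it is not Session's, Signal's or Oxen's code, and the toy SHA-256 keystream stands in for a real AEAD cipher. It sends three messages through a one-way key chain, snapshots the sender's state between messages two and three as if a device had been imaged at that moment, and compares what that snapshot can decrypt against a scheme that reuses one long-lived key.

```python
import hashlib
import hmac

# Constructed demonstration of a symmetric hash ratchet, the one-way key chain
# that gives a messenger forward secrecy. Illustrative code for this thread,
# not any messenger's real implementation.


def ratchet_step(chain_key):
    """Advance the chain by one message.

    Both outputs are HMAC-SHA256 over the current chain key: they are cheap to
    derive from it, but the current chain key cannot be recovered from them.
    That one-wayness is the whole source of forward secrecy here.
    """
    next_chain_key = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    return next_chain_key, message_key


def keystream(key, length):
    """Toy SHA-256 counter-mode keystream (stand-in for a real AEAD)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class RatchetSender:
    """Holds only the *current* chain key; every used message key is dropped."""

    def __init__(self, root_key):
        self.chain_key = root_key
        self.counter = 0

    def encrypt(self, plaintext):
        self.chain_key, message_key = ratchet_step(self.chain_key)
        self.counter += 1
        return self.counter, xor_bytes(plaintext, keystream(message_key, len(plaintext)))


def decrypt_with_state(chain_key, state_counter, ciphertexts):
    """What someone holding the chain key that was current after
    `state_counter` messages can recover. Returns {counter: plaintext or None}.

    The legitimate recipient starts from the root key (state_counter == 0)
    and reads everything. A later snapshot can only be stepped *forward*, so
    messages sent before the snapshot come back as None.
    """
    recovered, derived_keys = {}, {}
    ck, n = chain_key, state_counter
    for counter, ct in sorted(ciphertexts):
        while n < counter:
            ck, mk = ratchet_step(ck)
            n += 1
            derived_keys[n] = mk
        mk = derived_keys.get(counter)
        recovered[counter] = None if mk is None else xor_bytes(ct, keystream(mk, len(ct)))
    return recovered


def static_message_key(key, counter):
    """Contrast case with no ratchet: one long-lived key, per-message key = HMAC(key, counter)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()


def static_encrypt(key, counter, plaintext):
    return counter, xor_bytes(plaintext, keystream(static_message_key(key, counter), len(plaintext)))


def static_decrypt(key, ciphertexts):
    # Whoever obtains the long-lived key at any time reads every message, past and future.
    return {c: xor_bytes(ct, keystream(static_message_key(key, c), len(ct))) for c, ct in ciphertexts}


def demo():
    """Returns (recipient_view, attacker_view_ratchet, attacker_view_static)."""
    root_key = hashlib.sha256(b"constructed shared secret for this demo").digest()  # constructed value
    messages = [b"first message", b"second message", b"third message"]

    sender = RatchetSender(root_key)
    c1 = sender.encrypt(messages[0])
    c2 = sender.encrypt(messages[1])
    captured = (sender.chain_key, sender.counter)  # device state captured between messages 2 and 3
    c3 = sender.encrypt(messages[2])
    transcript = [c1, c2, c3]

    recipient_view = decrypt_with_state(root_key, 0, transcript)
    attacker_view = decrypt_with_state(captured[0], captured[1], transcript)

    static_transcript = [static_encrypt(root_key, i, m) for i, m in enumerate(messages, 1)]
    attacker_static_view = static_decrypt(root_key, static_transcript)
    return recipient_view, attacker_view, attacker_static_view


if __name__ == "__main__":
    for label, view in zip(("recipient", "attacker (ratchet)", "attacker (static key)"), demo()):
        print(label, view)
```

With the ratchet, the captured state yields only message three; messages one and two are gone because the chain keys that produced them were overwritten and cannot be inverted. The static-key scheme hands the same attacker the full history, which is the failure the post above is worried about. Real protocols add a Diffie-Hellman ratchet on top so that future messages are protected again once the compromise ends; this toy chain only shows the backward direction.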
@KeeJef@lemmy.eus seems to be the CTO of Session based on other threads
Unfortunately they use both Cloudflare and Electron. EDIT: Electron article uses Cloudflare so I linked to wayback machine instead
To be fair, Signal's desktop client also relies on Electron.
The "tu quoque" argument doesn't count. Just because your neighbor hits their wife, you shouldn't do the same.
That is not my argument. My argument is that you cannot recommend Signal while rejecting Session for an issue that they both have.
fast mode and slow mode…
Can you elaborate?