Session | Send Messages, Not Metadata. | Private Messenger
getsession.org
external-link
Session is a private messenger that aims to remove any chance of metadata collection by routing all messages through an onion routing network.

I’m aware that Session has been discussed twice before on this community, but the last thread was 6 months old so excuse my starting a new one.

There’s one big concern I wanted to bring up, which is the disagreements over whether it has forward secrecy. The spec says it does, but I’ve found two other sources saying it doesn’t:

https://restoreprivacy.com/secure-encrypted-messaging-apps/session/ (search for “Perfect Forward Secrecy removed”) https://www.securemessagingapps.com

Why are they saying this? Is there a critical caveat to Session’s forward secrecy (does it not have it in closed groups?), or are both sources just wrong?

(I’ve also heard one source say its closed groups are limited to 10 members which would be a showstopper for me and another source say they’re limited to 100 and the spec says 500 so i don’t know what to believe.)

I’m also concerned about it being built on top of a blockchain and cryptocurrency, not because I’m suspicious of cryptocurrency in general but because I find it difficult to understand, and because that it costs thousands of dollars to run a Session node seems to me like the network is bound to be owned exclusively by a few rich companies and investors. Is it? Is there a place I can see who owns how much of it, particularly how much is owned by the Oxen developers?

UPDATE: I believe I’ve just learned that Sesison DOES NOT have forward secrecy or deniability; the whitepaper linked on their CURRENT website is outdated. https://getsession.org/blog/session-protocol-technical-information

btw, at least one of the developers is connected with the alt-right scene

https://nitter.net/WPalant/status/1281578526932705281

@Yujiri@lemmy.ml
creator
link
fedilink
39 hilabete

So I’ve heard, but if the software doesn’t give such developers control over us (or does so to a lesser extent than its alternatives), that doesn’t really matter to me. If bad people want to write tools that good people can take advantage of, let them.

mhh i dont see it like this. open source is much more then the finished “product” there is a communitie around, they have a youtube channel, social media channels. the developers get more attention if the messenger is more used.

@Yujiri@lemmy.ml
creator
link
fedilink
29 hilabete

Good point.

@sexy_peach@feddit.de
link
fedilink
29 hilabete

There was this post a while ago on lemmy.ml, where the CTO at oxen came in as well.

The CTO lied and said they didn’t have any connection to 8kun, while

But some Loki staff may have advised 8kun administrators “to a limited extent”, he said, and provided some help to users hoping to access it.

It’s a very interesting thread to say the least.

sadly just in german, but around minute 27 they speak about lokinet https://media.ccc.de/search/?q=lets+play+infokrieg

Jack
link
fedilink
29 hilabete

Seems the alt-right developer for Lokinet has been told to cut that shit out. And he’s apparently not connected to Session’s development directly. Just some possible okay news lol.

Very interesting though, hadn’t heard of that.

do you have a source for this? and session, oxen and lokinet are the same companie

Jack
link
fedilink
19 hilabete

I found it by looking around that thread, where the OP tweeted that they had responded. I’ll try to find the exact link when I get home, but they said he wasn’t neurotypical and didn’t understand, which I don’t really believe because he didn’t say racist things on Twitter, but I also don’t have experience with that.

And I just meant that he wasn’t directly working on session, but does develop other projects

@p_the_redditor@lemmy.ml
link
fedilink
19 hilabete

yikes, just uninstalled it

i mean at the end everyone has decide for themselve. i also tried session and found it really interesting. but then i found this and for me that means that i dont wanna use or support this project at all. and if people read this and say “i still wanna use it” then just do it. but then you at least know whats going on there

@Lynda@lemmy.ml
link
fedilink
09 hilabete

Is the developer really connected to the “alt-right”, or connected with free speech?

@schnuppikarotti@lemmy.ml
link
fedilink
1
edit-2
9 hilabete

in the video they speak about alt right. i mean whats also a bit weird for me is, if i would be accused as company to have this connections to alt right. but its just the users of my services that have this connections and i cant control it. i still could put out a statement. like the devs from mastodon. their its also that their open source software is used by gab and now trump social. but their find a way that i trust them that they really dont like whats happing with their software. with session i dont have the feeling. correct me if their are informationen that the dev is not working their anymore because of the connections

RandomSomeone
link
fedilink
-1
edit-2
9 hilabete

So? Who cares? What has your comment anything to do with software? The most up voted comment on a software post is some political whining. Why should anyone care about what devs are doing in their personal life? I didn’t see that level of criticism when Tusky devs blocked gab.com in the app for ideological reasons, which is actually very concerning. Seriously, what the hell is wrong with you?

@Helix@feddit.de
link
fedilink
29 hilabete

You can’t separate people from their products.

RandomSomeone
link
fedilink
39 hilabete

You can, you have to do it. When someone’s doing software, ask yourself software related questions. You just can’t go with “this guy’s Trump supporter” or “this guy’s a communist”. Just forget about it as long as the software doesn’t reflect those facts (you should never have or care about that information in the first place). Stop politicizing software, stick to the technical aspect of it. Imagine science like “this paper is brilliant… but it’s from someone tied to a political scene we don’t support, so we’ll just ignore it”. How stupid is this?

@Helix@feddit.de
link
fedilink
29 hilabete

Imagine science like “this paper is brilliant… but it’s from someone tied to a political scene we don’t support, so we’ll just ignore it”. How stupid is this?

That’s happening a lot and some circles like to p-hack their way to success. You can’t completely separate the author from their work.

@sexy_peach@feddit.de
link
fedilink
19 hilabete

Also if on the basis of that science they are going to be in a powerful position (leading a project), that should be criticized.

@zksmk@lemmy.ml
link
fedilink
7
edit-2
9 hilabete

I don’t really like cryptos at all, they’re way too laissez-faire/anarcho-capitalist for me, and not to mention the energy consumption, but let’s talk about them for a minute. I want to write down some thoughts. I have 0 crypto holdings, but I researched them a bit recently, it’s good to be informed.

Apparently, Oxen is a fork of Monero, which is apparently an almost fully private crypto. I’m all for privacy of information, knowledge and messages but I don’t think money aka power should be private. Incredibly bad for democracy, not to mention it goes against the idea of taxation. This is pretty much a deal breaker for me for a messenger that would strive to become mainstream and challenge the big tech oligopolies.

If a piece of software like this wants to use crypto, it should be a crypto that’s private only for small transactions (think, nobody needs to know you bought that candy, or that laundry detergent, I’m fine with the privacy of small purchases, in fact I think it’s good) but any transaction above a certain threshold should be public. In a crypto, this limit can be “voted” on, which is great, and I think in newer ones, like Polkadot, it doesn’t even require a hard fork.

Also, while we’re on the topic, I’d love if a crypto had in-built ”taxation” within the system itself, that takes a reasonable amount of money from big transactions or even wallets, divides it and distributes it randomly to other users. As it is now, crypto is essentially just a ”make the rich richer/increase the wealth gap” kind of thing, even more than normal money is, plus it’s a global casino/gambling on top, which also has the same end results. It’s hard for me to enthusiastically get behind it. Btw, I’m not surprised a "socialist” crypto like this hasn’t been created yet, the incentives and the type of crowd is just not there, but I would be surprised if it doesn’t get created eventually.

Secondly, the energy consumption. Apparently, Solana is a crypto that uses a new “proof of history” method (as opposed to proof of work or stake) that uses at least a 1000 times less energy than Bitcoin, and maybe even many more orders of magnitude less (1) and doesn’t suffer from the types of centralisation of power that happen with proof of work or even proof of stake. It’s apparently like a normal server in terms of energy consumption. If Session used this type of crypto I’d be more open to it.

As it is, I just don’t know what’s the purpose of Session. An attempt to create a private mainstream messenger? Can’t really support it, at least that’s how I feel about it, in its current form. A fully private messenger for extreme cases, like journalists or something? There’s Briar for that, without the iffiness of crypto.

Jack
link
fedilink
79 hilabete

You might be interested in GNU Taler. I heard Stallman talking about it in some podcast about Monero (I think Monero Talk). He was saying it’s being designed to be private for payers, but not payees, for tax purposes.

It was a dreadful listen though. The host just wanted RMS’s stamp of approval, kept trying to get him to say he liked Monero; and Stallman is the absolute worst, most obtuse podcast guest I’ve ever listened to lol.

@Echedenyan@lemmy.ml
link
fedilink
39 hilabete

A bit of this sounds like FreeCoin from Dyne ORG.

@Yujiri@lemmy.ml
creator
link
fedilink
09 hilabete

Apparently, Oxen is a fork of Monero, which is apparently an almost fully private crypto. I’m all for privacy of information, knowledge and messages but I don’t think money aka power should be private. Incredibly bad for democracy, not to mention it goes against the idea of taxation. This is pretty much a deal breaker for me for a messenger that would strive to become mainstream and challenge the big tech oligopolies.

We probably aren’t going to agree here because undermining democracy and taxation is music to my ears :P

Though to be fair, I find your vision of taxation enforced by technology and given directly to poorer users rather than enforced by the state and given to the state, to be quite appealing.

As for Briar, I looked into it some time ago and came away thinking I would switch to it (away from Matrix) if it weren’t Android-only. Requiring a phone is a deal breaker for me.

@Lynda@lemmy.ml
link
fedilink
0
edit-2
9 hilabete

bad for democracy

Another way of saying that is that democracy is great for the majority, but bad for the minority. Not everyone wants to labor for something they don’t want or believe. Cryptocurrency is about freedom.

@zksmk@lemmy.ml
link
fedilink
29 hilabete

Not everyone wants to labor for something they don’t want or believe.

Nobody wants to labor for something they don’t want or believe.

Democracy is about giving as many people as much freedom as possible, while putting emphasis and primacy on giving additional freedom to those with the least of it, first. It’s about leveling the playing field. It’s about compromise. It’s about everyone. But you can’t please everyone. Hence, reasonable compromises.

Private money (crypto or not) is not, it’s about giving more freedom to the select few, the rich. Being more poor than you deserve (common in unregulated taxless capitalism), robs you of your freedom. When there’s multiple agents in a limited space, freedom is a limited resource. This is true with any group of people, abstract or literal, you can’t move. Money is freedom, underserved and unfairly extra money is underserved and unfairly extra freedom. Private money is not about fair freedom.

Democracy is not about tyranny of the majority, fair democracies have protections for minorities infused into their cores. And that’s why in functioning democracies the rich get taxed.

@sexy_peach@feddit.de
link
fedilink
29 hilabete

How is cryptocurrency about freedom. What freedom does it grant me?

@Yujiri@lemmy.ml
creator
link
fedilink
49 hilabete

The freedom to not have your money controlled by state and/or capitalist institutions such as banks and payment processors. This is actually a huge deal IMO. With traditional fiat currency, you are completely at the mercy of every financial institution you deal with - your bank account can be closed or locked or your money seized by the government, and every time you buy anything with a bank card you’re really giving the merchant full access to all your money and just hoping they don’t abuse it. And they do. Who hasn’t had experiences having illegitimate charges appear in your account history, struggling to figure out how to cancel a subscription before the corporation charges you again without consent, or charged more money at a store than you were told it would be and not realizing it until it was too late? Cryptocurrency has issues, but the fact that it gives you control of your own money is very important to me.

@sexy_peach@feddit.de
link
fedilink
29 hilabete

The same thing is true with cryptocurrency though? Most people have their cryptobucks at a wallet that sits at an exchange? Which then has the same drawbacks as a bank.

@Yujiri@lemmy.ml
creator
link
fedilink
39 hilabete

I don’t know if it’s true that “most people” have their cryptobucks in custodial wallets, but the point of cryptocurrency is that you don’t need to do that. You can pay online using a wallet you control (and I have done so), which is impossible with traditional currency.

@sexy_peach@feddit.de
link
fedilink
29 hilabete

What cryptocurrency that’s properly decentralized can handle enough transactions for it to be useful?

I think having democratic control (via the state) over the money is pretty important. Also cash has a lot of advantages as well.

@Yujiri@lemmy.ml
creator
link
fedilink
29 hilabete

The state is the greatest enemy of human freedom and peace, so I will withdraw from this thread.

@sexy_peach@feddit.de
link
fedilink
29 hilabete

Are you anti government? I don’t like states as well, I meant to say government.

@Yujiri@lemmy.ml
creator
link
fedilink
29 hilabete

Of course, I am an anarchist! Though I am curious what distinction you’re drawing between states and governments.

@sexy_peach@feddit.de
link
fedilink
29 hilabete

I think that a local government of people who are appointed by the people to do something specific would be viable in an anarchist society. To me the point is that these people can’t make broad decisions on their own, they have to be sent with an assignment.

@Yujiri@lemmy.ml
creator
link
fedilink
19 hilabete

This sounds exactly like the typical rhetoric shared by socdems and constitutionalists: saying that the government is “appointed by the people”, when in fact every official or law supported by some of the people is opposed by the rest of the people.

To me the point is that these people can’t make broad decisions on their own, they have to be sent with an assignment.

This seems too vague to be a meaningful difference. What is a “broad” decision? What sort of assignment will they be “sent” with? What exactly can these people do, and what happens if some of the people don’t like their decision?

@sexy_peach@feddit.de
link
fedilink
29 hilabete

Most anarchist societies that I have read about did have some kind of assemblies? And since not everyone will go there, people are sent. That’s a governmental structure.

What exactly can these people do, and what happens if some of the people don’t like their decision? What if I don’t like how my neighbors re shape our street in an anarchist society? We have to find some kind of compromise. Same with decisions that are made by an assembly. You don’t have to make the compromise with the assembly but with the people who sent them.

How else would you organize a society? For example housing? There is need for organization in a society. In an organization there are governmental decisions that need to be made. Not top-down, but bottom up.

@Yujiri@lemmy.ml
creator
link
fedilink
19 hilabete

Um, you didn’t really answer any of my questions. You just added more vague statements like “there is need for organization in a society” and “not top-down, but bottom up”.

What if I don’t like how my neighbors re shape our street in an anarchist society? We have to find some kind of compromise.

Yes, you’ll have to find a compromise. Peer-to-peer negotitation is strenuous and offers no guarantee that you’ll come to any agreement at all. But what do you propose should be done if you can’t reach a compromise? Is the assembly going to pick one and force both of you to accept it? Also, who is on this assembly? How are they appointed? You can’t just say there should be an assembly that helps you reach a compromise and leave it at that.

@Lynda@lemmy.ml
link
fedilink
59 hilabete

It’s my understanding Session doesn’t do PFS because in order to do that kind of attack the attacker would need to have access to the device. And if the attacker has access to the device, then PFS isn’t going to be a benefit.

I don’t understand why apps/messengers have a relationship with blockchain/cryptocurrency either. (so I am guessing). I’m not sure cryptocurrencies are really blockchains, and blockchains are really just protocols, and messengers are using the protocol. Sometimes blockchains sounds like a method/protocol for storing data in a distributed network.

Or perhaps saying it this way: you can do multiple things with a blockchain, and cryptocurrency is just one of those things. So if an app/platform is going to use a blockchain, they can easily leverage the blockchain protocol for other things (currency, storage, transactions, messages, distributed apps, etc).

@Yujiri@lemmy.ml
creator
link
fedilink
19 hilabete

Damn. If Session really doesn’t do PFS then I definitely won’t be telling my friends to switch away from Matrix for it. It’s true that PFS only matters if the attacker compromises a private key, but it is a really important property that a key or device compromise at some point doesn’t comrpomise all previous messages.

Latacora’s takedown of PGP has a good explanation of why this is so important:

In modern cryptography engineering, we assume our adversary is recording everything, into infinite storage. PGP’s claimed adversaries include world governments, many of whom are certainly doing exactly that. Against serious adversaries and without forward secrecy, breaches are a question of “when”, not “if”.

But if it’s true that Session doesn’t do PFS, then why does the spec say it does? Can someone tag a developer?

@Yujiri@lemmy.ml
creator
link
fedilink
19 hilabete

@KeeJef@lemmy.eus seems to be the CTO of Session based on other threads

@ziproot@lemmy.ml
link
fedilink
3
edit-2
9 hilabete

Unfortunately they use both Cloudflare and Electron. EDIT: Electron article uses Cloudflare so I linked to wayback machine instead

@Yujiri@lemmy.ml
creator
link
fedilink
19 hilabete

To be fair Signal’s desktop client also relies on electron

@Helix@feddit.de
link
fedilink
09 hilabete

The “tu quoque” argument doesn’t count. Just because your neighbor hits their wife, you shouldn’t do the same.

@Yujiri@lemmy.ml
creator
link
fedilink
09 hilabete

That is not my argument. My argument is that you cannot recommend Signal while rejecting Session for an issue that they both have.

@Vera9@lemmy.ml
link
fedilink
19 hilabete

fast mode and slow mode…

@Yujiri@lemmy.ml
creator
link
fedilink
29 hilabete

Can you elaborate?

@Echedenyan@lemmy.ml
link
fedilink
1
edit-2
9 hilabete

deleted by creator

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 20 users / day
  • 43 users / week
  • 111 users / month
  • 410 users / 6 months
  • 13 subscribers
  • 1.72K Posts
  • 8.31K Comments
  • Modlog