• The Cuuuuube@beehaw.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      8 months ago

      Session has made some insecure solution surrounding important design elements like forward secrecy

        • ᗪᗩᗰᑎ@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          8 months ago

          For anyone considering Session messenger:


          The Session developers dropped Perfect Forward Secrecy because it would be hard to work around it.

          First things first, let’s talk about what we’re leaving behind: Perfect Forward Secrecy (PFS) and deniability.

          Source: https://getsession.org/session-protocol-explained

          In plain English, they dropped a security feature for their convenience to the detriment of their users’ security.

          For anyone unsure what PFS provides:

          The value of forward secrecy is that it protects past communication.

          Source: https://en.wikipedia.org/wiki/Forward_secrecy

          The Session devs also claim:

          Session provides protections against these types of threats in other ways — through fully anonymous account creation, onion routing, and metadata minimisation, for example.

          Reading between the lines, we can interpret that as introducing security through obscurity, which is generally considered bad practice - https://cwe.mitre.org/data/definitions/656.html

        • XNX@slrpnk.net
          link
          fedilink
          arrow-up
          1
          ·
          8 months ago

          The point is being able to communicate when the internet is shut off