Session Private Messenger

anonimac · January 29, 2022, 9:56pm

Is it a good idea to use session messenger which is based on Lokinet inside Whonix or better not? Is this TOR over TOR?

Patrick · May 14, 2022, 2:31pm

That would be similar to:

It can most likely be used in Whonix:

(Whonix is based on Kicksecure.)

(But I am not saying (yet) that it should be. I haven’t researched Session enough yet. First impression however is very good.)

Patrick · May 17, 2022, 8:30am

github.com/oxen-io/session-desktop

session private messenger does not consider supply chain attacks yet?

opened 08:30AM - 17 May 22 UTC

closed 04:53AM - 03 Feb 23 UTC

adrelanos

help wanted

The copay wallet (hosted by bitpay, a big Bitcoin payment processing company) ha…d backdoor: <blockquote>If more than 100 BTC, steal it. Otherwise, don’t bother.</blockquote> sources: * https://www.synopsys.com/blogs/software-security/malicious-dependency-supply-chain/ * https://github.com/dominictarr/event-stream/issues/116 * https://github.com/dominictarr/event-stream/issues/116#issuecomment-441759047 How does session private messenger mitigate such issues supply chain attacks?

Patrick · May 17, 2022, 8:43am

nurmagoz · May 26, 2022, 1:05am

Session disabled forward secrecy:

github.com/oxen-io/session-desktop

Perfect forward secrecy

opened 10:35AM - 20 May 22 UTC

closed 05:36AM - 11 Aug 22 UTC

slrslr

1) "Session does [not](https://getsession.org/blog/session-protocol-technical-i…nformation) support perfect forward secrecy, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information." Source: https://www.privacyguides.org/real-time-communication/#session 2) "Does the app enforce perfect forward secrecy? No" Source: https://www.securemessagingapps.com Maybe Session does not collect significant amount of "sensitive information", yet can it be improved by having perfect forward secrecy? https://www.perfectforwardsecrecy.com/index.php https://www.signal.org/blog/asynchronous-security/

Has no support for wayland:

nurmagoz · June 2, 2022, 1:44am

github.com/oxen-io/session-desktop

Flawed path selection which effect anonymity

opened 11:46PM - 01 Jun 22 UTC

TNTBOMBOM

Clientside Security Discussion

**Describe the bug** Session use 3 nodes located on different areas which mak…es it hard to track who is using and where its going depend on the ends: (area = country = ISP) you -> X node in area 1 (know who you are) -> Y node in area 2 (doesnt know who you are, where are you going) -> Z node in area 3 (know where are you going but not who you are) -> Friend This is good if XYZ located on different areas of the world. But where it will be bad path? : If X and Z located in the same area then the whole 3 points of connections will be reduced to one: you -> X node in area 1 (know who you are) -> Y node in area 2 (doesnt know who you are, where are you going) -> Z node in area 1 (**know who are you and where are you going**) -> Friend So the 3 nodes can be drawn similar as this: you -> X node in area 1 (**know who are you and where are you going**) -> Friend **To Reproduce** Can bee seen from session path **Screenshots or Logs** ![session-path](https://user-images.githubusercontent.com/11895339/171519224-83a1804f-be1d-4462-8558-d32aceda5989.png) **Other information (please complete the following information):** * Device: PC * OS: Debian 11 * Session Version or Git commit hash: v 1.8.6 --------------- Wow getting wider: ![funnysessions](https://user-images.githubusercontent.com/11895339/206952786-69e28839-4fdb-4b9b-b0e5-53071ac24857.png)

nani · May 10, 2025, 9:05am

Session messenger is quite centralized - they can block your account without the ability to create a new one.

If we block your account for a breach of our Terms, you will not create another account without our permission.

And here are some interesting thoughts on Session and LokiNet:

Patrick · May 10, 2025, 11:23pm

I am not sure that follows. Maybe that text was written by lawyers. Or copied from somewhere. That certainly doesn’t sound nice. I would hope by that, they means a blocked account on their centralized project website getsession.org in case of opening a support request [1] (or perhaps a forum in the future or something). Or maybe their GitHub organisation.

You could ask them on GitHub for clarification.

[1] Submit a request – Session - English

nani · May 11, 2025, 10:07am

I sent them a message. I will post their response if they get back to me

Patrick · May 11, 2025, 10:09am

Probably best to ask on GitHub. That way it’s in public and their reply is verifiable for all readers, we can document and use their statement + hyperlink as a reference / evidence.

nani · May 11, 2025, 10:20am

I will wait for their response (they write “up to 48 hours”). Then, I will ask on github (or ask why nobody answered me and what’s going on)

nani · May 13, 2025, 5:32pm

I received a response from the support service. It seems you are right. They told me that account blocking is only possible in group chats.

nani · May 28, 2025, 1:04pm

taken from this forum Messengers in wiki - Website - Kicksecure Forums

nurmagoz · May 29, 2025, 4:59pm

Good read, thanks for sharing.

yeah the removal of PFS was a red flag which i posted here in 2022 (with other tickets), and from that time never looked back at session to be anything new or better.

nani · June 7, 2025, 2:13pm

Specialists from PrivacyGuides have removed Session and Element/Matrix from the list of recommended messengers The Best Private Instant Messengers - Privacy Guides. The main reason for the removal is the lack of forward secrecy:

These messengers do not have forward secrecy, and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of all past communications.

Old

Now

ps @Patrick, I will mention the problem of forward secrecy in the Matrix and Element sections and add a links in wiki Instant Messenger Chat. And I will remove the duplicate mention of CVE in the Matrix section.