Session Private Messenger

anonimac · January 29, 2022, 9:56pm

Is it a good idea to use session messenger which is based on Lokinet inside Whonix or better not? Is this TOR over TOR?

Patrick · May 14, 2022, 2:31pm

That would be similar to:

It can most likely be used in Whonix:

(Whonix is based on Kicksecure.)

(But I am not saying (yet) that it should be. I haven’t researched Session enough yet. First impression however is very good.)

Patrick · May 17, 2022, 8:30am

github.com/oxen-io/session-desktop

session private messenger does not consider supply chain attacks yet?

opened 08:30AM - 17 May 22 UTC

closed 04:53AM - 03 Feb 23 UTC

adrelanos

help wanted

The copay wallet (hosted by bitpay, a big Bitcoin payment processing company) ha…d backdoor: <blockquote>If more than 100 BTC, steal it. Otherwise, don’t bother.</blockquote> sources: * https://www.synopsys.com/blogs/software-security/malicious-dependency-supply-chain/ * https://github.com/dominictarr/event-stream/issues/116 * https://github.com/dominictarr/event-stream/issues/116#issuecomment-441759047 How does session private messenger mitigate such issues supply chain attacks?

Patrick · May 17, 2022, 8:43am

nurmagoz · May 26, 2022, 1:05am

Session disabled forward secrecy:

github.com/oxen-io/session-desktop

Perfect forward secrecy

opened 10:35AM - 20 May 22 UTC

closed 05:36AM - 11 Aug 22 UTC

slrslr

1) "Session does [not](https://getsession.org/blog/session-protocol-technical-i…nformation) support perfect forward secrecy, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information." Source: https://www.privacyguides.org/real-time-communication/#session 2) "Does the app enforce perfect forward secrecy? No" Source: https://www.securemessagingapps.com Maybe Session does not collect significant amount of "sensitive information", yet can it be improved by having perfect forward secrecy? https://www.perfectforwardsecrecy.com/index.php https://www.signal.org/blog/asynchronous-security/

Has no support for wayland:

nurmagoz · June 2, 2022, 1:44am

github.com/oxen-io/session-desktop

Flawed path selection which effect anonymity

opened 11:46PM - 01 Jun 22 UTC

TNTBOMBOM

Clientside Security Discussion

**Describe the bug** Session use 3 nodes located on different areas which mak…es it hard to track who is using and where its going depend on the ends: (area = country = ISP) you -> X node in area 1 (know who you are) -> Y node in area 2 (doesnt know who you are, where are you going) -> Z node in area 3 (know where are you going but not who you are) -> Friend This is good if XYZ located on different areas of the world. But where it will be bad path? : If X and Z located in the same area then the whole 3 points of connections will be reduced to one: you -> X node in area 1 (know who you are) -> Y node in area 2 (doesnt know who you are, where are you going) -> Z node in area 1 (**know who are you and where are you going**) -> Friend So the 3 nodes can be drawn similar as this: you -> X node in area 1 (**know who are you and where are you going**) -> Friend **To Reproduce** Can bee seen from session path **Screenshots or Logs** ![session-path](https://user-images.githubusercontent.com/11895339/171519224-83a1804f-be1d-4462-8558-d32aceda5989.png) **Other information (please complete the following information):** * Device: PC * OS: Debian 11 * Session Version or Git commit hash: v 1.8.6 --------------- Wow getting wider: ![funnysessions](https://user-images.githubusercontent.com/11895339/206952786-69e28839-4fdb-4b9b-b0e5-53071ac24857.png)