It's so important that we don't accept privacy washing from companies like WhatsApp (or Facebook). If these campaigns succeed and the average person accepts tools like WhatsApp as being privacy-preserving, then consumer demand for privacy-specialising technology will decrease and it'll become extremely niche, especially for things like messengers which rely on network effect.
Big companies know that people are becoming more aware of and concerned with their digital privacy. Don't let them hijack the conversation oil-company style.
Hopefully one day mainstream apps will actually be privacy-focused, but WhatsApp ain't it.
Session uses Signal protocol (or a fork of it) https://getsession.org/introducing-the-session-protocol/
Also, my understanding is that Signal protocol is considered superior to Matrix or any other less tested protocols
https://www.reddit.com/r/signal/comments/dagydx/should_signal_support_the_matrix_protocol/
Still requires a phone number to sign up. For no reason: it could use any contact details (email, Matrix, qTox), even none like Session, or email and Matrix, and become a root identity provider.
Hi. I work for the not-for-profit that makes Session.
It's a really complicated issue, and it is for sure going to drive tech jobs out of Australia. Tech companies already based in Australia will have to use employees or failsafes based outside Aussie jurisdiction to cover themselves, and new companies will probably just incorporate elsewhere.
In the case of Session, there are things built into our design and core principles which mitigate anti-encryption/privacy legislation here in Australia or elsewhere.
Being open source is relatively common, but being decentralised is a fairly major adjustment to your average technology software/service and comes with a lot of complexity that most of the time companies don't want to deal with.
As others in this thread have mentioned I think that while Australia may be at the forefront, it's really a part of a more-or-less global trend of anti-encryption agendas from regulators and legislators.
I actually wrote an article about it here: https://getsession.org/blog/on-the-recent-australian-surveillance-legislation
If you need voice and video in addition to E2E encrypted chat, the Matrix network with the Element client is a fantastic option.
If you just need E2E encrypted chat with optional audio messages then Session is starting to look very appealing. And eventually they'll have live voice/video calls too, which will make it even more useful.
> Remember you still need an Internet connection, which is seldom free of charge and completely open.
True enough, there's always a lowest common denominator. But in practical terms, here's a very likely scenario: I travel to a foreign country with just my cellphone. I get mugged on my way out of the airport and no longer have a phone. Even if I were to buy a new phone I still can't get access to my old number because it's from a different country. So I go to a library, or a cyber café, or the police station, and I use any computer with a web browser to connect to Element.io and type in my username and password from memory, and I'm golden. I can do chat/voice/video from there with all my contacts available, not depending on there being a database of contacts on the device as is the case with Signal. This for me is the ideal solution.
For an anonymous messaging app I only see Session. From their website, they mention it's an end-to-end encrypted messenger that minimises sensitive metadata, designed and built for people who want absolute privacy and freedom from any form of surveillance. It is open source and was audited. It is powered by Oxen, designed to provide both security and anonymity.
Well, status is too far to be complete. Session, a decentralized version of Signal, is ahead in terms of completion.
However, the article does not mention that Telegram is working on a decentralized public trustless blockchain with a parallel distributed anti-censorship network called TON. This will be a major step ahead in terms of privacy, anonymity and security.
I agree with you!
If I may add something, I'll use GNUPG on a thumb drive offline (ideally an air-gapped PC). Encrypt the message and then copy it to another thumb drive.
I know.... Many steps. Once you get used to it, it's 'automatic'.
Did you try Session? (https://getsession.org/). It's a fork of Signal and I think it has the best privacy options; for example, you don't need to share your phone number.
I meant the latter is a stretch in the sense that it's not a household name, not that it's bad software. https://getsession.org/ is the only anti-botnet messaging service I actually trust, and even it's got its downsides.
All of the above services require a phone number to log in (except Wickr)! Try using Session; it's a fork of Signal which does not require you to give any identifying info about you and doesn't collect any metadata. It also uses the Oxen Service Node network, which is similar to Tor.
For more info on Session: https://www.youtube.com/watch?v=OBnQvy5RNEM
A lot of people prefer convenience over privacy.
I use Session because, unlike Signal, you don't need a phone number or anything like that to get started. My only problem is getting friends to install & use it is hard....
Not anymore. Their page on the Session protocol says they are no longer using the Signal protocol and that Session's protocol does not provide PFS or deniability.
Regular texting, as in SMS text? Or Apple's iMessage?
SMS texting is not encrypted, secure, or private.
iMessage is encrypted, just like Signal. I don't think Apple has the encryption keys either.
Signal and iMessage both have potential risks: metadata. Apple definitely has metadata that can be shared with governments if compelled to do so. Signal shouldn't have metadata, but it does require your phone number, so they want you to trust them with identifiable information.
What it really comes down to is which organization you trust not to give governments/organizations metadata.
Why is metadata important to protect? Because if you or your contacts are implicated, your association can put you at risk. Or if your contacts are profiled for advertising or someone's agenda, you can be associated based on your relationship. While this might not be happening today, and we don't know 100%, it also could happen in the future, with you not knowing.
I prefer Session to avoid potential risks of today and future.
You should read up on Session before talking.
No, Session no longer uses Signal protocol.
https://getsession.org/session-protocol-technical-information/
They've also always routed over Loki. That's always been the point, to use their nodes on their network. Though before sometime last year, the nodes never changed.
Don't get me wrong though, I'm certainly not defending their decisions and no longer have much faith in Session. I would prefer they used tried and true technologies rather than rolling their own.
I had major suspicions about Signal (the biggest being closed-source server code and the phone # requirement); turns out they weren't unfounded. Still better than mainstream messengers like Whatscrap, but for truly private communication you might want to try Session. Similarly to Monero, it's the better technology, but suffers from lack of popularity.
Since no one has mentioned "Session" yet:
>Session is an end-to-end encrypted messenger that minimises sensitive metadata, designed and built for people who want absolute privacy and freedom from any form of surveillance.
I got it and kinda like it but cannot find anyone using it.. :p what do people think of it?
signal is more of an sms replacement, while matrix is a versatile decentralized group chat protocol. if i'm being honest, i know next to nothing about xmpp
i use https://getsession.org, it's like signal but a bit more private/secure imo
Session is a branch of Signal. It uses Lokinet and is more secure. But it's still a very new app; calling and rich messaging support aren't there yet. But they're coming soon.
You can also look at its code on GitHub.
Although Signal is much better than WhatsApp and stuff like that, it has some flaws, namely the phone number requirement and centralized servers. If you want to go a step beyond Signal, look into Session. It is based on Signal, but is decentralized and does not require a phone number. Currently it supports messaging and file attachments, and later will support calls with some changes coming in late March.
Edit: formatting is hard.
Yes, I understand. Use trusted open source apps, private DNS (I use pi-hole https://pi-hole.net and AdguardDNS as backup https://adguard.com), Session or Signal as a messenger (I prefer Session. https://getsession.org). That's about as far as you can go on stock. (I use stock as mine won't keep TWRP installed as recovery and Magisk won't fully install; I'm not sure why. Device: Moto G7 Play/T-Mobile REVVLRY) Further is adb uninstall all the bloat apps.
You can learn from this and not make yourself so dependent on one (incompetent) corporation. Have a look at Signal (also centralised, but more trustworthy) and Session (decentralised and therefore much more stable, but with fewer features) and help your parents set it up if necessary. :)
Hi :)
Let me know if you have any additional questions.
Mind you, I'm not saying this is the end of humanity and we're all boned, your individual risk assessment is personal to your circumstances so this change will most likely not affect the majority. people still need to be aware so they can make informed decisions.
I still have my session ID as my pinned tweet.
You can read it in their blog posts, but for a short answer: the Session protocol.
https://getsession.org/introducing-the-session-protocol/
https://getsession.org/session-protocol-technical-information/
More private? I doubt that.
Have a look at session and MuWire for privacy. Also Bitmessage but it should be compiled since last release was 2018.
And until Session finishes its external security audit I wouldn’t recommend it for normal use.
> Session’s desktop, Android, and iOS clients are currently undergoing a security audit by Quarkslab. The results of the audit will be published once it is completed.
A little side note: there's an app called Session that's more anonymous than Signal because you don't register, so they don't have your phone number and you don't have to allow the app permission to your contacts. You simply get a code and that's how people contact you. Its decentralized network makes it ideal for trusted communication and the app is open source. Give it a try https://getsession.org
Looking at their website: https://getsession.org/
They have a link to their GitHub, which has the source to all their programs.
If you are worried about backdoors, build it yourself from the publicly available source code.
If there's a backdoor in that code, then anyone can see it.
Then mail isn't the right infrastructure for you. You could anonymize yourself to some degree by signing up for Tutanota using Tor network or VPN and never give away information in your account that could be linked to your profile.
Easier would be Session which does not require any profile information and is routed through Tor.
Yes, but safety and privacy features won't work as desired, like MAC spoofing and forcing all connections through TOR. TAILS only runs from a USB drive, and the persistent storage is encrypted (with LUKS I think?).
On TOR, please use obfs4 or meek-azure to try to avoid looking suspicious on the network.
Session works on Windows (exe) and Linux (appimage).
Again I have to push back on this; we have not mis-characterized Signal, as mentioned in my other posts to you.
>Why in the world are they associating Signal with other proprietary messengers? Very odd statements.
If you read the context you will find that all of these apps offer some form of encryption; I'm grouping Signal in with them because Signal also offers encryption.
We use the term 'Onion routing' and 'Onion requests' as they should be, you went to the effort of contacting the Tor developers and they agreed.
>in the academic literature, onion routing is a primitive that many designs and papers use, i would hate for the research world to conclude that the only thing that does onion routing is tor
Hence using the term Onion routing
>we actually, in our trademark advice, steer people toward using the more generic 'onion' word in their project rather than the more specific 'tor' word
We also clarify our usage in our faq https://getsession.org/faq
Personally I've never had anything like this happen to me. Yes, Signal is secure, but only to a certain extent. I've been using it far before it blew up. I also use Session.
Unlike Signal, which does require a phone number for sign-up, Session doesn't require anything. It's a lot more secure than Signal because of the sign-up process and other stuff. I'll link to it below; everyone reading this should check it out as a great alternative to Signal.
Oh my oh my. It seems my comment was removed. Did you catch a glimpse of it? I explained everything in full detail: the independent security audits of the software, the insane privacy it gives you towards any individual, government or corporation, how its new decentralized communication protocol is unblockable, so even people behind the great firewall can use it, anyone that is by any means connected to the internet, essentially. It's truly the best software as it asks for nothing. No E-Mail, no CAPTCHA, no phone number. Nothing. It has a client for every operating system (Linux, Windows, MacOS, Android, iOS, BSD) and device type (Laptop, Phone, Desktop) etc.
It's truly the best of the best. I'm by no means affiliated to the company behind it, but I've done personal checks and seen they are legitimate in every way.
The software is called Session. You can download it here:
I've been getting all my friends recently on it as well. It works like a charm after ~30 minutes of setting itself up for the first time, but even during that time most people didn't even realize something was up.
You either use Session or you're a noob.
But nah seriously, why don't people talk more about THIS messenger, it seems to be rather secure if not overly secure.
> I'd guess this is being publicized to drive users off signal to a more "interceptible" chat app.
At the risk of sounding like I'm doing that, I'm going to offer my recommendation anyways because it's too good of a messenger for people not to know about. If you want privacy in your messenger, use Session.
Just out of curiosity, are you describing this?
Since I had never heard of that, I searched to see what it was and saw the website. Without any deeper research I'd just say that their white paper is from 2020. Can we really compare XMPP with it?
I'd recommend Session messenger, both for privacy and ease of use. You generate your ID within the app (open source, Win/Linux/Android/iOS) and it doesn't require a phone number or email. Exchange your IDs with your parents via sms/email/whatever and add each other in the app as contacts.
Image, video, document and voice message sharing is available, but voice calling is still being worked on.
Media sharing can be a bit slower than on centralised messengers due to lokinet routing, but still shouldn't take more than ~10s for an image transfer. 6MB max file size IIRC.
Think this is simpler for your parents to set up and use than Matrix or XMPP. Just note your recovery phrase somewhere (password manager for instance) if you intend to migrate or use on multiple devices.
If you have a Session ID, I'll be more than happy to send you a few (premium) courses; maybe download and watch those and see if you could get the hang of it through video tutorials? If you're doing it purely through documentations, then you're already ten times better than me; anyway, if you don't, it's very instant to set up, I'll only send you the links to the said resources and maybe uninstall/delete the application afterwards!
>Yeah nope that makes complete sense. The only way to really pull it off would be to either have the network store the message
Yep exactly.
>(like blockchain messengers do IE Session)
Sorry to break the bad news, but Session is not on a blockchain according to their own FAQ:
>No, your messages are not stored on a blockchain. Messages are stored by swarms, and are deleted after a fixed amount of time (called the “time-to-live”, or TTL).
All of your messages are encrypted, and can only be decrypted using the private key which is stored locally on your device.
And, on that same FAQ page, they say they don't end-to-end encrypt their open groups (but Signal end-to-end encrypts everything):
>The short answer: open groups are not as private as person-to-person messages or closed groups.
The long answer: open groups are large public channels where Session users can congregate and discuss anything they want. Open groups, unlike other services in Session, are self-hosted and thus not fully decentralised. Someone has to run a server which stores the open group’s message history. Additionally, because open group servers can serve thousands of users, messages are only encrypted in transit to the server rather than being fully end-to-end encrypted.
For smaller group chats with a higher degree of privacy, users are encouraged to use closed groups. You can find out more about open groups and closed groups here.
Sorry again to break the bad news ::end off-topic:: :).
Check out Session; it doesn't require anything to set up, not even your phone number. If you do some research into them you will find that they're a lot more secure than even Signal.
Don't get me wrong signal is great but Session is definitely a really great alternative.
Here's the link to their website 👇
There are a few cryptocurrencies that don't have the huge environmental footprint that most other cryptos do.
[Oxen](https://oxen.io/) for example doesn't waste electricity via mining and also has real-world uses such as being the infrastructure for Session and Lokinet.
A quick search reveals a number of cumbersome solutions for getting an anonymous phone number. Got a link to something straightforward?
Anyway, if what you are saying is true, then Signal is merely refactoring its code to work with anonymous phone numbers and that is not a "phonenumberless" solution. It now relies on a third-party registration (and that looks like a cumbersome operation, pending your link).
With Session, by contrast (https://getsession.org/faq), it looks like you can just directly (and locally) set up an anonymous account using any "recovery phrase" you like:
> Because Session doesn't have a central server storing information about your identity, restoring your account using the traditional username and password method is not possible. Your recovery phrase is a mnemonic seed which can be used to restore your existing Session ID to a new device. ... You don't need a mobile number or an email to make an account with Session. Your display name can be your real name, an alias, or anything else you like.
Monero is supposed to do only one thing and be the best at it, that is being a true crypto*currency*. However, Session messenger is using a Monero fork for its onion routing. Check it out!
Session has possible metadata leaks from their service nodes that route and store messages. They don’t use Tor either, but a separate onion routing protocol that hasn’t been examined or studied nearly to the extent Tor has.
Another thing I'm skeptical of Session about is their website. Their FAQ section is too one-sided and subjective. Instead of bragging about your strengths you should list out your pros and cons against other popular messengers so users can form an objective opinion on your software and whether it's what they're looking for. I2P does this brilliantly on their website.
Company: Session
Listing: here
Job: Senior/Mid Level iOS Engineer (Swift)
Type: Full time
Location: Melbourne, Australia
Remote: Yes, if in compatible timezone
Visa required: No
Required Experience: 2+ years writing iOS apps
We develop an open source private messaging application called Session. If you'd like to join our team of ~6 developers and work on privacy enhancing technologies email me at with a resume + some info about yourself and we can move from there. Alternatively you can reach out to me on Session at 05d871fc80ca007eed9b2f4df72853e2a2d5465a92fcb1889fb5c84aa2833b3b40
Signal has been subpoenaed by the FBI multiple times and the only data they are able to provide is:
- When you registered with the service
- The last time you signed in
Your contacts and other metadata is either obfuscated or not collected at all so that Signal doesn't have it in the first place.
That said, another option you might look into is Session. It started as a fork of Signal but they've modified and developed the protocol to work better over their own in-house onion routing network called Lokinet, and have also been independently audited. It doesn't require your phone number, instead it generates your keys on your device and then your "ID" is just your public key that you can share, but it's not related to your real identity in any way. If your "ID" gets compromised or somebody gets hold of it that you don't want to have it, you can just make a new one on your same device with no consequences. They are currently working on voice and video chat, and have shared videos of progress they've made on that front, but you can imagine how hard it must be to route voice/video calls over an onion network without having debilitating amounts of latency, so as of right now, there is no voice or video calling, just voice recordings you can make and send as attachments. You can check it out at: https://getsession.org
> Why are phone numbers a privacy problem?
> (...)
> Phone numbers are critical to the way we move about the world these days. Pretty much every service that lets you make an account—including essential services like banking and health—use your phone number for verification that you’re the real human that you’re claiming to be. This ever-increasing dependence on phone numbers makes it a logistical nightmare to try and change your phone number, and because of this...people just never change it.
> Even as a privacy-conscious person, it has been years since I updated my phone number. Changing my digits wouldn’t just mean that I have to sit down and spend hours tracking down and change my on-file phone number at my doctor’s clinic, gym, work, and a million other places — it would also mean that hundreds of contacts from years of professional and personal number-sharing would (effectively) lose my phone number. Even worse, if my old number ended up getting recycled, then my personal messages could end up in someone else’s inbox.
> Because of all this, people end up changing phone numbers less often than they change their actual, physical address. This is a big problem — over the years, you’ve probably entered your phone number into long-forgotten websites, petitions, and apps, and now your phone number is buried deep in all corners of the internet.
> (...)
I know that Matrix uses the AES-256 standard. Session uses their own encryption method though, I'm not really sure if it is a good idea or not. It is kind of hard to describe it, but there is a technical explanation of the protocol here: https://getsession.org/blog/session-protocol-technical-information
Sorry about missing that part. The node does do some minor calculations but it's nothing like PoW/mining that people usually think of when they think of cryptocurrency. It doesn't use lots of electricity like cryptocurrencies that use PoW.
The response from the other guy addresses your other concerns.
I understand that it's annoying how the barrier that resists sybil attacks is also a barrier for idealists like yourself. However, if you still want to help without spending money, I recommend that you use Lokinet and Session https://getsession.org/ as it will increase the anonymity set for everyone using these services.
It's not just your email provider, but also the other end. There's also metadata and contact tracing. You also risk being unmasked by anyone you communicate with.
Untraceable/anonymous email best works when nobody knows who is talking to who, and connecting over an anonymous network.
Anonymous messaging is better (Session).
Signal is centralised, I think, and it asks for your phone number. A better option (decentralised, asks for no information, and moreover completely open source) is SESSION (https://getsession.org/session-for-beginners/); there is also MATRIX, but I don't recommend it (grey areas regarding security) www.matrix.org
Company: Session
Listing: https://www.seek.com.au/job/52906469
Job: Senior/Mid Level iOS Engineer
Type: Full time
Location: Melbourne, Victoria, Australia
Remote: Yes, but must be willing to move to Melbourne eventually
Visa required: No
Required Experience: 2+ years writing iOS apps
Element requires you to leave an email address with them at account registration. Session is better in that regard since it doesn't require an email address or phone number. Just created an account on both. I can't speak for Session's security and privacy measures in any other regard.
- Long time no see! Good to know you're still kicking.
- We're working on several solutions to better resist.
- Feel free to join our https://GetSession.org group chat. PM me for my ID#.
I already suggested session messenger. Decentralized so taking down one server doesn’t bring the whole thing down, no need for phone numbers, seems good in terms of privacy.... looks interesting
From 24bitFLAC (apparently a Loki team member):
"No, Session doesn't have perfect forward secrecy. PFS adds enormous complexity but is only relevant in an extremely narrow set of circumstances given the rest of Session's design. We further explained our decision not to use PFS here."
So, yeah, no PFS.
Hey there —
Text messages aren't really encrypted at all. Session messages are end-to-end encrypted using the Session protocol, they're a lot more secure than text messages!
It's true that the Australian government is anti-encryption, however we've spent a lot of time considering the regulation in Australia and whether it was a threat to Session. We don't think it is, and we've explained so in this article. Even though Session is made in Australia, its servers are actually distributed all across the world. We don't store your messages.
No, Session doesn't have perfect forward secrecy. PFS adds enormous complexity but is only relevant in an extremely narrow set of circumstances given the rest of Session's design. We further explained our decision not to use PFS here.
It's kinda obvious that Signal is only allowed to operate because it sticks to the parameters that 3-letter agencies dictate ...
Examples:
This makes it easy to crack (or at least monitor) for a certain government, whereas most other parties can't touch it.
Check out Session for a privacy aware fork. https://getsession.org
> PFS means that if long-term keys for a given conversation are compromised, only a small amount of recent messages can be decrypted. However, under typical circumstances, the only way long term keys can be compromised is through full physical device access — in which case an attacker could simply pull the already-decrypted messages from the local database. As is often said in the infosec community, physical access is total access.
>Session looks like a good alternative.
I would have agreed with you until I dug into the technicals:
> Session’s onion routing system, known as onion requests, uses Oxen's network of Oxen Service Nodes, which also power the $OXEN cryptocurrency
Lots of applications use .onion routing (Tor) and don't need a scammy crypto to power it!
Thank you! Session is looking very promising, but I have big concerns about its own scammy crypto “$OXEN”
One can support onion routing without needing a “utility token”. That’s a giant red flag IMO.
Still, keeping an eye on it https://getsession.org/
It’s only because session is new, once LokiNet is integrated they will provide those services. Even says so on their website:
> When will you support voice and video chat?
> At the moment, Session uses onion requests. However, this solution only supports something called TCP (Transmission Control Protocol) traffic. TCP is a highly reliable protocol, but it’s also high-latency, meaning that video and voice chat is not viable.
>Once Lokinet is implemented (see What is Lokinet? below), it will be possible to implement video and voice chat. Lokinet supports both TCP and UDP (User Datagram Protocol) traffic. UDP is a lightweight and connectionless protocol, making it ideal for broadcasting things like voice and video.
>Their reasons are basically people get their devices compromised so they don't need PFS...
That oversimplifies their argument which is basically that people like to keep their old messages around. A breach where FS was a possible mitigation would pretty much for sure mean access to those old messages thus negating the value of FS.
This is commonly seen in the case of Signal Messenger where most users not only fail to autodelete their messages but bitterly complain when their messages are not retained in a convenient way over all their devices.
>...and people take screenshots so they don't need deniability, ...
More to their point: things like courts are happy with low-proof evidence like screenshots. It is a cultural argument. The existence of cryptographic proof of identity tends to be ignored.
>I believe that your anonymity is at risk without deniability...
Note that the current system in use (Signal Protocol) provides a fairly low level of deniability in the form of forgeability. So Session isn't losing much, if anything, here.
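The trade-off argued in the quoted FAQ text and in the reply above (what a long-term key compromise yields with and without forward secrecy, versus what physical device access yields either way), as an added toy model. This is not Session's or Signal's code; it uses a toy DH group, an unauthenticated stream cipher and constructed sample messages purely to make the two compromise scenarios concrete.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: a Mersenne prime so the script needs only the standard
# library. Not a safe parameter choice for anything real; it exists to make the
# key-compromise scenarios below concrete.
P = 2**127 - 1
G = 3

# Constructed sample conversation (Alice -> Bob).
MESSAGES = [b"dinner at 7?", b"bring the documents", b"ok, see you there"]


def keygen():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(my_priv, their_pub):
    return pow(their_pub, my_priv, P)


def message_key(shared, index):
    """Per-message key derived from a DH shared secret and the message index."""
    material = b"toy-msg-key" + index.to_bytes(4, "big") + shared.to_bytes(16, "big")
    return hashlib.sha256(material).digest()


def xor_stream(key, data):
    """Toy stream cipher (HMAC-SHA256 keystream in counter mode). Symmetric, so
    the same call encrypts and decrypts; no integrity protection, demo only."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def run_static(alice, bob, plaintexts):
    """No forward secrecy: every message is keyed from the long-term DH secret.
    Returns (wire capture, Alice's locally stored plaintext history)."""
    shared = dh(alice[0], bob[1])
    transcript = [{"index": i, "ct": xor_stream(message_key(shared, i), m)}
                  for i, m in enumerate(plaintexts)]
    return transcript, list(plaintexts)


def run_ephemeral(alice, bob, plaintexts):
    """Forward secrecy: each message uses a fresh ephemeral DH exchange and the
    ephemeral private keys are discarded afterwards. Signing the ephemeral publics
    with the long-term keys (needed against active attackers) is omitted."""
    transcript = []
    for i, m in enumerate(plaintexts):
        ea_priv, ea_pub = keygen()
        eb_priv, eb_pub = keygen()
        shared = dh(ea_priv, eb_pub)
        transcript.append({"index": i, "eph_b": eb_pub,
                           "ct": xor_stream(message_key(shared, i), m)})
        del ea_priv, eb_priv  # nothing is kept that could rebuild `shared`
    return transcript, list(plaintexts)


def attacker_with_long_term_keys(transcript, a_priv, b_pub):
    """Passive attacker who recorded the wire and later obtained Alice's long-term
    private key. Tries the best key derivable from it for each captured entry."""
    attempts = []
    for entry in transcript:
        guess = dh(a_priv, entry.get("eph_b", b_pub))
        attempts.append(xor_stream(message_key(guess, entry["index"]), entry["ct"]))
    return attempts


def count_recovered(attempts, plaintexts):
    return sum(1 for got, want in zip(attempts, plaintexts) if got == want)


def demo(plaintexts=MESSAGES):
    """Run both schemes through the two compromise scenarios from the FAQ argument."""
    alice, bob = keygen(), keygen()
    results = {}
    for name, run in (("static", run_static), ("ephemeral", run_ephemeral)):
        wire, device_history = run(alice, bob, plaintexts)
        # Scenario 1: the long-term key leaks; the attacker only has recorded traffic.
        attempts = attacker_with_long_term_keys(wire, alice[0], bob[1])
        results[name + "_from_wire"] = count_recovered(attempts, plaintexts)
        # Scenario 2: physical device access. The stored plaintext history is
        # readable no matter how the traffic was keyed.
        results[name + "_from_device"] = count_recovered(device_history, plaintexts)
    return results


if __name__ == "__main__":
    # static_from_wire=3, ephemeral_from_wire=0, both *_from_device=3
    print(demo())
```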
No it isn't. It's not how Signal is designed. If you don't like it, don't use it. There are plenty of other encrypted options out there, and some of them -- such as Session, which is based on Signal code -- are even anonymous. (Which Signal is not.)
The only way to talk to actual Signal users though is via a phone number, and that won't change.
Beware. Telegram has 'optional' security, and we all know how well that works - not.
Signal is much better, but still links to a phone number (due to be a non requirement Real Soon Now)
Or for messaging without audio/video support, but much much better privacy you have session messenger: https://getsession.org/
WhatsApp is still more private than Telegram, despite Facebook, because the core privacy techniques are both default and mandatory. Metadata is a problem though.
I'll leave some of your other questions to u/myfeetsmellallday to answer for you, but I can add a bit for a few of them:
>3. Why did you shut down the techlore subreddit?
I think there was just kind of a feeling that it was not working towards our goals as a community. Around a month or two ago we reworked all our online communities to be more consistent and well, good, and in the process we had to drop focus on a few. The general idea at the moment is to build a few very good communities rather than inconsistent communities on every platform under the sun, and we just couldn't give the Subreddit the focus that it'd deserve right now. There are all sorts of privacy-focused Subreddits (such as r/privacy) that are much more organized and active at the moment.
If we come up with a way to run a community on Reddit that actually adds value to Techlore as a whole, it is something we definitely can revisit.
>5. Why don't you have a Session chat for the techlore? (That would be cool)
Along these same lines, we really just had an issue with too many chat problems stretching our community too thin. We really want to have a few fantastic platforms we use rather than a lot of "just good" ones, so we are cautious about starting new chats like this officially. We do already use three different platforms though, and Session would be one to consider if we decide to add more in the future, for sure.
Session takes private life very seriously.
I don't think Session will easily reveal the IP address if onions or proxied onion networks cut off the Session service.
As you say, if it is necessary to take precautions, I will use a VPN
"Proxy routing was an interim routing solution which Session used at launch while we worked to implement onion requests. When proxy routing was in use, instead of connecting directly to an Oxen Service Node to send or receive messages, Session clients connected to a service node which then connects to a second service node on behalf of the Session client. The first service node then sends or requests messages from the second node on behalf of the mobile device.
This proxy routing system ensured that the client device’s IP address was never known by the service node which fetches or sends the messages. However, proxy routing did provide weaker privacy than the onion request system Session now uses. Proxy routing still provided a high level of security for minimising metadata leakage in the interim. The proxy routing system has now been replaced by onion requests."
Source
I would look at:
Instead of a complete comparison matrix, I simply looked for a tool that meets my criteria.
Unfortunately none are perfect.
>However, it bothers him that Signal stores so-called metadata about users on its servers. "For example, the linking of Signal groups with the respective mobile numbers of users. It can find out who starts a communication, when, and with whom (that is, with which number)."
>
>According to Lupták, Signal also does not address anonymity – you still have to register with your mobile number. "And if you require anonymity, you should use its fork Session https://getsession.org. Or wait for the new version of Signal, which should also allow anonymous registrations."
Session was using the Signal protocol for encryption but recently created and started implementing their own, the Session protocol. From a blogpost, they write, "The reality is that while Signal is laser-focused on security, Session’s vision includes a focus on anonymity and decentralisation, too — and trying to shoehorn the Signal protocol into that vision was like forcing a square peg into a round hole. The Signal protocol wasn’t built with decentralisation in mind, for example." Technical writeup is here.
A couple of other advantages, in my opinion, include the elimination of metadata and the ability for people to sign up without an e-mail address or phone number. Session is also arguably censorship-proof.
Like Signal, it's cross-platform, open-source and E2EE.
> Lots of people here call Signal bad because it requires a phone number. That's okay, it's your preference. You can use other apps like Element or Briar if you don't wanna use Signal yourself.
I would add Session (Signal's fork) to the alternative messengers that can be used without giving a phone number.
I can really, really recommend Session. It is a fork of Signal and open source, and totally secure because no number is needed for verification and the user account is not secured via a password but via a seed, like Bitcoin. Aaaand they route your traffic through their own "tor" if you want, and it is on top of a cryptocurrency as the network. Just geniuses!
I would go for Session https://getsession.org/
"Session is an end-to-end encrypted messenger that removes sensitive metadata collection, and is designed for people who want privacy and freedom from any forms of surveillance."
Clients for: iPhone, Android and Mac/PC/Linux
Supports chat, attachments and voice messages. The source is a fork of Signal and is open source.
Why not use Session? Session is a fork of Signal that uses onion routing and is not connected to your phone number. Signal is a very good option, but it's bound to a Signal server to work, while Session works more like a Tor network. Clients for iPhone, Android & Web https://getsession.org/
Does Session really do this now? Because they still link to a version of their white paper on their site which says, or rather buries, in an addendum:
>"This paper does not describe Session as it exists in its initial release[.] some of the features described in this paper will still need additional work before being deployed to the live Session application. The most significant deviations from this paper and the Session application as of February 11th, 2020 are mentioned below:
>
>- Onion requests are not yet implemented in the initial release, and are replaced with Service Node proxy routing, which provides only a single hop, instead of the three hops which will be provided by onion requests.
>
>[....]"
https://getsession.org/whitepaper
(dated March 31, 2020)
There's a messaging app called Session that I've been using that meets your criteria. It's actually a fork of Signal, but they removed the need for a phone number and added onion routing for messages.
There's actually a pretty cool open-source messaging app using blockchain tech already out called Session. I've been using it for a little while now and I like it a lot. Might be up your alley to contribute to that if that's what you were envisioning.
or Session (forked from Signal, allegedly better): https://getsession.org/
or Riot (basically, really secure IRC) : https://about.riot.im/
These are all safe and secure. Any doubts? Ask in r/privacy.
Being based in the US (or the 14 eyes in general) is not really a red flag (yet). If the company has good business practices then it's fine. For example if they don't collect data what are they going to give if law enforcement orders them to? It is a problem if the country has a law against encryption or allowing backdoors on every service. While it's been attempted, so far such a law hasn't been passed anywhere (someone correct me if I'm wrong).
As for Wickr, it's not recommended here because it's proprietary (closed-source) software, so there's no way to verify that the source code doesn't have a backdoor. Now that aside, is it actually good? Well, it's not too bad, but Wickr can give away a lot more data than Signal if ordered to, and plus Wickr has three trackers, Signal has none. Honestly, Signal is better in every way except for the phone number; if that's too much of a problem, use a burner phone.
There's also Session, which requires no phone number or email, has decentralized servers, is fully open-source, has no trackers, uses onion routing (not over the Tor network but instead their own, called the Loki network) and uses Signal's encryption protocol; in fact the app itself is a fork of Signal.
Sounds great, right? While it is, the app is very new (came out in February), still hasn't had a third-party audit (again, someone correct me if I'm wrong), and it's still lacking a number of features; it also needs some more bug fixing.
You can give it a try if you want but for now Signal with a burner phone is the best choice.
>[...] I don't feel like I'm undermining anyone's privacy as there is no proof or allegations that they have done anything untoward. [...]
Feelings have no merit in this regard. Just because you cannot see for yourself doesn't mean that it's okay.
"[...] however, we [meaning the Loki guys, creators of Session] don’t recommend using Session in cases where proven and independently verified security is required." (Source)
Their claims of privacy are still unproven, hence their disclaimer. Yet, you are still being complicit.
>[...] because I like it [...]
Good to know that you admit being biased, hence proving my point again with almost all posts with regards to Loki project and Session.
> Im*[sic]* not sure what you're*[sic]* problem is mate but I'm aware the app is not yet audited and have mentioned that plenty of times.
An audit alone won't mean anything at all, as if by an audit alone the result will be positive. As of now, it's just your own insinuations, and having a personal opinion or being somewhat biased toward it will not give any significance to Session, as it's still not yet audited. In their own FAQ it still states: "[...] we don’t recommend using Session in cases where proven and independently verified security is required." Giving one-liners, only mentioning that the UX/UI or whatever is good, etc., that is, only giving personal opinions, has no merit, and you don't even tell anything about threat models or use cases. Omitting those won't help people to make an informed decision on their own. People need to understand what could undermine their privacy and whether it fits their threat model.
> I've also positively mentioned Signal endless times, I am a user of both Signal and Session and think they are great apps.
A bit of Hegelian dialectic at play here. You mentioning Session along with Signal doesn't give any significance to Session, you already said that you want to drop Signal (source).
>Stop cherry picking bits to try fit a narrative and regurgitating the same stuff over and over.
Almost every post you have made about Session/Loki only proves my point. You are cherry-picking every thread and post about instant messengers to try to promote Session over and over again.
> You're making out like talking about something I like is a crime.
Why do you omit what could undermine user privacy?
>Your source of the guy saying he doesn't recommend it yet is 3 months old, maybe he recommends it now.
It's still in their FAQ: "[...] however, we don’t recommend using Session in cases where proven and independently verified security is required."
>As for shilling Session, yeah no shit I want to recommend it. The more popular it gets the easier it is to get people I know to use it.
You are recommending it to people yet don't care about what could undermine user privacy, as if Session really is what you claim it to be, despite it not having been audited to prove their claims.
>Do you just have a doc filled with these pre-written comments? I swear you've been posting this same comment word for word for like 3 months
Do you follow every thread and post that mentions instant messengers and promote Session? I swear you've been posting the same promotional comments for Session that long.
MITM shouldn't be a problem for Session; they use the Signal protocol, so messages are end-to-end encrypted (with PFS and deniability), except for friend requests, where they had to modify it a bit because they are decentralised.
The whitepaper is here for more details: https://getsession.org/wp-content/uploads/2020/02/Session-Whitepaper.pdf
For what it’s worth, there is a sort of “signal based” messenger like this already.
It’s another uphill battle to get people to use this instead assuming it’s actually “better”. But it does exist.
From what I've seen, yes. Taken from their official site:
>In messaging apps, metadata is the information created when you send a message — everything about the message besides the actual contents of the message itself. This can include information like your IP address, the IP addresses of your contacts, who your messages are sent to, and the time and date that messages are sent.
>It’s impossible for Session to track users’ IP addresses because the app uses onion requests to send messages. Because Session doesn’t use central servers to route messages from person to person, we don’t know when you send messages, or who you send them to. Session lets you send messages — not metadata.
If you haven't already done so, you might want to give the Whitepaper a read. Download from this page:
https://getsession.org/ It's an amazing concept based on Onion routing. Metadata resistant and fully encrypted
Discarding an initiative solely based on its location is ignorant and erratic. First and foremost, Session is still under active development, so there is no point in judging it from the current feature set, commits and code. Rather, judge them by the Whitepaper (PDF alert) from their site.
That Session is incorporated in Australia might not be ideal, but judging from the whitepaper and the setup, they are going to rule out users having to trust them, being designed to mitigate server compromise.
I gather you are not using Signal, either? Signal is incorporated in the US ;) The good thing about Session is that it mitigates some 'flaws' that Signal suffers from. I do hope that they completely redo the desktop client properly, without it being basically a webapp 'plus' (Signal Desktop is an Electron app).
Session is more like Signal. It is a bit more decentralized as they have several (5-7) service nodes around the globe (see here) but still, if I want to contact you via Session, I need to connect to Session's server.
Matrix, on the other hand, is really decentralized: I have my own matrix server home, and people that want to connect me send their messages directly to me.
The other difference is the fact that Session uses an "onion-like" routing service, LokiNet. This is nice, as it increases the anonymity of the user, but it seems strange not to use Tor.
I wanted to find a messaging app working without a phone number and I tried Session, but I was not convinced by the company behind the app, so I switched to Matrix, which is more transparent to me.
What if the identifier itself was an address of something like session for example and in case of infection you send the alert to everyone you have contacted (every address you have collected). This would eliminate the need for central server.
I'd like to ask your opinion on Session messenger, because it seems to be a version of Signal with nice features but a little shady or unclear in some parts. It also hasn't been audited.
The whole cryptocurrency scam wave they're surfing on means it's pretty much DOA (and extremely shady) unless they remove that part.
I mean, just look at that link:
https://getsession.org/how-session-protects-your-anonymity-with-blockchain-and-crypto/
and tell me you'd trust it on the long term.
If you do, how is your crypto portfolio faring at the moment?
Yeah, like Signal/Tor, a privacy NFP. Always a good sign imo.
It uses something they call 'Service Nodes', which are decentralised nodes that are incentivised to function and perform tasks, which leads to some level of Sybil resistance. They have a whitepaper which is nice reading: https://getsession.org/wp-content/uploads/2020/02/Session-Whitepaper.pdf
That is a very good point. The developer of Signal seems to be non-transparent - that is a real shame and cause for concern. My point with the example was the fact that the source is open and security audits exist, so that at least the end-to-end encryption is guaranteed. A thorn in the side is the use of the real phone number.
Fortunately, however, there are alternatives such as https://getsession.org/
The problem with the whole thing is: if the software has no users, then it also has no use.
On your question: https://www.theguardian.com/world/2019/may/18/israeli-firm-nso-group-linked-to-whatsapp-spyware-attack-faces-lawsuit
It would be naive to believe that such exploits are purely unforeseen bugs and that there are no others of this kind.
There are a few 3rd-party articles online, but I've noticed that these articles sometimes have outdated information even when they are first released.
You should be able to find 3rd-party articles at r/LokiProject along with articles that come from the Loki blog. It's not a very active subreddit; their community is most active on Telegram and secondly Discord.
Although I would recommend just testing out the Session app https://getsession.org/ it's got a few bugs but is being actively worked on. My Session ID is 05a23cbdd20237014fff6bec32c3ae1775e3e2a290975c412986fd08a97c3dc211 if you want to add me but I'm not very good when it comes to conversation. You'll probably have a better conversation in one of the open groups. Just enter these urls into the app to join the respective group. Session Public Chat: https://chat.getsession.org Loki Community: https://loki.opensession.id
I have a simple question: how does encrypting the drive protect a plaintext key? If I understand correctly, the encrypted disk is decrypted when you log in to the OS, so the key is still in plaintext while you are logged in to the OS. So most probably active malware could steal your key.
So best practice is to encrypt the key using an app password.
I vaguely remember reading something regarding some kind of big rift between the devs - but it's open source, so anyone can pick it up and start working on it again. As for a P2P alternative, I don't have one that I feel good about recommending. If you're just looking for an app for private and secure text messaging, I'd check out Session (https://getsession.org/) - it's based on the Signal protocol, is completely open source and doesn't require a phone number. It has clients for iOS, Android, Windows and Linux.
Great question, and the answer, I believe, is onion routing + a decentralised server system. We shall see if it's truly possible though.
See: https://getsession.org/wp-content/uploads/2020/02/Session-Whitepaper.pdf