this post was submitted on 01 Jun 2024
45 points (94.1% liked)

Privacy

32046 readers
718 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Title.

I've used it before, but I'm not really sure how I feel about it. Would you use it on a day-to-day basis?

all 42 comments
sorted by: hot top controversial new old
[–] [email protected] 19 points 5 months ago (2 children)

The session developers are interesting. But I don't recommend anybody use session.

They took the signal protocol, and removed perfect forward secrecy because they found it hard to implement.

That's crazy.

Also all of the file transfers on session go through servers in Canada. Centralized.

I give them kudos for trying to make the network self-sustainable through their crypto thing, but they never found a way to actually monetize it, there's no paper use, it feels like the idea is kind of dead in the water at this point. I would not recommend session for any serious non-experimental usage

[–] [email protected] 4 points 5 months ago (1 children)

Is there a feature request to add PFS again?

[–] [email protected] 9 points 5 months ago* (last edited 5 months ago)

https://getsession.org/session-protocol-technical-information

Nope. Whenever anybody ask them, they refer to this and close the ticket

I find their technical rationale, while welcome, a lot of hand waving to say they couldn't figure out how to implement it, but it was not important because it's not a big threat, because if somebody has the device they can get all the messages on the device anyway....

Losing perfect forward secrecy for "simpler code" is a strong design choice they made. I respect them for documenting this, I wish them the best of success, but that's not a trade-off I'm willing to make for no benefit

[–] [email protected] 15 points 5 months ago* (last edited 5 months ago) (1 children)

The concept behind Session is nice, but the implementation is poor. im gonna give a full review here for future generations and their posterity and all that, since I have a lot of experience with it.

First if all, their org is based in Australia, one of the worst countries on earth for privacy. They have openly admitted that the government there can secretly force them to ship backdoored binaries and packages. Huge red flag.

Session runs on the oxen network, an onion relay that runs on crypto stakes instead of straight up volunteering. however, a node requires 15000 OXEN tokens to run, which currently is about 2500USD. in the past it was much more expensive. so the barrier of entry is high. you can say that it makes it more secure or less sure. i think they should lower it now that sybil attacks are much less likely, with most of the tokens locked up in nodes.

The oxen network is SLOW. I mean really slow. For conparison, try running both SimpleX over TOR, and Session, side by side, for a few days, you will notice a huge difference. Trying to message someone in Session is a crapshoot. you will either wait 1 second or 10 seconds for message delivery, sometimes more. I've experienced message delivery times of up to two minutes. Face paced messaging is not a thing.

the oxen network can stored messages for up to two weeks, and this is nice for that centralized app experience while being a decentralized app, when the sync works correctly. but also it may be uncomfortable for some people to keep them stored on-chain.

User experience is ABYSMAL in the long term. Device sync, message deletion, file transfer, just to name a few things that are buggy as hell, confusing, or plain dont work half the time. im not gonna go into it, let's just say that it can get sucky in the long term, weird stuff happens. messages may not be truly deleted either. And of course, we have the slow message delivery, among other little stupid bugs. it's definitely not a "just werks" app.

The UX is made worse by the fact that their apps are just poorly maintained forks of Signal. the phone app is okay I guess. the desktop app is worse. The desktop signal app was already not that great, just thrown-together Electron garbage. but Session didnt even bother to make their own electron app. And electron is extremely insecure by the way. and slow. not what you want for secure messaging. also the electron version hasnt been updated in a while, so there are many zero days in both signal and session apps. signal and session both screwed up on this whole thing.

Also somehow even though Signal accomplished it themselves, Session couldn't seem to accomplish Perfect Forward Secrecy while also keeping multi-device sync. Generally everything about the Session team screams "we aren't that smart"

Session has two notification settings, one is for google cloud messaging which does work with MicroG too, the other spins the app up once in a while and checks for messages. both of these have been unreliable for me in different instances though, especially in work profiles. but in main profile with microG it's actually 90%+ reliable to be honest.

Session has some good points. There are no signups obviously. The Session ID / User Id model is easy for newbies to understand. easier to share than a long af SimpleX link. even if buggy sometimes, you can easily link your ID with other devices and message from them, which is something that is not easy with SimpleX currently. it also provides you onion routing out of the box without having to run Orbot in the background which takes up a decent amount of battery power.

Recently-ish, Session/Oxen team announced that they are going to make a network overhaul at some point. Yet despite having built nothing at all yet, they have already minted an erc20 token and begun presales and all the usual crypto token bullcrap that comes with the standard scammy overtones of a lot of crypto projects and random eth tokens. It's pretty sad.

Overall, session is decent out of the box for a quick need but not for long term stable UX.

[–] [email protected] 2 points 5 months ago (1 children)

Yup, it's sad. Oxen is/was a Monero fork, with some actual privacy. Now their pivot to a centralized, VC-backed PoS like Eth that has no privacy is just overall disappointing. It more or less confirms my earlier suspicions that Session devs only care about enriching themselves. The "Sybil resistance" excuse for requiring such a high amount of capital to contribute a node is just a bunch of BS.

[–] [email protected] 2 points 5 months ago

all good points.

yeahh i completely forgot that oxen is a monero fork. damn, the concepts behind the network were really good, the ideas and everything, and had a huge amount of potential, but just terrible choice after choice althroughout the implementation. sad indeed.

[–] [email protected] 14 points 5 months ago (3 children)

I wouldn't see a reason to use Session over SimpleX

[–] [email protected] 4 points 5 months ago (1 children)

I think the server infrastructure is different? SimpleX is similar to a federation network, isn't it? Session uses an Onion-based approach like Tor.

[–] [email protected] 7 points 5 months ago* (last edited 5 months ago) (1 children)

Yes. The difference is that you need to pay to host a Session node, and pay BIG money. That locks out most people that aren't cryptobros, companies or government agencies. While both a Tor/i2p node and Simplex server (or XMPP, or Matrix) are decidedly easy to set up.

[–] shadearg 5 points 5 months ago* (last edited 5 months ago)

Each SimpleX release gets me closer to using it. The upcoming v5.8 update is no exception:

This release focus is improving the app usability, and preparing the foundation for v5.8 that will provide an in-built protection of user IP addresses when connecting to unknown file and messaging servers, reducing the need to use Tor (which would still remain supported via SOCKS proxy, for additional privacy).

And another round of security audits:

We are planning a 3rd party security audit for the protocols and cryptography design in July 2024, and also the security audit for an implementation in December 2024/January 2025,

Looking good.

Edit: SimpleX v5.7.5 is 313 MB without Data/Cache on Android. Yikes.

Client Version App size
SimpleX v5.7.5 313 MB
Threema Libre 5.3.1l 138 MB
Jami 20240521-01 102 MB
Briar 1.5.11 101 MB
Session 1.18.4 99 MB
[–] [email protected] 2 points 5 months ago (1 children)
[–] [email protected] 3 points 5 months ago (1 children)

Kind of a workaround, but you can add all your devices to a group chat

[–] [email protected] 2 points 5 months ago

That's actually fine. I wish the docs made that more clear.

[–] [email protected] 2 points 5 months ago (1 children)

My use of session is limited to my kids, wife and a couple of friends. I had high hopes for it when I started using it, but its devs have fallen incredibly short. I have also tried SimpleX on and off, but for some reason, it drinks battery like there's no tomorrow, so I'm off of it for now.

[–] [email protected] 2 points 5 months ago (1 children)

Hello! In the latest v5.8 of SimpleX there are various improvements that might be of interest, including for battery consumption.

[–] [email protected] 3 points 5 months ago

Yup. Just tried it again with a few paranoid friends like me, and the battery drain is now gone. Just moved the FAM over too 🤣🤣

[–] [email protected] 10 points 5 months ago* (last edited 5 months ago) (1 children)

When I last looked it over (maybe a year or so ago) these problems stood out:

  • Immature code base.
  • Custom onion network that seemed unlikely ever to have enough users to be very effective against attacks.
  • Small limit on chat group size. (I think they have raised it from 10 to 100 more recently.)
  • Small limit on media attachment size.
  • Desktop support appeared to be an Electron app. (I avoid those because they're incredibly wasteful of resources, and often suffer from Electron's many bugs.)

Its design showed some neat ideas, but it was not practical for my needs.

Also, I have read more recently that Session removed forward secrecy, which rather undermines its value proposition.

[–] [email protected] 8 points 5 months ago* (last edited 5 months ago)

I was one of their strongest advocates, but their progress is unbearably slow. SimpleX for example has advanced a lot more in the same timeframe.
To me it seems like at the current pace they will need another two to three years to solve their problems.

[–] [email protected] 7 points 5 months ago* (last edited 5 months ago)

Their network seems to run on some crypto bs, don't see a reason to use it over Briar or SimpleX for that matter

Like I can just host a Tor node or self host SimpleX

[–] swooosh 6 points 5 months ago* (last edited 5 months ago) (2 children)

My opinion: it's good. I would use it on a daily basis if someone would ask me to text on it with her. But I'd never ask someone else to use it because there are, in my opinion, better options like matrix and signal which I mandate people to use.

[–] [email protected] 4 points 5 months ago (1 children)

Well Matrix and Signal are not necessarily better but just more convenient and suitable for normal users

[–] swooosh 4 points 5 months ago

Yes, And more widespread

[–] [email protected] -1 points 5 months ago* (last edited 5 months ago)

signal

I personally think that Session is better than Signal. At least it doesn't require a phone number to register.

[–] [email protected] 5 points 5 months ago

Interesting idea, but the removal of perfect forward secrecy and Stuff like that is just a no. I have it just to play with, but nothing serious. I use SimpleX and Signal, and Matrix.

[–] [email protected] 4 points 5 months ago (1 children)

I really do wonder why more people aren't using Delta Chat.

spoilerMe included.

Anyway. I remember using Session for a few months a couple of years ago. Something about the interface was bugging me. It felt sluggish.

[–] [email protected] 4 points 5 months ago

Delta Chat

It's an email front-end with opportunistic PGP, including all the drawbacks thereof.

Not really comparable to a modern e2ee instant messenger.

[–] [email protected] 4 points 5 months ago (1 children)

I use it for our family chat. It's okay. The biggest issue is sometimes messages are delayed (up to half-an-hour at times). Other than that, it's fine. It meets our needs.

[–] [email protected] 5 points 5 months ago (2 children)

look into switching the fam to SimpleX. much more reliable.

[–] [email protected] 2 points 5 months ago (1 children)

It's not an option. It doesn't work on all our phones.

[–] [email protected] 1 points 5 months ago (1 children)

Which phones doesn't it work on?

[–] [email protected] 2 points 5 months ago
[–] [email protected] 2 points 5 months ago (1 children)

It just is less flexible and has a more complex UI.

[–] [email protected] 2 points 5 months ago

less flexible? explain

[–] [email protected] 3 points 5 months ago* (last edited 5 months ago)

I really like the idea of creating a decentralized network that has a fair monetization model built right in, instead of relying on donations like the Fediverse. Crypto got a very bad rep, but this kind of stuff is exactly what it's good for imo.

It also has some core features that are missing from other similar messengers, like multi-device sync. And lastly, the devs seem pretty capable and open as well. They are very transparent with their work and seem to have the right ideas about where things should go and which trade-offs to make. E.g. their reasoning for not using the Signal protocol seems solid to me.

So I'm hopeful, but time will tell if it all works out.

[–] [email protected] 3 points 5 months ago

I use it, it works pretty good tbh.

[–] [email protected] -1 points 5 months ago

If a person uses F-Droid and disables all anti-features in Settings, do a search for Session it's not listen. That's all that a person needs to know for why Session is not an option. Can't garauntee privcy like SimpleX can.