Comments Page - Don't Use Session (Signal Fork)

« Back Don't Use Session (Signal Fork)soatok.blogSubmitted by xena 2 months ago

jetbalsa 2 months ago
> Cryptography nerds should NOT be finding the software that activists trust with their privacy hilarious.
This is very much true. Why in the world would session do the things they listed unless it really was just a state actor trying to get something in place to snoop on people.
- keejef 2 months ago
  Various reasons, using 128 Bits of entropy in Session Account IDs allows Session to use 13 word mnemonic seeds, instead of 25 word seeds, which makes the UX of writing down and saving mnemonic seeds easier, the claimed reduction in security by the researcher is incorrect. The other 2 security issues are misinterpretations of the code.
  Full response is provided here https://getsession.org/blog/a-response-to-recent-claims-abou...
keejef 2 months ago
Have written up a full response here, every claim by the researcher is covered https://getsession.org/blog/a-response-to-recent-claims-abou...
extraduder_ire 2 months ago
Glad to see someone looking into the actual security of this application finally. I couldn't find any information like this when I first heard of it.
The primary (maybe only) appeal of this app seems to be the lack of a phone number requirement. Consequently, you can run a desktop version without also having a phone.
- keejef 2 months ago
  Agree, its good when people review Session's code for vulnerabilities, its just in this case many of the claims the researcher makes are incorrect or misleading. https://getsession.org/blog/a-response-to-recent-claims-abou...
Llamamoe 2 months ago
I'm not familiar with cryptography enough to know whether these arguments make sense, but if they do, this is really damning. That's a series of intentional, unnecessary changes that each massively weaken the protocol's security...
- keejef 2 months ago
  We've put together a response here which responds to the claims re: cryptography https://getsession.org/blog/a-response-to-recent-claims-abou...
nexus_six 2 months ago
The site is returning just a JSON response of the blog post for me. Can't view the content directly.
- some_furry 2 months ago
  Should be fixed now.
  https://furry.engineer/@soatok/113833767490388329
ranger_danger 2 months ago
[flagged]
- dang 2 months ago
  "Please don't pick the most provocative thing in an article or post to complain about in the thread. Find something interesting to respond to instead."
  https://news.ycombinator.com/newsguidelines.html
  undefined 2 months ago
  [deleted]
- Kye 2 months ago
  Skill issue
- summermusic 2 months ago
  Why can't you take this web page seriously?