• ᗪᗩᗰᑎ
    link
    fedilink
    arrow-up
    2
    ·
    7 months ago

    For anyone considering Session messenger:


    The Session developers dropped Perfect Forward Secrecy because it would be hard to work around it.

    First things first, let’s talk about what we’re leaving behind: Perfect Forward Secrecy (PFS) and deniability.

    Source: https://getsession.org/session-protocol-explained

    In plain English, they dropped a security feature for their convenience to the detriment of their users’ security.

    For anyone unsure what PFS provides:

    The value of forward secrecy is that it protects past communication.

    Source: https://en.wikipedia.org/wiki/Forward_secrecy

    The Session devs also claim:

    Session provides protections against these types of threats in other ways — through fully anonymous account creation, onion routing, and metadata minimisation, for example.

    Reading between the lines, we can interpret that as introducing security through obscurity, which is generally considered bad practice - https://cwe.mitre.org/data/definitions/656.html