• ᗪᗩᗰᑎ
        link
        fedilink
        arrow-up
        2
        ·
        7 months ago

        For anyone considering Session messenger:


        The Session developers dropped Perfect Forward Secrecy because it would be hard to work around it.

        First things first, let’s talk about what we’re leaving behind: Perfect Forward Secrecy (PFS) and deniability.

        Source: https://getsession.org/session-protocol-explained

        In plain English, they dropped a security feature for their convenience to the detriment of their users’ security.

        For anyone unsure what PFS provides:

        The value of forward secrecy is that it protects past communication.

        Source: https://en.wikipedia.org/wiki/Forward_secrecy

        The Session devs also claim:

        Session provides protections against these types of threats in other ways — through fully anonymous account creation, onion routing, and metadata minimisation, for example.

        Reading between the lines, we can interpret that as introducing security through obscurity, which is generally considered bad practice - https://cwe.mitre.org/data/definitions/656.html

      • XNX@slrpnk.net
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        The point is being able to communicate when the internet is shut off