- cross-posted to:
- privacy@lemmy.world
- privacyguides@lemmy.one
- privacy@lemmy.ml
tldr: their encryption sucks apparently
frankly i don’t know enough about cryptography to be able to summarize it better.
They fucked up their encryption so it has half the entropy they claim, they verify messages solely based on information from the message and their pseudo-tor thing isn’t encrypted. Also you can drain someone’s battery by sending them specially crafted messages
*Don’t Use Session,
if your threat profile includes governments spending ±100k to crack your encryption, since their encryption is not the best out there. Which they likely won’t for an average privacy conscious user, but they might for high ranking criminals.
It was a good read though,
I won’t invite new people to Session due to it.
But the title is a little click-baity,
“Session’s encryption is not the best”,
would be a more honest title.
> But the title is a little click-baity,
> “Session’s encryption is not the best”,
> would be a more honest title.

I agree that this would be a better title, but it still belies the deeper points: the Session devs made sloppy or weak cryptographic decisions when there’s no seemingly reasonable justification for them. It points to a lack of understanding, ignorance, or possibly malicious intent (though the last seems less likely to me).
So, what happens when they do something really wrong? Doesn’t seem that far-fetched that it’s a matter of “when,” given how they’ve implemented everything else.
Do you happen to have an experience with using briar and can comment on it? It seems cool and using its mailbox system on a secondary old phone to get 100% uptime despite it being p2p is a nice concept. I just haven’t gotten around to really testing the UX when using it with multiple other people much.
I believe Briar currently is one of the best options out there, together with SimpleX.
However I lack usage experience with both.
Since no one I know makes use of them… It was already hard enough to convince only a handful of my friends to start using Session and Matrix/Element (which are not the best options anymore), but I’m kinda doubtful about my success rate of making them switch once again…
My success with convincing people to use Telegram has been better though, since that’s the most commonly known, but nearly no one wants to install an app they never heard of before, just to chat with only me :P
Also “convincing people” lately goes smth like this for me:
- Do you have WhatsApp or Messenger so I can send you some pictures?
- No I don’t use apps that do not respect my privacy, but you can send em to me through SimpleX, Briar, Session, Matrix/Element, Telegram, Discord or email :P
- Upon which most choose Telegram or Discord as their means to contact me, sadly no one had Briar/SimpleX yet.
I might be missing something, but I’d trust WhatsApp to leak much less data about me than Telegram or Discord. Those don’t have any form of E2EE.
Also, what about using Signal?
The way i (and many others) see it, anything that is not both open source and fully decentralized is automatically a no go. Open source for rather obvious reasons. Decentralized for less but increasingly obvious reasons (No central failure point, no central metadata collection, no central authority, no lock in).
> Telegram or Discord

So yeah those are obviously shit too. Signal is the last centralized thing i use, but i’m starting to phase that out now too.
With all sorts of anti E2EE sentiment and right wing parties on the rise everywhere, i would rather get rid of any communication channels that are so prone to being blocked, shut down, censored, etc.
Oh, I thought it’s because of the Loki Foundation. This article was surprisingly technical.
This blog also has a good post from last year discussing the shortcomings of XMPP and Matrix relative to Signal.
Thx, and happy cakeday.