Don’t Use Session (Signal Fork)
Last year, I outlined the specific requirements that an app needs to have in order for me to consider it a Signal competitor. Afterwards, I had several people ask me what I think of a Signal fork called Session. My answer then is the same thing I'll say today: Don't use Session. The main reason I said to avoid Session, all those months ago, was simply due to…
http://soatok.blog/2025/01/14/dont-use-session-signal-fork/
=> More informations about this toot | More toots from soatok@furry.engineer
@soatok thank you very much for the detailed analysis.
=> More informations about this toot | More toots from ireneista@irenes.space
@ireneista Happy to help! :3
=> More informations about this toot | More toots from soatok@furry.engineer
@soatok@furry.engineer on the note of the cost of the attack from the shattered paper: i did some back-of-napkin math based on the cost of renting more modern GPUs than the ones used in the attack (those were GTX 970s) on a service i presently use to inexpensively rent GPUs, which i use for testing prime number hunting software.
the cost of the attack today, based on my quick math, would be almost exactly $619, if you assume that no time was wasted in setting things up, and you are renting RTX 4090 GPUs.
last time i checked this was, i think, in late 2020. i had a reason to attempt that exact attack, if it was feasible. it was not, i would've still needed closer to $10,000-20,000 at the time (i don't remember the exact figure)
=> More informations about this toot | More toots from linear@nya.social
@linear Oh neat!
I wonder if I could convince a cryptography-related company to offer up that much compute for a collaboration on a paper.
=> More informations about this toot | More toots from soatok@furry.engineer
@soatok@furry.engineer oops, i lied, the attack i was trying to do back then was the 2020 shambles attack, not shattered.
but the math still checks out, and i ran the same napkin math for the 2020 shambles attack and got a figure of $837 (the authors quoted about $45k)
i think that's just more evidence that an attack on 64 bits of security is very much affordable now. not even 4 figures
=> More informations about this toot | More toots from linear@nya.social
@soatok@furry.engineer hm. i think i may have gotten my math wrong, so don't go chasing a grant to try this without checking yourself first :P
=> More informations about this toot | More toots from linear@nya.social
@soatok this was actually pretty understandable
=> More informations about this toot | More toots from risottobias@tech.lgbt
@soatok
Does Molly pass your sniff-test?
=> More informations about this toot | More toots from Brett_E_Carlock@mastodon.online
@Brett_E_Carlock Haven't looked, but I've been told it hasn't diverged from Signal in terms of cryptography protocols, so that's probably ok
=> More informations about this toot | More toots from soatok@furry.engineer
@soatok Ah, excellent news, thank you!
They promote some code/memory hardening and some other things, as well as reducing tracking by not using Google APIs in Molly-FOSS.
https://molly.im
=> More informations about this toot | More toots from Brett_E_Carlock@mastodon.online
@Brett_E_Carlock @soatok i've been using signal-foss[0] for a couple years ever since getting this murena /e/os fairphone 3 so now im curious to try out molly-foss too,
can i somehow transfer my cached messages and stuff over to molly-foss instead? i tried doing the whole phone number verification thing from scratch but never got the code and then it started saying "error connecting to service" too when i tried selecting Resend code
[0] https://www.twinhelix.com/apps/signal-foss/
=> More informations about this toot | More toots from banaanihillo@tech.lgbt
@banaanihillo
I believe so, yes. IIRC, my earliest chats were in Signal and still are in Molly.
My verification had to be requested multiple times, but eventually worked.
=> More informations about this toot | More toots from Brett_E_Carlock@mastodon.online
@Brett_E_Carlock were you able to use the "transfer or restore account" thing? or did you do the setup like you'd do on a fresh phone?
=> More informations about this toot | More toots from banaanihillo@tech.lgbt
@Brett_E_Carlock alright i got the code now but i have zero recollection of the PIN now :blobbee_laugh_sweat:
=> More informations about this toot | More toots from banaanihillo@tech.lgbt
@Brett_E_Carlock okay i think i may have successfully mollyfied my signal now, it was a bit of a weird trip but signal desktop seems to have reconnected as well
=> More informations about this toot | More toots from banaanihillo@tech.lgbt
@banaanihillo @Brett_E_Carlock love molly
=> More informations about this toot | More toots from hipsterelectron@circumstances.run
@hipsterelectron @Brett_E_Carlock how do i change the timestamp format from 12 hours though :blobfoxgooglyconfused:
=> More informations about this toot | More toots from banaanihillo@tech.lgbt
@banaanihillo Mine seems to just use my locale (French), if you're talking about Molly on Android, that is.
=> More informations about this toot | More toots from boo_@im-in.space
@boo_ murena /e/os version 1.17 with locale set to english/denmark or english/canada, can't remember which one works there
=> More informations about this toot | More toots from banaanihillo@tech.lgbt
@boo_ ah, i mean, language set to english/canada and time format has Use locale default unchecked and Use 24-hour format checked
=> More informations about this toot | More toots from banaanihillo@tech.lgbt
@banaanihillo Maybe Molly/Signal doesn't respect the last option. Android has English locales for regions that don't use it as their native language, for me it recommends Sweden. Maybe try one of those?
=> More informations about this toot | More toots from boo_@im-in.space
@soatok @Brett_E_Carlock I cannot speak the precise details but my understanding is that Molly is an alternative client for Signal and so I certainly hope everything important client side remains the same.
I'm using it as my solution for a second Signal account on one Android/GrapheneOS phone since unlike work profile applications it didn't require scary permissions.
=> More informations about this toot | More toots from gravepapaya@tiggi.es
@soatok do noise or MLS explicitly prevent KCI?
=> More informations about this toot | More toots from risottobias@tech.lgbt
@soatok ooo smarter question: how does signal prevent KCI?
=> More informations about this toot | More toots from risottobias@tech.lgbt
@risottobias Ratcheting protocols
=> More informations about this toot | More toots from soatok@furry.engineer
@risottobias See also, https://github.com/soatok/rawr-x3dh :P
=> More informations about this toot | More toots from soatok@furry.engineer
@soatok but how would that prevent e.g. the federated key exchange starting point of your implementation?
Like they start with a first key no?
=> More informations about this toot | More toots from risottobias@tech.lgbt
@risottobias The key thing I'm building is for signing keypairs.
Those keypairs sign an ephemeral public key. There is no long-term x25519 public key in my design.
=> More informations about this toot | More toots from soatok@furry.engineer
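A sketch of the signed-ephemeral-key pattern soatok describes above, added here as an example and not rawr-x3dh's own code: a long-term Ed25519 identity key signs a one-time X25519 public key, and the receiver verifies that signature under an identity key it pinned out of band before doing any Diffie-Hellman. The message struct, function names and the "pinned key" source are assumptions; the point of contrast is that the verifying key is never taken from the message itself.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedEphemeral: a fresh X25519 public key plus an Ed25519 signature over it
// made with the sender's long-term identity key (hypothetical message format).
type SignedEphemeral struct {
	EphemeralPub []byte
	Signature    []byte
}

// NewSignedEphemeral makes a one-time X25519 keypair and signs its public half;
// the private half is returned to the caller and never leaves this party.
func NewSignedEphemeral(identity ed25519.PrivateKey) (SignedEphemeral, *ecdh.PrivateKey, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return SignedEphemeral{}, nil, err
	}
	pub := eph.PublicKey().Bytes()
	return SignedEphemeral{EphemeralPub: pub, Signature: ed25519.Sign(identity, pub)}, eph, nil
}

// DeriveShared verifies the signature under a PINNED peer identity key learned
// out of band (never one carried in the message itself), then runs X25519.
func DeriveShared(pinnedPeer ed25519.PublicKey, msg SignedEphemeral, ourEph *ecdh.PrivateKey) ([]byte, error) {
	if !ed25519.Verify(pinnedPeer, msg.EphemeralPub, msg.Signature) {
		return nil, fmt.Errorf("ephemeral key not signed by pinned identity key")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(msg.EphemeralPub)
	if err != nil {
		return nil, err
	}
	return ourEph.ECDH(peerPub)
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	aMsg, aEph, _ := NewSignedEphemeral(alicePriv)
	bMsg, bEph, _ := NewSignedEphemeral(bobPriv)
	sA, _ := DeriveShared(bobPub, bMsg, aEph)
	sB, _ := DeriveShared(alicePub, aMsg, bEph)
	fmt.Println("shared secrets match:", string(sA) == string(sB))
	// Same ephemeral key, but signed by an identity Bob never pinned: rejected.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignedEphemeral{aMsg.EphemeralPub, ed25519.Sign(otherPriv, aMsg.EphemeralPub)}
	_, err := DeriveShared(alicePub, forged, bEph)
	fmt.Println("unpinned-signer key rejected:", err != nil)
}
```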
@soatok I'm gonna nod like I understand but my head is empty
=> More informations about this toot | More toots from risottobias@tech.lgbt
@soatok also, on a signal ratchet, aren't the ratchet negotiations also "in band"?
=> More informations about this toot | More toots from risottobias@tech.lgbt
@soatok they took a state of the art design and broke it. if this isn't a honeypot then i don't know what is
=> More informations about this toot | More toots from b_rawr@furry.engineer
@soatok
#TIL about NOBUS (as a word)
=> More informations about this toot | More toots from magnetic_tape@infosec.exchange
@soatok@furry.engineer
=> More informations about this toot | More toots from natomic@woem.dev
@soatok WTAF!?🤯
Your #3 security issue (Session uses the public key as a symmetric key) should be an immediate disqualifier RIGHT THERE.
I don't really care if someone fixes that one. The fact that something like that EVER passed muster in an application which is supposedly about privacy should be an IMMEDIATE DISQUALIFIER.
The public key is public. I don't care if it looks like randomness. It's public, FFS.
That "[Tor but] with a few key differences" is pulling a crapton of weight.
=> More informations about this toot | More toots from mkj@social.mkj.earth
@mkj I'd say not only a disqualification but grounds to go right to jail and have your keyboard privileges revoked
@soatok
=> More informations about this toot | More toots from kusuriya@hackers.town
@kusuriya Well, I was running low on space within the 500 characters and already had to trim...
@soatok
=> More informations about this toot | More toots from mkj@social.mkj.earth
@mkj
It's not the case: https://getsession.org/blog/a-response-to-recent-claims-about-sessions-security-architecture
@soatok
=> More informations about this toot | More toots from bohwaz
@bohwaz @mkj Instead of spamming my mentions with Session's claims, give me a chance to respond to it first. They are mistaken.
=> More informations about this toot | More toots from soatok@furry.engineer
@soatok
I wasn't spamming, I just didn't see your reply.
@mkj
=> More informations about this toot | More toots from bohwaz
@bohwaz @mkj Gotcha. One of the Session devs has been spamming links to their blog everywhere and it looked like you were following suit for a moment.
=> More informations about this toot | More toots from soatok@furry.engineer
@soatok I quote from the article:
“I did not disclose this blog post privately to the Session developers before pressing publish.
I do not feel that cryptographic issues always require coordinated disclosure with the software vendor.”
My reactions:
I ignore and continue my day 😎
=> More informations about this toot | More toots from funkybuddha@mastodon.green
@funkybuddha and who are you, besides the fact that you're boosting disinformation accounts and have nothing to say otherwise?
=> More informations about this toot | More toots from mawhrin@circumstances.run
@funkybuddha @soatok Awwww someone got butt hurt. This article is perfectly fine to read, signed, a technical person.
=> More informations about this toot | More toots from ljrk@todon.eu
@soatok so...
is the entire security based on the onion routing
=> More informations about this toot | More toots from entronid@infosec.exchange
@entronid The onion routing is a middleware between "swarms" that allegedly only persist ciphertext for a short term. So, not the "entire" security but a lot of it.
=> More informations about this toot | More toots from soatok@furry.engineer
@soatok Excellent post :3
Pretty frightening how much misinformation there is about Session given all of this...
=> More informations about this toot | More toots from UnknownSilicon@tech.lgbt
@UnknownSilicon Pretty much the entire infosec community, if you ask a random person in it with a clue what secure messenger to use, will tell you "use Signal.".
And then there is a small but VERY vocal group who will scream at the top of their lungs BUT PHONE NUMBERS IT IS A GOVERNMENT TRACKING TOOL.
And ironically, when people with a clue poke at the supposedly oh so much better alternatives, pieces like these have a tendency to fall off...
Signal isn't perfect. Just damned good.
@soatok
=> More informations about this toot | More toots from mkj@social.mkj.earth
@soatok if you're gonna rip out the cryptography, why even fork signal?
=> More informations about this toot | More toots from Mae@is.badat.dev
@Mae @soatok
Choices of imputed reasoning include
and
Not having checked if the principals of Session are even known, let alone what their announced principles might be, I can't guess which.
OTOH check all that apply and presume hostile unless proven friendly are good watch words.
=> More informations about this toot | More toots from BRicker@fosstodon.org
@soatok What I personally also consider negative is the ominous connection to the OXEN cryptocurrency system, which apparently operates the onion routing for Session. https://www.freie-messenger.de/en/warumnicht/#session
=> More informations about this toot | More toots from mark22k@layer8.space
@soatok great blog post! Those are some really hefty design issues. Either someone was really convinced of their ability to design a cryptographic protocol when they weren't or that was intentional. Either way, removing PFS, checking the signature against the public key supplied in the message instead of a trusted one, and using a public key for symmetric encryption had me laughing. 😄🤦
=> More informations about this toot | More toots from robertguetzkow@infosec.exchange
@soatok Session messenger also has connections to the alt-right scene. That should already be enough reason not to use it:
https://web.archive.org/web/20210914000446/https://twitter.com/WPalant/status/1281540005190672384
=> More informations about this toot | More toots from Septem9er@chaos.social
@Septem9er @soatok If I understand things correctly, Session is no longer using Lokinet, so there is no connection to this guy anymore. But I might be wrong.
=> More informations about this toot | More toots from bohwaz
@bohwaz @Septem9er According to https://oxen.io/session-lokinet and https://github.com/search?q=repo%3Asession-foundation%2Fsession-android%20oxen&type=code it's still pretty baked-in.
=> More informations about this toot | More toots from soatok@furry.engineer
@soatok @Septem9er Ah right. I've read that they were migrating out of Oxen: https://getsession.org/blog/upgrading-to-session-network
But that might not be done yet. It's hard to know, as there's little public communication.
=> More informations about this toot | More toots from bohwaz
@soatok @Septem9er Interesting post on the Loki network: https://cheapskatesguide.org/articles/lokinet.html
That person seems to have understood the same thing as me: server operators participating in the network cannot get real money from the cryptocurrency used for this network, so I don't really see how this cryptocurrency can be useful in any way… Very weird.
=> More informations about this toot | More toots from bohwaz
@soatok I legitimately can't differentiate between "hanlon" and "nation-state" given the sheer level of incompetence displayed here... Especially "crossing the streams" by using asymmetric key material as a symmetric key. (and that's before considering that they use the public portion of said key material. Just crossing the streams at all is bad enough to warrant "kill it with fire" in my book...)
=> More informations about this toot | More toots from becomethewaifu@tech.lgbt
@soatok@furry.engineer
=> More informations about this toot | More toots from Orca@nya.one
@Orca @soatok I had to re-read that sentence twice because using a public portion of a key as a symmetric encryption key is insanity
=> More informations about this toot | More toots from l4p1n@furry.engineer
@l4p1n @Orca Yeah I had to include the source code as a visual aid because it was so bonkers
=> More informations about this toot | More toots from soatok@furry.engineer