> Cryptography nerds should NOT be finding the software that activists trust with their privacy hilarious.
This is very much true. Why in the world would session do the things they listed unless it really was just a state actor trying to get something in place to snoop on people.
Various reasons, using 128 Bits of entropy in Session Account IDs allows Session to use 13 word mnemonic seeds, instead of 25 word seeds, which makes the UX of writing down and saving mnemonic seeds easier, the claimed reduction in security by the researcher is incorrect. The other 2 security issues are misinterpretations of the code.
Glad to see someone looking into the actual security of this application finally. I couldn't find any information like this when I first heard of it.
The primary (maybe only) appeal of this app seems to be the lack of a phone number requirement. Consequently, you can run a desktop version without also having a phone.
I'm not familiar with cryptography enough to know whether these arguments make sense, but if they do, this is really damning. That's a series of intentional, unnecessary changes that each massively weaken the protocol's security...
"Please don't pick the most provocative thing in an article or post to complain about in the thread. Find something interesting to respond to instead."
> Cryptography nerds should NOT be finding the software that activists trust with their privacy hilarious.
This is very much true. Why in the world would session do the things they listed unless it really was just a state actor trying to get something in place to snoop on people.
Various reasons, using 128 Bits of entropy in Session Account IDs allows Session to use 13 word mnemonic seeds, instead of 25 word seeds, which makes the UX of writing down and saving mnemonic seeds easier, the claimed reduction in security by the researcher is incorrect. The other 2 security issues are misinterpretations of the code.
Full response is provided here https://getsession.org/blog/a-response-to-recent-claims-abou...
Have written up a full response here, every claim by the researcher is covered https://getsession.org/blog/a-response-to-recent-claims-abou...
Glad to see someone looking into the actual security of this application finally. I couldn't find any information like this when I first heard of it.
The primary (maybe only) appeal of this app seems to be the lack of a phone number requirement. Consequently, you can run a desktop version without also having a phone.
Agree, its good when people review Session's code for vulnerabilities, its just in this case many of the claims the researcher makes are incorrect or misleading. https://getsession.org/blog/a-response-to-recent-claims-abou...
I'm not familiar with cryptography enough to know whether these arguments make sense, but if they do, this is really damning. That's a series of intentional, unnecessary changes that each massively weaken the protocol's security...
We've put together a response here which responds to the claims re: cryptography https://getsession.org/blog/a-response-to-recent-claims-abou...
The site is returning just a JSON response of the blog post for me. Can't view the content directly.
Should be fixed now.
https://furry.engineer/@soatok/113833767490388329
[flagged]
"Please don't pick the most provocative thing in an article or post to complain about in the thread. Find something interesting to respond to instead."
https://news.ycombinator.com/newsguidelines.html
Skill issue
Why can't you take this web page seriously?