Appeal to authority.
Unfounded claim.
Flaws they introduced by removing PFS (Perfect Forward Secrecy) and Cryptographic Deniability, just to name two big ones, which they got free from Signal. For anyone not aware, they removed these security features because it made development more difficult for them, not because it was in the interest of their users.
Has yet to be seen, although if they bring back PFS, they will have at least reached Signal’s level of privacy/security from over a decade ago.
Edit:
Additional, more technical details on why you shouldn’t use Sessions: https://soatok.blog/2025/01/14/dont-use-session-signal-fork/
?
I’ve done my research.
I’m relatively confident that they will do the things they’ve promised.
https://getsession.org/blog/session-protocol-v2
Session has responded to that blog post, mostly debunking it. There is also a response from Soatok to their response, and they edited their original response afterward to address Soatok’s response to Session’s original blog post. Session was also audited by third parties, which had already pointed out some of the things Soatok mentioned in his blog post, and that does not mean Session is insecure or unable to compete with SimpleX, Threema, DeltaChat, Briar, and many other “private messengers.” Signal requires a phone number, which, in Germany where I live, is by law attached to your identity and is also a unique identifier and an attack surface. I use and prefer Signal over Session, but Signal also has many small flaws.
https://soatok.blog/2025/01/20/session-round-2/
https://getsession.org/blog/a-response-to-recent-claims-about-sessions-security-architecture
I will also not continue this conversation further if nothing that I have not already clarified is brought up.