• Arthur Besse@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    5 months ago

    Thank you. I have read that the Session is not yet using quantum-resistant cryptographic algorithm. It is using X25519 which is an elliptic curve algorithm widely used for key agreement in TLS today. As a layman, I do not expect this to be a problem for a regular user (who is no target of the US three letter agencies) in the near future.

    The lack of forward secrecy and lack of post-quantum encryption are orthogonal deficiencies. The development of a cryptanalytically-relevant quantum computer is only one of the ways that a long-term key could be compromised in the future, and forward secrecy without some PQ crypto does not actually even protect against that.

    The reason to have forward secrecy (even if you don’t have PQ) is that long-term keys can be compromised in the future by malware or device seizure. See the forward secrecy wikipedia article i linked in my previous comment for more information.

    According to https://www.securemessagingapps.com/ Session uses: X25519 / XSalsa20 256 / Poly1305

    These are good cryptographic choices, albeit not PQ. The problem is that they aren’t being combined in a forward secret manner. It is very possible to build a forward secret protocol from these primitives (as many other projects have done) but Session opted not to. They actually were originally using Signal’s forward secret ratchet, but if i understand correctly it was too difficult for them so they just gave up on forward secrecy at some point and replaced it with this thing they have now.

    While Simplex uses: Curve25519 / XSalsa20 256 / Poly1305

    SimpleX actually added Streamlined NTRU Prime recently for quantum resistance. (And it was forward secret from the beginning, as one would expect of any protocol designed in the last 15 years or so…)

    and Simplex does not provide transparency report

    Actually they do, here: https://simplex.chat/transparency/index.html

    and logs timestamps/IP addresses

    Huh? I don’t think so… what makes you say that?

    • hetzlemmingsworld@lemmings.worldOPM
      link
      fedilink
      arrow-up
      1
      ·
      5 months ago

      what makes you say that?

      I have read it at https://www.securemessagingapps.com

      lack of forward secrecy

      Oxen people argument: “under typical circumstances, the only way long term keys can be compromised is through full physical device access — in which case an attacker could simply pull the already-decrypted messages from the local database. As is often said in the infosec community, physical access is total access” source: https://getsession.org/blog/session-protocol-explained

      They are also saying “We will be looking at making it easier to rotate accounts as a whole” source: https://github.com/oxen-io/session-desktop/issues/2338

      • Arthur Besse@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        5 months ago

        and logs timestamps/IP addresses

        what makes you say that?

        I have read it at https://www.securemessagingapps.com

        That website has a lot of things wrong, and provides no citations for most of its claims: it just says “Yes” or “No” about most things.

        SimpleX says they don’t log IP addresses, and their claim is at least as credible as anyone else’s. I suspect the securemessagingapps web page gave them a “No” in that column because SimpleX is refreshingly honest in their threat model and privacy policy, and thus mentions that even though they don’t log IPs their hosting provider (or the hosting provider of other SimpleX servers - you don’t have to use one of theirs) could be. They currently recommend using Tor to mitigate this problem.

        Oxen people argument: “under typical circumstances, the only way long term keys can be compromised is through full physical device access — in which case an attacker could simply pull the already-decrypted messages from the local database.

        Most chat apps allow you to delete old messages, both on an individual message basis and automatically after some period of time. Does Session not?

        As is often said in the infosec community, physical access is total access”

        Who would say that, except someone trying to excuse their protocol’s lack of forward secrecy?

        There is no reason why physical access to a device should mean total access to messages that were deleted previously; all serious secure messaging protocols today use forward secrecy to limit the impact of device compromise.

        Furthermore, most modern (eg, designed in the last decade or so) protocols also provide post-compromise security (aka “backward secrecy”, “future secrecy”, or “self-healing”) to introduce new entropy into their ratchets such that when a device is temporarily compromised (as is actually very often the case in real-world attacks on mobile operating systems) the key material which an attacker can exfiltrate doesn’t allow them to decrypt future messages which are sent later after the device is uncompromised (eg, rebooted).