Especially for the less tech-savvy among us?

  • @doodledup (score 5, 4 hours ago)

    Don’t use Session! It’s not secure with the recent changes!

    • chi-chan~ (score -1, 7 hours ago)

      Because his grandma can’t type a password 30 characters long just to restore her messages.

      They are so smart and still make some choices that are so, so, *so dumb*. ‘No history on a new PC for you, it’s a “feature”’. Seriously? c’mon.

      • @FauxLiving (score 3, 7 hours ago)

        History isn’t stored on the server so it can’t be automatically populated on a new device. That is a feature. The alternative, storing the messages on the server or having the means for one device to clone all of its messages to another device, would be insecure.

        A 30 character long password is required in order to have enough bits of entropy so that the backed up messages are actually secure.

        Grandma isn’t moving her data to a new PC without assistance, the person that is assisting her should be competent enough to operate Signal.

    • sunzu2 (score 1, 14 hours ago)

      It is a centralized weak point that US feds can easily extract metadata from to obtain your social network, etc.

      • @doodledup (score 1, 4 hours ago)

        A bigger weak point is having weak encryption like Session has. Also, you cannot obtain metadata from Signal. They’ve gone to great lengths to prevent that. Signal servers don’t even know who is talking to whom.

      • @FauxLiving (score 3, 7 hours ago)

        “easily extract metadata”

        That’s a pretty big claim to make with zero additional information.

        Since 2018, Signal has been encrypting the sender data with a key that isn’t known to the server. Messages do not contain unencrypted metadata. I’m not sure how you expect the FBI to do this with the information available to the Signal servers.

          • @FauxLiving (score 1, 6 hours ago)

            “at role does the signal server play?”

            If this is a question that you need answered then I’m not sure you’re qualified to declare that Signal is insecure.

  • foremanguy (score 15, 14 hours ago)

    The real alternative to Signal for myself is SimpleX. The project is still in its beginning, but it’s the best instant messaging we could have once polished and finished.

    • @[email protected] (score 2, 10 hours ago)

      Briar doesn’t make sense to me because you’re trading a central server for a central service… If tor is down, you can’t message. It’s the same POF as cellular, which is insane to me.

      • @FauxLiving (score 1, 7 hours ago)

        TOR isn’t a centralized service, it’s a distributed network.

        • @[email protected] (score 1, 7 hours ago)

          It’s also a specific protocol, which can absolutely be blocked. I don’t know where this notion that it’s impossible to block tor because it was designed to be censorship resistant came from, but you can absolutely stop people from using it.

          It’s not even that hard and there’s nothing end users can do about it if they don’t know how to circumvent it…

          • @FauxLiving (score 0, 6 hours ago)

            Being able to be blocked is a completely different thing than being a centralized service.

            “[…] there’s nothing end users can do about it if they don’t know how to circumvent it…”

            I mean, if users don’t know how to circumvent something, by definition there is nothing that they can do about it.

            However, unless this hypothetical censoring country is blocking all encrypted network traffic, it is trivial to access TOR via a VPN or an SSH tunnel.

  • Em Adespoton (score 12, 15 hours ago)

    As a centralized system, nothing has been shown to improve on Signal yet. For decentralized systems, I haven’t seen anything better than Matrix yet? SimpleX is slightly more secure, but harder to spin up and easier to break.

    Session… there have been multiple articles written on how it is flawed and untrustworthy.

    • @[email protected] (score 4, 12 hours ago)

      “Harder to spin up”? Hard disagree. Matrix’s main server implementation is very resource-heavy, and alternatives like Conduit are not full-featured (and broke in some ways for me when interacting with matrix dot org). Meanwhile SimpleX servers are pretty light and, aside from a couple of errors in the documentation that took a while to figure out, it has been easier than Conduit. And unlike Matrix, it has never broken for me so far.

    • Sonalder (score 5, 15 hours ago)

      Matrix is not decentralized but rather federated and distributed. Also, synapse (the Matrix server) has poor performance, especially when you federate your instance with others.

  • Sonalder (score 8, 15 hours ago)

    I think that SimpleX is more innovative and ground-breaking than Session.

    • irotsoma (score 3, 8 hours ago)

      But it’s a difficult concept for the average person to not have an account, but have everything be device oriented. Same problem with people not using gpg for email. Having to maintain a thing similar to a private key that’s not memorizable like a username and password, and back that up in case your device is lost, is a big hurdle for many. And then additionally having to share a QR code or link through some external means for someone to connect with you, rather than just telling them to download an app and enter your username, has always been difficult.

      So, IMHO, Signal has the best implementation possible with the level of usability that many nontechnical people expect in a chat application, even if it’s not the most secure. I am interested to see how SimpleX solves these issues in the future, though.

      • Sonalder (score 1, 7 hours ago)

        Of course it is, that’s the innovative part of it! My opinion was that I’d rather use SimpleX if I wanted to switch away from Signal; if not, I’ll simply use Signal, not Session. But my threat model isn’t everyone’s.

        I think as people become more educated on cryptography in their digital lives, we will have better UX, to the point of it not being as difficult as sending an e-mail in the late 80s. Innovations like Bitcoin, nostr, U2F, passkeys etc… will be more accessible over time. Today sending a message on Signal is infinitely easier, more secure and more private than the majority of e-mails of the 21st century.

    • umami_wasabi (score 4, edited, 13 hours ago)

      Use separate profiles for different devices. Make a group when you chat with others.

    • Alas Poor Erinaceus (OP) (score 2, 15 hours ago)

      Grr! Ok, but damned if I could get that to work! It seems like you can’t use the desktop and mobile client at the same time! You have to scan a QR code to switch between them! And it has issues with firewalls and VPNs! Old and clueless here, maybe part of the problem. 🙁

      • @[email protected] (score 3, 12 hours ago)

        I just have two identical but independent profiles. They also double as my remote copy-paste buffer.

        • Alas Poor Erinaceus (OP) (score 3, 13 hours ago)

          I didn’t have an issue with fireballs either, thankfully, because I made my saving throws before they got to me.🔥😉

      • Sonalder (score 0, 15 hours ago)

        Yes, SimpleX isn’t mature from a UX perspective, and that is due to its innovative approach. If you need to have device sync and don’t want Signal, Session could be a better option for you.

        • Alas Poor Erinaceus (OP) (score 0, 13 hours ago)

          Am I right tho about having to scan QR codes to go back and forth between desktop and mobile on SimpleX, or am I just 😵‍💫?

  • @[email protected] (score 7, 15 hours ago)

    The main turnoff for me is that it is essentially impossible to self-host: you use random nodes from the network, and to host such a node, you have to lock up a whole fortune (last time I looked I remember it being around $1500, might’ve changed) in their own cryptocurrency. They do promise returns, but I am skeptical: where would they get so much money to guarantee compensation for everyone within a sane amount of time? They claim it is against a Sybil attack, but it seems to me that it would be a lot easier for a government/company to have more nodes in a situation where “competition” is reduced like this.

    • Alas Poor Erinaceus (OP) (score 3, 15 hours ago)

      Self-hosting is kind of hard and labor intensive for some of us; I had a lot of trouble trying to set up NextCloud on my QNAP (if that counts as self-hosting), and finally gave up.

      • @[email protected] (score 3, 15 hours ago)

        Fair; I was referring to the fact that here it isn’t even an option.

        Also, XMPP or Simplex are very easy to set up, Nextcloud is indeed more complicated.

    • @[email protected] (score 5, 15 hours ago)

      They probably meant tech-savviness compared to other Signal alternatives.

      Although even then XMPP with modern clients is simple enough for my mom to use, so I don’t entirely buy the “complication” argument either.

      • @[email protected] (score 3, 15 hours ago)

        “is simple enough for my mom to use”

        The bar is so low. I just had to visit somebody today to help them fix their computer. There was dirt on the fingerprint reader, and they forgot their password. I told them their password was their user name. I.e. hunter / hunter and it didn’t work… (I chose this because of their modest tech experience)

        They were using hunter / Hunter instead.

        • @[email protected] (score 2, 15 hours ago)

          Idk, I meant my personal experience. She doesn’t see much difference between ease of use of her XMPP client compared to, say, Whatsapp.