> Cryptography nerds should NOT be finding the software that activists trust with their privacy hilarious.
This is very much true. Why in the world would session do the things they listed unless it really was just a state actor trying to get something in place to snoop on people.
Various reasons, using 128 Bits of entropy in Session Account IDs allows Session to use 13 word mnemonic seeds, instead of 25 word seeds, which makes the UX of writing down and saving mnemonic seeds easier, the claimed reduction in security by the researcher is incorrect. The other 2 security issues are misinterpretations of the code.
Glad to see someone looking into the actual security of this application finally. I couldn't find any information like this when I first heard of it.
The primary (maybe only) appeal of this app seems to be the lack of a phone number requirement. Consequently, you can run a desktop version without also having a phone.
I'm not familiar with cryptography enough to know whether these arguments make sense, but if they do, this is really damning. That's a series of intentional, unnecessary changes that each massively weaken the protocol's security...
"Please don't pick the most provocative thing in an article or post to complain about in the thread. Find something interesting to respond to instead."
This is very much true. Why in the world would session do the things they listed unless it really was just a state actor trying to get something in place to snoop on people.