Session Messenger. Review
Official link: https://getsession.org/
Session Messenger Review (Dec2020)
While Signal is considered the most secure of the messaging services, end-to-end encryption (also known as E2E encryption) and almost no metadata capture, this new messaging platform, which is a fork of Signal, is more secure.
Session is a project of the Loki Foundation, registered in Victoria, Australia. The foundation states that its purpose is “… to create open source, metadata-neutral applications and communication tools that defend privacy in the digital world”.
Session Messenger Basics
Session conversations are protected by client-side E2E encryption, only the sender and recipient of a message can read them, and Session also protects the identities of its users. It makes your communications private and anonymous as well as secure.
Session can do this because it connects users through a Tor-like network of thousands of Service Nodes. The onion request system (layers, as used by the TorProject protocol) that Session uses to protect messages ensures that no service node on the network knows the source of a message (its IP address) and its destination (the recipient’s IP address).
Available for Android, iOS, macOS, Windows, Linux
Note : Session’s robust approach to not collecting metadata is a great advantage. I believe that the problem of metadata is the Achilles’ heel of many secure email services. Even the most popular secure email services, such as ProtonMail , do not have a good solution to the metadata problem.
Session has the following features to protect identity:
- No phone number is required to register (unlike Signal)
- No email is required to register (unlike Wire )
- No geolocation data, device data or metadata are collected
The service nodes are grouped into swarms. The swarms provide redundancy to the network, as well as temporary storage when messages cannot be delivered to their destination. Once the message is delivered, it is removed from network storage.
You will notice that I have not talked about any kind of central server here. The Session Messenger network is decentralized, with no single point of failure, and no main server for the bad guys to hack into.
Note: Session started with proxy routing rather than onion requests to protect messaging traffic, which while offering high levels of privacy, security, and anonymity, onion requests are better. As of the date of this review, the Session team was in the process of transitioning to onion requests.
Pros and cons of Session Messenger
- End-to-End Encryption (E2E) protects text and voice messages and attachments.
- Encryption algorithms: signal protocol , with Perfect Forward Secrecy (PFS)
- No phone number or email address required to register
- Oper Source (Open Source), the code is available in GitHub
- Login simultaneously with multiple devices
- Does not record IP addresses or metadata
- Encrypted closed groups (maximum 10 people) and open groups (no size limit)
- Does not support 2FA (Two-Factor Authentication)
- Very new with the onion routing protocol still under development (as of the date of this revision)
- It may have errors and not be reliable, they are working on the correction, it is a new platform (eg messages sent from the platform for pc, do not appear visible to the same user on the platform of the mobile device, but you can see, on both platforms, all received)
Note: Session Messenger is in the process of organizing a full third-party code audit, which will provide independent verification of Session’s security, privacy, and anonymity. Session is completely open source. I do not recommend, however, using Session where independently verified and tested security is required.
Installation and use
The installation and use is very intituitive. Minimal knowledge is required to install it.
When you start using it, you must create an account by generating a Session Messenger ID or start Session Messenger on an existing account (by entering an existing Session Messenger ID), for example if you installed on pc first and created the account there. To have the same account on both devices, the ID created on the first device must be entered.
A Session Messenger ID is a unique address that people can use to contact you in Session. As Session explains, the reason why using a Session Messenger ID is better than using a phone number from an email address is: “Your Session ID is completely private, anonymous, and has no connection to your real identity.
Once you create a Session Messenger ID, Session will ask you to choose your display name and tell Session how to handle automatic notifications. And once everything is done, Session will display its Recovery Phrase (also known as seed) and give you the opportunity to save it in a safe place. This recovery phrase is your most important key and you should not give it to anyone, this phrase is your dna.
If you lose the device you were using Session Messenger on, change it, or your operating system is corrupted by a virus, you can restore your user to another device by entering their Recovery Phrase and return to where they were last using that Session Messenger ID.
At first, Session will seem pretty dead and that’s because it still needs to connect to people. Session doesn’t scan its contacts for its privacy principles and needs you to tell it who to connect to. You do it by creating a new session.
A new chat session that you start by entering the Session ID of the person you want to chat with, you ask them for or scan a QR code containing their Session ID (not to be confused with the recovery phrase which are words).
Once you enter someone’s Session ID, you can send them a message. Once they accept it, you can exchange messages freely like any other chat application.
Beyond the basic chat, Session has a number of additional useful features:
- Encrypted groups : create small closed groups (10 people or less) or large open groups (no size limit).
- Voice messages : send and receive encrypted voice messages.
- Attachments : message attachments are also encrypted.
- Security numbers — check that you are communicating with the device you expect to talk to by comparing the security numbers.
I appreciate your contribution to encourage my articles