Multiple problematic cryprographic issues #880
Comments
|
Well you've kicked a can of worms haven't you? I will say quite bluntly that I have heard and it is my firm belief that these backdoors are intentional by a nation state. Probably shouldn't be saying this but fuck it you only live once. This is my understanding that from a friend's research into making custom firmware for his router based on the LokiNet that he discovered the back doors in that and somehow that transferred over to Session both by the same government I have heard corroborating data from other sources. |
JavaDerg
changed the title
I kinda doubt that, backdoor are typically crafted with more care and less obvious. |
|
Its possible both are true,i've also heard from a reliable source that session fully complies with this nation state's subpeonas every time Having looked through it it seems like it is a mix of simply very sloppy work with a sprinkle of weaponized malicious incompetence , theres not really any excuse for such poor implenentations and so many of them I will be eager to see a reply ,even if i am ENTIRELY somehow off base(im not) the fact of the matter is any semi competent threat actor just with the information in the article can fully compromise session. Im going to stick with the very safe totally not turbofedded telegram :) |
|
I've written up a full response to the security researchers blog here , the author is either plainly incorrect or misleading on all of the raised security issues. As for the other claims from @SWORDIntel , that Session has intentionally introduced backdoors on behalf of nation states, this is false, if you have evidence of such a backdoor i would encourage you to make a public disclosure and warn people about it. I certainly don't want people using Session if its backdoored. Further to this, Session devs and contributors don't have any privileged access to the Session network, which means if a government asks for information via a subpoena, there isn't any information to give. This is inline with every transparency report published by the OPTF and STF. |
|
Proof, I mean, if I did, I still wouldn't be posting it, you know, because it's not something that needs to get out there. I just... If there was a back door, which maybe there should be, then I would just like it to be hidden better. I mean I'm sorry if I came off hostile, you know how this world is. I mean at the end of the day criminals do need to do what they need to do sometimes and we have to just bear with it but also they need to think they're safe and I mean it's a complicated balance. So you're saying categorically that the session is absolutely safe and secure with no way for any government body to access it whether they want it to or not? I do not know or believe it's intentional backdoors. I do believe it's likely backdoors that are present that are being taken advantage of. So you really are sure that every single issue brought up in this article is just a non-starter and comes from a poor understanding of their code. |
|
I was already planing to write a response, but Soatok cut me short on that. TL;DR
Soatok also pointed out a lot more things, so please read the article, but these are IMO the most pressing points. |
|
We have now updated our original blog post with a response to the PoC provided by the security researcher here https://getsession.org/blog/a-response-to-recent-claims-about-sessions-security-architecture . In short
|
Hi!
I've come across this article recently outlining some problematic cryptographic issues in Session.
https://soatok.blog/2025/01/14/dont-use-session-signal-fork/
As none of these issues (as far as I could find) have been addressed in the issues on this repository, I decided to post this link here.
I am not the author of the blog post!
The text was updated successfully, but these errors were encountered: