[HN Gopher] Session Protocol: Technical implementation details
___________________________________________________________________
Session Protocol: Technical implementation details
Author : johnchristopher
Score : 21 points
Date : 2021-01-08 20:30 UTC (2 hours ago)
(HTM) web link (getsession.org)
(TXT) w3m dump (getsession.org)
| loup-vaillant wrote:
| > _In practice, cryptographic deniability is often disregarded
| when it comes to court cases or media reporting._
|
| That's because implementers fail to follow through.
|
| The signal _protocol_ enables deniability, but the signal
| _application_ does not. For a communication app to deliver actual
| deniability it needs _at least_ to provide the ability to add,
| remove, and edit messages locally, with timestamps and
| everything. That edit feature must be easy to use, and easy to
| find. Ideally, it would be advertised when you first use the app.
| It must be crystal clear to any judge that screenshots from this
| app is no better than "he said, she said".
|
| For offline protocols where messages stay online for a long
| period of time (file encryption, and Signal to a lesser extent),
| we should also have an easy way to forge messages to oneself.
| With protocols from the Noise framework, this is easy to
| implement. From a user's perspective, we just need a "forge false
| message to self" button, where you specify the "fake sender".
| Only then can encrypted files be reduced to a "he said, she said"
| situation.
|
| Cryptographic deniability is not enough. We need _plausible_
| deniability, and that can only be achieved when (i) forgeries are
| easy, and (ii) everybody knows it.
| upofadown wrote:
| The news here is that Session is dumping Signal Protocol in
| favour of something simpler. So not so much forward secrecy and
| denyability. They do not think such features are worth the cost
| in complexity.
| ggm wrote:
| If you studied networking in computer science, "the session
| protocol" means something between the presentation and transport
| layers in the iso 7 layer model.
| wmf wrote:
| Unfortunately, common nouns being reused as product names is a
| lost cause at this point.
| loup-vaillant wrote:
| _(Shameless Plug(tm))_ Do not despair just yet:
| https://github.com/LoupVaillant/Monokex/
| arghwhat wrote:
| Anything above level 3 in the osi model is pretty useless
| distinction, and even the useful levels the distinction is just
| a bogus description of the status quo, rather than something
| truly useful.
| dunefox wrote:
| Sometime last year I tried Session and while the idea sounds
| great it needs a lot more attention before I can use it in anger
| - but I'm a fan of the idea.
| driminicus wrote:
| Yet another closed source, centralized ostensibly private chat
| client? If it actually gets a decent user base it should probably
| be bridged, but otherwise I don't really care.
| 5evOX5hTZ9mYa9E wrote:
| Exact opposite, based on Monero and Signal code, decentralised
| by relying on service nodes that anyone can run, implementing
| it's own onion routing. Honestly, on paper, it looks pretty
| good.
|
| The core problem is that devs are Australians and can be
| secretly compelled to backdoor their app via Assistance and
| Access Act.
___________________________________________________________________
(page generated 2021-01-08 23:00 UTC)