Session messenger is making a play for the position as the best secure messaging app. In this, it is going up against some intense competition from the likes of Signal and the other top apps we cover in our Best Secure and Encrypted Messaging Apps review. In this updated Session review, we’ll look at Session’s capabilities — both those active today and those comings soon.
Signal merits special mention in this Session review. That’s because Session is a fork of Signal, meaning that much of the guts of Session originally came from Signal. This is excellent since Signal has long been considered the most secure of the secure messaging services. Thanks to the excellent end-to-end (E2E) encryption provided by the Signal Protocol, Signal is about as secure as a messenger app can be.
But Signal isn’t as strong on privacy as it is on security. It collects some metadata and doesn’t have a corporate sponsor like Facebook sucking up and monetizing that metadata. More importantly, Signal requires you to submit a phone number to create an account. Signal also relies on central servers to manage message flow and hold the metadata it does collect.
Because Session is a fork of Signal, it inherited Signal’s strong security. From there, the Session team built an anonymized, decentralized system that provides superior privacy and anonymity for its users. Are you ready to learn more about this challenger for the throne of the best secure and private messenger app? Then let’s dive in with this Session review.
Session messenger basics
Behind the scenes, Session is fundamentally different than most other secure messaging services. To make the rest of this Session review easier to understand, we need to go over some basics now.
Conversations in Session are secured using client-side E2E encryption. Only the sender and the recipient of a message can read it. But Session goes beyond providing message security. Session also protects the identities of its users. It makes your communications private and anonymous, as well as secure.
Session can do this because it connects users through a Tor-like network of thousands of Service Nodes. Service Nodes are servers that pass messages back and forth through the network as well as provide additional services. The onion request system that Session uses to protect messages ensures that no Service Node in the network ever knows both a message’s origin (your IP address) and destination (the recipient’s IP address). This allows you to hide your IP by default.
Session takes a number of additional steps to protect your identity:
- No phone number is required for registration (unlike what we found in our Signal review)
- No email is required for registration (unlike with Wire messenger)
- No geolocation data, device data, or metadata is collected
The Service Nodes are grouped together into swarms. Swarms provide redundancy to the network as well as temporary storage when messages cannot be delivered to their destination. Each Session client connects to a swarm to send and receive messages in real time, as well as to retrieve relevant messages that are stored in the swarm awaiting delivery.
You’ll notice that we haven’t talked about any kind of central server here. The Session network is decentralized, with no single point of failure, and no main server for bad guys to hack. Session moves messages using an onion routing system.
In an onion routing system, messages are surrounded by multiple layers of encryption and pass through multiple nodes in the system. Each node decrypts a layer of encryption before passing the message along. Because of the way the messages are encrypted, no node can know both the origin of the message and its destination. Additionally, your IP address is never visible at the destination, meaning whoever you are conversing with has no way to identify you when you use Session. The Session service should prove to be very resilient, and continue functioning even as individual Service Nodes join or leave the network.
Session’s onion routing system runs on the Oxen Service Node network. This network (formerly known as Lokinet) also serves as part of the infrastructure for the $OXEN cryptocurrency. You can learn more about OXEN at the Oxen.io website.
While Session now handles basic messaging functions very well, it doesn’t have some of the features that competitors like Signal or Telegram do. It does not yet do voice or video calls, among other things. If you need those specific capabilities, you may want to look at a different messenger app.
That’s what you need to know to understand how Session works. background information, we’re now ready to talk intelligently about Session.
Here are the pros and cons that we identified in this Session review:
+ Pros
- End-to-end (E2E) encryption secures text and voice messages as well as attachments
- Encryption: Session Protocol
- Does not require telephone number or email address to sign up
- Open source
- Onion routing system provides decentralization and anonymity
- Does not log IP Addresses or metadata
- Encrypted closed groups (now up to 100 people) and open groups (no limit to size)
- Successfully completed security code audit of Desktop, Android, and iOS apps
– Cons
- Does not support 2FA (two factor authentication)
- Redesigned multi-device syncing
- Perfect Forward Secrecy removed
Important: The fact that Session doesn’t collect metadata is a huge plus. We consider the metadata issue to be the Achilles heel of many secure messaging services and secure email services. Even the most popular secure email services, such as ProtonMail, do not have a good solution to the metadata problem.
Now we’ll examine the key features of Session messenger.
Session feature summary
Here are features you’ll want to consider when evaluating Session:
- It uses the Signal-inspired Session Protocol, on top of a distributed onion routing system for anonymous, decentralized communication
- 100% open source code. (The code is available on GitHub.)
- Clients for Android, iOS, macOS, Windows, Linux
- The system is much more stable after several months of redesign and refactoring
Session company information
Session is a project of the Loki Foundation. The Loki Foundation (registered as LAG Foundation, LTD) is a registered charitable foundation based in Victoria, Australia. The foundation states that their purpose is to, “…build open-source, metadata-free communications tools and apps that defend privacy in the digital world.”
Note: Loki products are changing their name to Oxen. There will likely be an extended period of time where Loki and Oxen are used interchangeably.
Where is your Session data stored?
Messages that are sent to you are actually sent to your swarm. The messages are temporarily stored on multiple Service Nodes within the swarm to provide redundancy. Once your device picks up the messages from the swarm, they are automatically deleted from the Service Nodes that were temporarily storing them.
Note: This is not the same as a peer-to-peer architecture. Per the Session FAQ here,
Session clients do not act as nodes on the network, and do not relay or store messages for the network. Session’s network architecture is closer to a client-server model, where the Session application acts as the client and the Service Node swarm acts as the server. Session’s client-server architecture allows for easier asynchronous messaging (messaging when one party is offline) and onion routing-based IP address obfuscation, relative to peer-to-peer network architectures.
Third-party testing and audits of Session
Session now uses its onion routing network. Last year they commissioned a security audit of the Session Desktop, Android and iOS apps by Quarkslab. That audit is now complete and provides good news for Session and its users. The audit report concludes in part with the following:
Oxen Session really improves Signal privacy and resilience by using an overlay network to the existent end-to-end encryption instant messaging solution. The onion-routing mechanisms make use of Oxen’s Snodes to store and exchange messages, however, there are some other centralized standard web services that are still used through the overlay network (for the push service and to deliver attachments files). All major concerns have quickly been fixed.
Quarkslab Oxen Session Audit, Technical Report
Session is now suitable for use in cases where proven and independently verified security is a prerequisite.
Session hands-on testing
For this update of the Session review, I installed the Android app, along with the Windows desktop client.
Session Android app
I downloaded the Session Android app from the Google Play store. At that time the app had 1149 reviews and was rated 3.9 out of 5 stars (on the Apple App Store, Session Messenger had 120 reviews with a 4.4 out of 5 stars rating).
Launching Session highlighted one of the key differences between it and Signal: no need to enter a phone number or email address. Instead, Session gives you the opportunity to create an account by generating a Session ID, or by signing in to an existing account (by entering an existing Session ID).
A Session ID is a unique address people can use to contact you on Session. As Session explains, the reason using a Session ID is better than using a phone number or email address is, “Your Session ID is totally private, anonymous, and has no connection to your real identity.” Signal and other messaging apps that identify you with a phone number cannot give you this anonymity.
Once you create a Session ID, Session will ask you to pick your display name, and tell Session how to handle push notifications. And once that’s all done, Session will show you your Recovery Phrase and give you the opportunity to store it somewhere safe.
A Recovery Phrase is a string of words that you can enter to recover your account if you lose the Session ID, or change to a new device. To restore your Session ID, launch Session and tap Continue your Session. Session will give you the opportunity to enter your Recovery Phrase and get back to where you were when you last used that Session ID.
With all that out of the way, you are finally ready to start working with Session.
Working with Session
At first, Session will seem pretty dead. That’s because you still need to connect with people. While a service like Signal, you can scan your phone’s contact list looking for phone numbers that are registered as Signal users, Session needs you to tell it who to connect to. You do that by creating a New Session. A New Session is a chat session that you initiate by entering the Session ID of the person you want to chat with.
How do you know the Session ID of the person you want to chat with? You either get them to give it to you, or you scan a QR code that contains their Session ID. Unless you happen to be physically located in the same place, thereby able to pass the Session ID or display the QR code directly, one of you will need to share your Session ID with the other to get this thing started. You’ll need to use a different communication medium (another secure messenger app, perhaps) to make this happen.
Once you enter someone’s Session ID, you can send them a message. Once they accept it, you can freely exchange messages like any other chat app.
Tapping the icon for a contact opens your ongoing chat session with that contact.
Beyond basic chatting, Session has a number of additional useful features. Here are some of them:
- Encrypted groups – Create closed groups (up to 10 people previously; now up to 100) or huge open groups (no size limit).
- Voice messages – Create and share encrypted voice messages.
- Attachments – Message attachments are encrypted too.
- Safety Numbers – Verify that you are communicating with the device you expect to be talking to by comparing safety numbers.
Session Desktop clients
We installed the Session Desktop client on our Windows 10 test machine.
Session Windows Desktop
Downloading and installing the Sessions Windows Desktop client follows the standard “install a Windows app” process.
Note: If you want to use the Session Linux Desktop, you’ll need to install it as an AppImage. If you don’t know how to work with this portable Linux file package, click this link for a short video tutorial.
Running and configuring Session Desktop
Once you’ve got the desktop downloaded and installed, you need to fire it up. You’ll want to connect your desktop client to your mobile device. You can do this by selecting Sign In, instead of Create Account, then selecting Link Device to Existing Session ID and following the instructions. The Session desktop apps I tested for this review were easy to use to get going and use.
Note: Once you get the desktop app up and running, you will need to enter your contacts again. That’s because Session multidevice isn’t ready yet.
With the volume of changes coming out of the Session team, it can be hard to keep track of all the feature changes. If you intend to use this product, we suggest that you make time to check the Session blog to keep up with the ever-improving feature set of Session.
Support
Session’s support area reminds me a lot of Keybase. There’s an FAQ page, and the blog that I just mentioned, rather than a regular Support page like you would find for a paid product. The FAQ is pretty useful, although a little sparse (not surprising for a product that is still under heavy development).
If you have questions that the FAQ can’t answer, the company does offer email support and social media contacts. They also have links where you can report bugs and look for solutions. But those all take you to GitHub pages where you can look at the code and check existing issues pages. This is okay for techies, but it’s likely to confuse some regular users.
How secure and private is Session?
Once Session is completed and fully developed, it should be super secure, extremely private, anonymous, and generally excellent. However, it is unclear how far close to complete the product really is.
The onion routing system is now functional, which is a big boost for security and privacy. And the Quarkslab security audit shows that the Desktop, Android, and iOS apps are all secure.
Concerns about Australia and data security
On the topics of privacy and the security of your data, we must discuss where Session is based. As noted above, Session is based in Australia. Unfortunately, Australia is not a very good privacy jurisdiction for a few reasons.
As we recently discussed in our guide on the best VPNs for Australia, the country passed a law to undermine encryption and data security in 2018. Here’s a quick overview of this law:
The Australian Parliament passed a contentious encryption bill on Thursday to require technology companies to provide law enforcement and security agencies with access to encrypted communications. Privacy advocates, technology companies and other businesses had strongly opposed the bill, but Prime Minister Scott Morrison’s government said it was needed to thwart criminals and terrorists who use encrypted messaging programs to communicate.
In privacy circles, the “Assistance and Access Bill” is sometimes called the “encryption-busting law” or the “anti-encryption law” because of what it allows. This law would fundamentally affect businesses that provide encrypted communication services, including Session, VPN services, and other privacy-focused businesses. This topic continues to garner criticism from privacy advocates around the world.
In taking a page out of the Australia playbook, US regulators have also proposed forcing tech companies to break encryption, thereby facilitating surveillance.
The Loki Foundation that is behind Session addressed this thorny issue in a blog post:
Obviously, we were terrified when we first saw this bill. The potential for the project to be entirely undermined by this legislation did not go unnoticed. We had begun to consider how we might set up failsafes to allow people to catch bad code being injected into our codebase, or to pay someone external to Loki to do regular inspections of our binaries that we release and ensure they are not leaking extra information or mismatching the codebase in some way. If we were to be issued a TCN [Technical Capability Notice], we would not be able to tell anyone about it. If we set up some sort of canary system, we could be imprisoned. So whatever failsafe we did set up would have to be external to Loki, and would have to be regularly auditing us to make sure we haven’t been compromised before a TCN was issued.
Ultimately, the Loki Foundation believes they can still operate a secure messenger service in this perilous legal environment. Their blog post on the topic really goes deep into technical and legal details, which you can investigate if you have the time and inclination. In addition, they address the issue in the FAQ topic titled, ” Does the Australian government’s anti-encryption stance pose a risk to Session?” as well as in this update to their original blog post.
So is your data safe and secure with Session messenger?
I have my doubts after researching the Telecommunications and Other Legal Amendment (Assistance and Access) Bill 2018, commonly known as the AA bill or TOLA, but you can come to your own conclusions.
Other privacy concerns with Australia
It’s also worth noting that the anti-encryption legislation is not the only privacy issue that plagues Australia. Consider this:
- Mandatory data retention – In 2017, Australia implemented a mandatory data retention framework. This forces all internet providers and telephone companies to store connection data for government agencies for a full two years.
- Five Eyes – We have also noted before that Australia is a member of the Five Eyes surveillance alliance. This alliance works together to collect and share mass surveillance data.
And if you think that various agencies are not exploiting these laws to collect data on Australians, think again. Here is a recent headline from The Guardian:
Due to metadata collection laws in Australia, it’s great that Session makes every effort to not collect any metadata. However, it’s also clear that everyone in Australia should be using a non-Five Eyes VPN service such as NordVPN or Surfshark to encrypt and anonymize web browsing activity.
Session business features
Like its ancestor, Signal, Session doesn’t have any business-specific features or versions at this time. If you are looking for business features, check out our Wire review.
Session prices
Session is free and open source software. There is no charge for using Session and as far as I can tell, no plans to charge for the product in the future.
This is similar to what we noted in the Signal review.
Session Messenger FAQ
Here are a few questions that came up frequently during the research and writing of this update.
Is Session messenger safe?
The recently completed security audit by Quarkslab has confirmed what we long believed: Session is secure. But the actions of the Australian government to get around privacy protections on pretty much any app or service (not just Session) makes us feel that your privacy can’t be guaranteed if you use Session.
What is the Session protocol?
The Session protocol is a new messaging protocol developed by Session. Switching from the Signal protocol to the Session protocol keeps the security of the latter while providing privacy/anonymity and decentralization features. The result is a protocol that works well with Session’s unique architecture.
Session review conclusion
Session is a promising product, but it comes with Pros and Cons. Once complete, it should be just as secure as Signal, even more private than Signal, and anonymous as well. But there are still lingering concerns about Australia, data privacy, and the Loki Foundation’s ability to keep user data secure in this environment.
Based on the testing I did for this updated review, I am very impressed with the technical side of this project. The onion routing system is up and running, and the refactored apps work well. I haven’t run into any errors or been disconnected from the other party, as happened frequently during our initial test phase. It will be nice when the multidevice feature is out of beta, but that’s not a deal breaker. Functionally, Session seems ready for regular use.
The problem I see is with the Australian government. Even before they imposed the scary TOLA bill, Australia was a bad jurisdiction for privacy lovers. Five Eyes membership, mandatory data retention, and TOLA combine to make us advise choosing a messenger that isn’t based in Australian jurisdiction.
Is Session right for you?
Session works and works well. But if you want privacy in addition to security, you should probably look elsewhere. Here are some more secure messenger reviews.
This Session messenger review was last updated on December 15, 2021.
Thanks for the great review!
Here are more “cons” to session:
[https://www.freie-messenger.de/en/warumnicht]
And some more additional information …
Messenger quick overview (PDF downloadable in multiple languages):
[https://www.freie-messenger.de/en/systemvergleich]
Thoughts on “Alternatives to WhatsApp”:
[https://www.freie-messenger.de/en/messenger/gedanken]
And lastly, a unique overview of messenger comparisons:
[https://www.freie-messenger.de/systemvergleich/externe_vergleiche/]
One more thing: the desktop apps are not reproducible builds. Can’t find any pgp signature on their website either. Both the file signatures and their public keys are distributed via the same third-party: GitHub (Microsoft).
If they trust Microsoft that much they could’ve at least code sign the Windows version. They didn’t even do that.
– Desktop app is just another Electron app with all of it’s flaws, like trying to connect to gvt1.com on first run.
– Session brags about its own onion routing, but specifying your own guard/bridge relay, or setting another proxy (for example running through Tor first) is not possible in the app. There goes your metadata about using Session…
– Generated key is based on 13 words seed, there is no option to increase that.
– Can’t skip nickname creation, making it much weaker against social engineering attacks, and making it harder to create anonymous accounts, especially for new users.
– No ability to use multiple accounts at once, or run multiple Session instances at the same time.
– 0 protection against spam. You have to change account if your ID leaks.
– Can’t even change the language manually (it picks up the OS language automatically). There goes your metadata on screen shots…
– I’m sure turning on the “link preview” feature is totally safe as it has not been mentioned in the Quarkslab audit.
I would like to highlight one aspect though: the security audit was about the _applications_, and not about the Session protocol as a cryptography method. As for any housebrewn protocol there really should be an independent crypto audit around, otherwise all we know is that the application is nice and shiny, but we have no assurances about the real (mathematical) safety of the protocol.
It is a bad idea to skip the topic “since it has been forked from Signal” since the protocol was rewritten. Perfect Forward secrecy was dropped, Deniability was dropped, Self-Healing was dropped too, and we only have their word that this doesn’t matter at all. This may be partly subjective (or opinion based) but parts of those changes are calling out for verification.
And now for something completely different: anyone remember ToX? (It’s not yet dead, by the way.)
Are there better alternatives to Session which contains the missing parts (PFS, self-healing, etc.)?
I tried Session and it’s interesting but Australian law leaves me in doubt. I have doubts about some google libraries used in Session (android). I use *Tox with satisfaction but very few people use it.
I am really interested in hearing thoughts on this article: https://getsession.org/blog/the-gentrification-of-the-internet
I believe that there are some very valuable ideas and steps that can be taken here.
Thank you for this great site, excellent reviews and brilliant suggestions.
My comment intends to be an update (rather disappointing) on a new Australian bill that was rushed thorough in just one session(!!!) of parliament:
“The “Identity and Disrupt Bill 2021” shows the dangerous capture of the body politic by Australian Federal Police (AFP) and Australian Crime Commission (ACC) and other agencies is today. It shows little or no regard for the right to privacy and the rule of law more broadly. And it adds to the already wide suite of powers security agencies have acquired in recent years to surveil and track us.”
“This law now allows The Australian Federal Police (and others) to access any online account you have. They can see, modify, even delete your emails, your social media, and any online account if it’s considered a “threat”. They can post on your account pretending to be you. But it’s not just you – everything your kids do online is now at their fingertips. Every private exchange with your therapist, evey private message, everything that lives on your digital devices is at their fingertips. You’ll never know if they access that. And if you try to prevent them (or the companies hosting the platforms of your online accounts try to prevent them) they can face up to ten years in jail.”
Fascism, anyone?
[https://www.michaelwest.com.au/human-rights-violations-now-enshrined-in-legislation-in-australia/]
[https://www.michaelwest.com.au/manal-al-sharif-australias-new-surveillance-laws-remind-me-of-home/]
From what I know – the Session team has looked carefully at the new legislation, and has concluded that it may not have much of an impact on Session’s privacy and security features. Here’s an initial article – and I think there’ll be a more detailed FAQ out soon on the Session site. https://getsession.org/on-the-recent-australian-surveillance-legislation
I am not negating your concern, as that is the trend and it is sad.
Sessions, however, knew the environment they were building in and it seems they took everything into account for that. Their recent blog made the statement that a company can’t just run because the laws change. That does nothing to fight the issue.
A company needs to build itself from the ground up to be resistant to those laws and that is where Sessions takes the best of Signal and adds their own structure.
I am both a signal and Sessions user and anyone I get on Sessions, that is my main communication. Signal is only for those who don’t have Sessions (yet ;).)
When you have a company whose entire structure was built around the knowledge of these legal challenges, then it is pretty good.
https://getsession.org/blog/on-the-recent-australian-surveillance-legislation
Cannot it send video>5MB, just tried, but unfortunately!
When you use Session? then you have to use lokin (kind of VPN)….anyway, you must put “exit.loki” on EXIT NODE. Then open Session and enter password to start chatroom. you’re safe and full anonymity.
Great article from a great company.
This is why Sessions should be highly considered by everyone.
https://getsession.org/privacy-washing/
https://github.com/oxen-io/session-desktop
JavaScript 74.0%
TypeScript 22.9%
I wouldn’t personally trust such piece of software. And it must be slow and needy as hell )
Please include programming language and platform (WinAPI,Qt,GTK,etc.) in your reviews so people won’t have to get their expectations built up only to get broken.
Used it on my desktop and saw very little latency in regards to sending and receiving messages.
As far as the Java Script, that is most of the web and while there are potential risks, many privacy companies mitigate those.
All in all, solid, secure, private.
And yes, I use it often.
Session audit is out !!
https://blog.quarkslab.com/audit-of-session-secure-messaging-application.html
BIG DAY FOR SESSIONS!
The official audit is out and while I could not underatand the code, I can read the summation.
I know that this article does not recommend Sessions, but I disagree with that and say that Sessions is rock solid!
https://getsession.org/session-code-audit/
https://getsession.org/trust-on-first-use-the-achilles-heel-of-centralised-messengers/
Good article.
Hello, it is from swisscows company another app too, in the name of teleguard and so it is focused on privacy and security bassed on switzerland, good jurisdiction of internet laws and it is from safe and secure search engine, not bad talk about it in future !
It has been created
No phone number
No email
No paid
With id working,i think it is better than session
so let’s to do this on smartphones .
Best cheers
Good luck .
Sven, Do you have any thoughts, and would you or your team possible consider reviewing CoverMe and Private Line (formerlyBurnerline)? I believe both are under the same development team and they have apps for Google and Apple. CoverMe uses military grade encryption for messaging, texts, and calls. Private line claims to use End to End Encryption. These apps may be possible substitutes to replace Google services on phones, and in addition their services are similar to Line2. CoverMe has a lot of features similar to other secure messaging apps, such as self destructing messages. The only thing they don’t have, which I value, is 2FA.
Due to time limitations, we generally only focus on apps and services with a bigger audience. But we could keep this in mind for the future.
NP, and understood. Thank you, Sven, for educating and informing the community! Excellent platform.
I don’t get the point about Australia and laws… this app is open source, anyone in this world can review the code. If this is E2E encrypted and the code proves it is, there is no way for Australian law forces to access content information. IPs are protected by Tor, which is also open source and audited for years and years.
Metadata could be the only things to be gathered but as no one can ever know the man/girl behind the session ID…
So…
Could even be made by a secret service as I read in the comments, whatever…
To me Session sounds safe and secure as long as the code is audited and approved by cybersec famoust specialists.
I’m definitely no expert here, but my understanding is that the Australian law might require Session to build a back door in their code. It might be noticed eventually by people checking the source code, but it would then be the end of the project…
Could be. However, there was a statement that said known weaknesses could not be introduced into the code.
I am not sure how that is differentiated.
Here is the direct quote:
“Australia’s controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 does give authority to a number of government agencies to provide ‘designated communications providers’ with ‘technical assistance requests’ or ‘technical assistance notices’.
What this means for example, is that Australia’s intelligence services can compel Loki to develop tools that can be used to investigate specific targets. However, what is most important is that the request or notice cannot force Loki to build or install “a systemic weakness or systemic vulnerability” in to our network or our products.
The Session messenger is permissionless. There is no immediate way for us or anyone else to know the identity of our users. Because of the network’s open nature, any party can easily gain access to it and request all kinds of information. This includes us, intelligence agencies, or any other curious party. However, because it is all end-to-end encrypted, and uses onion routing to store and retrieve messages, no one is able to piece together who is talking to who or what is actually being said. Technical assistance notices don’t make a lot of sense in the context of Session or the Loki Network, as we, nor anyone else has the ability to identify users and decrypt their messages.The only way requests or notices would be useful to anyone is if we were to introduce a systemic weakness, which we can not legally be compelled to under current law”
It is an intereating article that can be read here:
https://getsession.org/session-and-australias-laws-to-circumvent-secure-communications/
Love this site and its reviews. I trust you guys. All we need is regular updates and reviews of more products. Especially the new products with their “Respecting Privacy” claims
Hi Jimmy, with all of the recent interest in secure messenger products (alternatives with WhatsApp), we are updating all of these reviews in the next two weeks and then posting a new roundup guide on the best secure messaging systems when the reviews are finished/updated.
Would another review of Sessions to account for the many updates they’ve made be a good idea? I’m using it with confidence. It’s ditched the proxy routing protocol for the onion routing protocol awhile ago too.
Yep, we’ll check it out again soon for some updates. Feel free to add any other thoughts you have or share your own review in the comments.
@Sven,
If they are using the onion, and have a third party audit (happening now) would that make them recommended in your mind?
Yes that would go a long way. It also just needs to work well without bugs. And if I recall correctly, receiving messages was spotty when Heinrich and I were testing it on different platforms. But that was last year also.
@Sven,
Thank you for your input. Here is what I found and your thoughts helped me to give them a try.
1) The move to being Onion was highly important. They have switched to it.
https://getsession.org/onion-requests-session-new-message-routing-solution/
2) Being reviewed from an outside company. It is in the process. this is from their FAQ titled “Security Audit”, “Session’s desktop, Android, and iOS clients are currently undergoing a security audit by Quarkslab. The results of the audit will be published once it is completed.”.
https://getsession.org/faq/
Both of these are positive steps. Thanks.
Great news, thanks for the update J.M.
You’re welcome and thank you.
I have it and am trying to get people over to it…but maybe in time.
I did do a practice run but I sent a few messages only and received them.
They reccommend going through Google’s setup as it is faster but the Metadata is even more locked down if you pull it from what they call the Hive or swarm.
Little longer but it seemed good. Hoping to try more later.
I wonder how many of those encrypted communication apps are launched by different secret services masqueraded as foundations….
Signal or any other messenger that insists on attaching itself to deeply personal information like a phone number (or even email, although a secondary email address is clearly much easier to acquire) is a complete non-starter for me; unfortunately, it seems generally accepted that you MUST provide something like that with essentially no exceptions – which is why I found Session in the first place and why it’s so appealing to me. To someone who has been around long enough to see instant messaging be born and need nothing more that a meaningless string of numbers (ICQ) or a unique username to function, the modern insistence on easily identifiable personal data is about unnatural, jarring and generally unacceptable as it can possibly get. A phone or a computer is just a communication channel, NOT the identifier of who you are.
Additionally, for-pay services – even when they seem both reasonably priced AND reasonably trustworthy – are impractical for not one but TWO reasons: first, if you’re paying for access you have now attached even stronger personally identifiable information to your account: your credit card number (unless payment by cryptocurrency is available – but that is rare, and comes with its own set of problems); and second, even if YOU would be willing to pay for the service, it’s hard enough to convince others you actually want to communicate with to follow you to some new platform they never heard of through all the hassle of installing and setting it up – telling them they also have to pay to use it (even just a little bit) would be a complete non-starter. “WhatsApp is free so why would they want to pay…?”. Free access therefore makes Session even more appealing, especially considering how rare such a thing is when the service is being paid for neither by you nor by leveraging the data collected.
Unfortunately as modern history clearly shows the Facebook-era general public can not be relied on to create a demand and support for properly private services, mirrored by the general lack of such services being offered; which is why I find Session so important – it, or something close to it clearly needs to exist and we are very fortunate to have that work done for us by those offering it. I just hope Session turns out to be financially sustainable and free of… undue influence. But as it is, it looks like the best (and only acceptable) bet right now.
Tinfoil chat is better than Session.
https://github.com/maqp/tfc
Sure, if you can figure out which links to use to download or build it. Another instance of creators making things harder or not willing to put in the time to make it easy for users.
Please review Threema. I just started using it—have only sent a few SMS messages and made a few test calls to family members. From my layperson’s perspective, it seemed the most secure, and it’s in Switzerland. Threema does not require a phone number, but it provides the OPTION of linking to a phone number and scanning one’s contact list if one wishes. I had not heard of Session until today, and I would be interested to read a review of Threema which might compare it to Session and Signal. For personal use, Threema costs only CHF 3.99 for a lifetime license, which is quite affordable.
Please give best privacy friendly DNS servers list and review cloudflare dns separately
We could review DNS separately, but we recommend using a good VPN service, which will already handle all DNS requests encrypted in the VPN tunnel. Using only encrypted, “privacy” DNS services is an incomplete solution because your IP address remains exposed to every website you visit, ads, and trackers. Additionally, even with encrypted DNS, your ISP can see (and record) the sites you visit, even if they aren’t handling DNS requests. As for Cloudflare, it is a US company that records DNS requests (browsing history) the last time I checked the privacy policy. And it could be forced to hand over any of this info, just like an American ISP.
Those who can’t afford VPN should use private, encrypted DNS anyway. Private, encrypted DNS can protect users by preventing: 1) redirection to a site preferred by ISP aka DNS spoofing , 2)DNS-based blocking as well as 3) direct logging of DNS queries.
True, ISP can gain info on websites visit via reverse DNS lookup but reverse lookup is not 100% reliable.
2FA is not really needed for Session at all. There’s no central servers, so you hold your identity on the device itself (offline).
Agree. It’s listed as a “con” in the article, but 2FA is actually a big negative from a privacy standpoint. It’s a system-confirmation of PII. That’s a bad thing for privacy. Standard 2FA works in general but is not without breach risks too, especially if leveraging SMS.
Also, agree with the author that Australia is a heavy surveillance state, and not the ideal launching pad for security oriented projects. But because of the open design, this system could be reloaded elsewhere without a ton of effort, if it came to that.
Dear Mr. Long,
I just want to first thank you for such a wonderful review! I feel some shame that I haven’t looked properly into Session yet, though I have heard some buzz about it; the excuse for my behavior is probably that the privacy scene has been just so turbulent as of late. Services seem to be getting acquired or exposed left and right, and what alternatives remain are far from ideal. Even your short list of secure messaging services has probably one real contender. Keybase has been acquired by Zoom, Telegram is hit with vulnerabilities every few months (and is far from built on private and secure infrastructure), and Wire has been playing catch-up with Signal for years. And then Signal itself is lacking in some critical areas of privacy, although I would be loathe to criticize its security construction. But I don’t want to fall into the classic pattern of hopelessly keysmashing about how privacy has been dying since 9/11. Back to your review, for all of the merits and demerits of Session, you covered things neutrally and painted a clear picture. That’s commendable in any area where it would be easy to “accidentally” favor X service just a bit much, lest they cut off their contribution dollars…I hope you continue to write with Sven and the rest of the growing Restore Privacy “squad” (posse? gang?). Great stuff.
Sincerely,
Anonymous
Just because you ban something on paper , does not mean its banned in practice .
Thank you for the review. Seems to have similarities with Threema (no phone, no email, randomized ID, server middle-man for asynchronous messaging, messages deleted from server once delivered, no metadata log, no GIFs?) except that Threema is not decentralized, is based in Switzerland and cannot be logged on multiple devices on the same time.
Switzerland is a place to avoid too due the relations with US