Practical privacy and simple cybersecurity.
TheNewOil.org

2022 Review: Session

What is Session & Why Do You Need It?

Session is an end-to-end encrypted messenger available on Linux, Mac, Windows, Android, and iOS. I have long touted the need for E2EE in your daily communications for both practical and philosophical reasons. For practical reasons, it can protect sensitive communications like financial discussions, upcoming plans, and NSFW pics/texts if that’s your thing. For philosophical reasons, I think that everyone should use encryption whenever possible to normalize it and make mass surveillance less feasible/practical/economical.

The Good

Session has a lot of things to like. For starters, it’s on par with Signal’s “insultingly easy” setup. Seriously. It takes less than a minute (including downloading it). Setup involves clicking the “Create Session ID” button, which automatically generates an ID for you, then asks you to pick a display name and a notification mode (Apple/Google push notifications or their own Apple/Google-free notifications), and you’re ready to start chatting. You pretty much just click “next” the whole way through. It’s actually faster than Signal’s setup because you don’t need to enter a code that they text to you.

Speaking of, you may have noticed in my description just now that Session requires absolutely NO user information to sign up: no phone number, no email, nothing. It’s not even optional; there are no fields to enter it. While most of my readers probably don’t need anonymity, less data to hand out is always better, and it doesn’t get much “less” than Session.

Next, Session is onion-routed, which, for those unaware, means that your communication goes through several nodes (sometimes called “hops”) on the way both to and from each recipient, with a separate layer of encryption for each hop. No single node sees both who sent a message and where it is ultimately going, which helps protect your anonymity against the nodes themselves. You may already be familiar with this concept from the Tor network, and if you’re not I suggest checking out my video about Tor here to learn more.
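Onion routing in miniature, as an added example that is not Session’s code and not from the original post: a Python model in which the client wraps a message in one encryption layer per hop, each hop peels only its own layer and learns just the previous and next node, and the message itself is sealed end-to-end for the recipient so even the last hop sees only ciphertext. The hop names, the shared keys (derived here from the hop names purely for the demo; a real system gets them from a key exchange), and the toy HMAC-based cipher are all constructed for illustration. Session’s real path selection, key exchange and message storage are not shown.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated stream cipher built from HMAC-SHA256 (stdlib only).
# It stands in for the real AEAD a messenger would use; demonstration only.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag"""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)

# Constructed network (assumption): the client already shares a key with every
# hop and with the recipient. Deriving keys from names is for the demo only.
KEYS = {name: hashlib.sha256(name.encode()).digest()
        for name in ("hop1", "hop2", "hop3", "recipient")}

def build_onion(path, recipient, message: bytes) -> bytes:
    """Seal the message end-to-end for the recipient, then add one routing
    layer per hop, innermost first. Each layer names only the next node."""
    blob = seal(KEYS[recipient], message)           # end-to-end layer
    next_name = recipient
    for hop in reversed(path):
        layer = json.dumps({"next": next_name, "payload": blob.hex()}).encode()
        blob = seal(KEYS[hop], layer)
        next_name = hop
    return blob

def route(path, sender, blob):
    """Simulate forwarding hop by hop. Returns the recovered plaintext and a
    record of what each node could observe (who handed it the blob, and the
    next destination it was told)."""
    observed = []
    prev = sender
    layer = None
    for hop in path:
        layer = json.loads(unseal(KEYS[hop], blob))
        blob = bytes.fromhex(layer["payload"])
        observed.append({"node": hop, "from": prev, "to": layer["next"]})
        prev = hop
    plaintext = unseal(KEYS[layer["next"]], blob)   # only the recipient can open this
    return plaintext, observed

def nodes_linking_sender_and_recipient(observed, sender, recipient):
    """Which nodes saw both endpoints? With a correct onion this is empty."""
    return [o["node"] for o in observed if o["from"] == sender and o["to"] == recipient]

if __name__ == "__main__":
    path = ["hop1", "hop2", "hop3"]
    onion = build_onion(path, "recipient", b"meet at 9")
    text, seen = route(path, "client", onion)
    for entry in seen:
        print(entry)
    print("recipient reads:", text)
    print("nodes that saw both endpoints:", nodes_linking_sender_and_recipient(seen, "client", "recipient"))
```

Run it and note that hop1 learns the client sent something but only that it goes to hop2, hop3 learns the destination but thinks it came from hop2, and none of them can open the inner layer. Tamper with any byte of the onion and the hop holding that layer rejects it, since each layer is authenticated before it is peeled.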

The next big plus is that Session is decentralized. This makes it censorship resistant and also resistant to malicious activity by the Session team. Nodes are run by volunteers, therefore any attempt to shut down Session or force them to log data would be pretty ineffective. And of course, the app is open-source so even if the Session organization was shut down, any sufficiently skilled developer could simply fork the project and continue to run it.

Finally, Session has been independently audited, and in my opinion it came through rather well. Every finding was fixed, including the only one rated “severe”, except for items that were intentional design choices for functionality; those remaining items are not technical vulnerabilities but recommendations (like default notification configurations).

The Bad

Let me get a quick non-issue out of the way before I continue: the Session team is based in Australia, which is pretty much the most privacy-hostile Western country on the planet. But I don’t think this really matters as I mentioned above: Session is open source and decentralized. Any attempts to compromise it will only result in a fork of the client and the servers will likely continue to run unaffected.

With that out of the way, Session’s biggest drawback in my opinion is stability. While it has come a long way and should be pretty usable 95+% of the time, it does still experience the occasional bug, usually resulting in a message not being sent, received, or synced between devices. Understandably, that can be a big deal, but it’s rare enough that I personally find the risk relatively low. You might feel otherwise if you’re a journalist or fall into some other high-risk threat model, which I accept. That’s why I’m acknowledging this stuff, so you can know the drawbacks. It’s also a little slow, but they’re constantly working to speed it up, and personally I don’t mind “a little slow.” If it’s urgent, I’ll call you.

Speaking of, the single biggest thing keeping me from making Session my daily messenger is the lack of audio/video calls. At the time of publication, these were in closed beta with the Session team teasing that they should enter a public beta any day now, so maybe by the time you read this it’ll be out. When it is, I’m going to jump straight on that train. Session solves a lot of my personal, nitpicky complaints with Signal. Sadly though, for Android users, I don’t think Session will be able to replace Signal as your default messaging app for easy integration. That may be a dealbreaker for some.

The final bit that may put some people off of Session is their use of the Oxen cryptocurrency token. For 99% of users, this means absolutely nothing and you can skip to the conclusion. Session is not a “web3” app in the sense that you get paid for your content or can send or receive payments in crypto. The cryptocurrency aspect of Oxen does not come into play in any way, shape, or form for the end user. Rather, the Session team uses Oxen as a way to pay those who host nodes. It also comes into play in the hosting of nodes itself.

Session is designed to be resistant to “Sybil” attacks, which is basically where one entity (like the NSA or GCHQ) hosts a ton of nodes so they have majority control of the network and can effectively spy on all the users. Session does this by requiring anyone who runs a node to stake (lock up) a quantity of Oxen as collateral. Buying enough of the token to run a large share of the nodes pushes its price up, so each additional node costs more than the last, and the cost of controlling the network quickly becomes economically unfeasible for an entity attempting it. Governments have a lot of money, but realistically not enough to justify this; after a certain point, they’d be better off finding new attack vectors. Non-malicious, everyday users can still pool their resources together to host a node as a group, and they get rewarded in Oxen tokens for doing so. This is what helps run the network and protect it against Sybil attacks while keeping it accessible. Truth be told, all of this goes way over my head, but I’m going to share some resources in the next section that you can listen to and get more information yourself.

The reason I’m listing this as a con is that a lot of people feel very strongly about cryptocurrency, and knowing that Session is hosted off a centralized, home-brewed altcoin is definitely not something most cryptocurrency enthusiasts are happy about. At best, most crypto people seem to regard this as a necessary minor annoyance, while others rage about how this could’ve easily been accomplished with an existing coin and no need to reinvent the wheel. Personally I don’t know who’s right, and I don’t care. Session works, it’s been audited, and I don’t have to deal with the crypto side as an end user. I just want you to be aware in case you feel differently.

Conclusion

Session, in my opinion, is one of the best choices you can make for an encrypted messenger. They’re audited, they’re metadata- and censorship-resistant, and they make it easy to be totally anonymous (as always, if done right). Session is still young, but they’re growing fast, and I don’t think it’ll take long at all before they can hold their own against some of the rockstars of the encrypted messaging community. Fortunately, if you still want more information to make up your own mind (or get more insight into the Oxen/cryptocurrency thing I mentioned earlier), I have two resources. First is my own interview with Kee Jefferys, the Chief Technology Officer for Session, from about a year ago. The second is Seth For Privacy’s more recent interview, also with Kee. Both of these should give you more than enough information to decide if Session is right for you and if you want to try it out. I’d recommend at least giving it a shot. You have nothing to lose.

You can check out Session here.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here.