Session Private Messenger - Really Understands Privacy!

Captions
I did a video two years ago on secure messaging apps and I made several recommendations on there, but one that I was specifically interested in was the Session app, and I remember saying that we needed to keep an eye on this app. I had good things to say about Session even back then. At the time Session was still fairly new and was in a very basic form, and I knew that a future version would climb up on my chart quickly. Well, after two years I'm re-reviewing Session, and I will tell you now that if you're looking for a hardcore secure messaging app that really understands what privacy means, this is the way to go. Many features that offer a turnkey communication solution are included with the app and make it a robust solution. I will definitely state that this is one of the best secure messaging apps out there, with a well-thought-out approach that was laid out in their original white paper when I read it a couple of years ago. Much more private and secure than Signal, and definitely way superior to other popular secure messaging options including WhatsApp and Telegram. There are very specific reasons for this and I would be happy to explain all this if you stay right there.

Session is a product created by the Oxen Privacy Tech Foundation. Oxen itself, which powers Session, is a cryptocurrency and provides a large incentivized community that can support the infrastructure for some foundational features of the technology, which include Lokinet, Session traffic, and the Oxen cryptocurrency itself. I'll discuss the Oxen infrastructure details later so we don't get derailed with minutiae too early on, as this is a complex and robust secure messaging product. You do not need to know anything about the Oxen crypto to use Session.

The main issue that distinguishes Session from just about any other secure messaging app is that this is one of the few organizations that truly understands the privacy issue completely. Apps like Signal, for example, can boast end-to-end encryption, or E2E, but encryption is only a security aspect. The biggest source of data to intelligence agencies, for example, is not the actual content of the communications but the metadata. It's distressing that apps like Signal, Telegram and WhatsApp are driven by a telephone number, a number that you get by supplying ID to a carrier and paying with a credit card tied to a credit report. It is a published identity: a phone number attached to relationships with other people based on call records and contact lists and 2FA lists. The simple act of passing a phone number to some contact you don't already know is already a privacy breach. So though Signal gets high marks for usability, its real purpose is for secure conversations but not private ones. A private conversation should leave no indication that two people conversed at all; that's the metadata. The security is only about the encryption of the conversation itself. I often would recommend Signal only for use by family members or people who already know each other's phone numbers, never for strangers, and I would say the same for WhatsApp and Telegram. WhatsApp is actually quite dangerous: not only can WhatsApp identify you by your phone number, your contacts are contacts tied to Facebook, with a history of metadata based on matched Facebook accounts which includes relationships, relatives and childhood friends. So WhatsApp is total crap for privacy. Zuckerberg can easily scan the Facebook database and WhatsApp database and figure out people having surreptitious affairs just from traffic patterns and relationships. That shows you how bad the privacy aspect is. There are also other traces of metadata tied to IP addresses, which again can generate patterns of data that can fully identify people's connections. Now Session has none of these issues. In fact, the way their infrastructure is set up, it may be the most private and secure messaging platform around if you're interested in a quality solution that completely obfuscates the metadata. Let me jump right into Session's features.

First of all, this is an amazing recent development: Session runs on all platforms. For my testing I've installed it on Android, Linux and Windows; it is available also on iOS and macOS. On my de-Googled phone I was using F-Droid to install Session, which is a big plus right there since this means this version has no connection with Google Play, but still it can be used on normie phones using the Google Play Store or the Apple Store. The advantage of having this global compatibility, including even the Google phones, is that there is no learning curve with different platforms; the UI is the same for all, so once you figure out how Session works the rest is easy.

Session can be intimidating the first time you encounter it, since you are identified by a Session ID, something you create on your device when you first install the app. The main hill to climb though is understanding what the Session ID is. So the Session ID is actually a public key. This intimidates a lot of people because they don't understand this. It is unique to the Session instance and it is the main identifier that is used to exchange a contact, so two people needing to converse have to exchange Session IDs. But this stymies many people because they don't know how to pass Session IDs. It is easy, for example, to state to a friend that your XMPP contact is robdest at xmpp.brexit live; it's easier to remember. A Session ID looks like this: a bunch of hexadecimal digits. This admittedly is the biggest hill to climb with Session, but I will make this easy for you. This Session ID does not have to be private. It is a public key and you can publicize it to your friends and contacts through secondary means of communication, like in a social media profile. You cannot attribute the Session ID to a particular person by watching Session traffic. With a collection of Session IDs it shouldn't be possible to determine who's talking to whom by observing the network.

There's actually a way to generate a username that you can use to give to your contacts instead of the Session ID. The procedure for getting this username is fairly complicated and it's not something I expect a regular Session user to figure out. To get this username you need to really get into the Oxen ecosystem by installing the Oxen wallet. This procedure is not on the Session website but it is described on the Oxen website. Maybe Session can come up with a way for people to generate a free and optional short handle that can then point to the Session ID public key, like they do with GPG public keys; that could ease the acceptance difficulties. As a public announcement, you can set up an account on my BraxMe app and publicize your Session ID on there in your profile. You can set up multiple Session apps on multiple devices and use the same Session ID, and they will sync with recent messages, I presume based on messages still stored temporarily on the Oxen nodes. Remember though that this is a super secure app, so there is no central server that has your messages permanently, aside from transient messages. If you lose your Session install you will lose all your older messages, so a backup is to have multiple installs of Session on different devices.

Now I said that you cannot watch the Session traffic on the network and start making metadata connections using Session IDs. This is the time to introduce the Session communications infrastructure, and it is quite different than Signal or WhatsApp. Signal, WhatsApp and Telegram run on centralized servers. The problem with centralized servers is that omniscient players like the US government three-letter agencies can observe traffic flow from the world and, using time comparisons, are able to triangulate conversations and traffic by location. This is a very dangerous kind of metadata that only advanced players in privacy can understand. Session, first of all, runs on the infrastructure of Oxen server nodes, which are independent operators that support the Oxen cryptocurrency, and similar to Tor, Session uses an onion routing scheme. This protocol is called Lokinet and runs on the Oxen network. So the first thing obfuscated in Session traffic is where the traffic is coming from. Your message will be jumping from server to server, and even multiple chains of servers, before it gets to the message destination, and the encryption onion layers ensure that the traffic is not visible to any of the servers processing the message. This is a well-known technique for those that are familiar with Tor. This is an encryption step not done by other messaging apps.

The end-to-end encryption in Session uses the libsodium library. People in cybersecurity know about libsodium; it is a well-supported cryptography library that is maintained by a community outside Session itself, so we will not expect some unusual bugs in the cryptography used based on some proprietary protocol. I use libsodium myself, so this is a really good choice. Now the actual encryption is based on the private key of your Session instance, and that is kept in your local machine, so as with anything else, security of your device is key to the security of your conversations. Fortunately you can set a password on your Session instance if that is important to you. This is a feature missing from many messaging apps, so if someone can get a hold of your phone, for example, they can see your messages. This attack is a well-publicized approach for reading Signal messages, for example: just hack the device and then run Signal on it.

Session is a full-featured communications app and goes beyond just simple text messaging. However, you need to understand how these features are supported in the infrastructure, as they are not as private as the text messaging side. This is not different from Signal; all messaging apps have to compromise when you start handling multimedia, since various protocols used by media like video, for example, can leave a trace. What is unique about Session's approach though is that message network traffic is routed through the onion routing, so it's like using Tor at all times, so observations of traffic cannot be done by external players. So back to the multimedia. One of the unique capabilities of high-level secure messaging apps is that there's no permanent simple storage of messages. However, before the messages are delivered they can be temporarily stored and routed until the receiving device is connected to the network and can receive the message. In the case of the encrypted text messages, this can be routed to a multitude of servers provided by the Oxen network, and the messages themselves are of course E2E encrypted as they appear to be stored for a period of about two weeks. The difference with multimedia, let's say images, video and sound files, is that they are maintained on Session servers until the recipient receives them; thus this is a centralized part of the infrastructure. Yes, it is a compromise, but Signal is already centralized with this, so it is a common approach. Multimedia files are limited to 10 megabytes, by the way.

If you want to do voice calling, that is actually done via the standard WebRTC protocol. At the moment this is not onion-routed through Lokinet; however, it is all peer-to-peer, so there's no central server involved. Caution though, because all WebRTC calls require a server to handle connection signaling, like TURN servers, so this is not 100%, but it is no different than Signal. It depends on your threat model. In a hyper-secure environment I think that text-only communications would be the way to go. For normal communications by average people, the usability provided by multimedia support is probably essential for acceptance by a large number of people. But back to the features like voice calling: this is really convenient. Voice calling can be done on any of the devices, so I can have a voice conversation between my Android and Linux computer, but I'd probably use a VPN if I want to obfuscate WebRTC traffic more. You can also send voice recordings as attachments. This is more secure than a real-time phone call and is something that can be done in a hyper-secure model; the voice recording would be E2E encrypted.

Now I didn't mention some basic requirements of a good secure messaging app. One of those requirements is that the app be open source. Many of the alternative secure messaging apps, including Signal, are only partially open source; often there is no open source of the server code. Session is completely open source, including all the versions for all platforms. The whole infrastructure, including Oxen and the Lokinet onion routing, is also open source. Except for the centralized multimedia repositories for temporary storage, there are no centralized servers; all such services are run by the infrastructure of the Oxen nodes. I would point to Session as the way to go for people needing end-to-end encrypted communications with people they don't necessarily know well, though it is of course excellent for everyone. So to me it meets the criteria of all-purpose communications, from normal persons' threat models to hyper-secure. This is the use case where Signal fails. If someone wants to talk to me securely but doesn't want any detectable metadata that reveals I'm talking to an identifiable individual, then Session is superior to just about any other solution. Again, its main benefit is the understanding that metadata is dangerous. Revealing phone numbers between two parties can expose tons of metadata to both parties and to third parties; all it takes is for one real phone call to occur. Revealing emails can do the same thing, revealing IP addresses as well. Again, the risk is not only between the two parties, but this data is easily retrieved by third parties. If I were a journalist wanting to obfuscate a whistleblower source, then Session would be the best solution. Just as an example interaction, two people could initiate contact on my Braxman social media app. BraxMe is a no-identity app, which means if two people set up two new accounts and conversed, I would have no way of knowing who is who, since an identity is not recorded, IP addresses are not tracked, and there are no email addresses or phone numbers. Then the initial conversation within the app could be an exchange of Session IDs, or it could be implied by the publishing of the Session ID in a profile, and then the Session conversation started. Careful though about sending Session IDs in secondary communication channels like email, since it would be possible for Session IDs to be recorded externally by three-letter agencies and connect people outside of Session itself. In other words, it depends on the threat model.

Let me generalize how to install Session and specifically focus on quirks for some platforms. If you're installing on iPhones and Google Androids there's nothing special you have to do; you can just find the Session Private Messenger app on the Apple Store or the Google Play Store. If you're on a de-Googled phone, the preferred way of installing Session is via the F-Droid store. This is the most secure version; the disadvantage is that you don't get to utilize notifications, which give you faster feedback on incoming messages. On a computer you can go to getsession.org and the download link gives you files to download. You can also download the APK of the Android version directly. Just download and click on the installer and it will install just like any other app. On Linux it comes in an AppImage format. AppImages cannot be installed by just clicking on them, so this can be confusing for Linux users. I happen to be running on Pop!_OS, which is a fork of Ubuntu, but to run the Session app is simpler than you think. You see, it is not necessary to even install the Session app. Just move the AppImage file to wherever you want to call it, then change the permissions on the file to allow execution. You can do this on the file manager GUI of your distro or use the chmod command on the command line. Then click on it and it runs. Nothing to install; it is completely self-contained. There are a bunch of instructions to install it via other repositories, but that's a lot more complicated than just changing the permissions.

After installation and initial operation you'll be asked to generate the Session ID. By default this will be different on each device. You don't have to store the Session ID; it is easy to copy anytime you need it. What is hidden in the installation is the private key, and that is really where the security lies. So if this is important to you, go to Settings on Session and set a password for your Session installation; otherwise your security will be the device password of the device hosting Session. You will also be asked to back up the private key using a security phrase. If you store the security phrase somewhere you will be able to restore your original Session ID on other devices. This can allow you to install the same Session ID on multiple devices and will act as a backup. If you lose a Session ID you can set up a new Session ID and start fresh. The disadvantage to not being able to recover a Session ID is that your contacts will need to get your new Session ID.

Now there's deep nitty-gritty that I have to go through to give a fuller explanation of the Session infrastructure. As I explained earlier, Session is a product of the Oxen Privacy Tech Foundation, which in itself is driven by the Oxen cryptocurrency. Oxen is a fork of the anonymous crypto Monero, so it is based on pretty solid roots as far as anonymity of crypto transactions is concerned. Oxen servers are maintained by individuals that make money from Oxen tokens, and to run an Oxen server you have to stake money in it, and Oxen service nodes make Oxen tokens from providing the services to the Oxen network. The main function of the Oxen cryptocurrency is to support the network called Lokinet and Session. Lokinet as an alternative network to Tor deserves a separate video, but here I'm just introducing it as an essential element of the Session infrastructure. A regular user of Session does not need to understand this, but those serious in understanding the advantages of Session would find value in this, and you can read the details of Oxen on the Oxen site.

In my past video I recommended XMPP as the best solution for a metadata-free option for communications, or let's say a solution that respects metadata. I can still recommend XMPP, but let's compare Session to XMPP. XMPP is a protocol, so unfortunately there is no one organization supporting it. This means there are many XMPP apps, and depending on the platform you will be faced with different apps. Some XMPP apps support all the features and some support only some of the features, like the latest OMEMO encryption method or handling attachments, for example. The UI for each app is different, so it is hard to give instructions to your family because it depends on the app they install. Session has support for all platforms and the UI is the same for all, as I've seen, so that's a big plus. XMPP handles the metadata problem by having federated servers; you can even set up your own server. However, it is possible still to intercept traffic between servers and devices if you're an omniscient party like a three-letter agency: not easy, but doable. Session, in contrast, uses a Tor-like network, so this makes this a complex undertaking. Session is always E2E encrypted; on XMPP you have to specifically choose which encryption to use because some clients do not support all encryption methods. This makes Session more bulletproof encryption-wise for an inexperienced user. XMPP is easier to set up because the usernames are easier to remember, for sure. If I were a business and I needed to set up quick communications for my employees that is secure, I would still use XMPP; typically you'd be able to guess your usernames and you would all have the same server. So there's a different use case for each, but these would be my top two choices.

In summary, the biggest roadblock to Session use is the Session ID. Remember that the Session ID need not be private; it's only private if you don't want spam or want to avoid the appearance of obvious Session ID exchanges in surveilled channels like email and texting, but in most any other contexts, like regular use, you can reveal it publicly. There, roadblock eliminated.

Friends, I offer solutions to protect your privacy. The Brax2 privacy phone is completely Big Tech free, open source, no tracking by anyone and definitely no censorship, yet it is completely functional for most things we need to do on a phone. Instead of having Big Tech control your internet traffic, we have a VPN solution, BytzVPN: DNS free from tracking and a Tor option. We also have BraxMail. Why have Google actively read your mail? There is a choice.
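The Linux AppImage step described in the captions (move the file somewhere, make it executable, run it), written out as an added shell example. This is not code from the video or from the Session project; the file path is an assumed placeholder, and the script only grants execute permission to the file's owner rather than to everyone.

```shell
#!/bin/sh
# Added example: make a downloaded Session AppImage runnable in place,
# as the captions describe, without "installing" it.
# Assumed placeholder path: ~/Apps/session.AppImage (adjust to your download).
set -eu

make_appimage_runnable() {
    path="$1"
    # Refuse anything that is not a regular file (a directory, a device, etc.).
    [ -f "$path" ] || { echo "not a regular file: $path" >&2; return 1; }
    # Nobody else should be able to rewrite a binary we are about to run.
    chmod go-w "$path"
    # Grant execute permission to the owner only; group/other do not need it.
    chmod u+x "$path"
    # Confirm the execute bit actually took effect before reporting success.
    [ -x "$path" ]
}

# Quick check used after the fact (and by the test below).
appimage_is_runnable() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Usage: ./run-session.sh ~/Apps/session.AppImage
# When given a path, prepare it and launch it; with no argument, only define
# the functions so the script can be sourced.
if [ "$#" -gt 0 ]; then
    make_appimage_runnable "$1" && "$1"
fi
```

After the first run the file keeps its execute bit, so subsequent launches are just a click in the file manager or `./session.AppImage` from the shell, exactly as the captions say.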
Info
Channel: Rob Braxman Tech
Views: 42,229
Keywords: internet privacy, tech privacy, privacy, de-googled phones, brax2 phone
Id: nprSLN_GEGI
Length: 23min 6sec (1386 seconds)
Published: Wed Jan 11 2023