Session messenger adds PFS, PQE, and other improvements

Phone with glowing 'V2' above it, symbolizing the second version of the Session Protocol

Session, a popular encrypted messenger app in the privacy community, today announced several major updates, including one correcting one of their most commonly criticized and serious drawbacks.

Session has long been divisive in the community. It began in 2020 as a fork of Signal with several attractive improvements such as requiring no information to sign up, being onion-routed by default, and being decentralized.

But Session has also drawn its fair share of criticism. Session's decentralization depends heavily on their own cryptocurrency (a polarizing topic in and of itself), while questions have been raised about how decentralized the network really is. Perhaps most glaring, however, is that Session removed Perfect Forward Secrecy (PFS) in 2021, citing stability issues when paired with Session's decentralized architecture.

PFS is—to oversimplify—a way to rotate encryption keys on a regular basis so that even if an adversary were to obtain one set of keys, messages encrypted under earlier (and potentially later) keys would remain protected. The attacker would only be able to read the specific window of messages that were encrypted using that particular set of keys.

Session has long argued that their other features make PFS unnecessary:

The simple fact of the matter is that Session provides protections against these types of threats in other ways — through fully anonymous account creation, onion routing, and metadata minimisation, for example. These protections will prove as effective, or more so, in many real-world scenarios within Session’s scope and threat model.
(Source)

However, many—including the Privacy Guides community—have not been convinced. Session has not been a recommended messenger at Privacy Guides for quite some time, largely because of the lack of PFS.

The winds might be shifting, however, as Session has just announced their "V2 Protocol" which is set to include—among other things—PFS and Post-Quantum Encryption. In their blog post, they give a rough overview of how PFS will work:

...Accounts will establish a set of Rotating Key Pairs for each linked device and a single rotating key pair that is shared across all linked devices on a per-account basis. Per device keys are stored on each device... When a per device key rotates, the old key is deleted after a period of time, meaning if a device is compromised attackers cannot decrypt previously stored messages... Per-account keys would be kept in sync between linked devices, and these keys would be used by other senders to encrypt messages for your account and, subsequently, all of your linked devices. Per account keys also rotate frequently to ensure an attacker who compromises a device cannot decrypt historic stored messages encrypted by per account keys which are now deleted.
A critical component of the V2 Session Protocol is ensuring that devices remain synchronized as keys rotate, a significant challenge during Session’s previous implementation of PFS using the Signal Protocol. Since then, Session has introduced major infrastructure upgrades, including migrating core cryptographic logic into a shared library called libsession and developing a robust mechanism for synchronizing data across linked devices using "Config Messages". These upgrades, which are already implemented, will serve as the backbone for the V2 protocol and are expected to alleviate the synchronization issues encountered during Session’s previous PFS implementation.
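To make the "window" of exposed messages concrete, here is a toy simulation, added here and not Session's code or libsession, of the rotating per-account keys the post describes: a symmetric epoch key stands in for each rotating key pair, expired keys are deleted after a constructed `RETAIN` window, and a device compromise exposes only the stored messages whose keys still exist on the device.

```python
import hashlib
import hmac
import os

RETAIN = 2  # epochs an expired key is kept before deletion (constructed value)

def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based keystream; a stand-in for a real cipher in this toy model."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def encrypt(key: bytes, epoch: int, plaintext: bytes) -> tuple:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return (epoch, nonce, ct, tag)  # epoch tells the recipient which key applies

def decrypt(key: bytes, msg: tuple):
    epoch, nonce, ct, tag = msg
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None  # wrong key or tampered ciphertext
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Device:
    """Holds the current account key plus a short tail of expired ones."""
    def __init__(self):
        self.epoch, self.keys, self.store = 0, {0: os.urandom(32)}, []

    def rotate(self):
        self.epoch += 1
        self.keys[self.epoch] = os.urandom(32)
        for e in [e for e in self.keys if e < self.epoch - RETAIN]:
            del self.keys[e]  # "the old key is deleted after a period of time"

    def receive(self, msg):
        self.store.append(msg)  # message history stays stored on the device

def compromise(device: Device) -> dict:
    return dict(device.keys)  # attacker's snapshot: only keys still present

def readable(stolen: dict, store: list) -> list:
    """Messages an attacker holding `stolen` can decrypt from the stored history."""
    return [pt for m in store
            if m[0] in stolen and (pt := decrypt(stolen[m[0]], m)) is not None]

def simulate(epochs: int = 6) -> tuple:
    """One message per epoch, then a compromise; returns (stored, exposed)."""
    dev = Device()
    for i in range(epochs):
        if i:
            dev.rotate()
        dev.receive(encrypt(dev.keys[dev.epoch], dev.epoch, f"msg {i}".encode()))
    return len(dev.store), len(readable(compromise(dev), dev.store))
```

With six epochs and a two-epoch retention tail, only the last three of six stored messages are exposed; shrinking `RETAIN` shrinks the window, at the cost of dropping messages that arrive late under an already-deleted key.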

Session also says they took this opportunity to add Post-Quantum Encryption to their cryptography. Quantum computers are computers that use a fundamentally different architecture than modern "classical computers," giving them exponentially more processing power for certain problems. The fear for privacy and security is that while classical computers would take decades or longer to crack properly-implemented modern encryption keys, quantum computers could theoretically do it in exponentially less time: days or even hours.

Quantum computers are still very early in development. At this time, these concerns remain theoretical. Still, that hasn't stopped many companies from getting ahead of the curve, including Signal, Tuta, and many others in the privacy space, as well as Big Tech companies like Apple, Cloudflare, and more. Session now joins their ranks by deciding to use the ML-KEM standard, a NIST-approved post-quantum cryptographic algorithm already used in both Signal and iMessage.

In addition to this, another major and long-requested addition is the ability to manage linked devices (to know when your account has been linked with a new device and to remove it remotely). Session says that in the future this could be expanded to require authorization to link new devices, yet another security improvement. These new developments—particularly the re-introduction of PFS—will bring Session forward dramatically in terms of their security.

The V2 Protocol is not yet finalized. Additional details will be released in 2026.


Editor's note: The em-dashes (—) in this article were hand typed ;)
