privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal
3.12k stars 384 forks source link

🆕 Software Suggestion | Session (ex-Loki Messenger) #1678

Open lrq3000 opened 4 years ago

lrq3000 commented 4 years ago

Basic Information

Name: Session (ex-Loki Messenger) Category: Encrypted Instant Messengers - Decentralized URL: https://getsession.org/ Platforms: Desktop (Mac, Linux, Windows), Android, iOS

Description

Session (new name of the Loki Messenger) is an anonymous text messenger initially forked from the Signal messenger but completely reworked 3-hops onion routing protocol on top of asymmetrically encrypted messages to anonymize all interactions. E2EE is always enabled and only lokinet users can be contacted through the app. Supports 1-on-1, private groups and public rooms text chats. No phone number nor any private information is required to register. App is cross-platform, available on Windows, Linux, Android, iOS. All open-source, including clients.

In the future, Session will migrate to the Lokinet network (ex LOKI blockchain), a blockchain initially forked from Monero which works over a LLARP (Low Latency Anonymous Routing Protocol) onion routing layer using faster UDP packets, that will allow voice calls. Indeed, Session currently only supports text messages for now due to using a TCP onion routing, but voice calls and maybe video are planned for later after migration to Lokinet (but no exact date planned)). It seems the blockchain is already online since years, but it's still in beta due to the LLARP protocol being tested out, whereas the blockchain technology used is relatively well established, the LLARP protocol is new and needs to be ironed out.

Why I am making the suggestion

Seems like a concurrent to BCM #1662, but it is entirely opensource (here for the messenger). The LLARP onion routing protocol is explained here and compared succinctly to TOR and I2P here (TL;DR: the goal is to retain the strong anonymity and security guarantees of both networks but with faster speed and easier network management - I can't describe more precisely as I am no expert). The messenger (Session) is discussed here. Blokt and SecureChatGuide reviewed it last year under beta (it still is but seems to be soon reaching the first stable release).

I think the messenger is the most directly useful part of the project right now, and hence the focus of this ticket, but the LOKI/LLARP network could also be added as an entry in Self-contained Networks (as suggested before #924) if someone with more expertise than me can understand the provided docs.

/EDIT: a technical preprint is available since 11/02/2020: https://arxiv.org/abs/2002.04609

/EDIT: Session's code was independently audited in April 2021: https://getsession.org/session-code-audit/

My connection with the software

No link, I am just interested in privacy protecting networks.

lrq3000 commented 4 years ago

Mmmm Maybe this ticket should be put on hold until the final release comes out, here is the introductory message when installing the software:

Thanks for testing Loki Messenger! This software is a beta version of the full Loki Messenger software suite, and so is missing some of the features the full version will have. This version of Loki Messenger provides no guarantees of metadata privacy. While your messages are secured using end to end encryption, in this beta version of Loki messenger, third parties (like your ISP or the Service Node network) can see who you’re talking to and when you’re sending or receiving messages. It is also possible that third parties could correlate your public key to your IP address and your real identity if they learn your public key. However, no one except you and your intended recipients will be able to see the contents of your messages. We recommend using existing methods, like Tor or I2P to mask your IP address while using Loki Messenger beta version. As a beta, this software is still experimental. When things aren't working for you, or you feel confused by the app, please let us know by filing an issue on Github or making suggestions on Discord.

At least, it looks like they take security very seriously. Up to you guys to see whether you want to add the entry with a warning, or wait for the final release to fix these issues.

KeeJef commented 4 years ago

Hey, I'm the CTO on the Loki/Session project, just to confirm, yes we will be launching Session in a few days on Desktop, iOS and Android, so probably best to hold off until then for research/review.

lrq3000 commented 4 years ago

@KeeJef that's great news to hear! Can't wait to test the stable release with all the anonymity features implemented :-)

wuniversales commented 4 years ago

My God, what an amazing application. Thank you

wuniversales commented 4 years ago

New website: https://getsession.org/

ian-tedesco commented 4 years ago

Hey, I'm the CTO on the Loki/Session project, just to confirm, yes we will be launching Session in a few days on Desktop, iOS and Android, so probably best to hold off until then for research/review.

When exactly are you launching? Great project!

lrq3000 commented 4 years ago

The app is already available, I have used it before posting this issue, but some important features were missing such as group chat, but on the new website it's written this is now possible, so i guess that's what was meant, the deployment of the new release with these important group features and security updates?

Le lun. 10 févr. 2020 à 16:10, 5a384507-18ce-417c-bb55-d4dfcc8883fe < notifications@github.com> a écrit :

Hey, I'm the CTO on the Loki/Session project, just to confirm, yes we will be launching Session in a few days on Desktop, iOS and Android, so probably best to hold off until then for research/review.

When exactly are you launching? Great project!

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/privacytoolsIO/privacytools.io/issues/1678?email_source=notifications&email_token=AAIRFXTMMKI6EJ6MOAU6ZSTRCFU77A5CNFSM4KOP2STKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOELI3M7Y#issuecomment-584169087, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAIRFXQYIG4FVLNCNXFIIMDRCFU77ANCNFSM4KOP2STA .

ian-tedesco commented 4 years ago

The app is already available, I have used it before posting this issue, but some important features were missing such as group chat, but on the new website it's written this is now possible, so i guess that's what was meant, the deployment of the new release with these important group features and security updates? Le lun. 10 févr. 2020 à 16:10, 5a384507-18ce-417c-bb55-d4dfcc8883fe < notifications@github.com> a écrit : … Hey, I'm the CTO on the Loki/Session project, just to confirm, yes we will be launching Session in a few days on Desktop, iOS and Android, so probably best to hold off until then for research/review. When exactly are you launching? Great project! — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1678?email_source=notifications&email_token=AAIRFXTMMKI6EJ6MOAU6ZSTRCFU77A5CNFSM4KOP2STKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOELI3M7Y#issuecomment-584169087>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAIRFXQYIG4FVLNCNXFIIMDRCFU77ANCNFSM4KOP2STA .

Yes, I meant the new features and security updates. I gave it a look on the desktop client but couldn't find a way of installing it on mobile without using Google Play store, do you know if the .apk is available somewhere?

KeeJef commented 4 years ago

Hey, I'm the CTO on the Loki/Session project, just to confirm, yes we will be launching Session in a few days on Desktop, iOS and Android, so probably best to hold off until then for research/review.

When exactly are you launching? Great project!

As mentioned above Session is now launched on all platforms at https://getsession.org , today we also published a whitepaper https://getsession.org/whitepaper which goes through the design in detail. We are still working through a number of issues discovered when we launched with Multi-device setups so that might not be working as expected if you encounter and edge case.

KeeJef commented 4 years ago

The app is already available, I have used it before posting this issue, but some important features were missing such as group chat, but on the new website it's written this is now possible, so i guess that's what was meant, the deployment of the new release with these important group features and security updates? Le lun. 10 févr. 2020 à 16:10, 5a384507-18ce-417c-bb55-d4dfcc8883fe < notifications@github.com> a écrit : … Hey, I'm the CTO on the Loki/Session project, just to confirm, yes we will be launching Session in a few days on Desktop, iOS and Android, so probably best to hold off until then for research/review. When exactly are you launching? Great project! — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1678?email_source=notifications&email_token=AAIRFXTMMKI6EJ6MOAU6ZSTRCFU77A5CNFSM4KOP2STKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOELI3M7Y#issuecomment-584169087>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAIRFXQYIG4FVLNCNXFIIMDRCFU77ANCNFSM4KOP2STA .

Yes, I meant the new features and security updates. I gave it a look on the desktop client but couldn't find a way of installing it on mobile without using Google Play store, do you know if the .apk is available somewhere?

APKs are here, https://github.com/loki-project/session-android/releases , We will be trying to get into F-Droid repo shortly, we're just focusing on bugfixes for now since we just released.

lrq3000 commented 4 years ago

@KeeJef Thanks a lot for the updates, I have updated this issue accordingly. Good luck with the post-release bugfixing, you've got an awesome project here!

ian-tedesco commented 4 years ago

Congrats, I hope you get a stable release ASAP and your project is great!

zaggynl commented 4 years ago

Does this depend on the Google Services Framework? Aurora store shows a GSF dependency.

wuniversales commented 4 years ago

As they say during the beta, it has a traffic analyzer, then they will remove it in the stable version.

KeeJef commented 4 years ago

@wuniversales all analytics have already been removed from all platforms, that was done a few weeks ago when Session was released

Regarding Aurora store flagging Session as GSF dependent, not sure why that is happening, we have APK's that you can download directly here and those work fine without Google play, i will have a look into it on Monday though.

PMK commented 4 years ago

1.0.2 released and I'm impressed! I would like to see this being added.

ian-tedesco commented 4 years ago

1.0.2 released and I'm impressed! I would like to see this being added.

Yeah, it works pretty sweet and it doesn't have shitty Google dependencies like Signal.

blacklight447 commented 4 years ago

1.0.2 released and I'm impressed! I would like to see this being added.

Yeah, it works pretty sweet and it doesn't have shitty Google dependencies like Signal.

Signal hasn't had the need to run on google for notifications for years now, and even with the google version, google only sees that you have a notification, not what the notification is about.

About Session now, what is the intended threatmodel? And also, what does it intend to solve over signal ( as of now, it seems to be a Signal fork with some blockchain stuff bolted on).

KeeJef commented 4 years ago

The threat model is defined in the whitepaper here https://arxiv.org/pdf/2002.04609.pdf

Since Session deploys proxy routing (1 hop, soon to be Onion routing 3 hops) inside it can deal with network level adversaries, as opposed to Signal in which the server can collect the sender and recipient IP addresses. Additionally it removes the need for phone numbers or email addresses as identifiers and instead uses public keys, which enhance anonymity as they are not linked to any real work identifier. Session also doesn't rely on central servers, messages are not stored on servers run solely by the developers or Loki foundation and instead are stored on Service Nodes run by community members, this makes the network resilient to being shutdown or compelled to run privacy compromising software distributions. There is more information contained in the whitepaper about how this is achieved and the properties it provides.

blacklight447 commented 4 years ago

The threat model is defined in the whitepaper here https://arxiv.org/pdf/2002.04609.pdf

Since Session deploys proxy routing (1 hop, soon to be Onion routing 3 hops) inside it can deal with network level adversaries, as opposed to Signal in which the server can collect the sender and recipient IP addresses. Additionally it removes the need for phone numbers or email addresses as identifiers and instead uses public keys, which enhance anonymity as they are not linked to any real work identifier. Session also doesn't rely on central servers, messages are not stored on servers run solely by the developers or Loki foundation and instead are stored on Service Nodes run by community members, this makes the network resilient to being shutdown or compelled to run privacy compromising software distributions. There is more information contained in the whitepaper about how this is achieved and the properties it provides.

So it aims to solve signals ability to correlate conversation members via your own onion routing network ( as currently, signal can still correlate via IP, but not via account's because of their sealed sender feature) and you deal with the phone number issue with a blockchain?

KeeJef commented 4 years ago

So it aims to solve signals ability to correlate conversation members via your own onion routing network ( as currently, signal can still correlate via IP, but not via account's because of their sealed sender feature) and you deal with the phone number issue with a blockchain?

Yes it aims to resolve the IP address correlation, by using an Onion routing network. But no, it doesn't use a blockchain to solve the phone number issue, the public keys don't have any relationship to the blockchain, they are just public keys. The blockchain is used to incentivze the nodes in the network who store user messages and allow for asynchronous communications. You dont need to pay to send messages or use the messenger or anything, its abstracted away from the user.

blacklight447 commented 4 years ago

Interesting. What happens if the user loses his private key? Also, are there any easy backup methods in place so the user can prevent losing said private key?

KeeJef commented 4 years ago

Interesting. What happens if the user loses his private key? Also, are there any easy backup methods in place so the user can prevent losing said private key?

The user is given access to and encouraged to write down their 12 word mnemonic seed when they create an account or at any time in the settings menu, with this phrase they can restore their private key (identity) and re-initiate previous sessions. In the future we will allow the user to password encrypt their seed and store it other locations, but that's not yet implemented

blacklight447 commented 4 years ago

Sounds very promising. Im not sure if the software is mature enough to be a major recommendation just yet, and we also would have to see how the loki network will develop itself further (is it going to die down like most startup anonymity networks, or will it maybe thrive.) About that, if the worsed case scenario happens and loki doesn't make it, will it be possible to alter session to move to another platform like Tor?

KeeJef commented 4 years ago

About that, if the worsed case scenario happens and loki doesn't make it, will it be possible to alter session to move to another platform like Tor?

I don't anticipate that happening since the network is already about 1030 nodes strong. But technically, yes, it would require ripping the custom onion routing logic we have in our code out, but i see no reason it couldn't be switched to use Tor.

ian-tedesco commented 4 years ago

1.0.2 released and I'm impressed! I would like to see this being added.

Yeah, it works pretty sweet and it doesn't have shitty Google dependencies like Signal.

Signal hasn't had the need to run on google for notifications for years now, and even with the google version, google only sees that you have a notification, not what the notification is about.

Yes it need Google notifications, I downloaded the .apk from Signal recently and they won't let you install the software if you don't have Google store installed, and also if you don't have Google services install you need to enter to the application to receive messages, if not it goes kinda buggy and won't notify you, this issue doesn't happen with Session.

ian-tedesco commented 4 years ago

Sounds very promising. Im not sure if the software is mature enough to be a major recommendation just yet, and we also would have to see how the loki network will develop itself further (is it going to die down like most startup anonymity networks, or will it maybe thrive.) About that, if the worsed case scenario happens and loki doesn't make it, will it be possible to alter session to move to another platform like Tor?

I've been using it for almost two weeks now and I can say it works really really good, in comparison to Briar or Jami, which are also listed, if that's considered mature.

lrq3000 commented 4 years ago

Super interesting discussion, thanks a lot everyone! I also found their blog posts very interesting about their vision of private messaging, particularly the first one:

blacklight447 commented 4 years ago

@5a384507-18ce-417c-bb55-d4dfcc8883fe i have been using signal for more then 2 years without any google services on my device and recieve notifications perfectly fine.

Mikaela commented 4 years ago

As this was brought up in #general:privacytools.io, I checked it quickly and commented this:

I don't like it being Electron and I don't really understand their answer "Is Session peer-to-peer?" - what are service nodes, are they centralized only in their control or can anyone host them and are they federated? Otherwise it looks promising other than being Electron and I am not capable of auditing it

Emphasis I added for GitHub.

KeeJef commented 4 years ago

As this was brought up in #general:privacytools.io, I checked it quickly and commented this:

I don't like it being Electron and I don't really understand their answer "Is Session peer-to-peer?" - what are service nodes, are they centralized only in their control or can anyone host them and are they federated? Otherwise it looks promising other than being Electron and I am not capable of auditing it

Emphasis I added for GitHub.

The desktop version is Electron based primarily since we have forked the existing Signal applications. For us to develop and maintain native clients for all OS'es would be extremely resource intensive. Although we do recognize that Electron is not the most highly secure framework available.

Regarding the Service Node network. They are federated, and anyone with the required Loki stake can start running one and earn a reward for storing and routing user messages. The Loki foundation is not in control of the Service Node network, there are hundreds of individual node operators with altogether about 1050 Service Nodes in operation.

The reason Session isnt peer to peer is that you always connect to the Service Node network to send and store messages to other users, you never connect directly to another user as that would expose your IP address and limit the ability for messages to be sent asynchronously.

ghost commented 4 years ago

This would be great I’m deciding on switching to session as it doesn’t need a phone or email to sign up

dngray commented 4 years ago

This would be great I’m deciding on switching to session as it doesn’t need a phone or email to sign up

No reason to wait for it to be mentioned on PrivacyTools, why not switch now and tell us how it you found it.

ghost commented 4 years ago

This would be great I’m deciding on switching to session as it doesn’t need a phone or email to sign up

No reason to wait for it to be mentioned on PrivacyTools, why not switch now and tell us how it you found it.

Found it from reddit on the privacy section but I am gonna switch but if it was on privacy tools it would give me some reinsurance that it’s safe and secure. I know it’s a based on the electron blockchain which I heard wasn’t the best. But it does use signals protocol

KeeJef commented 4 years ago

I know it’s a based on the electron blockchain which I heard wasn’t the best.

It is not based on the Electron blockchain (AFIK that doesn't exist), the Desktop application is using the Electron Javascript framework, as is Signal. As @dngray said you can go ahead and have a go using Session, its still early days so the user experience isn't quite as easy as Signal and you might run into bugs.

ghost commented 4 years ago

Oh thanks for the correction that’s why you should believe some reddit user 😂

blacklight447 commented 4 years ago

I think session will be a great addition to the site on day, but we are currently mostly waiting for it to become more mature as software and as a service (by seeing how the loki network will expand and grow.)

GintokiHub commented 4 years ago

I have admired the effort of the loki team (don't know them). To try and make some kind of midway best of two tor and i2p together anonymity network, first of all. Honestly I think it might be able to be posted as a rec, for people whom need only send messages to one another. However when, if they implement actual voice calling tech in there I think this truly will spark a lot of peoples interest.

KeeJef commented 4 years ago

I have admired the effort of the loki team (don't know them). To try and make some kind of midway best of two tor and i2p together anonymity network, first of all. Honestly I think it might be able to be posted as a rec, for people whom need only send messages to one another. However when, if they implement actual voice calling tech in there I think this truly will spark a lot of peoples interest.

I don't think Session should be omitted from the Privacytools.io site, just because it doesn't have voice calls, there are a few things that we want to do before recommending that Session is listed on the site

These features are all actively being worked on right as we speak and i think when these features are in and testers from this group can see that they work reliably, then there would be no reason not to list Session in the messenger section.

lrq3000 commented 4 years ago

Full three hop onion routing is enabled in Session, instead of one hop proxy routing.

I was going to mention the simplified routing scheme, but if the 3 hop onion routing is implemented soon, then that would be awesome!

I agree that even without voice calls, with the upcoming updates Session would be at least Worth Mentioning IMHO, until its stability is sufficiently field tested to potentially be a recommendation similarly to Briar (although I'm not sure whether it should be classified as P2P or Federated - Status.im which is based on Ethereum nodes is under Federated so maybe we should go along the same way for Session?)

lrq3000 commented 4 years ago

BTW thanks a lot @KeeJef for taking the time to update us, that's really appreciated (and great work on Session!).

Ah I also just noticed you published a preprint, congratulations and great work! I'll add this to the top message for reference :-)

GintokiHub commented 4 years ago

I don't think Session should be omitted from the Privacytools.io site, just because it doesn't have voice calls, there are a few things that we want to do before recommending that Session is listed on the site

Oh that wasn't what I was trying to imply. I'm just really thrilled if when it would get to that point. For me it if at that point, if then working this would be my dream messenger come true so..

lrq3000 commented 4 years ago

For me it if at that point, if then working this would be my dream messenger come true so..

@GintokiHub I agree with you and would very much like to see VoIP (and let's dream voice calling ;-) ) through the lokinet. Maybe someday! :D Right now the future of private messaging seems bright with the emerging implementations of E2EE in WebRTC using Secure Frames, and with the lokinet it would also be anonymous to some extent.

@KeeJef please let us know when the points you mentioned are ready for large use, I can test and make a PR :-)

ph00lt0 commented 4 years ago

Session has trackers from Google Firebase, doesn't seem like something PTIO should recommend.

lrq3000 commented 4 years ago

@ph00lt0 I guess this issue explains why Firebase is used?

I remember reading a blog post about the difficulties with pushing updates to Android devices without using a connection to a centralized server that could diminish anonymity, maybe it was on the Session blog but I can't remember or find with Google where.

lrq3000 commented 4 years ago

PS: it seems that using Firebase is optional, although enabled by default if I understand correctly the issue linked above?

subsys-R9boq8 commented 4 years ago

PS: it seems that using Firebase is optional, although enabled by default if I understand correctly the issue linked above?

It's possible to use Firebase Cloud Messaging as a push service, but users can opt not to use it, and the setting screen is explicit enough (pop out after first run of app update) to consider it no harmful intention.

Though it still feels strange enough to me, because using FCM doesn't require Firebase Analytics, right?

And the analytics result of Exodus only returns one Java class (com.google.firebase.analytics.connector.AnalyticsConnector), which is not the case for normal apps (for example: pixiv 8 classes start with com.google.firebase.analytics.) that embedded Firease Analytics.

ph00lt0 commented 4 years ago

@subsys-R9boq8 this is exactly my point. It's not about the push notifications. Although I would say it should use alternative methods either way. The use of trackers like Firebase Analytics is just wrong.

subsys-R9boq8 commented 4 years ago

@ph00lt0 Yes, and it also sounds strange, Firebase Analytics seems quite broke in Session-Android.

KeeJef commented 4 years ago

We have never actually used Firebase analytics in a production version of the application, these static code analyzers seemed to be picking up the inclusion of the Google Firebase library (Used for FCM) as and flagging that, but as of last week we have excluded those parts that were getting flagged by Exodus and now we are passing https://reports.exodus-privacy.eu.org/en/reports/network.loki.messenger/latest/.

You can see the PR here https://github.com/loki-project/session-android/pull/219

Regarding FCM for push it is only ever used if the user opts in to use it,and there is a big onboarding screen explaining the consequences/benefits, you can use Session Google free if you just use background notifications.