Follow @Openwall on Twitter for new release announcements and other news
[<prev] [day] [month] [year] [list] 
Message-ID: <CAOvwWh2tea8QjHf63Efhxh7-ESa2zoDv-e1Cwf2T=WRVuWZRmw@mail.gmail.com>
Date: Wed, 15 Jan 2025 01:21:20 -0500
From: Soatok Dreamseeker <soatok.dhole@...il.com>
To: oss-security@...ts.openwall.com
Subject: Session (a fork of the Signal private messaging app) is sus

Full details here:
https://soatok.blog/2025/01/14/dont-use-session-signal-fork/

At a glance, what I found is the following:

   1. Session only uses 128 bits of entropy for Ed25519 keys. This means
   their ECDLP is at most 64 bits, which is pretty reasonably in the realm of
   possibility for nation state attackers to exploit.
   2. Session has an Ed25519 verification algorithm that verifies a
   signature for a message against a public key provided by the message. This
   is amateur hour.
   3. Session uses an X25519 public key as the symmetric key for AES-GCM as
   part of their encryption for onion routing.

Additional gripes about their source code were also included in the blog
post.

Happy hacking!
Soatok

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.