 No, not like Session at all.

We are not going to throw away double ratchet, and we are not going to create cryptocurrencies based on public blockchains. If we ever replace double ratchet with any other scheme, we would replace it with the more secure one, not with a less secure one like Session did.

We are moving in a very different direction from Session's: https://simplex.chat/blog/20240516-simplex-redefining-privacy-hard-choices.html

Also, the design of the private routing achieves the level of metadata privacy that onion routing in Session doesn’t provide - I can comment more on it, but here is the post: https://simplex.chat/blog/20240604-simplex-chat-v5.8-private-message-routing-chat-themes.html

I understand that Session fans might be angry about my criticism of Session, but its crisis is of their own doing - Session's decision to remove double ratchet was a wrong one - users who choose Session need double ratchet, at least.

The path for Session to regain users' trust would be:
1) get double ratchet back, with all its qualities, and figure out how to solve multidevice without compromising encryption security - I’d happily collaborate on that, as an acceptable solution doesn’t exist yet.
2) make node ownership optionally transparent and let clients choose nodes owned by known and different operators (to avoid unknown operators who potentially collude undermining onion routing promises - these promises only hold under the assumption that operators of nodes chosen for the circuit do not collude).
3) decentralise media storage in the same way messages are decentralised - Session may as well adopt the XFTP protocol we designed - it's independent from messaging, and that can create some collaboration points too.
4) add a notification when another device accesses the same profile via recovery code.
5) protect access to recovery code in the app with PIN.

In its current state Session is simply dangerous to use for any scenarios requiring privacy and security.

Solving points 4 and 5 would remove Session from "dangerous" territory and make it simply “not too secure”.  I don't understand why it wasn't already done after the public conversation with Keith several months ago, see the links here: https://x.com/SimpleXChat/status/1755216356159414602

Solving 1 would make it secure. Solving 2 and 3 would make it private.

It's correct to point out SimpleX network limitations, and we work on resolving them.

But by misleading the audience about Session's level of privacy and security you are creating risks that may cost some people their lives or freedom - this is really bad for the community and detrimental for your reputation as well.
 Yes I agree it sucks he removed forward secrecy.
Yes I agree that SimpleX hides metadata better when BOTH parties want to be invisible.
Yes I agree that him adding the PIN and the notification on devices would be good.
Yes I agree it would be better if you could pick your entrance node like Tor.

This isn’t a real debate because I have no say in what KeeJef does.  Remember, I am a USER of Session, and NOT a developer.  So my goal is to educate people on the pros and cons.  We use a Session bot we made to distribute content, I’d like to do the same for SimpleX in the future.  But I’m not going to do it if it’s a toxic culture.

What I do like about Session is a complete separation of physical locations from identity or communication, the ability to own your identity like a crypto wallet, and rotate the key to a new identity via the blockchain.  As we outlined in our uncensored discussion for its use on a VPS.
http://simplifiedprivacy.com/uncensored
This makes Session more suited for pure censorship, unlike SimpleX with government domain name identities.

If you think about it, SimpleX heavily relies on a secure off-band mode of communication to begin with, to prevent bogus URLs from being sent as man in the middle.  Now, you said you’re adding PGP keys, and that’s great.  I look forward to it.  But I’m still relying on the regular government internet stack to deliver me the public key.

SimpleX excels at TWO way anonymity.
Session excels at ONE way anonymity, since anyone can quickly tap into your blockchain name and verify it easily.  Many people in life may want to be invisible, but in most cases you don’t.
A journalist doesn’t want to be invisible, I want to know that I’m talking to the right journalist.
A crypto-trader doesn’t want to be invisible, I want to know that I’m sending funds to the right trader.
Additionally, users can achieve the same thing as SimpleX by having multiple Session identities on Linux.

I like SimpleX, and I’m excited you have made progress.  I’m NOT saying don’t use it.  I’ve just grown frustrated over the last few months with the SimpleX Linux clients having errors that caused me to abandon accounts, which makes the whole thing real vulnerable to phishing attacks.  As I mentioned in chat previously, SimpleX’s reliance on Android first is one I disagree with as mobile devices are not secure.  Also, the motivation to host your own server is somewhat confusing, if using your own server causes you to stand out.  I hope your voucher system fixes this.

At the end of the day, I’m not looking to cause fighting for the sake of drama.  I get excited about freedom technology for the love of it.  I wonder if you bashing Session 24/7 while adopting very similar features is in the same vein.  I think KeeJef should be the one to debate with you, not me.
 I don't understand how establishing 1st communication doesn't always require connecting offband.

You can always contact someone because they told you how to do so in another medium, there is no way around it, no amount of "decentralized identity layer" would prevent that.

The exception is when you meet new people in the medium itself and can just initiate a conversation directly.