Session Messaging App: A Cryptographic Security Audit
2025-01-20

Security engineer Soatok published a blog post questioning the cryptographic design of the Session messaging app. The post highlights Session's use of 128-bit seeds for Ed25519 key generation, which leaves the resulting keys vulnerable to batch collision attacks; the post includes a proof-of-concept. It also criticizes design flaws in Session's signature verification process and the removal of forward secrecy. Soatok concludes that Session's cryptographic design poses significant security risks and advises against its use.