There was a security audit https://getsession.org/session-code-audit that resulted in this: "The overall security level of this application is good and makes it usable for privacy-concerned people."
I just skimmed that audit (from 2021) and hit ctrl-f for "forward secret" (no results) and then "ratchet"... which found this:
Even though there is no ratchet mechanism as in Signal, no correlation exists between ciphering keys over time. This observation is made on the basis that crypto_box_seal creates a new key pair for each message, and attaches the public key to the ciphertext. crypto_box_seal creates an ephemeral keypair and uses the secret part with the recipient public key to craft a symmetric key in charge of ciphering messages. The recipient will extract the ephemeral public key from the ciphered message and will use their private key to regenerate the ephemeral symmetric key for this message.
Having an ephemeral DH public key included with each message does not make the symmetric key ephemeral and thus does not make the protocol forward secret, because the other side of the DH is the recipient's long-term key. So, an adversary who records some ciphertexts and then compromises the recipient's long-term private key years later can easily decrypt all of the old ciphertexts they collected.
There are several other reasons I wouldn't recommend Session, but the lack of forward secrecy is a big one.
I haven't read the rest of the audit but the fact that they gloss over the lack of forward secrecy and strongly imply that crypto_box_seal with one ephemeral key and one long-term key makes the symmetric key somehow "ephemeral" casts doubt on the credibility of the auditors.
compromises the recipient’s long-term private key years later
Thank you. I have read that Session is not yet using a quantum-resistant cryptographic algorithm. It is using X25519, an elliptic-curve algorithm widely used for key agreement in TLS today. As a layman, I do not expect this to be a problem for a regular user (who is not a target of the US three-letter agencies) in the near future.
The lack of forward secrecy and lack of post-quantum encryption are orthogonal deficiencies. The development of a cryptanalytically-relevant quantum computer is only one of the ways that a long-term key could be compromised in the future, and forward secrecy without some PQ crypto does not actually even protect against that.
The reason to have forward secrecy (even if you don't have PQ) is that long-term keys can be compromised in the future by malware or device seizure. See the forward secrecy Wikipedia article I linked in my previous comment for more information.
These are good cryptographic choices, albeit not PQ. The problem is that they aren't being combined in a forward-secret manner. It is very possible to build a forward-secret protocol from these primitives (as many other projects have done) but Session opted not to. They actually were originally using Signal's forward-secret ratchet, but if I understand correctly it was too difficult for them so they just gave up on forward secrecy at some point and replaced it with this thing they have now.
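Added example (mine, not from anyone in the thread, and not Session's or libsodium's code) to make the two points above concrete: the crypto_box_seal analysis (ephemeral sender key, long-term recipient key, so a recorded ciphertext falls to a later key compromise) and the point that the same primitives can be combined in a forward-secret way. The X25519 is a transcription of RFC 7748; the symmetric layer is a toy SHA-256/HMAC stand-in for XSalsa20-Poly1305 so it runs with only the standard library, and the key derivation (hashing the shared secret with both public keys) is my own simplification of the sealed-box construction, not libsodium's. The message text and the "Bob publishes a one-time key" arrangement are constructed for the demo.

```python
import hashlib
import hmac
import os

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """X25519 scalar multiplication, Montgomery ladder per RFC 7748 section 5."""
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    scalar = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _keystream(key: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; stands in for XSalsa20 only so the
    # example is self-contained. Not for real use.
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))


def _toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    return body + hmac.new(key, body, hashlib.sha256).digest()  # encrypt-then-MAC


def _toy_decrypt(key: bytes, data: bytes) -> bytes:
    body, tag = data[:-32], data[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(body, _keystream(key, len(body))))


def seal(recipient_pk: bytes, plaintext: bytes) -> bytes:
    """crypto_box_seal shape: a fresh sender keypair per message, public half
    prepended. The other DH input is whatever recipient_pk is: that single choice
    decides whether the message is forward secret."""
    esk = os.urandom(32)
    epk = x25519(esk, BASEPOINT)
    key = hashlib.sha256(x25519(esk, recipient_pk) + epk + recipient_pk).digest()
    del esk  # the sender keeps nothing that can decrypt this message
    return epk + _toy_encrypt(key, plaintext)


def unseal(recipient_sk: bytes, ciphertext: bytes) -> bytes:
    epk, box = ciphertext[:32], ciphertext[32:]
    recipient_pk = x25519(recipient_sk, BASEPOINT)
    key = hashlib.sha256(x25519(recipient_sk, epk) + epk + recipient_pk).digest()
    return _toy_decrypt(key, box)


MESSAGE = b"meet at the usual place, 21:00"  # constructed sample plaintext


def record_then_compromise() -> dict:
    """A passive adversary records ciphertexts now and obtains Bob's long-term
    private key later (malware, device seizure). Returns what they recover."""
    bob_sk = os.urandom(32)
    bob_pk = x25519(bob_sk, BASEPOINT)

    # Case 1: sealed straight to Bob's long-term key, as crypto_box_seal does.
    recorded_sealed = seal(bob_pk, MESSAGE)
    assert unseal(bob_sk, recorded_sealed) == MESSAGE  # Bob reads it normally

    # Case 2: same primitives, forward secret: Bob hands out a one-time key (a real
    # protocol would authenticate it with his long-term key), Alice seals to that,
    # and Bob erases the one-time secret once he has read the message.
    once_sk = os.urandom(32)
    recorded_session = seal(x25519(once_sk, BASEPOINT), MESSAGE)
    assert unseal(once_sk, recorded_session) == MESSAGE
    once_sk = None  # simulates erasure; nothing on Bob's device can leak later

    # Later: the adversary holds bob_sk and tries both recordings.
    out = {"sealed_box_recovered": unseal(bob_sk, recorded_sealed) == MESSAGE}
    try:
        unseal(bob_sk, recorded_session)
        out["one_time_key_recovered"] = True
    except ValueError:
        out["one_time_key_recovered"] = False
    return out


if __name__ == "__main__":
    # prints {'sealed_box_recovered': True, 'one_time_key_recovered': False}
    print(record_then_compromise())
```

The per-message ephemeral key on the sender's side changes nothing for the recorded traffic: every ciphertext still carries enough for the holder of the recipient's long-term key to rederive its symmetric key. The second case is the minimum that does help, a recipient-side secret that stops existing, which is what a ratchet automates message by message.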
While Simplex uses: Curve25519 / XSalsa20 256 / Poly1305
SimpleX actually added Streamlined NTRU Prime recently for quantum resistance. (And it was forward secret from the beginning, as one would expect of any protocol designed in the last 15 years or so...)