Understanding Session Software and Its Decentralized Network

Author

Reads 7.1K

From above crop anonymous male programmer in black hoodie working on software code on contemporary netbook and typing on keyboard in workspace
Credit: pexels.com, From above crop anonymous male programmer in black hoodie working on software code on contemporary netbook and typing on keyboard in workspace

Session software is built on a decentralized network, which means it's not controlled by a single entity. This architecture allows for greater autonomy and resilience.

Decentralized networks are made up of many nodes, which work together to process transactions. In Session's case, this means that transactions are processed across multiple nodes, rather than a single central point.

This decentralized approach provides several benefits, including improved security and reduced risk of censorship. By spreading transactions across many nodes, the network becomes more difficult to manipulate or shut down.

Session's decentralized network is powered by a unique consensus algorithm, which enables secure and efficient transaction processing.

Features

Session doesn't require a telephone number or email address for account creation, instead using a randomly generated 66-digit alphanumeric number for user identification.

This unique approach to account creation makes it easy to get started with Session.

Communication between users is end-to-end encrypted using the Session protocol, ensuring that your messages and files are secure.

This level of encryption is verified by independent reviews, including one by the third-party Quarkslab in 2021.

Session has also migrated to its own network, the Session Network, a decentralized, open-source blockchain network designed to transmit encrypted data.

If this caught your attention, see: Cisco Network Registrar

Encryption

Credit: youtube.com, Session Private Messenger - Really Understands Privacy!

Session employs end-to-end encryption for all user communications, but its approach has evolved significantly from its Signal origins. Session started out using the Signal Protocol for one-on-one chats and the Sender Keys system for group chats, but it has since created its own system, called the Session Protocol.

The Session Protocol prioritizes simplicity and compatibility with the decentralized network, using well-vetted cryptographic primitives like X25519, Ed25519, ChaCha20/AES-GCM, Poly1305, and HKDF via the libsodium library. It leverages the crypto_box_sealed function for asymmetric authenticated encryption.

The Session Protocol has some notable design decisions. For one-on-one chats, it uses the sender's long-term Ed25519 key for signing and the recipient's long-term X25519 key combined with ephemeral keys for E2EE. In closed groups, it derives a shared group keypair and uses crypto_box_sealed with the sender's key and the group's public key. However, it drops Perfect Forward Secrecy (PFS) and strong cryptographic deniability, which has stirred up debate.

You might enjoy: Protocol Ftp

Credit: youtube.com, "Session" End 2 End Encrypted Messenger w/Custom Onion Routing

Here are the key differences between the Session Protocol and the Signal Protocol:

The Session Protocol's design choices have implications for security. Without PFS, if someone compromises a user's long-term private key, they could decrypt all past messages linked to that key. While Session claims that its architectural protections help, this still makes it less secure compared to protocols like Signal or Wire's Proteus.

Architecture and Network

Session uses a decentralized network of servers called Session Nodes, which are operated by community members globally. This network consists of around 2,000 to 2,200 nodes, making it a large and distributed system.

The decentralized structure of Session is crucial for its claims of censorship resistance and avoidance of single points of failure or data collection. It's a key factor in keeping conversations private.

Session Nodes are grouped into smaller teams called 'swarms', which help make sure messages are safely stored and can be found later. Each user is assigned to a specific swarm based on their Session ID.

People Looking at Diagram in an Office
Credit: pexels.com, People Looking at Diagram in an Office

Here's a breakdown of the main differences between Session and Wire:

The decentralized setup of Session relies on cryptocurrency and staking, which helps prevent Sybil attacks and keeps node operators motivated to run the network smoothly.

The Decentralized Network

Session's network is made up of around 2,000 to 2,200 nodes operated by community members globally, providing a large, distributed network of servers.

This decentralized structure is crucial for Session's claims of censorship resistance and avoidance of single points of failure or data collection.

To run a Session Node, people or groups need to put up a good amount of cryptocurrency, starting with $OXEN, which is the main token for the Oxen blockchain, and then switching to the new Session Token ($SESSION) when the network updates in 2025.

The staking requirement helps prevent Sybil attacks, where someone tries to take control by making lots of fake identities (or nodes), by making it super expensive for anyone trying to launch a big attack.

Credit: youtube.com, Unlocking Decentralized Network Architecture | How It Works Explained Simply | Lesson 25

Node operators also have a financial reason to keep things running smoothly; they earn rewards in $OXEN or the upcoming $SESSION tokens for doing their job well.

Here's a breakdown of the benefits of the staking mechanism:

  • Prevents Sybil attacks by making it costly for an adversary to control a large fraction of the network nodes.
  • Incentivizes good behavior and rewards node operators for doing their job well.
  • Disincentivizes malicious actions by risking the loss of stake.

The network adjusts how swarms are set up, keeping things balanced as nodes come and go, and messages stay stored until they are delivered or until they expire, which usually takes about 14 days.

Wire

Wire uses a centralized architecture, which is quite different from Session. This means that Wire's data is stored in a central location, whereas Session's architecture is more decentralized.

Wire requires an email address or phone number for registration, linking the account to an external identifier. This is unlike Session, which doesn't require this.

Wire uses the Proteus protocol, which is an earlier version of the Signal Protocol and does include perfect forward secrecy. However, Wire admits it collects more metadata than Signal, especially about contact lists, to make it easier to sync across devices.

Two business professionals brainstorming and planning software development with a whiteboard in an office.
Credit: pexels.com, Two business professionals brainstorming and planning software development with a whiteboard in an office.

Here are the key differences between Wire and Session:

  • Architecture: Wire uses a centralized architecture.
  • Identity: Wire requires an email address or phone number for registration.
  • Protocol & Metadata: Wire collects more metadata than Signal.

Wire has been independently reviewed and has put more effort into working with businesses. This could affect how they support and develop their free personal service in the future.

Auditing and Vulnerabilities

Session underwent a security audit by Quarkslab in 2021, covering its Android, iOS, and Desktop clients. The audit was completed in April 2021, during Session's transition from the Signal Protocol fork to the Session Protocol.

The overall assessment was positive, deeming the security level "good" and suitable for privacy-concerned users. However, the audit did uncover some vulnerabilities, including one severe issue on Android related to TLS verification when fetching the node list.

Several lower-severity issues were also found, such as potential information leaks and usability/security trade-offs. The non-standard 128-bit key generation was noted, but classified as low risk due to the lack of a practical exploit path.

A security researcher later published claims regarding vulnerabilities stemming from the 128-bit key generation and potential batch attacks. Session publicly refuted these claims, providing analysis arguing that practical attacks remain infeasible and that the researcher's proof-of-concept code contained flaws.

Despite the 2021 Quarkslab audit providing valuable assurance, it's essential to keep doing regular security checks due to significant developments like the full rollout of the Session Protocol, Groups v2 implementation, and the upcoming Session Network/Token migration.

Discover more: Firefox for Android

Audits and Vulnerabilities

Credit: youtube.com, What is a Cyber Security Audit and why it’s important

Audits and Vulnerabilities are crucial for verifying the security claims of complex cryptographic applications. Independent security audits are essential for identifying vulnerabilities and ensuring the security of these applications.

A notable example is the Quarkslab Audit conducted in 2021, which covered Session's Android, iOS, and Desktop clients. The audit occurred during Session's transition from the Signal Protocol fork to the Session Protocol.

The overall assessment was positive, deeming the security level "good" and suitable for privacy-concerned users. Key findings included one severe vulnerability on Android related to TLS verification when fetching the node list.

This vulnerability potentially allowed malicious CA attacks, which was promptly fixed by Session. Several lower-severity issues related to potential information leaks and usability/security trade-offs were also identified.

The non-standard 128-bit key generation was noted but classified as low risk due to the lack of a practical exploit path. Post-audit claims regarding vulnerabilities stemming from the 128-bit key generation and potential batch attacks were made by a security researcher.

Session publicly refuted these claims, providing analysis arguing that practical attacks remain infeasible and that the researcher's proof-of-concept code contained flaws. Regular security checks are necessary due to significant developments since the 2021 Quarkslab audit.

Analysis: Illicit Actors Use

3D Printer Bed Top View Technology Workspace
Credit: pexels.com, 3D Printer Bed Top View Technology Workspace

Illicit actors use Session for its strong privacy and security features, making it harder for authorities to track them down. One big reason people like this is that you don’t need to give a phone number or email when you sign up, which makes it harder for the police to track them down.

The distributed network architecture of Session makes it significantly harder for authorities to shut down the service entirely or block access compared to centralized platforms. This is because the service is decentralized, which means it's harder to shut down.

The onion routing mechanism of Session effectively hides users’ real IP addresses, making tracking and location identification difficult. This is similar to how some online services use virtual private networks (VPNs) to hide their IP addresses.

End-to-end encryption provides a secure communication channel, protecting the content of illicit discussions from eavesdropping. This is an important feature for those who want to keep their conversations private.

Recommended read: Saas Windows Azure

Two women engage in a written psychotherapy session in a stylish office space.
Credit: pexels.com, Two women engage in a written psychotherapy session in a stylish office space.

Here are some key features that make Session appealing to illicit actors:

  • Anonymity: No phone number or email required for sign-up.
  • Decentralization and Censorship Resistance: Distributed network architecture.
  • IP Address Obfuscation: Onion routing mechanism.
  • End-to-End Encryption: Secure communication channel.

However, Session isn’t as popular in the underworld compared to Telegram, suggesting that other factors contribute to its adoption among illicit actors. These factors may include ease of use, available features, and reliability.

Comparison and Analysis

Session stands out from other secure messaging apps like Signal, Wire, Threema, and Telegram, each with its own balance of security, privacy, ease of use, and features.

To really understand what makes Session unique, it's helpful to look at the differentiating factors between Session and its competitors. The table in the article highlights key differences, making it easier to compare and analyze each app.

Session's approach to security and privacy is notable, with a focus on end-to-end encryption and a zero-knowledge proof system. This means that only the sender and receiver can access the message content, ensuring maximum security.

The ease of use factor is also an important consideration, with Session aiming to provide a seamless user experience. In comparison, some other apps like Telegram have a more complex interface, which can be overwhelming for new users.

Broaden your view: Webcam Security Software

Woman in focus working on software development remotely on laptop indoors.
Credit: pexels.com, Woman in focus working on software development remotely on laptop indoors.

Session's feature set is also more limited compared to some other apps, which can be a pro or con depending on individual needs. For example, some users may appreciate the simplicity of Session, while others may find the lack of features limiting.

Ultimately, the choice between Session and other secure messaging apps depends on individual priorities and needs. By understanding the differentiating factors and features of each app, users can make an informed decision that suits their requirements.

For your interest: Phone Virus Cleaner Apps

User Experience and Issues

Session software can be a bit finicky, and users have reported issues with crashing and freezing.

One common problem is that Session doesn't always handle multiple tabs well, often leading to a crash.

However, users have found that closing unnecessary tabs can help prevent this issue.

Some users have also experienced issues with Session's search function, which can be slow or unresponsive at times.

User Experience and Known Issues

Session is a unique private messaging app that doesn't require personal data at signup, which is a game-changer in terms of user experience.

Credit: youtube.com, How to Identify UX Problems using Industry & Competitive Analyses | Free UX course (Lesson 10)

You can create a username and Session will generate a 64-character-long user ID or a QR code that you can share with friends to start chatting. Just scan their QR codes or enter their user IDs to get started.

Session doesn't request access to your device's contact list, which is great for those who value their privacy. This means you can add friends without compromising your personal data.

The app gives you a recovery phrase for your account, which you should save somewhere safe. This way, you can recover your messages if you need to log out or uninstall the app.

Fast Mode gives you instant notifications, but they're routed through Google's servers, which might raise some concerns about data security. Slow Mode lets Session occasionally check for new messages while running in the background on your device or computer.

User Experience and Issues

Signing up for Session is a breeze, you simply create a username and Session generates a 64-character-long user ID or a QR code that you can share with friends to start chatting.

Therapist listening and comforting a man during a counseling session indoors, fostering empathy and understanding.
Credit: pexels.com, Therapist listening and comforting a man during a counseling session indoors, fostering empathy and understanding.

The app doesn't require access to your device's contact list, which is a huge plus for those who value their online privacy.

Session gives you a recovery phrase for your account, which you should save somewhere safe in case you need to log out or uninstall the app.

Group chats on Session are end-to-end encrypted and support up to 100 participants, making it a great option for private conversations.

The group chat window is identical to the conversation window, so you won't have to learn a new interface.

You can add people to a group chat by tapping Create a Group in the app menu and clicking on the Contacts you wish to add.

However, if you want to interact with a larger group and possibly strangers, you'll need to join a Community, which is a self-hosted chat method that stores messages on someone's server.

This means that messages are only encrypted in transit to the server, making it less private than other chat methods on the app.

You can find active Community channels by having the Community's URL or QR code, but there's no easy way to browse for them within the app.

Secure Messaging Landscape

Credit: youtube.com, Secure Messaging

In the secure messaging landscape, Session Private Messenger stands out for its strong focus on keeping user identities anonymous and minimizing data collection. It achieves this by giving users Session IDs instead of phone numbers or emails.

Session's decentralized network and onion routing to hide IP addresses offer solid protection against surveillance and linking identities, which is a big plus for many users. However, it does come with some downsides.

One key issue is that Session sacrifices Perfect Forward Secrecy (PFS) and strong cryptographic deniability, making it vulnerable if someone cracks its long-term keys. This means users may be at risk of having past messages read.

The developers argue that they made this choice to keep things simple and decentralized, but it does leave users at some risk. This trade-off is something users should consider before using Session.

In fact, the article suggests that users whose primary threat is pervasive metadata surveillance, censorship, or the need for strong anonymity detached from real-world identifiers may find Session suitable. These users must be willing to tolerate potential reliability issues and understand the implications of the lack of PFS.

Credit: youtube.com, Signal vs. Session: Which Secure Messenger is Best?

For users who prioritize proven cryptographic standards like PFS or require maximum reliability and usability for general communication, alternatives like Signal or Threema may be better choices.

Here's a summary of the pros and cons of Session for different types of users:

  • Users whose primary threat is pervasive metadata surveillance, censorship, or the need for strong anonymity detached from real-world identifiers: Session may be suitable.
  • Users who prioritize proven cryptographic standards like PFS, or require maximum reliability and usability for general communication: Alternatives like Signal or Threema may be better choices.

Target Audience and Use

Session is designed for individuals who value their privacy and want to minimize their digital footprint.

Session is particularly useful for people who want to stay anonymous and avoid being watched.

Privacy-conscious individuals will appreciate Session's features, which allow them to communicate securely without revealing their phone numbers or generating traceable metadata.

Journalists use Session to communicate with sources without putting their anonymity at risk, especially in repressive regimes or when dealing with sensitive information.

Activists and human rights defenders rely on Session's anonymity and censorship resistance to organize and coordinate actions without being surveilled by state or non-state actors.

Whistleblowers also use Session to communicate anonymously and expose illegal or unethical activities without risking identification and retaliation.

Intriguing read: How to Use Dropbox Paper

Couple in a counseling session with a therapist in a modern and cozy setting.
Credit: pexels.com, Couple in a counseling session with a therapist in a modern and cozy setting.

Politicians and individuals with sensitive communications use Session for its end-to-end encryption and metadata protection features.

Here are some of the main groups that benefit from Session's features:

  • Privacy-Conscious Individuals
  • Journalists
  • Activists and Human Rights Defenders
  • Whistleblowers
  • Politicians and Sensitive Communications

Getting precise user details for Session is tough because it prioritizes privacy, but it's estimated that many users care about their online security and anonymity.

Development and Specs

Session's development began in 2018 under the Australia-based Oxen Privacy Tech Foundation, with the goal of creating a decentralized and highly secure messaging app.

The team behind Session started by forking another messenger, Signal, but soon deviated from it to create their own protocol, called "Session Protocol", which prioritized increased anonymity and decentralization.

In 2024, the Session Technology Foundation was established in Switzerland to take over the development and publication of the application, likely due to increasingly restrictive privacy and surveillance legislation in Australia.

Session supports a wide range of client software, including Android, iOS, Linux, macOS, and Windows.

Here are some key specs to keep in mind:

Development

Credit: youtube.com, Spec-Driven Development in the Real World

Development of Session began in 2018 under the Australia-based Oxen Privacy Tech Foundation. The project started as a fork of another messenger, Signal, aiming to build upon its foundation.

However, concerns about the centralized structure of Signal Protocol and potential metadata collection led the team to deviate and create their own protocol, called "Session Protocol". This approach prioritized increased anonymity and decentralization.

The team encountered various challenges, leading to the necessity of abandoning or modifying many features. In 2024, facing increasingly restrictive privacy and surveillance legislation in Australia, the Session Technology Foundation was established in Switzerland to take over the development and publication of the application.

The team's decision to create their own protocol, Session Protocol, was a significant departure from the original plan. This move prioritized user anonymity and decentralization, setting Session apart from other messaging apps.

A unique perspective: Best Software for Web Development

Specs

Session is a decentralized, highly secure, open-source messaging app that offers end-to-end encryption for all messages by default.

It supports a wide range of client software, including Android, iOS, Linux, macOS, and Windows.

Here are the details of the supported client software:

This makes it easy to use Session on any device you prefer.

Limitations

Two professionals collaborating on software development in a modern indoor setting.
Credit: pexels.com, Two professionals collaborating on software development in a modern indoor setting.

Session (software) has some limitations that are worth noting. One of the main limitations is the lack of support for two-factor authentication, which is a standard security feature to protect accounts against unauthorized access.

This means that if you're using Session, you'll need to rely on other security measures to protect your account. Two-factor authentication would add an extra layer of security by requiring a second form of verification, such as a code sent to your phone.

Another limitation is that Session's underlying protocols are still in a developmental phase. This can make it less secure than other communication apps that have more established protocols.

Here are some of the key limitations of Session (software):

  • Lack of support for two-factor authentication
  • Underlying protocols are still in a developmental phase

These limitations are worth considering if you're thinking about using Session for secure communication.

Private Messaging and Calls

Private messaging on Session is all about keeping things private and secure. You can't discover new people to chat with like on Telegram or find new friends like on WhatsApp, but that's kind of the point - it's for chatting without leaving a digital trail behind.

Credit: youtube.com, Session Private Messenger - Really Understands Privacy!

Session uses a decentralized network and a unique onion routing method to keep users and their messages private. This means your identity and messages are protected, but it also means you can't use it to cultivate an audience or find new friends.

To add contacts, you need to know their user ID or scan their QR code when they're physically nearby. This helps keep things private, but it also means you'll likely only use Session to talk to people you know and trust.

You can opt into voice and video calls, but keep in mind that your IP address will be visible to the person you're calling and a Session server. This isn't an anonymous mode of communication, so be aware of that.

The audio and video quality for both iOS and Android apps is clear, but group calling is not currently an option.

On a similar theme: Google Keep

Private Messaging

Private messaging is all about keeping your conversations private and secure. Session is a great option for this, as it uses a decentralized network and onion routing to keep users and their messages private.

Take a look at this: DuckDuckGo Private Browser

Credit: youtube.com, The MOST PRIVATE Messaging Apps

To add someone to your contact list, you'll need to know their user ID or scan their QR code when you're physically nearby. This means you'll likely only use Session to talk to people you know and trust.

Session's Conversations feature allows you to chat one-on-one with E2EE (end-to-end encryption) private messages. You can even add reaction GIFs or your own media files to the chat window.

One of the features I like about Session is that the first time a new chat partner sends you a file attachment, GIF, or photo, you have to consent to accept it by tapping on the file in the chat window. This adds an extra layer of security and control.

You can enable disappearing messages with a wide range of durations, which is helpful for keeping your conversations private. Android users also get in-app alerts if a chat partner takes a screenshot of the conversation window.

However, it's worth noting that messages can sometimes take a long time to get to the other party, and media files often load slowly. This is a small price to pay for ultra-private, secure, decentralized end-to-end encryption.

Here are some key features of Session's private messaging:

  • Decentralized network for sending messages
  • Onion routing to hide IP addresses
  • E2EE private messages
  • Disappearing messages with customizable durations
  • Android users receive in-app alerts for screenshot detection

Calls

Credit: youtube.com, Zangi Private Messenger / incoming & outgoing calls / from Android version

Calls are an essential feature of Session, allowing you to connect with friends and family in a private and secure way.

To start a voice or video call, you can opt into calling via the Privacy menu. This will inform you that your IP address will be visible to the person you're calling and a Session server, so it's not an anonymous mode of communication.

The audio and video quality for both the iOS and Android apps was clear. I've tried making calls on both platforms and can confirm that the quality is excellent.

Group calling is not currently an option for Session users. You can only make one-on-one calls, which is still a great way to connect with others.

To start a call, simply open a conversation with a contact and press the phone icon.

You might enjoy: Microsoft Start

Other Secure Messaging Apps

If you're looking for more secure messaging options, there's Signal and Wire, which both offer end-to-end encryption and secure communication.

Signal is particularly notable for its ease of use and strong focus on user security, with features like disappearing messages and group chats.

Wire, on the other hand, offers more of a traditional messaging experience, with features like file sharing and screen sharing.

Readers also liked: Signal (software)

Signal

Credit: youtube.com, Why I Trust Signal: My Go-To for Secure Messaging

Signal is a popular secure messaging app that's been around for a while. It's known for its reliability and ease of use.

Signal relies on central servers, which makes it easier to build and use, but also means there's a potential spot for data collection. This also makes it easier for governments or ISPs to block the app.

Signal has a strong focus on security, keeping features like PFS (Perfect Forward Secrecy) and cryptographic deniability to protect against key compromise. This gives you better protection against your messages being exposed.

One thing to note is that Signal requires you to register with a phone number, which can be a drawback for those who value complete anonymity. On the other hand, this makes it easier to find contacts and share IDs.

Here's a quick comparison of Signal with other secure messaging apps:

Telegram

Telegram is a popular messaging app, but it has some unique quirks when it comes to privacy and security.

Credit: youtube.com, I Reviewed Every Private Messenger in ONE VIDEO!

To use Telegram, you need a phone number, which can be a bit of a concern for those who value their anonymity.

Telegram doesn't automatically use end-to-end encryption (E2EE) for regular chats; it's only available for 'Secret Chats' and voice calls.

This means that Telegram can see your messages, even if they're encrypted between the client and server.

Here are some key differences between Telegram and other secure messaging apps:

  • Telegram uses centralized servers and closed-source server-side code, while Session is decentralized with open-source clients.
  • Telegram collects significant metadata, especially for non-secret chats, and uses its custom MTProto protocol, which has faced scrutiny.
  • Telegram is heavily utilized by cybercriminals due to its features and large user base.

Frequently Asked Questions

Is Session safe from police?

Session's encrypted group chats and user anonymity features make it difficult for third-parties, including law enforcement, to target and identify individual users

Can you be tracked using Session?

No, you cannot be tracked using Session, as it doesn't collect personal data like geolocation, device info, or usage statistics. Your online presence is kept private and anonymous.

Jennie Bechtelar

Senior Writer

Jennie Bechtelar is a seasoned writer with a passion for crafting informative and engaging content. With a keen eye for detail and a knack for distilling complex concepts into accessible language, Jennie has established herself as a go-to expert in the fields of important and industry-specific topics. Her writing portfolio showcases a depth of knowledge and expertise in standards and best practices, with a focus on helping readers navigate the intricacies of their chosen fields.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.