Hacker News new | ask | show | jobs
by gojomo 2270 days ago
There's an interesting fork of Signal, called 'Session', that aims to remedy many of the flaws in Signal's infrastructure/strategic choices. It's young - needing a lot more analysis & track record before earning serious credibility – but you can check it out at: https://getsession.org/

Some of its Signal-contrasting goals include:

* no phone numbers needed

* onion-routed messages

* multi-device sync

* no central point of failure

I also don't see anything in Session's materials that they're placing Intel™ SGX™ at key points in mandatory introduction/contact-uploading/cloud-backup steps – as Signal likes to do.
3 comments
Gaelan 2270 days ago
I mean, SGX is strictly an improvement over the same protocol without SGX.
link
gojomo 2270 days ago
If the protocol were designed to require an SGX-like component, sure, leaving it out would be fatal. But not improved over alternative design choices!
link
fmjrey 2270 days ago
> Intel™ SGX™

What difference does this make (genuine question)?

link
gojomo 2270 days ago
Many people don't trust Intel & the SGX technology.

Intel controls the initial attestation keys – so you're dependent on their goodwill. Much of the world will view Intel as being as cheerfully compliant with US government requests, including undisclosed & arguably-illegal requests. (That's just like how some in the US view Huawei as being compliant in undisclosed ways with the Chinese government's requests.)

Sophisticated, high-budget/state-supported attackers may be able to compromise SGX units, via physical analysis/disassembly/reassembly. (This might happen before a unit is placed in service, or just show up to the outside as a temporary service outage.) So any secrecy/security features provided by their qualities could be a false promise.

Numerous flaws have been discovered, and more are likely to be discovered, in SGX. Try: https://www.google.com/search?q=SGX+flaws

Some security experts deeply distrust both SGX specifically, and the general idea that such a piece of hardware could provide the touted benefits against sufficiently-sophisticated attackers.

link
senectus1 2270 days ago
how did i not know about this!?

This is awesome.. Looks like its Australian as well.. even better!

link
gojomo 2270 days ago
I have mixed feelings about that aspect - as the Australian government has often seemed more encryption-hostile than other countries, almost to the extent that it might be rehearsing limits that other countries would like to impose later.

But it does seem the Loki Foundation & Session project are attempting to engineer-around surveillance threats from local jurisdictions.

link