Session and Perfect Forward Secrecy

So I consider E2EE and Perfect Forward Secrecy (PFS) to be equally important. This makes me wonder about Session and its supposed removal of PFS.

Why did Session remove PFS and what does Session do to compensate it so that it still remains highly respected among the privacy community? And if what Session does is an alternative to PFS, how does it compare to actual PFS in practice?

Side Thought: I really don’t know why iMessage is commonly thought to somehow be “better” than WhatsApp. IMO they seem to be equal parity, albeit iMessage is much more autocratic. Not sure if WhatsApp has PFS, but it appears iMessage lacks PFS, indicated by me asking about PFS in iMessage at an Apple Store and every employee was confused.

Today I learned what Perfect Forward Security is and without it does seem kind of weird for Session to not have that if it’s kind of common place.

I found this blog post from Session explaining their decision and how their Session protocol mitigates those concerns. The details go over my head, but at least they are acknowledging that the absence of PFS should be addressed. It seems that the main argument for why they’re going with their own protocol is to be able to provide decentralization.

I think the reason iMessage is viewed as better than WhatsApp by some (not me per se) is because Apple overall is better at privacy and security than Meta. Insert threat model caveat here. WhatsApp and iMessage work similarly from a user standpoint so I don’t think they’re too different.

Also, I don’t expect retail workers to be trained on what PFS is, so I’m not surprised that people in the Apple store couldn’t help you. :confused:

I am still trying to wrap my head around Session and its decentralized structure. It appears the swarms mechanism combined with its onion routing and decentralization does resemble forward secrecy. The temporary nature of the swarms of at least 5 nodes may make message and key-stealing much more difficult to pull off.

I look forward to see how this hyper-decentralization compares to the features Session took out. Meanwhile, it turns out WhatsApp ironically supports PFS and iMessage does not. Interesting detail to say the most. :expressionless:

Did you know? If you port your iMessage number from a carrier one to a VoIP one, you’ll get kicked out of iMessage phone-wise. Double brutal.