Session (a fork of the Signal private messaging app) is sus

[Soatok Dreamseeker <soatok.dhole () gmail com>]

Full details here:
https://soatok.blog/2025/01/14/dont-use-session-signal-fork/

At a glance, what I found is the following:

   1. Session only uses 128 bits of entropy for Ed25519 keys. This means
   their ECDLP is at most 64 bits, which is pretty reasonably in the realm of
   possibility for nation state attackers to exploit.
   2. Session has an Ed25519 verification algorithm that verifies a
   signature for a message against a public key provided by the message. This
   is amateur hour.
   3. Session uses an X25519 public key as the symmetric key for AES-GCM as
   part of their encryption for onion routing.

Additional gripes about their source code were also included in the blog
post.

Happy hacking!
Soatok