The anonymous and private messenger, Session, could be about to get a huge Session messenger security update. The Session Technology Foundation has now proposed Session Protocol V2, a major upgrade that boosts security and is based on the feedback it has received from users and the security community. The three major improvements are perfect forward secrecy messaging apps, post-quantum cryptography, and improved secure messaging linked devices management.
With perfect forward secrecy (PFS), messages sent on Session will be protected, even if your long-term key or device is compromised. When Session gets PFS, it will generate new session keys for new messages so that if one key gets compromised, your other messages stay secure.
The company decided not to support perfect forward secrecy in its current Session Protocol for the sake of simplicity and decentralization, but it raised concerns in the privacy community.
Another big item in the new protocol is post-quantum cryptography messaging. This helps to future-proof message security against "harvest now, decrypt later" (HNDL) attacks by quantum computers. As a bit of background, HNDL attacks are where an adversary vacuums up encrypted messages and keeps them until a time in the future when quantum computers are capable of decrypting them.
Quantum computing developments have been coming on in leaps and bounds recently, and by the mid-2030s, experts claim we could have useful quantum computers. While PQC won"t protect encrypted messages already collected, the feature will protect new messages.
Finally, the protocol will bring improved linked device management via the introduction of unique per-device keys that enhance device identification and control. In the current version of the protocol, a compromised device with access to the long-term key allows attackers to link new devices to the account without the user"s knowledge.
The new Session Protocol is still undergoing design. As the work becomes more mature, a more detailed specification will be released in 2026 for scrutiny by the community and security researchers.
While it will be good when Session gets this new protocol upgrade for user security, Session says that it is important to note that none of these attacks are currently practical. It also said that it has not seen any evidence of any such attacks on the Session network, but still understands the concerns people have raised.