According to Neowin, the Session Technology Foundation has proposed a major upgrade called Session Protocol V2, based on user and security community feedback. The three core improvements are perfect forward secrecy for messages, post-quantum cryptography to guard against future quantum computing attacks, and enhanced linked device management. The foundation decided against perfect forward secrecy in the current protocol for simplicity, a move that previously raised privacy concerns. A detailed specification for the new protocol is scheduled for release in 2026 for community review. The organization notes that none of the attacks these features guard against are currently practical, and no evidence of such attacks on its network exists.
Why This Upgrade Matters Now
Here’s the thing: Session is playing a long game, and that’s smart. The current lack of perfect forward secrecy (PFS) has always been a bit of a sore point for a messenger that bills itself as ultra-secure. Their original reasoning—keeping things simple and decentralized—made some sense, but it left a theoretical door open. If your long-term key was ever nabbed, *all* your past messages could be decrypted. With PFS, that risk evaporates. Each message gets its own temporary key. It’s a fundamental shift from protecting a vault to protecting each individual letter inside it.
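To make the vault-versus-letters difference concrete, here is an added illustration. It is not Session's code and not the V2 design, whose specification has not been published: it is a generic hash ratchet, with a toy standard-library cipher and constructed keys and messages, compared against a single static key.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step: HMAC-SHA256 keyed with `key` over a fixed label."""
    return hmac.new(key, label, hashlib.sha256).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption for the demo (messages up to 32 bytes)."""
    stream = kdf(key, b"stream")
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + kdf(kdf(key, b"mac"), body)          # ciphertext || 32-byte tag

def open_(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not match the tag."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(kdf(key, b"mac"), body)):
        return None
    return bytes(c ^ s for c, s in zip(body, kdf(key, b"stream")))

def send_static(long_term_key: bytes, messages):
    """No forward secrecy: every message is sealed under the same key."""
    return [seal(long_term_key, m) for m in messages]

def send_ratcheted(chain_key: bytes, messages):
    """Forward secrecy: a fresh key per message, then the chain key is replaced."""
    blobs = []
    for m in messages:
        blobs.append(seal(kdf(chain_key, b"message"), m))
        chain_key = kdf(chain_key, b"chain")           # old state is overwritten
    return blobs, chain_key                            # what the device still holds

def attacker_reads(stolen_key: bytes, blobs, ratcheted: bool):
    """Plaintexts recoverable with the key found on a device seized afterwards."""
    keys = [stolen_key]
    if ratcheted:                                      # attacker can only step forward
        keys.append(kdf(stolen_key, b"message"))
    return [p for b in blobs for k in keys if (p := open_(k, b)) is not None]

# Constructed sample data, not real keys or traffic.
KEY = bytes(range(32))
SAMPLE = [b"meet at noon", b"bring the files", b"delete this chat"]

if __name__ == "__main__":
    print("static key stolen:   ", attacker_reads(KEY, send_static(KEY, SAMPLE), False))
    blobs, state = send_ratcheted(KEY, SAMPLE)
    print("ratchet state stolen:", attacker_reads(state, blobs, True))
```

The ratchet only protects past messages if the old chain keys are really erased from the device; real protocols typically also mix in fresh key-exchange material, which this sketch leaves out.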
The Quantum Question
The post-quantum cryptography (PQC) move is arguably even more forward-thinking. We’re talking about defending against “harvest now, decrypt later” attacks, where an adversary scoops up encrypted data today hoping to crack it with a powerful quantum computer tomorrow. Is that a real threat right now? No. But by the mid-2030s, experts think it could be. So, Session is essentially building a new fence today for a wolf that might show up in a decade. It won’t help with messages already harvested, but for future comms, it’s a critical layer of future-proofing. The fact they’re baking this in now shows they’re serious about long-term privacy, not just marketing buzzwords.
Devices and The Real-World Risk
For most users, the improved linked device management might be the most tangible upgrade. The current system’s weakness is a classic single point of failure: if one linked device is compromised, an attacker can silently add more devices to your account. That’s a nightmare scenario for control. The new per-device key system should slam that door shut, giving users much finer control and awareness. It addresses a very practical, non-theoretical attack vector. Basically, it makes the system more resilient against the kind of targeted, personal security breaches that are far more likely than a quantum attack.
The Long Road Ahead
Now, don’t go checking for an update just yet. The 2026 timeline for a detailed spec means we’re in for a wait. And that’s actually good. A rushed crypto protocol is a dangerous one. This multi-year design and review process, open to the community, is how you build something truly robust. Session is wisely tempering excitement by noting these aren’t fixes for active exploits. But that’s the point of good security, right? You patch the roof before it rains. This upgrade seems less about fighting today’s fires and more about building a fortress that can withstand tomorrow’s storms. If they pull it off, it’ll be a significant leap for what’s already a niche but highly regarded privacy tool. You can read their official proposal on the Session blog.
