For reference: that's a major antivirus vendor. And there is a very obvious correct way to do this. In fact, I think it's the first time I've seen somebody mess this up.
I started looking into #XMPP clients with end-to-end-encryption support. First one was #Gajim, with its "charming" 90s messenger style. Encryption isn't the default here, however; no progress on the corresponding issue. https://dev.gajim.org/gajim/gajim-plugins/-/issues/319
A lengthy and very detailed blog post by Matthew Green on why #Signal PINs are problematic: https://blog.cryptographyengineering.com/2020/07/10/a-few-thoughts-about-signals-secure-value-recovery/
Note that with a central server instance one has many of the same concerns - but compromising a server is a bigger hurdle than running a bunch of OpenDHT nodes, and there is also a higher chance that some irregularities will be noticed.
That's the issue I see here: end-to-end encryption is great, but a setup where any party can start collecting metadata fairly easily probably isn't too privacy-friendly. And the issue is known of course, so devs recommend using a VPN or Tor.
I'm not sure what percentage of user IDs you will see passing by. Another concern, however, is that the majority of the OpenDHT traffic appears to be originating at OVH-hosted nodes, not actual users. These should be able to associate your user ID and IP address.
And - yes, Loki Network is not the same as Session. But they are both developed by the same startup and the former is the foundation of the latter. And if that startup "tolerates" people with racist and sexist views, we know the toxic swamps that result from that.
Yet somehow his "dark humor" universally unloads on non-white people and women (never mind "Communists", seems to be a popular obsession in the US). And some anonymous pitched his newly developed Loki Network on 8chan, collecting some applause for creative protocol naming.
And now Jeff's crowd discovered my Mastodon account. So they predictably defend him as merely "shitposting" and having a "dark humor." And either way, Jeff never pitched Loki Network to 8chan. And even if he did, what does that have to do with Session? Yeah, sure...
I looked up Jeff's online presences. On Twitter he says "no fun allowed" but on his Pleroma instance he openly posts and links to racist and sexist content. He seems to be tightly embedded in the alt-right scene. So - yes, it all checks out.
Later 8chan was deplatformed and came back on Loki Network. The article calls it "inadvertent help" but it appears to be everything but that. The CEO is cited with the words "some Loki staff may have advised 8kun administrators 'to a limited extent'."
This German-language video shows Loki Network's main developer (Jeff/majestrate) pitching his baby on 8chan and being celebrated by the alt-right for it (at 27:46). For reference, Loki Network is the foundation of Session and developed by the same startup. https://media.ccc.de/v/36c3-10639-let_s_play_infokrieg
Software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant