The Washington Feed

    X is now offering me end-to-end encrypted chat — you probably shouldn’t trust it yet

    By admin, September 6, 2025


    X, formerly Twitter, has started rolling out its new encrypted messaging feature called “Chat” or “XChat.” 

    The company claims the new communication feature is end-to-end encrypted, meaning messages exchanged on it can only be read by the sender and their receiver, and — in theory — no one else, including X, can access them. 

    Cryptography experts, however, are warning that X’s current implementation of encryption in XChat should not be trusted. They’re saying it’s far worse than Signal, a technology widely considered the state of the art when it comes to end-to-end encrypted chat. 

    In XChat, once a user clicks on “Set up now,” X prompts them to create a four-digit PIN, which will be used to encrypt the user’s private key. This key is then stored on X’s servers. The private key is essentially a secret cryptographic key assigned to each user, serving the purpose of decrypting messages. As in many end-to-end encrypted services, a private key is paired with a public key, which is what a sender uses to encrypt messages to the receiver. 

    This is the first red flag for XChat. Signal stores a user’s private key on their device, not on its servers. How and where exactly the private keys are stored on the X servers is also important. 

    Matthew Garrett, a security researcher who published a blog post about XChat in June, when X announced the new service and slowly started rolling it out, wrote that if the company doesn’t use hardware security modules, or HSMs, to store the keys, then the company could tamper with the keys — brute-forcing them for example since they are only four digits — and potentially decrypt messages. HSMs are servers made specifically to make it harder for the company that owns them to access the data inside. 

    An X engineer said in a post in June that the company does use HSMs, but neither he nor the company has provided any proof so far. “Until that’s done, this is ‘trust us, bro’ territory,” Garrett told TechCrunch. 
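
To make the four-digit PIN concern concrete, here is an added example (not from the article, Garrett's post or X) of a private key wrapped under a PIN-derived key. The wrapping scheme, the PBKDF2 cost and the attempt-limited store standing in for an HSM are all assumptions made for illustration, since X has not published its design.

```python
import hashlib, hmac, os

ITERATIONS = 200  # assumed KDF cost, kept low for a quick demo; raising it scales work linearly

def derive(pin, salt):
    # 64 bytes: first 32 mask the key, last 32 authenticate the blob
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=64)

def wrap(private_key, pin):
    """Toy PIN wrap of a 32-byte key (constructed for illustration, not X's scheme)."""
    salt = os.urandom(16)
    k = derive(pin, salt)
    ct = bytes(a ^ b for a, b in zip(private_key, k[:32]))
    return {"salt": salt, "ct": ct, "tag": hmac.new(k[32:], ct, hashlib.sha256).digest()}

def unwrap(blob, pin):
    """Return the key if the PIN is right, else None."""
    k = derive(pin, blob["salt"])
    tag = hmac.new(k[32:], blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], k[:32]))

def exhaust_pins(blob):
    """With direct access to the blob there is no attempt limit: at most 10,000 tries."""
    for n in range(10_000):
        key = unwrap(blob, f"{n:04d}")
        if key is not None:
            return f"{n:04d}", key, n + 1
    return None

class AttemptLimitedStore:
    """Assumed model of an HSM-backed store: blob stays inside, wrong guesses are counted."""
    def __init__(self, blob, max_attempts=10):
        self._blob, self._left = blob, max_attempts

    def try_pin(self, pin):
        if self._left <= 0:
            raise PermissionError("locked: attempt limit reached")
        key = unwrap(self._blob, pin)
        if key is None:
            self._left -= 1
        return key

if __name__ == "__main__":
    secret = os.urandom(32)        # constructed stand-in for a user's private key
    blob = wrap(secret, "4821")    # constructed PIN
    pin, key, tries = exhaust_pins(blob)
    print(f"direct access: PIN {pin} after {tries} tries, key recovered: {key == secret}")
```

The KDF cost only multiplies the work by a constant; with a 10,000-value keyspace the protection has to come from whatever limits the number of guesses, which is why the unverified HSM claim matters.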

    The second red flag, which X admits on the XChat support page, is that the current implementation of the service could allow “a malicious insider or X itself” to compromise encrypted conversations.

    This is what is technically called an “adversary-in-the-middle,” or AITM attack. That makes the whole point of an end-to-end encrypted messaging platform moot. 

    Garrett said that X “gives you the public key whenever you communicate with them, so even if they’ve implemented this properly, you can’t prove they haven’t made up a new key” and performed an AITM attack. 
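
The check that would let users catch a substituted key is an out-of-band comparison of key fingerprints, shown here as an added example that is not from the article, X or Signal. The fingerprint construction is a simplified stand-in rather than Signal's safety-number algorithm, and the class names and random 32-byte "public keys" are constructed for the demonstration.

```python
import hashlib, os

def safety_number(pub_a, pub_b):
    """Order-independent digest of both public keys, rendered as six 5-digit groups."""
    h = hashlib.sha256()
    for pub in sorted((pub_a, pub_b)):
        h.update(len(pub).to_bytes(2, "big") + pub)   # length prefix avoids ambiguity
    d = h.digest()
    return " ".join(f"{int.from_bytes(d[i:i + 4], 'big') % 100_000:05d}" for i in range(0, 24, 4))

class KeyDirectory:
    """Stand-in for a server-run key directory; `overrides` models substituted answers."""
    def __init__(self):
        self.published, self.overrides = {}, {}

    def lookup(self, asker, user):
        return self.overrides.get((asker, user), self.published[user])

class Client:
    def __init__(self, name, directory):
        self.name, self.directory = name, directory
        self.pub = os.urandom(32)      # constructed stand-in for a real public key
        self.pins = {}                 # first key seen for each contact
        directory.published[name] = self.pub

    def number_with(self, peer):
        """Safety number from my own key and whatever key the server served me."""
        served = self.directory.lookup(self.name, peer)
        if self.pins.setdefault(peer, served) != served:
            raise ValueError(f"key for {peer} changed since first contact")
        return safety_number(self.pub, served)

def verified(a, b):
    """The out-of-band step: both users compare the numbers their own apps show."""
    return a.number_with(b.name) == b.number_with(a.name)

if __name__ == "__main__":
    d = KeyDirectory()
    alice, bob = Client("alice", d), Client("bob", d)
    print("honest directory, numbers match:", verified(alice, bob))
    carol, dave = Client("carol", d), Client("dave", d)
    d.overrides[("carol", "dave")] = os.urandom(32)   # substituted before first contact
    d.overrides[("dave", "carol")] = os.urandom(32)
    print("substituted keys, numbers match:", verified(carol, dave))
```

Pinning the first key seen only flags later changes; a key substituted before first contact is caught only by the comparison between the two users, which is the verification Garrett says XChat users cannot currently perform.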

    Another red flag is that none of XChat’s implementation, at this point, is open source, unlike Signal’s, which is openly documented in detail. X says it aims to “open source our implementation and describe the encryption technology in depth through a technical whitepaper later this year.”

    Finally, X doesn’t offer “perfect forward secrecy,” a cryptographic mechanism by which every new message is encrypted with a different key, which means that if an attacker compromises the user’s private key, they can only decrypt the last message, and not all the preceding ones. The company itself also admits this shortcoming. 

    As a result, Garrett doesn’t think XChat is at a point where users should trust it just yet. 

    “If everyone involved is fully trustworthy, the X implementation is technically worse than Signal,” Garrett told TechCrunch. “And even if they were fully trustworthy to start with, they could stop being trustworthy and compromise trust in multiple ways … If they were either untrustworthy or incompetent during initial implementation, it’s impossible to demonstrate that there’s any security at all.”

    Garrett isn’t the only expert raising concerns. Matthew Green, a cryptography expert who teaches at Johns Hopkins University, agrees. 

    “For the moment, until it gets a full audit by someone reputable, I would not trust this any more than I trust current unencrypted DMs,” Green told TechCrunch. (XChat is a separate feature that lives, at least for now, with the legacy Direct Messages.)

    X did not respond to several questions sent to its press email address.


