X, formerly Twitter, has started rolling out its new encrypted messaging feature called “Chat” or “XChat.”
The company claims the new communication feature is end-to-end encrypted, meaning messages exchanged on it can only be read by the sender and their receiver, and — in theory — no one else, including X, can access them.
Cryptography experts, however, are warning that X’s current implementation of encryption in XChat should not be trusted. They’re saying it’s far worse than Signal, a technology widely considered the state of the art when it comes to end-to-end encrypted chat.
In XChat, once a user clicks on “Set up now,” X prompts them to create a four-digit PIN, which will be used to encrypt the user’s private key. This key is then stored on X’s servers. The private key is essentially a secret cryptographic key assigned to each user, serving the purpose of decrypting messages. As in many end-to-end encrypted services, a private key is paired with a public key, which is what a sender uses to encrypt messages to the receiver.
This is the first red flag for XChat. Signal stores a user’s private key on their device, not on its servers. How and where exactly the private keys are stored on the X servers is also important.
Matthew Garrett, a security researcher who published a blog post about XChat in June, when X announced the new service and slowly started rolling it out, wrote that if the company doesn’t use hardware security modules, or HSMs, to store the keys, then the company could tamper with the keys — brute-forcing them for example since they are only four digits — and potentially decrypt messages. HSMs are servers made specifically to make it harder for the company that owns them to access the data inside.
An X engineer said in a post in June that the company does use HSMs, but neither he nor the company has provided any proof so far. “Until that’s done, this is ‘trust us, bro’ territory,” Garrett told TechCrunch.
The second red flag, which X admits on the XChat support page, is that the current implementation of the service could allow “a malicious insider or X itself” to compromise encrypted conversations.
This is what is technically called an “adversary-in-the-middle,” or AITM attack. That makes the whole point of an end-to-end encrypted messaging platform moot.
Garrett said that X “gives you the public key whenever you communicate with them, so even if they’ve implemented this properly, you can’t prove they haven’t made up a new key” and performed an AITM attack.
Another red flag is that none of XChat’s implementation, at this point, is open source, unlike Signal’s, which is openly documented in detail. X says it aims to “open source our implementation and describe the encryption technology in depth through a technical whitepaper later this year.”
Finally, X doesn’t offer “perfect forward secrecy,” a cryptographic mechanism by which every new message is encrypted with a different key, which means that if an …