X, formerly Twitter, has started rolling out its new encrypted messaging feature called “Chat” or “XChat.” The company claims this new communication feature is end-to-end encrypted, meaning messages exchanged on it can only be read by the sender and the receiver. In theory, no one else, including X, can access them.
However, cryptography experts are warning that X’s current implementation of encryption in XChat should not be trusted. They are saying it is far worse than Signal, a technology widely considered the state of the art for end-to-end encrypted chat.
In XChat, once a user clicks on “Set up now,” X prompts them to create a four-digit PIN. This PIN is used to encrypt the user’s private key, which is then stored on X’s servers. The private key is a secret cryptographic key assigned to each user that serves the purpose of decrypting messages. In many end-to-end encrypted services, a private key is paired with a public key, which is what a sender uses to encrypt messages to the receiver.
This storage method is the first red flag for XChat. Signal stores a user’s private key on their device, not on its servers. How and where exactly the private keys are stored on the X servers is also important. Security researcher Matthew Garrett wrote that if the company doesn’t use hardware security modules, or HSMs, to store the keys, then the company could tamper with them. For example, they could brute-force the keys since they are only four digits and potentially decrypt messages. HSMs are servers made specifically to make it harder for the company that owns them to access the data inside. An X engineer said in a post in June that the company does use HSMs, but neither he nor the company has provided any proof so far. Garrett stated, “Until that’s done, this is ‘trust us, bro’ territory.”
The second red flag, which X admits on the XChat support page, is that the current implementation of the service could allow “a malicious insider or X itself” to compromise encrypted conversations. This is what is technically called an “adversary-in-the-middle,” or AITM attack. That makes the whole point of an end-to-end encrypted messaging platform moot. Garrett said that X “gives you the public key whenever you communicate with them, so even if they’ve implemented this properly, you can’t prove they haven’t made up a new key” and performed an AITM attack.
Another red flag is that none of XChat’s implementation is open source, unlike Signal’s, which is openly documented in detail. X says it aims to “open source our implementation and describe the encryption technology in depth through a technical whitepaper later this year.”
Finally, X does not offer “perfect forward secrecy.” This is a cryptographic mechanism by which every new message is encrypted with a different key. It means that if an attacker compromises the user’s private key, they can decrypt only the most recent message, not all the preceding ones. The company itself also admits this shortcoming.
As a result, Garrett does not think XChat is at a point where users should trust it just yet. He told TechCrunch, “If everyone involved is fully trustworthy, the X implementation is technically worse than Signal. And even if they were fully trustworthy to start with, they could stop being trustworthy and compromise trust in multiple ways. If they were either untrustworthy or incompetent during initial implementation, it’s impossible to demonstrate that there’s any security at all.”
Garrett is not the only expert raising concerns. Matthew Green, a cryptography expert who teaches at Johns Hopkins University, agrees. He stated, “For the moment, until it gets a full audit by someone reputable, I would not trust this any more than I trust current unencrypted DMs.” XChat is a separate feature that lives, at least for now, alongside the legacy Direct Messages.
X did not respond to several questions sent to its press email address.