X, formerly Twitter, has begun rolling out a new encrypted messaging feature called “Chat” or “XChat.”
The company claims the new messaging feature is end-to-end encrypted, meaning the exchanged messages can be read only by the sender and the recipient, and in theory nobody else, including X, can access them.
However, encryption experts have warned that the current implementation of XChat's encryption should not be trusted. They say that as an end-to-end encrypted chat it is much worse than Signal, which is widely considered the state of the art.
In XChat, when a user clicks “Set Up Now”, X prompts them to create a 4-digit PIN. This PIN is used to encrypt the user's private key, which is stored on X's servers. The private key is essentially the secret key assigned to each user that decrypts messages sent to them. As in many end-to-end encrypted services, the private key is paired with a public key, which is what a sender uses to encrypt a message to the recipient.
This is XChat's first red flag. Signal stores the user's private key on the device, not on a server. How and where private keys are stored on X's servers also matters.
Security researcher Matthew Garrett, who published a blog post about XChat in June when X announced the service and began slowly rolling it out, wrote that if a company does not use a hardware security module, or HSM, to store the keys, it can tamper with them. HSMs are servers built specifically to make it harder for the company that owns them to access the data held inside.
An X engineer said in a June post that the company does use HSMs, but neither he nor the company has provided any evidence of that so far. “Until that's done, this is the territory of 'trust us, fellows',” Garrett told TechCrunch.
The second red flag, which X itself admits on its XChat support page, is that the current implementation of the service could allow “malicious insiders or X itself” to compromise encrypted conversations.
This is what is technically called an “adversary-in-the-middle,” or AITM, attack, and it would make the whole point of an end-to-end encrypted messaging platform moot.
Garrett explained the AITM risk, saying that X “gives a public key every time you communicate with them, so even if they implement this properly, you can't prove they haven't created a new key.”
Another red flag is that, at this point, none of XChat's implementation is open source, unlike Signal's, which is open and documented in great detail. X has said that it aims to “make implementations open source and provide a detailed explanation of encryption technology” through a technical whitepaper later this year.
Finally, X does not provide “perfect forward secrecy,” an encryption mechanism in which every new message is encrypted with a different key. This means that if an attacker compromises a user's private key, they can decrypt only the latest message, not all previous messages. The company itself acknowledges this drawback.
As a result, Garrett doesn't think XChat has earned users' trust yet.
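As an added illustration of the forward-secrecy property described above (this is not code from the article, from X or from Signal), the following Python model compares a single long-lived key with a Signal-style symmetric hash ratchet and reports which captured messages become readable once an endpoint's key material is stolen. The KDF, the sealing scheme and the message contents are constructed for the demonstration and are not production cryptography.

```python
import hashlib
import hmac
TAG_LEN = 16

def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as a key-derivation function: a fresh 32-byte key bound to `label`."""
    return hmac.new(key, label, hashlib.sha256).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    """XOR with an HMAC-derived keystream and append a truncated MAC tag.
    A key must protect exactly one message; the ratchet below guarantees that."""
    blocks = len(plaintext) // 32 + 1
    stream = b"".join(kdf(key, b"stream%d" % i) for i in range(blocks))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def open_(key: bytes, sealed: bytes):
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]):
        return None
    return seal(key, body)[:-TAG_LEN]  # same keystream, so XOR undoes itself

def ratchet_step(chain: bytes):
    """Symmetric hash ratchet: one key per message, then the chain key is replaced,
    so a stolen snapshot cannot be walked backwards to earlier messages."""
    return kdf(chain, b"message"), kdf(chain, b"chain")

def recoverable(ciphertexts, stolen_state: bytes, ratchet: bool):
    """Indices of captured messages an attacker can read from a stolen state snapshot.
    With the ratchet only keys *after* the snapshot can be derived."""
    keys, chain = [], stolen_state
    for _ in ciphertexts:
        msg_key, chain = ratchet_step(chain) if ratchet else (stolen_state, chain)
        keys.append(msg_key)
    return [i for i, ct in enumerate(ciphertexts)
            if any(open_(k, ct) is not None for k in keys)]

def demo(ratchet: bool, compromise_after: int = 3, total: int = 5):
    """Constructed scenario: `compromise_after` messages are sent, the endpoint's key state
    is stolen, then the remaining messages follow. Returns the indices the attacker reads."""
    seed = hashlib.sha256(b"constructed demo root key").digest()
    chain, captured, stolen = seed, [], None
    for i in range(total):
        if i == compromise_after:
            stolen = chain  # attacker copies whatever key material the endpoint holds now
        msg_key, chain = ratchet_step(chain) if ratchet else (seed, chain)
        captured.append(seal(msg_key, b"message %d" % i))
    return recoverable(captured, stolen, ratchet)
```

With the static key, `demo(False)` shows every captured message is readable; with the ratchet, `demo(True)` shows only the messages sent after the compromise are.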
“If everyone involved is completely reliable, X's implementation is technically worse than Signal's,” Garrett told TechCrunch. “And even if they were completely trusted at first, they could stop being trusted and compromise on trust in multiple ways… If they can't be trusted or are incompetent during the first implementation, it's impossible to demonstrate that there is absolutely no security.”
Garrett is not the only expert raising concerns. Matthew Green, a cryptography expert who teaches at Johns Hopkins University, agrees.
“At this point, I don't trust DMs at the moment, until I get a full audit from a reputable person,” Green told TechCrunch. (XChat is a separate feature that lives alongside X's legacy direct messages, at least for now.)
X did not respond to questions sent to its press email address.