X's End-to-End Encryption: Should You Trust It?

September 5, 2025

XChat: Concerns Regarding New Encryption Feature

Formerly known as Twitter, X has begun the rollout of a new, end-to-end encrypted messaging service designated “Chat,” or “XChat.”

End-to-End Encryption Claims and Expert Scrutiny

The company asserts that this new communication method provides end-to-end encryption, ensuring that only the message sender and recipient can read exchanged messages. This implies that no one else, including X itself, can access them.

However, cryptography specialists are issuing cautions, stating that the present implementation of encryption within XChat lacks trustworthiness. They contend that it falls short of the security standards set by Signal, a platform widely recognized for its advanced end-to-end encrypted chat technology.

Key Storage and Potential Vulnerabilities

Upon initiating setup, XChat prompts users to establish a four-digit PIN. This PIN is then utilized to encrypt the user’s private key, which is subsequently stored on X’s servers.

The private key is a crucial cryptographic element, enabling the decryption of messages. It functions in conjunction with a public key, used by senders to encrypt messages intended for the recipient.

This key storage method represents a significant concern. Unlike Signal, which stores a user’s private key locally on their device, XChat retains it on its servers.

Hardware Security Modules (HSMs) and Trust

Security researcher Matthew Garrett, in a June blog post, highlighted the importance of using Hardware Security Modules (HSMs) for key storage. Without HSMs, the potential exists for the company to compromise the keys, potentially decrypting messages.

HSMs are specialized servers designed to enhance data security and limit access even by the owning company.

While an X engineer indicated the use of HSMs, no concrete evidence has been provided. Garrett emphasized that, without verification, the situation relies on trust alone.

Admitted Risks: Adversary-in-the-Middle Attacks

X acknowledges on its XChat support page that the current implementation is susceptible to compromise by a malicious insider or even X itself, potentially enabling “adversary-in-the-middle” (AITM) attacks.

Such an attack undermines the fundamental purpose of end-to-end encrypted messaging.

Garrett further explained that X provides the public key during communication. This creates a vulnerability: the company could substitute a new key and execute an AITM attack, even if everything else is implemented properly.
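The key substitution Garrett describes becomes detectable when both users compare, over a separate channel, a fingerprint of the keys they were actually served, which is the idea behind Signal's safety numbers. The sketch below is an added example, not code from X, Signal or the original article; the Directory class, the fingerprint format and the byte strings standing in for public keys are assumptions made for illustration.

```python
import hashlib

def fingerprint(own_pub: bytes, peer_pub: bytes) -> str:
    """Order-independent digest of both public keys, shown as 6 groups of 5 digits."""
    # Sort so both users derive the same string; length-prefix each key so the
    # concatenation cannot be split in two different ways.
    data = b"".join(len(k).to_bytes(2, "big") + k for k in sorted((own_pub, peer_pub)))
    digest = hashlib.sha256(b"example-fingerprint-v1" + data).digest()
    groups = (int.from_bytes(digest[i:i + 4], "big") % 100_000 for i in range(0, 24, 4))
    return " ".join(f"{g:05d}" for g in groups)

class Directory:
    """Hypothetical stand-in for the service that hands out users' public keys."""
    def __init__(self):
        self.keys = {}        # user -> published public key
        self.overrides = {}   # (requester, target) -> key served instead

    def lookup(self, requester: str, target: str) -> bytes:
        return self.overrides.get((requester, target), self.keys[target])

def views(directory, alice_pub: bytes, bob_pub: bytes):
    """What each user computes from their own key plus the key they were served."""
    return (fingerprint(alice_pub, directory.lookup("alice", "bob")),
            fingerprint(bob_pub, directory.lookup("bob", "alice")))

def demo():
    # Constructed 32-byte values standing in for real public keys.
    alice_pub, bob_pub, other_pub = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32

    honest = Directory()
    honest.keys = {"alice": alice_pub, "bob": bob_pub}

    swapping = Directory()
    swapping.keys = dict(honest.keys)
    # The directory answers both lookups with a key neither user generated.
    swapping.overrides = {("alice", "bob"): other_pub, ("bob", "alice"): other_pub}

    return views(honest, alice_pub, bob_pub), views(swapping, alice_pub, bob_pub)

if __name__ == "__main__":
    for label, (a, b) in zip(("honest", "substituted"), demo()):
        print(f"{label:12} alice: {a}\n{'':12} bob:   {b}\n{'':12} match: {a == b}")
```

The comparison only helps if the two fingerprints are exchanged over a channel the key directory does not control, such as in person.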

Lack of Open Source Transparency

Currently, XChat’s implementation is not open source, contrasting with Signal’s openly documented code. X intends to release a technical whitepaper and open-source its implementation later this year.

Absence of Perfect Forward Secrecy

XChat does not currently offer “perfect forward secrecy,” a security measure where each message is encrypted with a unique key. With forward secrecy, if a user’s private key is compromised, only the latest message is vulnerable, not the entire message history.

The company has openly admitted this limitation.

Expert Consensus: Caution Advised

Consequently, Garrett advises against trusting XChat at this stage. He stated that, even assuming full trustworthiness, the X implementation is technically inferior to Signal.

He also pointed out that compromised trust, either through malicious intent or incompetence during implementation, could render the system entirely insecure.

Matthew Green, a cryptography expert from Johns Hopkins University, shares these concerns, recommending against trusting XChat more than existing unencrypted Direct Messages until a thorough audit is conducted by a reputable source.

Lack of Response from X

Requests for comment sent to X’s press email address have not received a response.
