TL;dr of the article :
- They keep your private key on their servers.
- Their implementation allows for AITM attacks.
- It’s closed source.
- There’s no perfect forward secrecy.
This secret stays between you, me, and Elon.
I hope politicians use the hell out of it, so we can see what they really think when it gets (inevitably) hacked in a few weeks.
If you chat on Xitter you‘re chatting with mecha Hitler.
They are stupid, but not that stupid.
Never attribute to malice what can be attributed to incompetence.
I used to give the benefit of the doubt but when there are bad incentives in play and shit keeps happening… then perhaps that is naïve sometimes, unfortunately.
Do you mean bad incentives?
And sure, I don’t disagree, but these people are also not actually that smart. I would worry more about this getting hacked in a week way before Elon gets a chance to use it against anyone.
Thanks, I do.
is it different with signal, telegram, whatsapp?
They keep your private key on their servers.
Then it’s literally not even E2EE, lol
What is the “A” in “AITM”?
Apple
Adversary
Agencies
Anal
Administrator
It’s just MITM but with extra steps
Ah yes, Malcolm in the Middle is behind this all along.
Asshole
Aliens
Elon.
Anyone
This is the first time I heard of AITM, thought it was a new name for MITM:
Are you sure that site is trustworthy? It kinda reads like an LLM being told to explain the difference between two names for the same thing and basically rephrasing the same thing. I’d imagine it might just be a different name to get rid of a male-coded word.
offering me end-to-end encrypted chat
No one - not even X - can access or read your messages
This key is then stored on X’s servers
So…they’re just blatantly lying?
It’s encrypted with a 4 digit pin so they’ll have to spend at least 316.8809e-10 years on brute-forcing it.
That’s why my PIN is 5 digits: 12345
One. Two. Three. Four. Five?
That’s amazing. I’ve got the same combination on my luggage.
Suck. Suck. Suck. Suck!
No - did you even read the article? An x employee confirmed that they’re using the “special” servers to store the keys that mean that they cannot see them. The author then says that the employee confirming it doesn’t mean they do, because the author doesn’t want it to be true.
There are hardware for that called hardware security modules, but yeah I definitely wouldn’t trust Twitter’s implementation - especially because they probably just need the auth team to tell the HSM that the user logged in when they didn’t to get that key
A proper implementation would use multiple security measures and require a reset (delete) of certain private account data before the account access can be reset, otherwise the user’s password would be needed (for key derivation) or some other secret held by the user’s devices (in the TPM chip or equivalent)
So again, you think you know better than the employee simply because you want it to be done incorrectly.
I’ve run a cryptography forum for 10 years. I can tell snake oil from the real deal.
Musk’s Twitter doesn’t know how to do key distribution. The only major company using HSMs the way Musk intends to is Apple, and they have far more and much more experienced cryptographers than X does.
So again - you just don’t want it to be true, and you think the people that know more than you about it are lying.
You sound like an antivaxxer defending a crank
You sound like a conspiracy theorist defending wearing an aluminium foil hat.
“xchat” sounds like one of those porn chat rooms
Brain damaged people trust x again.
Shouldn’t trust it yet.
Or ever.
I do really like E2EE but why do I need it in everything?
If I want to talk to someone I would rather them message me on Signal or something that I trust more.
Yeah, way too many services have chats. I think it’s because every large platform wants to be an “everything app”. Messaging is a really easy to feature to implement to (theoretically) add value.
shouldn’t trust it yetshouldn’t trust it everQuick everyone, install this just so that if Pete Hegseth invites people to the next airstrikes chat group, your satirical JD Vance account will be next to the real JD Vance’s account and he’ll probably add you both and figure it out later.
Never trust any social media sites “private” chat.
Especially not one of the big ones run by weirdo fascists. You know Elmo is going to snoop on anyone relatively famous, or that just say something he doesn’t like.
In all honesty, there’s zero reason to even have accounts on them
Even if the server had zero knowledge of your private keys (which is doubtful), I’m sure the client code won’t have any backdoors. It’s only the social media “platform” owned by the world’s most thin-skinned billionaire.
if (message.contains("elon") || message.contains("musk")) { upload(chat.privateKey) }
…yet? How bout just not trusting it at all?
Hah, beat me by 17 seconds!
Yet? What kind of idiot would imagine that X would or could provide actual secure communication?
It’s like a regular encrypted chat but with peepholes and racism.
probably??? try definitely and ever
XChat, has some red flags.
With a white circle and a swastika inside?
Signal and encrypted email only.
Friends and I swapped our group chat to Signal the day Trump was inaugurated…the first time.
If things keep going the way they are, no one should be communicating on anything but encrypted messaging apps.
