Twitter's new encrypted DMs aren't better than the old ones
a year ago
- #encryption
- #privacy
- Twitter's encrypted DMs were initially flawed, allowing easy key injection and lacking features like sending pictures.
- Elon Musk announced 'XChat', a new encrypted messaging platform, but it still has significant security issues.
- The new system uses libsodium's boxes for encryption but lacks forward secrecy, so past messages can be decrypted if a private key is leaked.
- Twitter's old system had scaling issues and didn't allow new devices to decrypt old messages.
- The new approach uses the Juicebox protocol to store private keys, protected by a PIN, but the PIN can be brute-forced relatively easily.
- Juicebox's security relies on trustworthy backends, but Twitter controls all backends, making them potentially untrustworthy.
- Twitter can still man-in-the-middle (MITM) messages by providing fake public keys, and metadata leakage remains a significant issue.
- Signal is recommended as a more secure alternative, offering better encryption and privacy features.
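
The forward-secrecy point above, as an added example that is not code from the article or from Twitter: it compares what a leaked long-term private key recovers from recorded traffic when messages are sealed under static keys versus per-message ephemeral keys. The toy Diffie-Hellman group and the SHAKE/HMAC sealing are assumptions standing in for libsodium's box so the example runs with only the standard library, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group standing in for libsodium's X25519 (assumption:
# illustration only, not a secure group choice).
P, G = 2**255 - 19, 2

def keypair():
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def shared(my_sk, their_pk):
    return hashlib.sha256(pow(their_pk, my_sk, P).to_bytes(32, "big")).digest()

def seal(key, msg):
    nonce = secrets.token_bytes(16)
    ks = hashlib.shake_256(key + nonce).digest(32 + len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, ks[32:]))
    return nonce + ct + hmac.new(ks[:32], ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    ks = hashlib.shake_256(key + nonce).digest(32 + len(ct))
    if not hmac.compare_digest(tag, hmac.new(ks[:32], ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered ciphertext
    return bytes(a ^ b for a, b in zip(ct, ks[32:]))

def static_transcript(msgs):
    """Static long-term keys only: every message is sealed under one shared key."""
    a_sk, a_pk = keypair()
    b_sk, b_pk = keypair()
    wire = [(a_pk, seal(shared(a_sk, b_pk), m)) for m in msgs]
    return wire, b_sk  # recorded traffic, plus the key that leaks later

def ephemeral_transcript(msgs):
    """Fresh key pairs per message; their secret halves are discarded after use."""
    b_sk, _ = keypair()  # long-term key; would only sign the ephemeral keys
    wire = []
    for m in msgs:
        ea_sk, ea_pk = keypair()
        eb_sk, eb_pk = keypair()
        wire.append((ea_pk, seal(shared(ea_sk, eb_pk), m)))
    return wire, b_sk

def readable_after_leak(wire, leaked_sk):
    """What a holder of the leaked long-term key recovers from recorded traffic."""
    return [unseal(shared(leaked_sk, pk), blob) for pk, blob in wire]

MSGS = [b"meet at 9", b"new address attached"]  # constructed sample messages
```

With static keys the whole recorded history opens under the leaked key; with ephemeral keys every entry comes back as `None` because the per-message secrets no longer exist.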