Red Hot Cyber
Criticism of XChat: The new encrypted messaging service is no good


8 September 2025 13:28

The social network X, formerly known as Twitter, has begun rolling out a new encrypted messaging service called XChat. It formally presents itself as a completely end-to-end encrypted platform: correspondence can only be read by its participants, and the service itself would not have access to the content.

However, cryptographers are already pointing out that the current implementation is far from reliable and falls short of recognized standards like Signal.

The first concern is how XChat handles keys. Upon activation, the user is asked to create a four-digit PIN, which is used to encrypt the private key. That encrypted key is then stored on X’s servers rather than on the user’s device. Signal works differently: the secret key always remains on the device.

It is unclear whether hardware security modules (HSMs) are used to protect the keys. Without them, an operator could theoretically guess the PIN and access the correspondence. An X representative claimed in the summer that HSMs were used, but no confirmation has been published so far, leading experts to speak of a “regime of complete trust in the company’s words.”

XChat’s second weakness is described by the company itself on its support page: the correspondence can be compromised by a “malicious insider or by X”. This threat is known as a “man-in-the-middle attack”, in which the service replaces the key and effectively gains the ability to read the messages. In this case, X provides the user with a public key without any means of verifying whether it has been replaced. As a result, users have no way to verify the authenticity of the protection.

The third problem is the closed nature of the code. Unlike Signal, which is well documented and open to scrutiny, XChat is still completely proprietary. The company promises to publish a technical paper and make it open source in the future, but there is no specific timeline.

Finally, XChat does not support so-called Perfect Forward Secrecy, in which each message is encrypted with a separate key. For this reason, compromising a private key gives an attacker access to the user’s entire correspondence history, not just the most recent messages.
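To make the forward-secrecy point concrete, here is an added illustration (not XChat’s or Signal’s actual code) comparing a single long-lived key, as the article describes for XChat, with a hash-chain ratchet that derives a fresh key per message and discards the previous chain key. The cipher, session classes and sample messages are constructed for the demo; the point is how many past messages a leaked key exposes in each design.

```python
import hmac
import hashlib


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation: the output reveals nothing about `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (keystream = HMAC blocks); symmetric, so it also decrypts."""
    blocks = len(data) // 32 + 1
    stream = b"".join(kdf(key, b"ks" + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class StaticKeySession:
    """No forward secrecy: one long-lived key protects every message (hypothetical)."""
    def __init__(self, key: bytes):
        self.key = key

    def send(self, msg: bytes) -> bytes:
        return xor_cipher(self.key, msg)


class RatchetSession:
    """Forward secrecy: per-message key from a chain; the chain key is replaced after each send."""
    def __init__(self, root: bytes):
        self.chain_key = root

    def send(self, msg: bytes) -> bytes:
        msg_key = kdf(self.chain_key, b"msg")
        self.chain_key = kdf(self.chain_key, b"chain")  # old chain key is discarded
        return xor_cipher(msg_key, msg)


def static_exposure(stolen_key: bytes, cts: list, pts: list) -> int:
    """Past messages readable once the long-lived key leaks."""
    return sum(xor_cipher(stolen_key, c) == p for c, p in zip(cts, pts))


def ratchet_exposure(stolen_chain_key: bytes, cts: list, pts: list, tries: int = 1000) -> int:
    """Past messages readable once the *current* chain key leaks: the chain can only be
    walked forward, so keys of earlier messages are unreachable (one-way KDF)."""
    ck, keys = stolen_chain_key, []
    for _ in range(tries):
        keys.append(kdf(ck, b"msg"))
        ck = kdf(ck, b"chain")
    return sum(any(xor_cipher(k, c) == p for k in keys) for c, p in zip(cts, pts))


def demo() -> tuple:
    msgs = [b"meet at 9", b"bring the report", b"new plan"]  # constructed sample messages
    static, ratchet = StaticKeySession(b"\x01" * 32), RatchetSession(b"\x02" * 32)
    static_ct = [static.send(m) for m in msgs]
    ratchet_ct = [ratchet.send(m) for m in msgs]
    # Key material present on the device leaks *after* the messages were sent.
    return static_exposure(static.key, static_ct, msgs), ratchet_exposure(ratchet.chain_key, ratchet_ct, msgs)
```

Running `demo()` yields `(3, 0)`: every past message under the static key, none under the ratchet.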

Prominent researcher Matthew Garrett notes that even if X’s developers are trusted now, they can change the rules and weaken the protection at any time, and users will have no way to prove it. His opinion is shared by Matthew Green, a cryptography professor at Johns Hopkins University, who recommends not trusting the new service any more than ordinary unencrypted direct messages.

Despite repeated requests from journalists, X’s press service has not yet provided any answers to questions about XChat’s security.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.