X, East Twitter, has called its new encrypted messaging feature as “chat” or “Exchat”.
The company claims that the new communication facility is end-to-end encrypted, which means that the message exchange on it can only read by the sender and their receiver, and in-principle-in-principle-including-Koi and, including X, cannot access them.
Cryptography experts, however, are warning that the current implementation of X of encryption in Excat should not be rely on. They are saying that this is worse than the signal, a technique is widely considered to be the status of art when it comes to end-to-end encrypted chat.
In Xchat, once a user clicks on “set up now”, X motivates them to make a 4-conductive pin, which will be used to encrypse the user’s private key. This key is then stored on the X server of X. Private key is essentially a secret cryptographic key assigned to each user, which works for the purpose of decrying messages. As in many end-to-end encrypted services, a private key is combined with a public key, which uses to encrypse messages to a sender receiver.
This is the first red flag for Xchat. The signal stores the private key of a user on its device, not on its server. How and where private keys are stored on the X server, it is also important.
Matthew Garat, a Safety Researcher Who published a blog post Regarding Xchat in June, when X declared a new service and gradually began to roll it, it was written that if the company does not use it called hardware security modules, or HSMS, to store keys, then the company can manipulate the keys and potentially decrying messages. HSMS are servers that are specially designed to make them hard for the company that owe them to reach data inside.
An X engineer Said In a post in June that the company uses HSM, but neither it nor the company has provided any evidence so far. Garat told Techkachchan, “Until this is done, it is ‘we believe, brother’ area,” Garat told Techchchan.
Second red flag, Who accepts x only In the X chat support page, it is that the current implementation of the service may allow “a malicious internal formula or the self” to compromise on encrypted conversations.
This is the technically called “anti-in-media” or AITM attack. It creates a full point of an end-to-end encrypted messaging platform moot.
Garat said that X “Whenever you communicate with them, gives you a public key, so even if they have implemented it properly, you cannot prove that they have not created a new key,” and the AITM attack.
Another red flag is that any of the implementation of Xchat, at this point, is an open source opposite the signal, which is, which is which is Openly elaborateX They say Its purpose is “to open our implementation and to describe the encryption technique in depth through a technical whitepaper later this year.”
Finally, X does not offer “Perfect forward privacy“A cryptographic mechanism by which each new message is encrypted with a separate key, which means that if an attacker compromises the private key of the user, they can only decrypt the last message, and not all the former people. Believe This deficiency.
As a result, the garat not feels that Xchat is at a point where users should yet rely on it.
“If everyone is completely reliable, the X implementation is technically worse than the signal,” Garat told Techcrunch. “And even if they were completely reliable to start, they can stop being reliable and compromise in many ways (…) If they were either incredible or disabled during early implementation, it is impossible to demonstrate that there is any protection.
Garat is not the only specialist who increases concerns. Matthew Green, a cryptography specialist who teaches at the University of Johns Hopkins, agrees.
Green told Techcrunch, “At the moment, I will not believe that I will not trust it until someone is distinguished.” (Xchat is a separate feature that at least for now, inheritance lives with direct messages.)
The X did not answer several questions sent to its press email address.
