X is now offering end-to-end encrypted chat. You probably shouldn’t trust it yet.


X, previously Twitter, has started rolling out its new encrypted messaging feature, known as “Chat” or “XChat.”

The company claims the new messaging feature is end-to-end encrypted, which means that the messages exchanged in it can only be read by the sender and their recipient and, in theory, no one else, including X, can access them.

Cryptography experts, however, are warning that users should not rely on XChat’s current encryption implementation. They say it is worse than Signal’s, which is widely considered the industry standard for end-to-end encrypted chat.

In XChat, once a user clicks “Set Up,” X asks them to create a 4-digit PIN, which is used to encrypt the user’s private key. That key is then stored on X’s servers. The private key is essentially a secret cryptographic key assigned to each user that is used to decrypt messages. As in many end-to-end encrypted services, the private key is paired with a public key, which a sender uses to encrypt messages for the recipient.

This is the first red flag for XChat. Signal stores a user’s private key on their device, not on its servers. It matters exactly how, and where, the key is stored on X’s servers.

Security researcher Garrett, who published a blog post about XChat in June, when X announced the new service and slowly started rolling it out, writes that the company says it uses hardware security modules, or HSMs, to store the keys, but that it would still be possible for the company to tamper with the keys and decrypt messages. HSMs are purpose-built servers designed to make it harder even for the companies that own them to extract the keys they hold.

An X engineer said in a post in June that the company uses HSMs, but neither he nor the company has yet provided any evidence. “Until then it’s ‘trust us, bro’ territory,” Garrett told TechCrunch.

The second red flag, which X itself acknowledges on XChat’s support page, is that the service’s current implementation could allow “a malicious insider or X itself” to compromise conversations.

This is technically called an “adversary-in-the-middle,” or AITM, attack.

“X gives you a public key whenever you contact them, so if they implemented it properly you cannot prove that they have not made a new key,” Garrett said, and so perform an AITM attack.
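The key-substitution risk Garrett describes is one that the client side can at least detect. The following is an added example, not code from X, Signal or the article’s author: a key directory that hands out public keys on every contact, a naive client that accepts whatever it is given, and a client that pins the first key it sees per contact (trust on first use) and refuses a silently changed one. The directory, both clients, the contact name and the key bytes are all constructed for the demo.

```python
# Added example (not code from X, Signal or the article's author): a trust-on-
# first-use key store that detects a public key being swapped by the directory.
# The directory, clients, contact names and key bytes are constructed for the demo.
import hashlib
import os
from typing import Dict, List, Optional


class KeyDirectory:
    """Server-side directory that hands out contacts' public keys.
    Because clients fetch keys from here on every contact, the operator
    (or a malicious insider) can serve a different key at any time."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def publish(self, user: str, public_key: bytes) -> None:
        self._keys[user] = public_key

    def lookup(self, user: str) -> bytes:
        return self._keys[user]

    def substitute(self, user: str, other_key: bytes) -> None:
        """Models the 'malicious insider or X itself' case: the directory
        quietly replaces the key it serves for `user`."""
        self._keys[user] = other_key


def fingerprint(public_key: bytes) -> str:
    """Short digest of a key, the kind of value two users compare out of band
    (Signal's equivalent is the safety number)."""
    return hashlib.sha256(public_key).hexdigest()[:16]


class NaiveClient:
    """Accepts whatever key the directory returns, every time. A substituted
    key is indistinguishable from the real one."""

    def __init__(self, directory: KeyDirectory) -> None:
        self._dir = directory

    def key_for(self, contact: str) -> bytes:
        return self._dir.lookup(contact)


class PinningClient:
    """Remembers the first key seen for each contact (trust on first use) and
    refuses to use a different one until the user re-verifies it."""

    def __init__(self, directory: KeyDirectory) -> None:
        self._dir = directory
        self._pins: Dict[str, str] = {}   # contact -> pinned fingerprint
        self.alerts: List[str] = []       # warnings to show the user

    def key_for(self, contact: str) -> Optional[bytes]:
        key = self._dir.lookup(contact)
        fp = fingerprint(key)
        pinned = self._pins.get(contact)
        if pinned is None:
            self._pins[contact] = fp      # first contact: record and trust
            return key
        if fp != pinned:
            self.alerts.append(f"{contact}: served key {fp}, pinned {pinned}")
            return None                   # refuse until re-verified
        return key

    def verify_out_of_band(self, contact: str, fp_from_contact: str) -> bool:
        """Compare the pinned fingerprint with one the contact read out over
        another channel. This also catches a swap made before first contact."""
        return self._pins.get(contact) == fp_from_contact


def demo() -> dict:
    """Run the substitution against both client types and report what each saw."""
    directory = KeyDirectory()
    bob_real = os.urandom(32)            # constructed stand-in for Bob's public key
    directory.publish("bob", bob_real)

    naive = NaiveClient(directory)
    pinning = PinningClient(directory)
    naive.key_for("bob")                 # both clients reach Bob once, honestly
    pinning.key_for("bob")

    directory.substitute("bob", os.urandom(32))   # operator swaps in its own key

    return {
        "naive_accepts_swapped_key": naive.key_for("bob") != bob_real,
        "pinning_refuses_swapped_key": pinning.key_for("bob") is None,
        "pinning_alert_count": len(pinning.alerts),
        "oob_check_matches_real_key": pinning.verify_out_of_band("bob", fingerprint(bob_real)),
    }


if __name__ == "__main__":
    print(demo())
```

Pinning only detects a change after the first contact; a key swapped before the user ever talks to a contact looks legitimate, which is why the out-of-band fingerprint comparison is the part that actually lets a user prove which key they are talking to.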

Another red flag is that XChat’s implementation is not open source at the moment, unlike Signal’s, which is. X says its aim is to “open source our implementation and describe the encryption technology in a technical whitepaper by the end of this year.”

Finally, X does not offer “perfect forward secrecy,” a cryptographic property under which each new message is encrypted with a separate key, which means that if an attacker compromises the user’s private key they can only decrypt the most recent message and not all the previous ones. X acknowledges this shortcoming.
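To make the forward-secrecy point concrete, here is an added example (not XChat’s or Signal’s code) that places a static-key session beside a symmetric hash ratchet and shows what leaking each design’s key material after a conversation exposes. The HMAC-based keystream cipher, the root keys and the messages are constructed for the demo only.

```python
# Added example, not code from X, Signal or the article's author. A static-key
# session (no forward secrecy) beside a symmetric hash ratchet (forward
# secrecy), with a key compromise simulated after the messages were sent.
# The HMAC keystream cipher, root keys and messages are constructed for the demo.
import hashlib
import hmac
import os
from typing import List


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation: the output reveals nothing about the input key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes, nonce: int = 0) -> bytes:
    """Toy stream cipher: XOR with an HMAC keystream in counter mode. It exists
    only to show which key opens which message; it is not a production cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = kdf(key, nonce.to_bytes(4, "big") + offset.to_bytes(4, "big"))
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class StaticKeySession:
    """No forward secrecy: every message is protected by one long-lived key,
    so whoever obtains that key later can read the whole transcript."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def encrypt(self, msg: bytes, index: int) -> bytes:
        return stream_xor(self.key, msg, index)

    def decrypt(self, ct: bytes, index: int) -> bytes:
        return stream_xor(self.key, ct, index)


class RatchetSession:
    """Forward secrecy via a hash ratchet: message i is keyed from chain key i,
    then the chain advances and the old chain key is erased. Sender and
    receiver start from the same root and step in lockstep."""

    def __init__(self, root: bytes) -> None:
        self.chain = root

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain, b"msg")
        self.chain = kdf(self.chain, b"chain")   # previous chain key is gone
        return message_key

    def encrypt(self, msg: bytes) -> bytes:
        return stream_xor(self.next_message_key(), msg)

    def decrypt(self, ct: bytes) -> bytes:
        return stream_xor(self.next_message_key(), ct)


def ratchet_attacker_reads(ciphertexts: List[bytes], plaintexts: List[bytes],
                           stolen_chain: bytes, lookahead: int = 16) -> List[bool]:
    """An attacker holding the *current* chain key can derive every future
    message key; try each of them against every recorded ciphertext and report
    which past messages (if any) decrypt correctly."""
    probe = RatchetSession(stolen_chain)
    derivable = [probe.next_message_key() for _ in range(lookahead)]
    return [any(stream_xor(k, ct) == pt for k in derivable)
            for ct, pt in zip(ciphertexts, plaintexts)]


def demo(messages: List[bytes]) -> dict:
    """Send `messages` under both designs, then leak each design's key
    material and see what an attacker recovers from the recorded traffic."""
    # Static key: the leaked key decrypts every recorded message.
    static_key = os.urandom(32)
    sender = StaticKeySession(static_key)
    static_cts = [sender.encrypt(m, i) for i, m in enumerate(messages)]
    attacker = StaticKeySession(static_key)            # obtained the key afterwards
    static_readable = [attacker.decrypt(ct, i) == m
                       for i, (ct, m) in enumerate(zip(static_cts, messages))]

    # Ratchet: the leaked current state decrypts none of the recorded messages.
    root = os.urandom(32)
    alice, bob = RatchetSession(root), RatchetSession(root)
    ratchet_cts = [alice.encrypt(m) for m in messages]
    bob_reads_all = all(bob.decrypt(ct) == m for ct, m in zip(ratchet_cts, messages))
    ratchet_readable = ratchet_attacker_reads(ratchet_cts, messages, alice.chain)

    return {"static_past_messages_readable": static_readable,
            "ratchet_past_messages_readable": ratchet_readable,
            "ratchet_recipient_decrypts_all": bob_reads_all}


if __name__ == "__main__":
    print(demo([b"hello bob", b"meet at noon", b"bring the documents"]))
```

The hash ratchet protects messages sent before the compromise but not the ones sent after it, since the stolen chain key derives all future message keys. Signal layers a Diffie-Hellman ratchet on top so that later messages become unreadable again once fresh key material is exchanged; this toy shows only the forward-secrecy half.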

As a result, Garrett does not think XChat is at a stage where users should trust it yet.

“Even if everyone involved is entirely trustworthy, X’s implementation is technically worse than Signal’s,” Garrett told TechCrunch. “And even if they were entirely trustworthy to begin with, they could stop being trustworthy and compromise that trust in multiple ways […] If they are untrustworthy or incompetent during the initial implementation, it is impossible to show that there is any protection at all.”

Garrett is not the only expert raising concerns. A cryptography expert at Johns Hopkins University agreed.

“For the moment, until it is fully audited by someone reputable, I would not trust it any more than the current unencrypted DMs,” Green told TechCrunch. (XChat is a separate feature that coexists with the legacy direct messages.)

X did not respond to several questions sent to its press email address.
