Twitter's new encrypted DMs aren't better than the old ones

tptacek

I like everything Matthew Garrett writes but I can't resist being annoying about this:

Signal has had forward secrecy forever, right? The modern practice of secure messaging was established by OTR (Borisov and Goldberg), which practically introduced the notions of "perfect forward secrecy" and repudiability (as opposed to non-repudiability) in the messaging security model. Signal was an evolution both of those ideas and of the engineering realization of those ideas (better cryptography, better code, better packaging).

What's so galling about this state of affairs is that people are launching new messaging systems that take us backwards, not just to "pre-Signal" levels, but to pre-modern levels; like, to 2001.

nickpsecurity

Let's not forget three things from prior leaks:

1. Core Secrets said the FBI "compelled" companies to secretly backdoor their products. Another leak mentioned fines by FISA court that would kill a company. I don't know if you can be charged or not.

2. They paid the big companies tens of millions to $100+ million to backdoor their stuff. Historically, we know they can also pressure them about government contracts or export licenses. Between 1 and 2, it looks like a Pablo Escobar-like policy of "silver or lead."

3. In the Lavabit trial, the defendant said giving them the keys would destroy the business since the market would know all their conversations were in FBI's hands. The FBI said they could hide it, basically lying given Lavabit's advertising, which would prevent damage to the business. IIRC, the judge went for that argument. That implies the FBI and some courts tell crypto-using companies to give them access but lie to their users.

Just these three facts make me wonder how often crypto in big platforms is intentionally weak by government demand or sloppy because they don't care. So, I consider all crypto use in a police state subverted at least for Five Eyes use. I'll change my mind once the Patriot Act, FISC, secret interpretations of law, etc. are all revoked and violators get prosecuted.

tptacek

There is no such thing as "fines by FISA court". FISA doesn't hear adversarial cases and doesn't have statutory authority or even subject matter jurisdiction to enforce compliance on private actors. FISA is an authorizer for other government bodies, who then use ordinary Article III courts to enforce compliance. Other than the fact that they're staffed by Article III judges and not directly overseen by Article III courts, the FISA court functions like a magistrate court, not a normal court. So: I immediately distrust the source.

People are going to come back and say "well yeah that's just what they tell you about FISA court, but I bet FISA courts fine people all the time", but no, it's deeper than that: private actors aren't parties to FISA cases. It's best to think of them as exclusively resolving conflicts between government bodies.

voxic11

You are just wrong:

> In some circumstances, nongovernmental parties may litigate the lawfulness of FISA orders or directives to provide information or assistance to the government. For example:

> A private company or individual that has been served with a directive to assist in acquiring information under Section 702 may petition the FISC to modify or set aside the directive. Conversely, the government may petition the FISC to compel the recipient to comply with the directive.

> In responding to the government’s petition, the private party has the opportunity to show cause for the noncompliance or argue that the order should not be enforced as issued.

> In 2007, Yahoo! Inc. refused to comply with directives issued by the government under provisions of FISA that have been replaced by Section 702. The government filed a motion with the FISC to compel compliance.

https://www.fisc.uscourts.gov/about-foreign-intelligence-sur...

The warrants the court issues do apply to private parties. Failure to comply with a warrant is contempt of court and the court can compel compliance by fines and other sanctions. You can read what that looks like in this FISA court ruling against Yahoo.

PDF warning: https://donohueintellaw.ll.georgetown.edu/sites/default/file...

nickpsecurity

It was a big company that said they'd be fined per day for non-compliance with mass surveillance. Core Secrets etc. says that was done by FBI for FISA warrants. So, whoever enforces that.

I don't know the mechanics of it, like jurisdiction. It might be as you say. I just know they and their targets were both clear at different times they could force a company to do it.

pessimizer

The part nobody mentions about Crypto AG:

https://inteltoday.org/2020/02/15/crypto-ag-was-boris-hageli...

We've always done this.

numpad0

And it's going to remain that way as long as people download apps written on PC through App Store.

remram

On PC? What do you mean?

b0a04gl

if this's using ephemeral keys with no forward secrecy and no ledger of interactions, what part of it’s actually bitcoin style besides the name?

cobbal

It uses cryptography (a little-known and mostly-useless offshoot of Crypto)

anon7000

Plus, one of the simplest forms of cryptography is a basic SHA, so the word is practically meaningless without more details

masklinn

Having no actual use?

jeroenhd

Bitcoin is great for prospecting, laundering money across borders, and scamming gullible people. It's also easier to hide a stash of stolen bitcoins from the authorities for after you get released from jail than it is to hide a stash of actual money. Bitcoin is certainly no alternative to actual money but it's not entirely useless.

I think these Twitter DMs only do the scamming-the-gullible part, as you need to pay to use the feature and this is scamming people into thinking they're paying for secure messaging.

8note

prospecting? like, finding diamonds or oil or copper or something?

is the bitcoin a fundraising mechanism for juniors or something?

can you explain the mechanism?

shiandow

Bitcoin isn't a secure communication channel either?

hoppp

Its all out in the public....

mjg59

Key derivation from a PIN? Although that's an implementation detail of the key backup rather than anything inherent in the actual messaging so who knows.
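
The concern behind "key derivation from a PIN" is that a password-based KDF only slows each guess; it does not enlarge the candidate space, so a backup blob protected by a short PIN is brute-forceable offline by whoever holds the blob unless guesses are rate-limited somewhere the attacker cannot bypass (for example a hardware-backed server-side limiter). The following is an added illustration written for this page, not code from X or from the linked article, and it makes no claim about how XChat's backup actually works. The salt, iteration count, PIN length and victim PIN are all constructed for the demo.

```python
"""Why a PIN-derived backup key is only as strong as the PIN space."""
import hashlib

# Constructed demo parameters: no real product's salt, PIN or iteration count.
ITERATIONS = 200            # deliberately low so the demo runs in seconds
SALT = b"constructed-demo-salt"
PIN_LENGTH = 4


def derive_backup_key(pin: str, salt: bytes = SALT) -> bytes:
    """Password-based KDF over the PIN (PBKDF2-HMAC-SHA256 here).
    Stretching raises the cost per guess but the candidate space stays 10**PIN_LENGTH."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=32)


def brute_force_pin(target_key: bytes, salt: bytes = SALT):
    """Offline attack by whoever holds the backup blob: enumerate every PIN in
    order and stop at the first one that reproduces the key.
    Returns (pin, guesses) on success or (None, guesses) if exhausted."""
    guesses = 0
    for candidate in range(10 ** PIN_LENGTH):
        pin = f"{candidate:0{PIN_LENGTH}d}"
        guesses += 1
        if derive_backup_key(pin, salt) == target_key:
            return pin, guesses
    return None, guesses


def pin_space_cost_seconds(seconds_per_guess: float, pin_length: int = PIN_LENGTH) -> float:
    """Worst-case offline cost: whole PIN space times the per-guess KDF time.
    Shows that even a 1 s/guess KDF leaves a 4-digit PIN at under 3 hours."""
    return (10 ** pin_length) * seconds_per_guess


if __name__ == "__main__":
    # Attacker has obtained the backup blob and therefore can test keys offline.
    victim_key = derive_backup_key("4821")
    print(brute_force_pin(victim_key))                # ('4821', 4822)
    print(pin_space_cost_seconds(1.0) / 3600, "hours")  # ~2.8 hours at 1 s per guess
```

The only ways out are a high-entropy secret the user does not have to remember, or an online guess limiter the attacker cannot copy and run in parallel, which is exactly the part a help document rarely describes.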

deciduously

They use a hash function.

gizmo686

He didn't say it was Bitcoin style, just that it used "(Bitcoin style) encryption".

I was going to point out that Bitcoin does not use encryption; but technically I think its signature algorithm (ECDSA) can be thought of as a hashing step, followed by a public-key based encryption step.

So, in the most charitable reading, it's using elliptic curve asymmetric encryption. Presumably for the purpose of exchanging a symmetric key, as asymmetric encryption is very slow. In other words, what basically everything written this decade does. Older stuff would use non-EC algorithms, that are still totally fine, but need larger keys and would be vulnerable to quantum computers if those ever become big enough.

SAI_Peregrinus

> but technically I think it's signature algorithm (ecdsa) can be thought of as a hashing step, followed by a public-key based encryption step.

It really can't. If you're extremely drunk you can think of it as similar to hashing followed by a public-key based decryption step (signing uses the private key, as does decryption) but that's about as good an analogy as calling a tractor-trailer a container ship because both haul cargo. The actual elliptic-curve part of the operation isn't encryption or decryption, and thinking of it as such will lead to error.

RSA does have a simpler correspondence in that the fundamental modular multiplication operation is shared between decryption and signing (or between encryption and verification). But modular multiplication alone isn't secure, it's the "padding" that turns modular multiplication with a particularly-chosen modulus from some basic math into a secure encryption/signature system. And the padding differs, and the correspondence doesn't hold in real systems. RSA without padding is just sparkling multiplication.
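
The "sparkling multiplication" point can be shown directly: with textbook (unpadded) RSA, signing really is the private-exponent operation applied to a hash, and because that operation is just modular exponentiation it is multiplicatively homomorphic, so two valid signatures (or two ciphertexts) can be combined into a third without the private key. The block below is an added example written for this page, not code from any library the thread mentions; the primes 61 and 53 are toy parameters chosen so the arithmetic is readable, and the hash is reduced mod N only because the toy modulus is tiny.

```python
"""Textbook RSA: signing is the 'decrypt' exponent applied to a hash, and the
raw operation is multiplicatively malleable. Padding (OAEP/PSS) is what removes
both properties in real systems."""
import hashlib

# Constructed toy parameters. Real keys are >= 2048 bits.
P, Q = 61, 53
N = P * Q                            # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, 2753


def textbook_encrypt(m: int) -> int:
    return pow(m, E, N)


def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)


def representative(message: bytes) -> int:
    """Hash-to-integer step. Reduced mod N only because the toy N is small."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def textbook_sign(message: bytes) -> int:
    # Identical to decryption applied to the hash: the sign/decrypt
    # correspondence holds only because nothing is padded.
    return textbook_decrypt(representative(message))


def textbook_verify(message: bytes, sig: int) -> bool:
    return textbook_encrypt(sig) == representative(message)


def verify_representative(rep: int, sig: int) -> bool:
    """Verification on a raw representative, which is what a forger targets."""
    return pow(sig, E, N) == rep


def forge_product(sig_a: int, sig_b: int) -> int:
    """Given valid signatures on representatives a and b, produce a valid
    signature on (a * b) mod N with no access to D."""
    return (sig_a * sig_b) % N


def encryption_is_malleable(m1: int, m2: int) -> bool:
    """E(m1) * E(m2) == E(m1 * m2 mod N): a ciphertext can be scaled at will."""
    lhs = (textbook_encrypt(m1) * textbook_encrypt(m2)) % N
    return lhs == textbook_encrypt((m1 * m2) % N)


if __name__ == "__main__":
    s_a, s_b = textbook_decrypt(10), textbook_decrypt(7)
    print(verify_representative(70, forge_product(s_a, s_b)))   # True: forged
    print(encryption_is_malleable(2, 3))                          # True
```

Padding schemes break the forgery because a product of two padded representatives is, with overwhelming probability, not itself a correctly padded representative, and PSS additionally randomizes the encoding; for ECDSA there is no "encrypt" direction at all, the verification equation is checked on the curve rather than inverted.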

varjag

I was going to point out that Bitcoin does not use encryption

Yeah, Musk, as a not very technical person, would hardly know the difference.

brobinson

Bitcoin does use encryption for messaging, but I don't know if this is what Musk was referencing: https://bitcoinops.org/en/topics/v2-p2p-transport/

ChrisArchitect

Earlier discussion:

X's new "encrypted" XChat feature doesn't seem to be any more secure

https://news.ycombinator.com/item?id=44178008

consumer451

Thanks. The top comment there gets pretty technical and ends with:

> ... As noted in the help doc, this isn't forward secure, so the moment they have the key they can decrypt everything. This is so far from being a meaningful e2ee platform it's ridiculous.

https://news.ycombinator.com/item?id=44178544
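
Both tptacek's remark that forward secrecy has been table stakes since OTR and the quoted line that XChat "isn't forward secure, so the moment they have the key they can decrypt everything" come down to one measurable property: how much past traffic a compromise of the current key state exposes. The following is an added example written for this page, not code from Signal, X or the linked post. It contrasts a static long-term key with the symmetric half of a Signal-style ratchet (a one-way KDF chain; the Diffie-Hellman ratchet that Signal layers on top is omitted), uses an HMAC-based toy stream cipher instead of a real AEAD, and the messages and root key are constructed for the demo.

```python
"""Forward secrecy: leak the sender's current key state, count how many
earlier messages an attacker can then decrypt."""
import hashlib
import hmac

MESSAGES = [b"meet at 9", b"bring the docs", b"third message"]   # constructed
ROOT_KEY = hashlib.sha256(b"constructed demo root key").digest()   # not a real key


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation: the output reveals nothing about `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Minimal HMAC-counter keystream cipher. Demo only; use AES-GCM or
    ChaCha20-Poly1305 in anything real."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class StaticKeyChannel:
    """Every message under one long-term key: no forward secrecy."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, msg: bytes) -> bytes:
        return xor_stream(self.key, msg)

    def compromised_state(self) -> bytes:
        return self.key


class RatchetChannel:
    """Symmetric ratchet: each message gets its own key derived from a chain
    key, and the chain key is advanced (and the old one discarded) per message."""

    def __init__(self, root: bytes):
        self.chain_key = root

    def send(self, msg: bytes) -> bytes:
        msg_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")   # old chain key is gone
        return xor_stream(msg_key, msg)

    def compromised_state(self) -> bytes:
        return self.chain_key


def recoverable_history(channel_cls, key_budget: int = 16) -> int:
    """Send all MESSAGES, leak the channel's current state, and count how many
    of the *earlier* ciphertexts the attacker can decrypt with keys derivable
    from that state (the state itself plus `key_budget` forward derivations)."""
    channel = channel_cls(ROOT_KEY)
    ciphertexts = [channel.send(m) for m in MESSAGES]
    leaked = channel.compromised_state()
    candidates = [leaked]
    ck = leaked
    for _ in range(key_budget):
        candidates.append(kdf(ck, b"message"))
        ck = kdf(ck, b"chain")
    recovered = 0
    for ct, pt in zip(ciphertexts, MESSAGES):
        if any(xor_stream(k, ct) == pt for k in candidates):
            recovered += 1
    return recovered


if __name__ == "__main__":
    print("static key, past messages exposed:", recoverable_history(StaticKeyChannel))   # 3
    print("ratchet, past messages exposed:   ", recoverable_history(RatchetChannel))     # 0
```

The ratchet buys forward secrecy only if the old chain and message keys are actually erased, which is why a backup scheme that retains a long-term decryption key alongside the messages (the situation the quoted comment describes) cancels the property regardless of what the transport does.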

jeroenhd

The top comment is written by the person who wrote the blog post this thread is discussing.

consumer451

Ah, thanks. I try not to be guilty of just comment surfing, but this was not one of those times. :/

michaelg7x

Username matches the current URL

zzo38computer

It would be better to use separate software for encryption, and to get the public keys by meeting with them in place.

LAC-Tech

Question: I plan to visit Peking soon, can I use Twitter there without a VPN? Thanks.

dongcarl

Some roaming SIM cards aren't restricted by the Great Firewall, but in general, yes you'd need a VPN.

cyberax

ALL roaming SIMs aren't restricted unless the home telecom company cooperates. The roaming traffic passes over a global MPLS network to the home mobile network, so it's not restricted by the national firewalls.

diggan

> All new XChat is rolling out with encryption [...] This is built on Rust with (Bitcoin style) encryption

What does "Bitcoin style encryption" mean? Isn't Bitcoin mostly relying on cryptographic signatures rather than "encryption" as we commonly know it?

paxys

It doesn't mean anything, just sounds cool to people who don't know the tech well enough. Same reason why your HDMI cable is "gold plated for 10x speed!"

jsheard

Gold plating electrical contacts does at least do something useful though, it helps to prevent oxidization/corrosion. A better analogy would be gold plated TOSLINK cables, which unfortunately do exist.

kees99

A lot of quack tech is technically somewhat useful. Oxygen-free copper, occasionally used in "audiophile" cables, technically is a better electrical conductor (compared to regular copper), by a whopping low single-digit %.

Exact same effect could be achieved by making the conductor that very same single-digit % thicker. Which is an order of magnitude cheaper. And ohmic resistance is not that important for audio cables anyway.

seanhunter

I can tell you're no connoisseur. Gold-plating a digital connector like HDMI makes sure the zeros are really round and the ones are really pointy. If you have the right setup you can definitely tell the difference.

thewarpaint

The source of that comment is provably not someone with deep technical expertise so take that with a grain of salt.

arealaccount

It's there because he knows it's going to trigger people and will get more attention

77pt77

It's just a buzzword meant to add perceived value.

nicce

For me it feels like that after sending messages over 5 years, you need 1TB storage just for the Twitter app.

londons_explore

e2e encryption is easy if everyone knows public keys for everyone else. This is how GPG works for example.

However, the challenge is distributing those keys in a trustworthy way - because if someone can tamper with the keys during distribution, they can MITM any connection.

I assume this "bitcoin style" encryption is a blockchain or blocktree of every users public key now and throughout history. Ship the tree root hash inside the client app, and then every user can verify that their own entry in the tree is correct, and any user can use the same verified tree to fetch a private key for any other user.

kstrauser

I’m not sure you appreciate how large that data structure would be if you had to ship it inside the app.

CodesInChaos

The idea is to only distribute the root of the tree to a client, query the server for the username you want to look up, which then returns the key and a short proof that this username maps to that key within the hash tree identified by the known root.

londons_explore

It can be done with Merkle trees. You just ship the root hash.

Merkle trees are snapshot/read only though - so you then use a bitcoin style blockchain to ship refreshed versions of the root tree hash (you can even ship it in the actual bitcoin blockchain if you like, piggybacking on its proof of work to ensure different people don't see different root hashes)
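
The mechanism CodesInChaos and londons_explore are describing is a key-transparency log: the client holds only a root hash, the server answers a lookup with the entry plus an inclusion proof of logarithmic size, and the client recomputes the root to check that the key it was handed is the one committed to under that root. The block below is an added example written for this page, not code from any product in the thread; the directory of usernames and hex "public keys" is constructed, the filler hash for unpaired slots is a demo choice, and root distribution (the part the thread proposes doing over a blockchain) is left out.

```python
"""Key transparency sketch: client holds only a Merkle root; server returns a
username->key entry plus a log-sized inclusion proof the client verifies."""
import hashlib

# Constructed sample directory. The values are placeholders, not real keys.
DIRECTORY = {
    "alice": "02a1b2c3",
    "bob":   "03d4e5f6",
    "carol": "02778899",
    "dave":  "03aabbcc",
    "erin":  "02ddeeff",
}
EMPTY = hashlib.sha256(b"\x02padding").digest()   # filler for unpaired leaf slots


def _leaf(entry: bytes) -> bytes:
    # Domain-separated leaf hash: prevents an interior node being passed off as a leaf.
    return hashlib.sha256(b"\x00" + entry).digest()


def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def entries_for(directory: dict) -> list:
    """Canonical, sorted encoding so every party builds the same tree."""
    return [f"{user}:{key}".encode() for user, key in sorted(directory.items())]


def build_levels(entries: list) -> list:
    """Return all tree levels, leaves first, root last."""
    level = [_leaf(e) for e in entries]
    while len(level) & (len(level) - 1):      # pad leaf count to a power of two
        level.append(EMPTY)
    levels = [level]
    while len(level) > 1:
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def inclusion_proof(levels: list, index: int) -> list:
    """Sibling hash per level from leaf to root, tagged with whether the path
    node is the right child at that level. Size is log2(leaves), not the tree."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], bool(index & 1)))
        index >>= 1
    return path


def verify_inclusion(root: bytes, entry: bytes, proof: list) -> bool:
    """Client side: rebuild the root from the entry and the proof alone."""
    h = _leaf(entry)
    for sibling, path_is_right in proof:
        h = _node(sibling, h) if path_is_right else _node(h, sibling)
    return h == root


def server_lookup(directory: dict, user: str):
    """Server side: return the entry for `user` plus its proof."""
    entries = entries_for(directory)
    levels = build_levels(entries)
    idx = sorted(directory).index(user)
    return entries[idx], inclusion_proof(levels, idx)


def root_of(directory: dict) -> bytes:
    return build_levels(entries_for(directory))[-1][0]


if __name__ == "__main__":
    pinned_root = root_of(DIRECTORY)                 # what the client shipped with
    entry, proof = server_lookup(DIRECTORY, "bob")
    print(entry, len(proof), verify_inclusion(pinned_root, entry, proof))   # b'bob:03d4e5f6' 3 True
    # A server that swaps bob's key cannot produce a proof against the pinned root.
    e2, p2 = server_lookup(dict(DIRECTORY, bob="deadbeef"), "bob")
    print(verify_inclusion(pinned_root, e2, p2))     # False
```

Two things the sketch does not cover are exactly where real deployments spend their effort: clients must also audit their own entry (so a server cannot hand out a different key for you than the one you verify), and successive roots must be shown to extend the previous tree append-only, otherwise the server can serve one tree to the victim and another to everyone else, which is the split-view problem the blockchain suggestion is trying to address.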

JustFinishedBSG

I'm sure shipping a >150GB file to every user is perfectly fine and sound engineering.

viraptor

We pretty much know this can't be practically done in a distributed way. Even the public federated stores for gpg keys have been flooded so much they stopped being usable.

yndoendo

Would the real XChat be able to sue X-Twitter for name infringement?

http://xchat.org/

pityJuke

Man, I remember being an IRC regular during the transition from XChat to HexChat. Now I learn HexChat is also dead :( [0]

[0]: https://hexchat.github.io/news/2.16.2.html

nadermx

Maybe? XChat would have to show an established market in commerce in each market that X is infringing that they have an established commercial presence in. Also it's harder if XChat doesn't have a trademark in each of those regions.

remram

No, they would have to show an established market in commerce in ONE market that X is infringing.

pityJuke

I do find it funny that the library Twitter is using (according to TFA anyway) describes itself as:

> Caution

> Experimental library!

and

> While this library is just a wrapper around the well known Libsodium library it still comes with high potential of introducing new attack surfaces, bugs and other issues and you shouldn't use it in production until it has been reviewed by community.

[0]: https://github.com/ionspin/kotlin-multiplatform-libsodium

lifeinthevoid

Move fast and break encryption.

pier25

The Twitter brand is so strong it survives even after a rebrand.

ashleyn

The footnote elaborates on why the author used the old name.

jhardy54

> I'll respect their name change once Elon respects his daughter

Marsymars

It’s going to get confusing when trademark offices start getting submissions to expunge the “Twitter” trademark for lack of use.

romaaeterna

Given that Signal is pushing new code updates all the time, isn't it trivial for them to push new binaries that harvest messages/keys/whatever-they-want?

paxys

Their client is open source and is routinely audited. Their Android builds are fully reproducible. You can also build and run the app yourself if you want instead of downloading it from the app stores. It is virtually impossible for them to ship a backdoor, at least on Android, without the security community noticing.

romaaeterna

What exactly prevents them from doing a Windows build with a non-published change, signing it with the keys they control, and pushing it to an individual client through the upgrade servers which they control?

tabletcorry

Desktop clients communicate through mobile clients, so they don't have access to the key material.

dingaling

There is a window of vulnerability between a theoretically malicious update being pushed and the security community noticing that it doesn't correspond to a build of the published source. That might only be a few hours, or even minutes - but milliseconds would be enough to do most of its work.

jzb

Correct me if I'm wrong here -- let's say the Signal folks are breached or have been secretly waiting for just the right moment to push out some malicious code. How would they coordinate rolling it out to client devices to take advantage of that gap? I mean, depending on what the exploit was, they might be able to whack some percentage of users -- but it would be caught fairly quickly. I'm curious what sort of attack you're theorizing that would be worthwhile here.

romaaeterna

They control the update servers. So it's possible to target a single user with a single build that no one else ever sees. What percentage of users verify every release?

paxys

Sure, but only if you are blindly auto installing every update as soon as it is pushed. All you have to do to protect yourself is download the bundle, run a checksum and then install it.

perching_aix

Then you audit and build it on your own? Or implement your own client?

No free lunch. If comms security is that critical for you, outsourcing its assurance via trust is never going to cut it.

e44858

How easy would it be for them to ship a backdoor on iOS? With Apple's DRM it should be difficult to decrypt the IPA and compare it to the source code.

maqp

If your HW/OS doesn't allow verification of binaries, but your threat model requires doing that, then you need to use proper HW/OS that allows the verification. Also, iOS is proprietary so who knows what the OS is doing anyway. Also, this https://thehackernews.com/2014/01/DROPOUTJEEP-NSA-Apple-iPho...

paxys

If you are in the EU you can build the app from source and sideload it on your phone. Everyone else is out of luck. So yeah, either Signal or Apple can insert a backdoor into the app.

VWWHFSfQ

> It is virtually impossible for them to ship a backdoor [..] without the security community noticing.

OpenSSH was trivially backdoored [1] and distributed in several major distributions and the security community _did not_ notice until after it was already in the wild.

[1] https://www.ssh.com/blog/a-recap-of-the-openssh-and-xz-liblz...

qualeed

1) That was not "trivial", by any stretch of the definition. It was a 3-year long campaign by a (suspected to be) nation-state (or similarly resourced) actor! I don't think you can get any farther away from "trivial" if you tried.

2) From your link, it says: "Ubuntu 24.04LTS was a month away from being shipped with this backdoor, with other distros being on the same boat. Maybe the best way to describe it is this: had it gone undetected, Linux servers would have been running with a bomb waiting to be activated remotely." and "Luckily this backdoor was discovered in an early stage, and most of the Linux user community stays safe"

So, the security community _did_ notice.

xmodem

That was an attack targeting an optional dependency that receives significantly less scrutiny than OpenSSH proper. Which to be fair, is probably also the most plausible path if you wanted to attack Signal.

I would quibble with calling it "trivial" though.

yifanl

Sure. If you don't trust Signal to not do that, then you likely aren't using Signal.

thrance

Signal is open-source [1]. You can compile the code yourself and review each PR if you're that paranoid.

[1] https://github.com/signalapp/Signal-Android

Pesthuf

Looks like the build is even reproducible. That makes me trust Signal even more.

https://github.com/signalapp/Signal-Android/blob/main/reprod...

JustFinishedBSG

Yes but an app that never pushes updates can also do that

regularjack

Which one do you trust more?

baby

At this point I don't care if it's encrypted, just make it better.

dehrmann

I don't get most of the hype around end-to-end encrypted messages when the app's source code isn't available for audit.
