X's new "encrypted" XChat feature doesn't seem to be any more secure

66 points by 01-_- 2 days ago

11 comments

mjg59 2 days ago
The implementation seems to be libsodium sealed boxes, with the key material sequestered using the juicebox.xyz protocol. In itself this seems broadly fine, with the significant proviso as mentioned in https://help.x.com/en/using-x/encrypted-direct-messages that identity is not verified at present, and as a result it's trivially MITMable.

But there's something more subtle here. Juicebox means that your key material is remotely stored in encrypted form. In an ideal setup, it's split between multiple different realms operated by different people, and the key material is stored in HSMs. There's a complicated dance where you prove knowledge of the PIN without actually revealing the PIN, and then the remote realms hand over the key material and you reassemble it into your key by decrypting it with a key also derived from your PIN.

If Twitter is running their own Juicebox realms then you're having to trust them. Even if the realms are implemented as HSMs, they're in a position to see the encrypted key material as it exits the HSM. And if they're not in HSMs, then the encrypted key material is just sitting there where they can see it. This doesn't intrinsically give them the key, since it still needs the PIN to decrypt it - but the key derivation function from the PIN is just 32 rounds of argon2id with 16MB of memory use, and given the PIN is limited to 4 digits, that's going to take about a second of GPU aided brute forcing to drop out the actual key.

As noted in the help doc, this isn't forward secure, so the moment they have the key they can decrypt everything. This is so far from being a meaningful e2ee platform it's ridiculous.
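To put the keyspace argument in the comment above into numbers, here is an added example; it is not part of the thread and is not X's or Juicebox's code. It assumes scrypt from the Python standard library as a stand-in for argon2id, and the record format, salt and PIN are constructed for illustration.

```python
import hashlib, hmac, time

def derive_key(pin: str, salt: bytes, n: int) -> bytes:
    # Stand-in KDF (assumption): scrypt from the standard library, not the
    # argon2id the comment describes. n=2**14, r=8 uses about 16 MiB per guess.
    return hashlib.scrypt(pin.encode(), salt=salt, n=n, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

def make_record(pin: str, salt: bytes, n: int) -> bytes:
    # Constructed stand-in for PIN-protected key material held by an operator:
    # anything that lets the holder test a guess offline behaves the same way.
    return hmac.new(derive_key(pin, salt, n), b"key-check", hashlib.sha256).digest()

def guesses_until_match(record: bytes, salt: bytes, n: int, digits: int = 4):
    # Nothing in this offline setting limits the number of attempts, so the
    # only protection left is the size of the PIN space times the KDF cost.
    for i in range(10 ** digits):
        guess = f"{i:0{digits}d}"
        if hmac.compare_digest(make_record(guess, salt, n), record):
            return guess, i + 1
    return None, 10 ** digits

def seconds_per_guess(salt: bytes, n: int, samples: int = 3) -> float:
    # Average wall-clock cost of one KDF evaluation on this machine.
    start = time.perf_counter()
    for i in range(samples):
        derive_key(str(i), salt, n)
    return (time.perf_counter() - start) / samples

def worst_case_seconds(space: int, per_guess: float, workers: int = 1) -> float:
    # Time to try every candidate once, split evenly across workers.
    return space * per_guess / workers

if __name__ == "__main__":
    salt = b"constructed-salt"  # sample value, not from X or Juicebox
    # Cheap KDF parameters here so the full 10,000-candidate loop stays fast.
    pin, tries = guesses_until_match(make_record("0427", salt, 2**4), salt, 2**4)
    print(f"cheap-KDF demo: recovered {pin} after {tries} guesses")
    cost = seconds_per_guess(salt, 2**14)
    print(f"measured at ~16 MiB: {cost * 1000:.1f} ms per guess, one CPU thread")
    for label, space in [("4-digit PIN", 10**4), ("6-digit PIN", 10**6),
                         ("8-char [a-zA-Z0-9]", 62**8), ("128-bit random key", 2**128)]:
        print(f"{label:20s} worst case {worst_case_seconds(space, cost):.3g} s")
```

The table it prints shows that a memory-hard KDF only multiplies the cost of each guess: with 10^4 candidates the total stays small on a single thread, while a high-entropy secret stays out of reach at the same per-guess cost.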
herewulf 2 days ago
As a user of XChat[0] since 1999, I can tell you that it's definitely not encrypted or secure. Don't believe the hype!

[0]: http://xchat.org
Meekro 2 days ago
In a nutshell: we have unclear comments from Musk and unclear statements in the FAQ (which might not have been written by a technical person). Until they release a technical white paper, we don’t know anything for sure.
threeseed 2 days ago
> Currently, we do not offer protections against man-in-the-middle attacks. As a result, if someone—a malicious insider or X itself as a result of a compulsory legal process—were to compromise an encrypted conversation

I assume this means that the "encryption" is about as strong as base64.
lionkor 2 days ago
It seems to me like this is what happens when you do impulsive, hype-driven development. I assume a junior walked into Elon's office, and pitched it with the words "Bitcoin style encryption, as a chat platform--Written in Rust, almost entirely developed by Grok3", and he was sold.

I'm not being cynical or funny, I legitimately think, after having worked with some hype-driven leadership people, that this is quite common and results in a lot of flawed slop products, which are hyped up by leaders who don't know what they're talking about.

Admitting that this sort of product doesn't do what they think it does would mean admitting that they are wholly incompetent and got tricked by the hype; and that's not acceptable. So it gets sunk-cost-fallacied into being a real product even more.
focusgroup0 2 days ago
Not your keys, Not your data
msgodel 1 day ago
E2EE is almost pointless in smartphone apps. If the same organization controlling the infrastructure controls the two ends it's effectively a no-op.
asdaqopqkq 2 days ago
They plan to train on the chat aren't they?
beej71 1 day ago
> "as a result of a compulsory legal process"

What does this mean?
blitzar 2 days ago
Self chatting features will be live by the end of the year.
marcodiego 2 days ago
Just port it to Wayland. /s