Elon Musk’s long-standing promise encryption launch direct messages on Twitter has arrived. Like most attempts to add end-to-end encryption to an existing large platform — never an easy proposition — there is good, bad, and bad. Pros: Twitter has added an optional layer of security for a small group of users with never existed for over 16 years online by Twitter. As for the bad and the bad: Well, that list is much longer.
On Wednesday night, Twitter announced the release of encrypted direct messages, a feature Musk has assured users will come from his first days running the company. To Twitter’s credit, it came with the new feature with a post on its help center Break through the new feature’s strengths and weaknesses with unusual transparency. And as the article points out, there are a lot of weaknesses.
In fact, the company seems to have stopped calling the feature “end-to-end” encryption, a term that means only users at either end of a conversation can read messages, rather than hackers, agencies. Government agencies can eavesdrop on those messages, or even Twitter itself.
“Like Elon Musk speakwhen it comes to Direct Messages, the standard should be, if someone puts a gun to our head, we still can’t access your messages,” the help desk page says. “We’re not done yet, but we’re working on it.”
In fact, the description of Twitter’s encrypted messaging feature following that initial warning seems almost like a list of the most serious vulnerabilities in any end-to-end encrypted messaging app. available, now all combined into one product—along with several other accessories. Errors that are all their own.
For example, opt-in encryption is not enabled by default, a decision for which Facebook Messenger has received much criticism. It clearly doesn’t stop man-in-the-middle attacks that allow Twitter to invisibly spoof users’ identities and intercept messages, long considered the most critical flaw in iMessage encryption. Apple’s. It doesn’t have a “perfect forward security” feature that makes it harder to track down users even if the device is temporarily compromised. It doesn’t allow group messaging or even sending photos or videos. And perhaps most seriously, it currently restricts this secondary encrypted messaging system to only verified users messaging each other—most of them pay $8 a month—restricting a lot of networks. can use it.
“This is clearly no better than Signal or WhatsApp or anything that uses the Signal Protocol, in terms of features,” said Matthew Green, a professor of computer science at Johns Hopkins who focuses on cryptography. , security. Signal Messenger App considered by many to be the modern standard in end-to-end encrypted calling and messaging. Signal . Encryption Protocol are also used in both WhatsApp’s encrypted communication by default and Facebook Messenger’s opt-in encryption feature called Secret Conversations. (Both Signal and WhatsApp are free, compared to $8 per month for a Twitter Blue subscription that includes verification.) “You should use those instead if you really care about security,” Green said. “And they’ll be easier because you won’t have to pay $8 a month.”
