Twitter rolls out encryption for direct messages but with key limitations

Both the sender and recipient must be verified, while group conversations and attached media aren't supported by the encryption.

ZDNET (www.zdnet.com)

Twitter rolls out encryption for direct messages but with key limitations

Both the sender and recipient must be verified, while group conversations and attached media aren't supported by the encryption.

For an existing chat, tap the Info icon. If the option is available, you'll see a button for Start an encrypted message that you can just click. For a new chat, turn on the switch to enable encrypted mode. Write your message, and then send it.

So what is the difference between what they're rolling out and what they added in 2023? Support for more users, maybe? Support for non-verified users?

EDIT: Apparently it had been disabled earlier this week?

X’s encrypted DMs are being put on pause.

The company is pausing the feature “while we work on making some improvements,” according to a post. X, then Twitter, launched encrypted DMs in May 2023, but they had some limitations. [Media: https://twitter.com/XEng/status/1927826425173696988]

The Verge (www.theverge.com)

This article implies that it was to address some of the limitations in the 2023 feature, though isn't explicit about what is being addressed:

According to the document, encrypted DMs are only available if you are a verified user (somebody who pays for Twitter Blue), a verified organization (an organization that pays $1,000 per month), or an affiliate of a verified organization (which costs $50 per month per person). Both the sender and recipient must be on the latest version of the Twitter app (on mobile and web). And an encrypted DM recipient must follow the sender, have sent a message to the sender in the past, or accept a DM request from the sender at some point.

Sure as hell wouldn't trust it unless they publish their trust system docs and verification tools.

The question is whether this actually is E2EE, as it's easy to fake by using a man in the middle attack and hard to prove. The only real way to prove it for sure is to run a third party security audit, like Signal does.

Taking down the old system doesn't inspire confidence either, as this downtime could easily been used to interrupt old conversations in order to implement a way to decrypt the messages on the servers before passing it on to the actual recipient, as all keys would have to be re-issued.

Even then, lots of other options.....

Somehow I don't believe them.

Maybe the mods should add another rule to the sidebar saying only negative X posts are allowed, since that's clearly all the "community" wants lol.

The fact this is being treated as bad news is unbelievable.

With recent advances, there is nothing released online that can be believed. A. I fakes are everywhere and in everything

So I wouldn't trust them even then.

Untrue. Many Zero-Trust platforms out there that give you the tools to confirm when you are in fact e2e encrypted. They publish their docs, open source their tools, and give verification tools to check.

Haha! Yeah, sure it is.

Anything, even your tools can be faked. Anything. You may not like it, and for the most part most mundane data isn't worth faking, but there's no real way to trust any online anymore

Go ahead kids, downvote

But prove I'm wrong. Show me where any number reported by anything online cannot be faked. Show me.

You can't , because if there's money, it's being done.

Just like trump will never become president, the overconfident tech bros and ketamine junkies will never be able to get your encrypted data. Sure. Believe that.

I think it's because many people (including me) doubt it's actually private and secure. The last thing you should ever trust xitter with is your privacy and security. If it actually is private and secure, that's great

There wasn't any in the first place, fundamentally.

Riiiight. First time I'm hearing of network traffic being faked. You must be blowing the lid off of something HUGE here

You're not as smart as you think.

everything can be spoofed. Hell your comment could be.

Network traffic is faked all the time

https://www.csoonline.com/article/2514488/what-is-fake-network-traffic-and-how-does-it-complicate-security-efforts.html

Hell that article is a year old, so your info is a bit dated.

You have a good evening

Fair enough

Who holds the encryption keys? If it's X/Twiiter, I wouldn't trust it at all, especially considering who owns it.

I'm confused about this conversation. Are you the idiot here, or do you think I am?

Your AI generated article doesn't have any actual information, doesn't deal with MITM attacks, and has zero context about how anything it mentions could be used to attack what we're discussing here.

Unless you have a quantum responder in the chain, there isn't a currently known way to fake an exchange of keys to infiltrate secure channels secured by keys.

Not only would this destroy the currently existing Internet, you'd be seeing floods of information exfilateates for sale on the black market.

Not only have you not contributed to this conversation, you've proven to be absolutely ignorant about the topic, and you are awarded no points.

God have mercy on your soul.

I dont buy the security of that shit for a second.