An analysis of X(Twitter)'s new XChat features shows that X can probably decrypt users' messages, as it holds users' private keys on its servers
Technology
48
Beiträge
32
Kommentatoren
68
Aufrufe
-
This post did not contain any content.
Xchat is an irc client though.
-
Xchat is an irc client though.
The one true XChat
-
seriously, that's the most convoluted wording possible for a simple statement. If they have the private keys they have the private keys and there's no need for analysis.
Weird, I didn't see 'probably' once in your reply.
-
Which effectively means the messages aren't encrypted. Cool.
I mean they’re encrypted in transit. They’re just not end to end encrypted.
-
I'm surprised nobody posted the surprised_pikachu.gif yet.
-
This post did not contain any content.
Enshittification continues
-
This post did not contain any content.
Yes and? Do people who use X really care about privacy. Everyone who even remotely cared already jumped ship and moved on to matrix, signal, Simplex etc.
And im not even mentioning the fact X is owned by a psychopath. But hey let's pretend they care about your privacy.
-
This post did not contain any content.
Deleted
-
This post did not contain any content.
Stop using fascist things.
Stores, websites, apps, cars, hosting, operating systems, and all other providers of goods/services should be audited by you. You should then ask yourself if you want to give them your money and/or your trust.
-
Stop using fascist things.
Stores, websites, apps, cars, hosting, operating systems, and all other providers of goods/services should be audited by you. You should then ask yourself if you want to give them your money and/or your trust.
I'm trying, but they keep forcing it into devices I already own and even with turning it off in the settings sometimes it gets turned back on during updates. At least avoiding the X/shitter bot is easy enough, but the rest are just as invasive.
-
I mean they’re encrypted in transit. They’re just not end to end encrypted.
Do not look at all those (proprietary) E2EE definitions to closely - you might find several that define TLS as end to end...
-
I'm trying, but they keep forcing it into devices I already own and even with turning it off in the settings sometimes it gets turned back on during updates. At least avoiding the X/shitter bot is easy enough, but the rest are just as invasive.
Out of curiosity what devices are giving you these issues? I may know of some alternatives depending.
-
The one true XChat
inb4 the logo looks like this:
-
Out of curiosity what devices are giving you these issues? I may know of some alternatives depending.
Anything with a web browser. Work computers. Phone. Have to turn off the AI crap on all of those manually after they were added in updates.
Don't really believe turning off the settings keeps them from farming data either, since they constantly lie about what data they collect and use for training.
-
Do not look at all those (proprietary) E2EE definitions to closely - you might find several that define TLS as end to end...
I mean TLS is also encryption in transit, it’s in the name. And it would sorta be end to end if you’re terminating TLS at the end you’re trying to talk to.
-
This post did not contain any content.
If anyone except you has the private key, then your private messages are not private.
-
If anyone except you has the private key, then your private messages are not private.
To extend this, that includes YOU giving your key to another application to decrypt those messages.
For example if you use an app or browser extension, that app or browser extension has access to that key. Additionally the browser itself or operating system had access to the key.
Now they may be fully audited. They may have a great reputation. You may trust them. But they are part of the decryption (and if sending encryption) process.
It's a chain of trust, you have to trust the whole chain.
-
Anything with a web browser. Work computers. Phone. Have to turn off the AI crap on all of those manually after they were added in updates.
Don't really believe turning off the settings keeps them from farming data either, since they constantly lie about what data they collect and use for training.
For web browser's, check librewolf or brave, I would lean further towards librewolf just because it's oss which is something I value.
For search engines, we're in a weird spot right now because Microsoft is restricting the use of Bing's search API, but duck duck go is good, and ecosia as well, but they both may be in a rough spot soon.
Work computer you can't do much other than ask your supervisor to ask about moving away from ai stuff, all you can do directly is limit your personal information on your work station.
For phones, If you have apple, sorry, if not, you could look into changing the operating system on it to something like e/os or graphene os, they are both operating systems that are focused on privacy and security.
If you need anymore information about my recommendations, I am happy to help.
-
I mean TLS is also encryption in transit, it’s in the name. And it would sorta be end to end if you’re terminating TLS at the end you’re trying to talk to.
Thats the problem. Say, I'm offering you a cloud drive and tell you "your data is end to end encrypted". You sync data from your PC to my server and from my server to your mobile phone. Would that mean
- That everything between your devices is encrypted (=I can't see what you're saving, neither can "the state", hackers,...)or
- That your data is encrypted in transit, but is saved unencrypted on my server (which means everyone with access to my server can see your data) or
- It's encrypted in transit and also on my server, but the keys are also ony server, so that everyone with access to my server can in theory decrypt everything and access everything?
1 is what you want, 2 and 3 are often what you get...
-
Thats the problem. Say, I'm offering you a cloud drive and tell you "your data is end to end encrypted". You sync data from your PC to my server and from my server to your mobile phone. Would that mean
- That everything between your devices is encrypted (=I can't see what you're saving, neither can "the state", hackers,...)or
- That your data is encrypted in transit, but is saved unencrypted on my server (which means everyone with access to my server can see your data) or
- It's encrypted in transit and also on my server, but the keys are also ony server, so that everyone with access to my server can in theory decrypt everything and access everything?
1 is what you want, 2 and 3 are often what you get...
It’s not that I disagree with you on principle, I think you’re just kinda mixing up scenarios here, and the purpose of E2EE. E2EE refers to in transit data specifically. #1 should never be where your mind goes because E2EE does not imply your data will be encrypted at rest at the destination, that’s not what it’s for. E2EE is a critical factor when the untrusted facilitator party is between you and your intended recipient, not the recipient themselves.
Like in your scenario of a “cloud drive”, E2EE would not be a selling point of that service. The term you’re looking for in that scenario is “zero access encryption”.
Like you’re correct that E2EE does not imply that data stored in the cloud is encrypted at rest, but that’s because it isn’t meant to. Like this isn’t a dirty marketing trick. E2EE just needs to do what it says on the tin, which this X chat does not because they in order for it to be E2EE, it needs to be the case that only the recipient can decrypt it.
