With the rollout of X’s innovative new messaging platform, XChat, to all X Premium subscribers, the company has also released updated documentation detailing the enhancements to its direct message (DM) encryption system, which is an integral part of the new chat experience.
To recap, X first launched message encryption for its Premium subscribers last year; however, that initial implementation fell short of the security standard X was aiming for. Elon Musk himself described the earlier version as “clunky,” indicating that it was not suitable for secure one-on-one messaging.
While encryption for X’s audio and video calls was successfully implemented after Musk’s acquisition of the platform, achieving comprehensive encryption for direct messages necessitated a substantial overhaul of X’s backend messaging infrastructure. This transformation aimed to enhance user security and privacy.
X has now completed those upgrades, and the platform is poised to make encrypted DMs the default setting for all users, putting privacy front and centre.
However, there are important specifics within this upgraded encryption system that users should be aware of.
As detailed by X:
“Upon entering Chat for the first time, a unique private-public key pair is generated for each user. Users are prompted to create a PIN (which remains on the device) to securely store their private key on X’s infrastructure. This private key can be retrieved from any device provided the user remembers their PIN. Additionally, a per-conversation key is utilized to encrypt the content of messages. The private-public key pairs facilitate the secure exchange of the conversation key between users engaged in the chat.”
While a four-digit PIN is far from the strongest protection available, it gives X users a straightforward way into the encrypted DM feature, trading some security for convenience.
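To make the key hierarchy in X’s description concrete, here is an added example that is not X’s code (X has not published its implementation): it assumes X25519 key pairs, AES-GCM for wrapping, a per-user salt and a hash-based stand-in for a real password KDF, and shows a device escrowing its private key under a PIN-derived key and recovering it on another device. The per-conversation key exchange itself is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Seal encrypts with AES-256-GCM and prefixes the fresh random nonce to the ciphertext.
func Seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // keys here are 32-byte SHA-256 outputs, so this cannot fail
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

// Open strips the nonce and verifies the tag: a wrong key or a tampered blob yields an error.
func Open(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// PinKey derives the wrapping key from the PIN and a per-user salt (iterated SHA-256 is an
// assumed stand-in for a memory-hard KDF such as Argon2). A 4-digit PIN has only 10^4
// candidates, so stretching alone cannot protect a leaked blob; the key store must also
// rate-limit or hardware-bind unwrap attempts.
func PinKey(pin string, salt []byte) []byte {
	k := sha256.Sum256(append(append([]byte{}, salt...), pin...))
	for i := 0; i < 100000; i++ {
		k = sha256.Sum256(k[:])
	}
	return k[:]
}

// WrapPrivateKey is what a device would upload: the X25519 private key sealed under the PIN key.
func WrapPrivateKey(priv *ecdh.PrivateKey, pin string, salt []byte) []byte {
	return Seal(PinKey(pin, salt), priv.Bytes())
}

// UnwrapPrivateKey is the recovery step on a new device; a wrong PIN fails the GCM tag.
func UnwrapPrivateKey(blob []byte, pin string, salt []byte) (*ecdh.PrivateKey, error) {
	raw, err := Open(PinKey(pin, salt), blob)
	if err != nil {
		return nil, err
	}
	return ecdh.X25519().NewPrivateKey(raw)
}
```

The server only ever holds the sealed blob and the salt; the recovered key can then perform the Diffie-Hellman exchange that protects the per-conversation key.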
X further emphasizes that it employs:
“… a combination of robust cryptographic techniques to encrypt every message, link, and reaction associated with an encrypted conversation before they leave the sender’s device and remain encrypted while stored on X’s infrastructure.”
Though the PIN-protected private key may represent a potential vulnerability, this approach is fairly standard; the difference is that X relies on a simpler PIN lock than many other encryption systems.
To send and receive encrypted messages within the app, both the sender and recipient must be using the latest version of the X app on iOS (encryption is not yet available for Android or web users). Additionally, the recipient must follow the sender, have accepted a previous DM from them, or have initiated contact with the sender before.
Thus, both parties must have signalled interest before encryption can be activated, which fosters a more secure communication environment.
X also notes that group messages and media are now covered by encryption; however, a record of any shared posts is still kept:
“The contents of an encrypted direct message are always protected, including any links, media, or files shared. Reactions to encrypted direct messages are also encrypted. It is vital to understand that while the content of the messages is encrypted, associated metadata (such as recipient details, creation time, etc.) remains unencrypted. If any posts are shared within an encrypted chat, X will retain a record of those shared posts.”
Furthermore, it’s important to know that if you log out of X, your direct messages will be automatically deleted from that specific device:
“If you log out from X at any time, all messages, including encrypted direct messages, on your current device will be erased; however, this action will not affect any other devices where you are logged in. Upon logging out, X will remove all private keys and conversation keys. If you log back in on the same device, your device will be able to retrieve and decrypt the encrypted conversations using the private key that the device had access to prior to logging out.”
While you will be able to recover your messages, the process may feel a bit unusual depending on how it is implemented.
Overall, this implementation represents a straightforward approach to basic encryption, though the reliance on a four-digit passcode raises some concerns regarding its security strength.
Nonetheless, it provides users with a more secure alternative, and X is optimistic that the enhanced security measures will encourage more users to engage in financial transactions within the app once X Payments are introduced.
X has announced plans to open-source details of its encryption system later this year, further enhancing transparency and user trust in its security protocols.