X is now offering me end-to-end encrypted chat — you probably shouldn't trust it yet | TechCrunch
https://techcrunch.com/2025/09/05/x-is-now-offering-me-end-to-end-encrypted-chat-you-probably-shouldnt-trust-it-yet/Open linkView original on reddthat.com315
Comments98
TL;dr of the article :
This secret stays between you, me, and Elon.
I hope politicians use the hell out of it, so we can see what they really think when it gets (inevitably) hacked in a few weeks.
What is the "A" in "AITM"?
This is the first time I heard of AITM, thought it was a new name for MITM:
https://www.blueshielditns.com/post/man-in-the-middle-vs-adversary-in-the-middle-understanding-the-differences-and-staying-safe
Are you sure that site is trustworthy? It kinda reads like an LLM being told to explain the difference between two names for the same thing and basically rephrasing the same thing. I'd imagine it might just be a different name to get rid of a male-coded word.
Adversary
It’s just MITM but with extra steps
Ah yes, Malcolm in the Middle is behind this all along.
Anal
Anyone
Aliens
Elon.
Apple
Asshole
Administrator
Agencies
Then it's literally not even E2EE, lol
is it different with signal, telegram, whatsapp?
If you chat on Xitter you‘re chatting with mecha Hitler.
They are stupid, but not that stupid.
Never attribute to malice what can be attributed to incompetence.
I used to give the benefit of the doubt but when there are bad incentives in play and shit keeps happening.. then perhaps that is naïve sometimes, unfortunately.
Do you mean bad incentives?
And sure, I don't disagree, but these people are also not actually that smart. I would worry more about this getting hacked in a week way before Elon gets a chance to use it against anyone.
Thanks, I do.
So...they're just blatantly lying?
Right, they have the key, and the lock, but the key isn't in the lock, so it's utterly impossible for them to access it.
Typical corpo doublespeak
It's encrypted with a 4 digit pin so they'll have to spend at least 316.8809e-10 years on brute-forcing it.
That's why my PIN is 5 digits: 12345
One. Two. Three. Four. Five?
That's amazing. I've got the same combination on my luggage.
Suck. Suck. Suck. Suck!
No - did you even read the article? An x employee confirmed that they’re using the “special” servers to store the keys that mean that they cannot see them. The author then says that the employee confirming it doesn’t mean they do, because the author doesn’t want it to be true.
There are hardware for that called hardware security modules, but yeah I definitely wouldn't trust Twitter's implementation - especially because they probably just need the auth team to tell the HSM that the user logged in when they didn't to get that key
A proper implementation would use multiple security measures and require a reset (delete) of certain private account data before the account access can be reset, otherwise the user's password would be needed (for key derivation) or some other secret held by the user's devices (in the TPM chip or equivalent)
So again, you think you know better than the employee simply because you want it to be done incorrectly.
I've run a cryptography forum for 10 years. I can tell snake oil from the real deal.
Musk's Twitter doesn't know how to do key distribution. The only major company using HSMs the way Musk intends to is Apple, and they have far more and much more experienced cryptographers than X does.
So again - you just don’t want it to be true, and you think the people that know more than you about it are lying.
You sound like an antivaxxer defending a crank
You sound like a conspiracy theorist defending wearing an aluminium foil hat.
The Muskrat lying? No, never!
...yet? How bout just not trusting it at all?
Hah, beat me by 17 seconds!
That "yet" is the narrative hook to trick us into feeling like it will soon be trustworthy, and that our assumed suspicions refer to a temporary state of untrustworthiness. Clever girls!
Feels like Bluesky’s federation promise.
I think you can install your own bluseky instance and federated with others.
I don’t consider the PDS stuff to be fully federated. That’s just keeping your data on a different server, as far as I understand it. To be federated it needs to be a full interoperable server like mastodon, or lemmy.
You should also be able to host a non federated instance, or one with limited federation.
If they have moved past that, and I can open a server and have people sign up for accounts, then I stand corrected.
Bluesky federates across different layers, it's modular, it doesn't have a comparable same-layer federation. It is fully interoperable, just not by the method you're used to.
You can host your own partial appview now (caching and indexing your and your friends' comment), and multiple people have managed to run their own relays for cheap (caching most of the posts in the network), and you can pull the rest of data you need to browse from the other relays and use the service as usual. You can run your own moderation labeler, use your own app, just your own account, etc...
Just look at the interoperable blacksky project by a bunch of black devs making their own infrastructure for accounts and moderation, etc.
To be non federated, all you have to do is not announce your server and not accept arbitrary connections
Due to content addressing, limited federation isn't really a thing by the usual definition. You can filter content from any PDS you don't like, but can't really control who can see already public posts
Correct, foolish human! Now sign up.
How about: "You probably should trust or use X at all... ever."
Hey y'all. Reminder not to trust a platform owned and operated by a Nazi manchild.
Yet? What kind of idiot would imagine that X would or could provide actual secure communication?
Shouldn't trust it yet.
Or ever.
YET?
Brain damaged people trust x again.
It's proprietary, how could you possibly trust it?
Do you think this is the face of a liar
The face of this liar makes my face go on fire
With a white circle and a swastika inside?
"xchat" sounds like one of those porn chat rooms
Why are people evening using this site anymore? It’s been severely compromised.
What some call "normies" besides most celebrities.
most likely vendor lockin and i hate it its common on social media.
Cause it has an audience unlike mastodon or bluesky. All the other alternatives are dead.
Your hero just joined bluesky so not that dead
but bluesky(i think similar to twitter but slightly lower users??) has a bigger audience then mastodon, most people i saw there still use twitter.
Our good friend Elon cannot be trusted? I don't believe you, this must be propaganda to discredit his good manners.
Accusing gentle Elon of a misdeed?
If you trust ANYTHING Musk has for you well then have I got a bridge to sell you.
probably??? try definitely and ever
Quick everyone, install this just so that if Pete Hegseth invites people to the next airstrikes chat group, your satirical JD Vance account will be next to the real JD Vance's account and he'll probably add you both and figure it out later.
Never trust any social media sites "private" chat.
Especially not one of the big ones run by weirdo fascists. You know Elmo is going to snoop on anyone relatively famous, or that just say something he doesn't like.
In all honesty, there's zero reason to even have accounts on them
Even if the server had zero knowledge of your private keys (which is doubtful), I'm sure the client code won't have any backdoors. It's only the social media "platform" owned by the world's most thin-skinned billionaire.
I wouldnt trust X with a picture of my shoes
Yet? More like never.
I don't trust anything coming out of Elon's fascisthole. Deleted the app when he bought it and never looked back.
I refuse to even click on links. If a friend sends me an X link to something funny/interesting I tell them "I don't click on Nazi links" and ask them to find me another source.
Signal and encrypted email only.
Friends and I swapped our group chat to Signal the day Trump was inaugurated...the first time.
If things keep going the way they are, no one should be communicating on anything but encrypted messaging apps.
Or ever.
Or ever
It’s like a regular encrypted chat but with peepholes and racism.
All of this has the same vibes as the time Brigham Young University amended their code of conduct to allow people to come out as queer, let some students come out, and then changed the CoC back and expelled the students.
shouldn't trust it yetshouldn't trust it everDon't trust it at all.
I do really like E2EE but why do I need it in everything?
If I want to talk to someone I would rather them message me on Signal or something that I trust more.
Yeah, way too many services have chats. I think it's because every large platform wants to be an "everything app". Messaging is a really easy to feature to implement to (theoretically) add value.
Cool, and I bet it will be just as trustworthy as WhatsApp (i.e. not at all).
Probably shouldn't? How 'bout definitely shouldn't, ditto for Twitter in general. Give ATproto shit all you want but at least you can move to an independent PDS with it.
Granted ActivityPub is still ideal over ATproto, but both are better than a centralized black box.
LOL nope. I'd use anything else. As in NO X.
It was eyerolling back when that dickhead decided to sell blue checkmarks instead of issuing them only to verified celebrities.
Ah, new ways for Kegsbreath to expose his idiocy.
I trust it but there is a major misunderstanding of end to end encryption. Some implementations the platform holder does not have a key to decrypt data but it is far from a requirement. All end to end means is there's a blocker preventing the network from seeing what you send not twitter who im assuming has a copy of the key.
That is NOT end to end encryption. That is transport layer encryption. So basically SSL
End to end is from sender to recipient. No one in the middle should be able to read anything
It's like ssl but done at the application layer. Nobody in the middle can read it except it's nobody in the middle of you and twitter and twitter and the recipient. If you put something on a platform and they have the key they will always be able to read it if they want to.
are you being dense on purpose? sender and recipient are both users. never twitter.
i'm not saying that twitter's messaging is secure. the opposite. what i'm saying is that you statement of "All end to end means is there’s a blocker preventing the network from seeing what you send not twitter" is 100% objectively wrong.