Which effectively means the messages aren’t encrypted. Cool.
An analysis of X(Twitter)'s new XChat features shows that X can probably decrypt users' messages, as it holds users' private keys on its servers
Submitted 2 days ago by Pro@programming.dev to technology@lemmy.world
Comments
Sciaphobia@sh.itjust.works 2 days ago
athairmor@lemmy.world 2 days ago
It also effectively means they are reading those messages.
EncryptKeeper@lemmy.world 2 days ago
I mean they’re encrypted in transit. They’re just not end to end encrypted.
elvith@feddit.org 2 days ago
Do not look at all those (proprietary) E2EE definitions to closely - you might find several that define TLS as end to end…
cmnybo@discuss.tchncs.de 2 days ago
If anyone except you has the private key, then your private messages are not private.
MimicJar@lemmy.world 2 days ago
To extend this, that includes YOU giving your key to another application to decrypt those messages.
For example if you use an app or browser extension, that app or browser extension has access to that key. Additionally the browser itself or operating system had access to the key.
Now they may be fully audited. They may have a great reputation. You may trust them. But they are part of the decryption (and if sending encryption) process.
It’s a chain of trust, you have to trust the whole chain.
GamingChairModel@lemmy.world 1 day ago
It’s a chain of trust, you have to trust the whole chain.
Including the entire other side of the conversation. E2EE in a group chat still exposes the group chat if one participant shares their own key (or the chats themselves) with something insecure. Obviously any participant can copy and paste things, archive/log/screenshot things. It can all be automated, too.
Take, for example, iMessage. We have pretty good confidence that Apple can’t read your chats when you have configured it correctly: E2EE, no iCloud archiving of the chats, no backups of the keys. But do you trust that the other side of the conversation has done the exact same thing correctly?
Or take for example the stupid case of senior American military officials accidentally adding a prominent journalist to their war plans signal chat. It’s not a technical failure of signal’s encryption, but a mistake by one of the participants inviting the wrong person, who then published the chat to the world.
CubitOom@infosec.pub 2 days ago
Stop using fascist things.
Stores, websites, apps, cars, hosting, operating systems, and all other providers of goods/services should be audited by you. You should then ask yourself if you want to give them your money and/or your trust.
spankmonkey@lemmy.world 2 days ago
I’m trying, but they keep forcing it into devices I already own and even with turning it off in the settings sometimes it gets turned back on during updates.
Attacker94@lemmy.world 2 days ago
Out of curiosity what devices are giving you these issues? I may know of some alternatives depending.
bitjunkie@lemmy.world 1 day ago
That’s not what “private” means. If they have both keys, the wording “might be able to” is at best extremely misleading.
dubyakay@lemmy.ca 2 days ago
Xchat is an irc client though.
InFerNo@lemmy.ml 1 day ago
This is the first thing that came to mind. I used that for ao many years, then went on to Hexchat.
Quazatron@lemmy.world 2 days ago
I’m surprised nobody posted the surprised_pikachu.gif yet.
StopSpazzing@lemmy.world 2 days ago
unexposedhazard@discuss.tchncs.de 2 days ago
They control all the endpoints/clients so even if they didnt, they could change it at any moment as the code isnt open…
100_kg_90_de_belin@feddit.it 1 day ago
I mean, no yes man would enforce the fascist technocrat’ order of reading all those messages. You know, the same technocrat who bought Twitter with Saudi money to cripple resistance movements and steer the public toward the alt right. The one with a thing for eugenics.
nthavoc@lemmy.today 1 day ago
And yet people still keep using Twatter like it’s the only thing that has ever existed since the dawn of the internet. At this point, you deserve to get wrecked for still using this platform.
Trihilis@ani.social 2 days ago
Yes and? Do people who use X really care about privacy. Everyone who even remotely cared already jumped ship and moved on to matrix, signal, Simplex etc.
And im not even mentioning the fact X is owned by a psychopath. But hey let’s pretend they care about your privacy.
Vanilla_PuddinFudge@infosec.pub 1 day ago
If a corporate entity made it and hosts it, and it isn’t foss, don’t chat on it.
rottingleaf@lemmy.world 1 day ago
No way. Impossible. Of course convenience never has a price tag.
/s for typical users of today’s Web
lemmydividebyzero@reddthat.com 2 days ago
Enshittification continues
Venus_Ziegenfalle@feddit.org 2 days ago
That’s not “probably”. If they have the key they straight up have access. The key to my house can’t just probably unlock the door.
homesweethomeMrL@lemmy.world 2 days ago
seriously, that’s the most convoluted wording possible for a simple statement. If they have the private keys they have the private keys and there’s no need for analysis.
whostosay@lemmy.world 2 days ago
Weird, I didn’t see ‘probably’ once in your reply.