The implementation seems to be libsodium sealed boxes, with the key material sequestered using the juicebox.xyz protocol. In itself this seems broadly fine, with the significant proviso as mentioned in https://help.x.com/en/using-x/encrypted-direct-messages that identity is not verified at present, and as a result it's trivially MITMable.
But there's something more subtle here. Juicebox means that your key material is remotely stored in encrypted form. In an ideal setup, it's split between multiple different realms operated by different people, and the key material is stored in HSMs. There's a complicated dance where you prove knowledge of the PIN without actually revealing the PIN, and then the remote realms hand over the key material and you reassemble it into your key by decrypting it with a key also derived from your PIN.
If Twitter is running their own Juicebox realms then you're having to trust them. Even if the realms are implemented as HSMs, they're in a position to see the encrypted key material as it exits the HSM. And if they're not in HSMs, then the encrypted key material is just sitting there where they can see it. This doesn't intrinsically give them the key, since it still needs the PIN to decrypt it - but the key derivation function from the PIN is just 32 rounds of argon2id with 16MB of memory use, and given the PIN is limited to 4 digits, that's going to take about a second of GPU aided brute forcing to drop out the actual key.
As noted in the help doc, this isn't forward secure, so the moment they have the key they can decrypt everything. This is so far from being a meaningful e2ee platform it's ridiculous.
This is a very thorough technical analysis—thanks for sharing! It seems like even though Juicebox itself uses libSodium sealed boxes and HSMs, the security is ultimately constrained by the 32 rounds of argon2id for the PIN derivation and Twitter’s ability to access the encrypted key material. Perhaps its biggest selling point is deployment flexibility rather than being a true end-to-end encrypted platform.
Since we're on the topic of having to trust X, is there any reason to believe X wouldn't insert some code into the client JS (behind some per-account flag) to exfiltrate your key or PIN, if they were ordered to do so?
I wouldn't rely on a website as a secure communication client, that seems like a job for an open-source native application. But I'm no expert.
Oh, yeah, with no infrastructure to actually attest to the website (or the app) being trustworthy you're inherently placing trust in Twitter. Use Signal.
In a nutshell: we have unclear comments from Musk and unclear statements in the FAQ (which might not have been written by a technical person). Until they release a technical white paper, we don’t know anything for sure.
The first time I heard about this "XChat" was through a screenshot of Musk's tweet where he said it has "bitcoin style" encryption. Honestly, it was obvious just from reading that, that Musk has absolutely no idea what he's talking about when it comes to cryptography, and that nobody he has talked to on the development team has any clue either.
That doesn't mean that we know for sure that the team doesn't have cryptography experts, but ... I have my doubts. Surely we'd have heard details by now if that was the case.
(I mean "Bitcoin style"! The most important part of encrypted chat is confidentiality, and no part of Bitcoin's architecture even ATTEMPTS to ensure confidentiality! Everything's permanently stored in plaintext on the public ledger FFS!!!!)
It sounds like an offhand comment that we shouldn’t read much into.
Bitcoin’s creator demonstrated an impressive mastery of cryptography — it was made to be extremely resilient (including to quantum computing) and no one has ever broken it despite billions of dollars being on the line. Maybe Musk meant to say that he thinks his product will be similarly resilient.
He might also mean that the secp256k1 elliptic curve (which Bitcoin uses) is also used by their product in some way, such as for a key exchange.
You can read anything with the assumption that the writer is an absolute idiot, but I’d give the world’s richest man more credit than that.
You think Elon Musk doesn’t know what he’s talking about? Sorry, you might disagree with his politics, but the assertion that he doesn’t know what he’s talking about is absurd.
Some things Musk claimed have happened, others have not. For example, he promised that they would release a satellite Internet platform that was better than most of the others, and they did.
On the other hand, he promised that Grok 3 would be massively better than ChatGPT, and it turned out to be comparable at best.
> Currently, we do not offer protections against man-in-the-middle attacks. As a result, if someone—a malicious insider or X itself as a result of a compulsory legal process—were to compromise an encrypted conversation
I assume this means that the "encryption" is about as strong as base64.
It seems to me like this is what happens when you do impulsive, hype-driven development. I assume a junior walked into Elon's office and pitched it with the words "Bitcoin style encryption, as a chat platform -- written in Rust, almost entirely developed by Grok3", and he was sold.
I'm not being cynical or funny, I legitimately think, after having worked with some hype-driven leadership people, that this is quite common and results in a lot of flawed slop products, which are hyped up by leaders who don't know what they're talking about.
Admitting that this sort of product doesn't do what they think it does would mean admitting that they are wholly incompetent and got tricked by the hype; and that's not acceptable. So it gets sunk-cost-fallacied into being a real product even more.
In my experience, it's never "a junior". There are people who build their entire careers on doing things like this. The rest of the story is completely believable, despite being put in an unnecessarily sarcastic tone.
[0]: http://xchat.org
1) https://en.wikipedia.org/wiki/BitchX
If this hasn't been done already, I have a new weekend project!
It’s not the same XChat
Using crypto as a phrase makes it more interesting for journalists, gives them something to pad their articles with.
You say Musk has no idea, but he has top talent working for him and they will explain stuff.
He will then think of the PR and Sales angle and adjust the product/press releases accordingly.
I mean it's just for notifications to my app so it's not something critical.