Why X’s New Encrypted Chat Isn’t Ready for Trust

X, formerly known as Twitter, has begun rolling out its new encrypted messaging feature, branded as “Chat” or “XChat.” The company says conversations will be protected with end-to-end encryption, meaning only the sender and recipient should be able to read them — not even X itself.

But according to cryptography and security experts, the current implementation of XChat falls far short of that promise and should not yet be considered reliable.

How XChat Works — and Why Experts Are Concerned

To set up XChat, users are prompted to create a four-digit PIN. This PIN encrypts their private key, which is then stored on X’s servers. In true end-to-end encrypted systems, such as Signal, private keys are stored locally on the user’s device, never on the provider’s infrastructure.

Security researcher Matthew Garrett highlighted that if X is not using Hardware Security Modules (HSMs) to protect those keys, the company could tamper with them — or even brute-force the four-digit PINs — potentially allowing message decryption. While an X engineer has claimed HSMs are in use, no technical proof has been provided. As Garrett put it: “Until that’s done, this is ‘trust us, bro’ territory.”
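
To put numbers on that concern, here is an added sketch (not X's code and not from the original article) comparing a PIN-wrapped key with no guess limit against a model of the attempt counter an HSM is meant to enforce. PBKDF2, the iteration count, the 10-attempt limit and the AttemptLimitedVault class are assumptions for illustration; X has not published its design.

```python
import hashlib
import hmac
import os
import time

PIN_SPACE = 10 ** 4       # every four-digit PIN, 0000-9999
KDF_ITERATIONS = 100_000  # assumed work factor; not a value published by X

def stretch(pin: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive a key from the PIN (PBKDF2 is an assumption for this sketch)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)

def offline_exhaustion_seconds(iterations: int = KDF_ITERATIONS, samples: int = 3) -> float:
    """Upper bound, on one core, for trying every PIN against a blob that
    has no guess counter: measured cost per derivation times PIN_SPACE."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        stretch(f"{i:04d}", salt, iterations)
    return (time.perf_counter() - start) / samples * PIN_SPACE

class AttemptLimitedVault:
    """Hypothetical model of what an HSM adds: the failure counter sits
    beside the key, and the key is destroyed when the counter runs out."""
    def __init__(self, pin: str, secret: bytes, max_attempts: int = 10):
        self._salt = os.urandom(16)
        self._verifier = stretch(pin, self._salt)
        self._secret = secret
        self._max = self._left = max_attempts

    def unwrap(self, pin: str) -> bytes:
        if self._secret is None:
            raise PermissionError("key destroyed after too many bad PINs")
        if hmac.compare_digest(stretch(pin, self._salt), self._verifier):
            self._left = self._max   # a correct PIN resets the counter
            return self._secret
        self._left -= 1
        if self._left == 0:
            self._secret = None      # irreversible: key material is gone
        raise ValueError("wrong PIN")

def guess_success_bound(max_attempts: int) -> float:
    """Best-case odds for someone limited to max_attempts guesses."""
    return min(max_attempts, PIN_SPACE) / PIN_SPACE

if __name__ == "__main__":
    secs = offline_exhaustion_seconds()
    print(f"no guess limit: whole PIN space in about {secs:.0f} s on one core")
    print(f"10-guess limit: success chance at most {guess_success_bound(10):.1%}")
```

Key stretching only multiplies a 10,000-entry search by a constant, which is why the unanswered question of whether an enforced, operator-proof attempt limit exists matters more than the choice of KDF.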

Risks of Insider or Provider Compromise

Even X acknowledges that “a malicious insider or X itself” could compromise encrypted conversations under the current setup. This type of attack, known as an Adversary-in-the-Middle (AITM) attack, undermines the very essence of end-to-end encryption.

Garrett further noted that users cannot verify whether the keys provided by X are genuine or fabricated, leaving the door open for such attacks.

Lack of Transparency and Forward Secrecy

Unlike Signal, which is fully open-source and well-documented, XChat’s design remains closed. The company says it plans to release a whitepaper and open-source its code later this year, but until then, independent verification is impossible.

Additionally, XChat does not implement Perfect Forward Secrecy (PFS) — a key security feature that ensures each message is encrypted with a new key. Without PFS, if a private key is compromised, attackers could decrypt not only the most recent message but also past conversations.

Expert Consensus: Not Secure Enough Yet

Given these issues, experts advise caution.

  • Garrett emphasized that even if X were fully trustworthy now, “they could stop being trustworthy at any point” — leaving users exposed.
  • Matthew Green, a Johns Hopkins cryptography professor, echoed this warning: “Until it gets a full audit by someone reputable, I would not trust this any more than I trust current unencrypted DMs.”

For now, XChat exists alongside the legacy Direct Messages system, but users should assume it provides no stronger protection than standard, non-encrypted chats.

X did not respond to repeated requests for comment.

Source: https://techcrunch.com/2025/09/05/x-is-now-offering-me-end-to-end-encrypted-chat-you-probably-shouldnt-trust-it-yet