Twitter DMs Insecure Compared To Signal/WhatsApp


Elon Musk has at last launched encrypted direct messages on Twitter. Adding encryption to a platform of that size is not easy, and the good news is that Twitter has added a new security layer for some of its users. The feature also comes with downsides, and the list is long.

Twitter launched encrypted direct messages on Wednesday, a feature Musk had promised users since he started running the company. Twitter set out the feature's advantages and disadvantages in a post on its help center, but weaknesses remain.

The company did not call the feature "end-to-end" encrypted, which means others can still read messages: hackers, government agencies, and even Twitter itself.

The help center page relays Elon Musk's position: Direct Messages should be private, and should stay private even if someone threatens us. We are not perfect yet, but we are trying.

Twitter's encrypted messaging feature has serious flaws, some of them shared with other end-to-end encrypted messaging apps; in Twitter's case they are even worse.

Facebook Messenger's encryption feature isn't on by default and must be enabled manually, which has drawn criticism. The feature doesn't prevent "man-in-the-middle" attacks, in which an attacker intercepts messages and impersonates a user; Apple's iMessage handles this better. It also lacks "perfect forward secrecy," which makes spying on users harder, and it doesn't support group messaging or sending photos or videos. The feature is only available to verified users who pay $8 a month, which limits the network that can use it.

A computer science professor says that Twitter's new encrypted messaging feature is not as good as Signal or WhatsApp, apps known for strong features and security. Signal's encryption is also used in WhatsApp and Facebook Messenger. Both Signal and WhatsApp are free, while Twitter Blue costs $8 per month and includes verification. The professor's recommendation: if you care about security, use the free apps instead, and you will save money too.

Green says it's a first step. On the positive side, it may improve.

Musk likes Signal, and he has talked to Moxie Marlinspike, its creator. Marlinspike previously worked on Twitter's security team and supported the idea of encrypting Twitter's DMs. Musk thinks they should try it.

Green, who has consulted for WhatsApp and Facebook on encryption, was surprised by how much Twitter's encrypted messaging lacks. Signal and WhatsApp have end-to-end encryption, but Twitter doesn't. Twitter doesn't support encrypted photos, videos or group chats, and it lacks Signal's constantly changing cryptographic keys, where each message is encrypted with a key that is never reused.

Signal has a security feature called "perfect forward secrecy": if someone's device is hacked and the key used to decrypt messages is stolen, future messages still can't be spied on. This is a basic feature of Signal, and Green, a security expert, is surprised that some systems lack it.

Twitter says on its help center that it can't make this work while keeping the ability to see DMs on a new device, and that it won't be making changes to fix it.

Twitter is also unable to prevent "man-in-the-middle" attacks, including ones where Twitter itself intercepts users' messages. In end-to-end encryption systems, messages are encrypted with the recipient's public key, and only the matching private key on the recipient's device can decrypt them. However, Twitter could trick a user, or be ordered by a government, into invisibly encrypting messages to an eavesdropper's public key; the messages could then be read before being re-encrypted with the intended recipient's key and sent on.

iMessage's end-to-end encryption shares this weakness. WhatsApp and Signal do better at stopping man-in-the-middle attacks: they use a key fingerprint that users can compare to make sure messages are going to the right person. Twitter does not have this yet, but it plans to add it soon.
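The fingerprint check described above, as an added example that is not code from Twitter, Signal or the article: a toy key directory models the platform's key lookup, and each side computes an order-independent "safety number" from its own key and the key the directory served for the other party. The keys are constructed random bytes standing in for real identity keys, and a substituted key in the directory models the man-in-the-middle case; the numbers only match when both sides hold each other's genuine key.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Constructed model for illustration: real clients use X25519 identity keys
# and a standardised fingerprint encoding; here a "public key" is 32 random
# bytes and the fingerprint is a truncated SHA-256 grouped for reading aloud.

def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of a public key, split into 4-character groups."""
    digest = hashlib.sha256(public_key).hexdigest()[:24]
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

def safety_number(key_a: bytes, key_b: bytes) -> str:
    """Order-independent pair fingerprint, so both parties compute the same
    string only if each holds the other's genuine key."""
    first, second = sorted((key_a, key_b))
    return fingerprint(first) + " / " + fingerprint(second)

class Directory:
    """The server's key lookup. `substitute` models the man-in-the-middle
    case: the platform hands out an eavesdropper's key instead of the real one."""
    def __init__(self, keys: Dict[str, bytes], substitute: Optional[Dict[str, bytes]] = None):
        self.keys = keys
        self.substitute = substitute or {}

    def lookup(self, user: str) -> bytes:
        return self.substitute.get(user, self.keys[user])

def out_of_band_check(directory: Directory, keys: Dict[str, bytes], a: str, b: str) -> bool:
    """Each side computes the safety number from its OWN key plus the key the
    directory served for the other side; the two strings are then compared
    over a channel the platform does not control (in person, a phone call)."""
    seen_by_a = safety_number(keys[a], directory.lookup(b))
    seen_by_b = safety_number(keys[b], directory.lookup(a))
    return seen_by_a == seen_by_b

def demo() -> Tuple[bool, bool]:
    """Returns (honest directory passes, tampered directory passes)."""
    keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    eavesdropper = os.urandom(32)  # constructed attacker key
    honest = Directory(keys)
    tampered = Directory(keys, substitute={"bob": eavesdropper})
    return (out_of_band_check(honest, keys, "alice", "bob"),
            out_of_band_check(tampered, keys, "alice", "bob"))

if __name__ == "__main__":
    print(demo())  # (True, False)
```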

Twitter doesn't have end-to-end encryption, and it's not clear whether this is the feature Musk promised. Twitter hasn't even said it has true end-to-end encryption, whereas Musk said his feature would protect messages from anyone, even under threat.

Riana Pfefferkorn, a security researcher at Stanford University's Internet Observatory, thinks that Zoom's product was launched too quickly and is not fully developed. In 2020, Zoom was punished by the Federal Trade Commission for falsely claiming to offer "end-to-end" encryption. Pfefferkorn believes that Twitter's avoidance of that term means it is unsure whether its system can meet that standard.

Twitter admits on its help page that its encrypted DM feature has issues, but those flaws may not be apparent to users in the web and app interface. Pfefferkorn is concerned that users may not understand the limitations. The help page tries to manage expectations, but it's uncertain whether Twitter users will come to believe that encrypted DMs provide more privacy and security than they do in reality.

Twitter's encrypted DMs have a big problem: only a small number of users can use them. Right now you can only send them from a verified account, which means you're either an important organization or someone who pays $8 a month. It's not fair that people should have to pay for security like this, says Green; it should be free for everyone.

End-to-end encrypted Twitter DMs could be handy for sending secret messages to people you can find on Twitter but whose phone numbers you don't have; unlike Signal and WhatsApp, you can reach strangers more easily. But encrypted DMs can only be sent between verified accounts, which restricts the network to a small number of Twitter users.

If you want to send a secure message on Twitter, there's still only one way, and it has been the same for years: send a direct message (DM), get the person's Signal number, and then use Signal to begin an end-to-end encrypted conversation.

Lily Hay Newman also contributed to this report.
