Resources

Font size: +

Twitter launches encrypted private messages

twitter-encrypted-messages

Twitter aims to become the most trusted platform on the internet by implementing encrypted Direct Messages. This feature ensures that even if someone forces Twitter to access messages, they would be unable to do so.

Twitter generates device-specific key pairs consisting of private and public keys. The public key is registered automatically when a user logs in on a new device, while the private key remains on the device and is never shared with Twitter. Each conversation is encrypted with a unique key, which is securely exchanged between participating devices using the private-public key pairs. Strong cryptographic schemes are used to encrypt all messages, links, and reactions before they leave the sender's device. Messages are decrypted on the recipient's device for reading. Twitter plans to release a technical whitepaper and open-source the implementation later in the year. To send and receive encrypted messages, users must meet certain criteria: both sender and recipient must be using the latest Twitter apps, both must be verified users or affiliated with a verified organization, and the recipient should either follow the sender, have previously messaged the sender, or have accepted a Direct Message request from the sender.

Here are the limitations of Twitter's encrypted Direct Messages:

  1. Group chats: Currently, encrypted messages can only be sent to a single recipient, but Twitter plans to expand this feature to include group conversations in the future.

  2. Content: Encrypted messages can only contain text and links; media and other attachments are not supported at the moment. Reactions to encrypted messages are also encrypted. While the messages themselves are encrypted, metadata (such as recipient and creation time) and linked content (except for the links themselves) are not.

  3. New devices: New devices cannot join existing encrypted conversations. If you log into Twitter on a new device, existing encrypted conversations and their messages will be filtered out, and you won't be able to access them.

  4. Device registration/de-registration: Users are currently limited to a maximum of ten devices for encrypted messages. Once this limit is reached, you cannot send or receive encrypted messages on any new devices. There is no support for viewing a list of registered devices or de-registering a device.

  5. Verify integrity of conversations: Currently, Twitter does not provide protection against man-in-the-middle attacks, which means compromising an encrypted conversation would go undetected. However, Twitter is working on implementing mechanisms such as signature checks and safety numbers to verify content authenticity and device access, which will make such attacks difficult and alert both senders and recipients.

  6. Reporting: Due to the encrypted nature of the conversation, it is not possible to report an encrypted message to Twitter. If you encounter an issue with a participant in an encrypted conversation, you should report the account itself.

  7. Logout and Key backup: Logging out of Twitter will delete all messages, including encrypted messages, from the current device. The private key is not erased from the device upon logout, but Twitter plans to erase keys on logout once the key backup feature is available. Users should be cautious when using the product on shared devices.

  8. Forward Secrecy: Twitter's implementation is not "forward secure," meaning if a registered device's private key is compromised, all encrypted messages sent and received by that device can be decrypted. This is done to maintain the user experience of storing and downloading DM history. Twitter does not plan to address this limitation.

  9. Encrypted message deletion: When you delete an encrypted message, it is only deleted from your account, not the other participant's inbox. Deleting or leaving an encrypted conversation does not prevent the other person from sending you a Direct Message in the future. The deleted data is instantly removed from your device and will soon be removed from all your other devices, but the recipient may still be able to see the deleted message or conversation.

 

Source: Twitter; Image source: Pixabay

 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Thursday, 21 November 2024