Cryptography Experts Warn Against Trusting XChat’s End-to-End Encryption Due to Security Concerns and Lack of Transparency
The tech company, previously known as Twitter, has begun launching its new encrypted messaging service called “Chat” or “CompanyChat”. This innovation promises end-to-end encryption, ensuring that messages exchanged on it can only be viewed by the sender and recipient, with no third parties, including the company itself, gaining access.
However, cryptography experts have expressed concerns about the current implementation of encryption in CompanyChat. They argue that it falls significantly short compared to Signal, a technology renowned for its excellence in end-to-end encrypted chat.
In CompanyChat, upon clicking “Set up now”, users are prompted to create a four-digit PIN to encrypt their private key. This key is then stored on the company’s servers. The private key serves as a secret cryptographic key for each user, decrypting messages. Similar to many end-to-end encrypted services, a private key is paired with a public key, which senders use to encrypt messages intended for receivers.
This setup poses a concern for CompanyChat, as Signal stores a user’s private key on their device, not on servers. The location and security measures used for storing the private keys on the company’s servers are crucial questions.
Security researcher Matthew Garrett, who published a blog post about CompanyChat in June when the service was first announced, expressed worry that if the company does not use hardware security modules (HSMs) to store the keys, they could potentially manipulate or decrypt messages. HSMs are servers designed to make it harder for the company owning them to access data stored within.
An engineer from the company claimed in a June post that they do indeed use HSMs, but no proof has been provided so far. In response, Garrett stated, “Until that’s done, this is ‘trust us, bro’ territory.”
Another concern, admitted by the company on the CompanyChat support page, is the possibility of a malicious insider or the company itself compromising encrypted conversations. This is technically known as an “adversary-in-the-middle,” or AITM attack, which renders the purpose of an end-to-end encrypted messaging platform irrelevant.
Garrett stated that CompanyChat gives users a public key whenever they communicate with them, making it impossible to prove whether the company hasn’t created a new key and performed an AITM attack.
At present, none of CompanyChat’s implementation is open source, unlike Signal’s, which is meticulously documented. The company plans to “open source our implementation and describe the encryption technology in depth through a technical whitepaper later this year.”
Lastly, CompanyChat does not offer “perfect forward secrecy,” a cryptographic mechanism that ensures every new message is encrypted with a different key. If an attacker compromises a user’s private key, they can only decrypt the last message, not preceding ones. The company acknowledges this shortcoming.
Due to these concerns, Garrett advises that CompanyChat may not yet be trusted by users. He stated, “If everyone involved is fully trustworthy, the Company implementation is technically worse than Signal. And even if they were fully trustworthy to start with, they could stop being trustworthy and compromise trust in multiple ways… If they were either untrustworthy or incompetent during initial implementation, it’s impossible to demonstrate that there’s any security at all.”
Garrett is not the only expert voicing apprehensions. Matthew Green, a cryptography expert from Johns Hopkins University, shares similar sentiments. He says, “For the moment, until it gets a full audit by someone reputable, I would not trust this any more than I trust current unencrypted DMs.” (CompanyChat is a separate feature that currently coexists with the legacy Direct Messages.)
The company did not respond to several questions sent to its press email address.
