Twitter’s new encrypted messaging feature criticized by security and privacy experts | CNN Business



Washington
CNN

A new feature Twitter unveiled Wednesday that encrypts some direct messages between users has been widely scrutinized by privacy and security experts, raising questions about the future of user security on the platform.

Twitter’s early efforts to secure direct messages with encryption appear to be riddled with caveats, flaws and risks that could endanger users, experts said after the company went public with its initial release.

With the first iteration of the feature, only users who are paying subscribers to Twitter Blue or whose organizations have paid to be verified with the company can use encrypted messages.

Also, encrypted messages can only be sent between two people, not between groups. Encrypting images, videos and other media is not supported. Both participants must have exchanged direct messages in the past, or the recipient of an encrypted message must already be following the sender.

Perhaps most importantly, Twitter acknowledged that even with the encryption feature enabled, the company itself and other third parties can still access users’ messages.

“I’m trying to be positive about Twitter rolling out encrypted DMs even though there are so many things about this system that make it feel like a v0.1 release, or are just obnoxious,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, in a tweet.

Twitter’s former chief information security officer, Lea Kissner, publicly asked Twitter’s current engineering team to improve the feature quickly.

“Twitter people, seriously. I’ve left some design documents somewhere. Please use them,” Kissner wrote on Bluesky, a rival platform.

Twitter has described encrypted messaging as key to the company’s future of becoming “the most trusted platform on the Internet.” But the release provides another example of how, under CEO Elon Musk, Twitter has moved forward with significant changes to the platform in the face of warnings from independent researchers about potential unintended consequences from incomplete or poorly implemented updates.

In a blog post on Wednesday, Twitter said users of its latest app will be eligible to participate in encrypted direct messages. It also said it aims to provide a level of protection similar to other privacy-preserving apps that are highly recommended by security experts, such as Signal.

“The standard should be that if someone puts a gun to our head, we still can’t access your messages,” the blog post said. “We’re not quite there yet, but we’re working on it.”

But the company also acknowledged the feature’s limitations, including that the new encryption option “does not offer protections against man-in-the-middle attacks.”

“As a result, if someone, for example, a malicious insider, or Twitter itself as a result of a mandatory legal process, compromised an encrypted conversation, neither the sender nor the receiver would know,” the Twitter blog post said.

According to security experts, the lack of so-called end-to-end encryption makes Twitter’s implementation pointless.

“The ENTIRE PURPOSE of end-to-end encryption is to protect you against whoever controls the messaging servers,” Marcus Hutchins, aka MalwareTech, wrote on Bluesky.

John Scott-Railton, a cybersecurity and disinformation researcher, tweeted that this warning means that “it is not safe for anyone concerned about privacy and security to assume that this has equivalent protections to things like [Signal].”

Twitter’s new feature also encrypts messages at the conversation level, not each individual message. This means that if a malicious actor gained unauthorized access to the keys, they could see the entire message chain. A stronger approach would be to assign each message its own encryption key, a feature that already exists in other applications.
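The difference can be seen in a short Python sketch, added here as an illustration and not taken from Twitter's code or from any app named in this article. It assumes per-message keys come from a one-way key chain (a hash ratchet, one common way to do this); the XOR keystream cipher, key values and sample messages are constructed for the demo.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    # One-way step: the output does not reveal the input key.
    return hmac.new(key, label, hashlib.sha256).digest()

def xor_stream(key: bytes, nonce: int, data: bytes) -> bytes:
    # Demo-only stand-in cipher (unauthenticated); real systems use an AEAD.
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += kdf(key, nonce.to_bytes(4, "big") + block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_conversation(conv_key: bytes, messages: list) -> list:
    # Conversation-level: one long-lived key covers every message.
    return [xor_stream(conv_key, i, m) for i, m in enumerate(messages)]

def step(chain_key: bytes):
    # Ratchet: derive this message's key, then the next chain key.
    return kdf(chain_key, b"message"), kdf(chain_key, b"chain")

def encrypt_ratchet(root_key: bytes, messages: list):
    # Returns ciphertexts plus the chain key held before each message.
    chain, ciphertexts, states = root_key, [], []
    for m in messages:
        states.append(chain)
        msg_key, chain = step(chain)
        ciphertexts.append(xor_stream(msg_key, 0, m))
    return ciphertexts, states

def read_from_state(chain_key: bytes, ciphertexts: list) -> list:
    # What a holder of `chain_key` recovers, walking the chain forward.
    out = []
    for c in ciphertexts:
        msg_key, chain_key = step(chain_key)
        out.append(xor_stream(msg_key, 0, c))
    return out

# Constructed sample conversation and keys.
MESSAGES = [b"meet at noon", b"bring the documents", b"use the side door", b"done"]
CONV_CT = encrypt_conversation(b"K" * 32, MESSAGES)
RATCHET_CT, STATES = encrypt_ratchet(b"R" * 32, MESSAGES)

def leaked_conversation_key() -> list:
    # A leaked conversation key opens the whole history.
    return [xor_stream(b"K" * 32, i, c) for i, c in enumerate(CONV_CT)]

def leaked_ratchet_state(n: int) -> list:
    # The device has already discarded states 0..n-1; only state n leaks.
    return read_from_state(STATES[n], RATCHET_CT[n:])
```

In this sketch a leaked chain state still exposes the messages sent after it; what the chain protects is everything sent before the leak.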

Jonathan Mayer, a Princeton University computer scientist and former chief technologist at the Federal Communications Commission, said Twitter’s version of encryption would fail basic principles taught in an information security 101 course.

“We literally teach students not to do exactly what Twitter does,” Mayer said.

One of the biggest dangers of the feature for users is that they could be lulled into a false sense of security, Hutchins added, which would be far worse than Twitter not offering any encryption, because users could be led to share more over Twitter messages than they otherwise would.

In an apparent response to the wave of criticism, Musk tweeted early Thursday: “Try it, but don’t trust it yet.”
