Twitter’s encrypted DMs are far inferior to Signal and WhatsApp

    Elon Musk’s long-promised launch of encrypted direct messages on Twitter has arrived. Like most attempts to add end-to-end encryption to a huge existing platform – never an easy proposition – there’s good, bad, and ugly. The good: Twitter has added an optional layer of security for a small subset of its users that has never existed in Twitter’s 16-plus years of being online. As for the bad and ugly: Well, that list is a lot longer.

    Last night, Twitter announced the release of encrypted direct messages, a feature that Musk had promised users since his very first days at the head of the company. To Twitter’s credit, it accompanied the new feature with a help center article breaking down its strengths and weaknesses with unusual transparency. And as the article points out, there are plenty of weaknesses.

    In fact, the company seems to have stopped calling the feature “end-to-end” encrypted, the term that would mean only the users on the two ends of a conversation can read messages, rather than hackers, government agencies that can eavesdrop on those messages, or even Twitter itself.

    “Like Elon Musk said, when it comes to Direct Messages, the default should be, if someone puts a gun to our heads, we still can’t access your messages,” the help center page reads. “We’re not quite there yet, but we’re working on it.”

    In fact, the description of Twitter’s encrypted messaging feature that follows that initial caveat almost seems like a laundry list of the most serious flaws in every existing end-to-end encrypted messaging app, now all combined into one product – along with a few additional flaws that are all its own.

    The encryption feature is opt-in, for example, rather than on by default, a decision that Facebook Messenger has drawn criticism for. It expressly does not prevent “man-in-the-middle” attacks that would allow Twitter to invisibly spoof users’ identities and intercept messages, long considered the most serious flaw in Apple’s iMessage encryption. It doesn’t have the “perfect forward secrecy” feature that makes spying on users more difficult, even after a device is temporarily compromised. It does not allow group messaging or even sending photos or videos. And perhaps most seriously, it currently restricts this substandard encrypted messaging system to only verified users messaging each other – most of whom must pay $8 per month – massively limiting the network that might use it.

    “Obviously this isn’t better than Signal or WhatsApp or anything that uses the Signal Protocol, in terms of features, in terms of security,” said Matthew Green, a computer science professor at Johns Hopkins University who focuses on cryptography, referring to the Signal Messenger app widely regarded as the modern standard in end-to-end encrypted calling and texting. Signal’s encryption protocol is also used in both WhatsApp’s standard encrypted communications and Facebook Messenger’s opt-in encryption feature, known as Secret Conversations. (Both Signal and WhatsApp are free, compared to the $8 per month for a Twitter Blue subscription that includes verification.) “You should use those things if you really care about security,” says Green. “And they’ll be easier because you don’t have to pay $8 a month.”