{"id":191267,"date":"2025-09-05T16:04:03","date_gmt":"2025-09-05T16:04:03","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2025\/09\/05\/x-is-now-offering-me-end-to-end-encrypted-chat-you-probably-shouldnt-trust-it-yet-techcrunch\/"},"modified":"2025-09-05T16:04:03","modified_gmt":"2025-09-05T16:04:03","slug":"x-is-now-offering-me-end-to-end-encrypted-chat-you-probably-shouldnt-trust-it-yet-techcrunch","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2025\/09\/05\/x-is-now-offering-me-end-to-end-encrypted-chat-you-probably-shouldnt-trust-it-yet-techcrunch\/","title":{"rendered":"X is now offering me end-to-end encrypted chat \u2014 you probably shouldn&#8217;t trust it yet | TechCrunch"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">X, formerly Twitter, has <a href=\"https:\/\/techcrunch.com\/2025\/09\/04\/xs-encrypted-dm-feature-xchat-is-rolling-out-more-broadly\/\" target=\"_blank\" rel=\"noopener\">started rolling out<\/a> its new encrypted messaging feature called \u201cChat\u201d or \u201cXChat.\u201d\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The company claims the new communication feature is <a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#end-to-end-encryption\" target=\"_blank\" rel=\"noopener\">end-to-end encrypted<\/a>, meaning messages exchanged on it can only be read by the sender and their receiver, and \u2014 in theory \u2014 no one else, including X, can access them.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Cryptography experts, however, are warning that X\u2019s current implementation of encryption in XChat should not be trusted. 
They\u2019re saying it\u2019s far worse than Signal, a technology widely considered the state of the art when it comes to end-to-end encrypted chat.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In XChat, once a user clicks on \u201cSet up now,\u201d X prompts them to create a four-digit PIN, which will be used to encrypt the user\u2019s private key. This key is then stored on X\u2019s servers. The private key is essentially a secret cryptographic key assigned to each user, serving the purpose of decrypting messages. As in many end-to-end encrypted services, a private key is paired with a public key, which is what a sender uses to encrypt messages to the receiver.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">This is the first red flag for XChat. Signal stores a user\u2019s private key on their device, not on its servers. How and where exactly the private keys are stored on the X servers is also important.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Matthew Garrett, a security researcher <a href=\"https:\/\/mjg59.dreamwidth.org\/71646.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">who published a blog post<\/a> about XChat in June, when X announced the new service and slowly <a href=\"https:\/\/techcrunch.com\/2025\/05\/30\/xs-new-dm-feature-xchat-is-rolling-out-in-beta\/\" target=\"_blank\" rel=\"noreferrer noopener\">started rolling it out<\/a>, wrote that if the company doesn\u2019t use hardware security modules, or HSMs, to store the keys, then the company could tamper with the keys \u2014 brute-forcing them for example since they are only four digits \u2014 and potentially decrypt messages. 
HSMs are servers made specifically to make it harder for the company that owns them to access the data inside.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">An X engineer <a href=\"https:\/\/x.com\/cambridgemike\/status\/1932260008278012265?s=46\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">said<\/a> in a post in June that the company does use HSMs, but neither he nor the company has provided any proof so far. \u201cUntil that\u2019s done, this is \u2018trust us, bro\u2019 territory,\u201d Garrett told TechCrunch.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The second red flag, <a href=\"https:\/\/help.x.com\/en\/using-x\/encrypted-direct-messages#:~:text=Currently%2C%20we%20do,release%20that%20will%3A\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">which X admits<\/a> on the XChat support page, is that the current implementation of the service could allow \u201ca malicious insider or X itself\u201d to compromise encrypted conversations.<\/p>\n<p class=\"wp-block-paragraph\">This is what is technically called an \u201c<a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#adversary-in-the-middle\" target=\"_blank\" rel=\"noreferrer noopener\">adversary-in-the-middle<\/a>,\u201d or AITM attack. That makes the whole point of an end-to-end encrypted messaging platform moot.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Garrett said that X \u201cgives you the public key whenever you communicate with them, so even if they\u2019ve implemented this properly, you can\u2019t prove they haven\u2019t made up a new key\u201d and performed an AITM attack.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Another red flag is that none of XChat\u2019s implementation, at this point, is open source, unlike Signal\u2019s, which is <a href=\"https:\/\/signal.org\/docs\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">openly documented in detail<\/a>. 
X <a href=\"https:\/\/help.x.com\/en\/using-x\/encrypted-direct-messages#:~:text=open%20source%20our%20implementation%20and%20describe%20the%20encryption%20technology%20in%20depth%20through%20a%20technical%20whitepaper%20later%20this%20year.\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">says<\/a> it aims to \u201copen source our implementation and describe the encryption technology in depth through a technical whitepaper later this year.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Finally, X doesn\u2019t offer \u201c<a href=\"https:\/\/threema.com\/en\/faq\/perfect-forward-secrecy\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">perfect forward secrecy<\/a>,\u201d a cryptographic mechanism by which every new message is encrypted with a different key, which means that if an attacker compromises the user\u2019s private key, they can only decrypt the last message, and not all the preceding ones. The company itself also <a href=\"https:\/\/help.x.com\/en\/using-x\/encrypted-direct-messages#:~:text=the%20near%20future.-,Forward%20secrecy%C2%A0,-If%20the%20private\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">admits<\/a> this shortcoming.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">As a result, Garrett doesn\u2019t think XChat is at a point where users should trust it just yet.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cIf everyone involved is fully trustworthy, the X implementation is technically worse than Signal,\u201d Garrett told TechCrunch. \u201cAnd even if they were fully trustworthy to start with, they could stop being trustworthy and compromise trust in multiple ways\u00a0\u2026 If they were either untrustworthy or incompetent during initial implementation, it\u2019s impossible to demonstrate that there\u2019s any security at all.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Garrett isn\u2019t the only expert raising concerns. 
Matthew Green, a cryptography expert who teaches at Johns Hopkins University, agrees.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cFor the moment, until it gets a full audit by someone reputable, I would not trust this any more than I trust current unencrypted DMs,\u201d Green told TechCrunch.\u00a0(XChat is a separate feature that lives, at least for now, with the legacy Direct Messages.)<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"373\" height=\"197\" src=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/09\/x-chat-menu.png\" alt=\"\" class=\"wp-image-3042911\" srcset=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/09\/x-chat-menu.png 373w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/09\/x-chat-menu.png?resize=150,79 150w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/09\/x-chat-menu.png?resize=300,158 300w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/09\/x-chat-menu.png?resize=50,26 50w\" sizes=\"auto, (max-width: 373px) 100vw, 373px\"\/><\/figure>\n<p class=\"wp-block-paragraph\">X did not respond to several questions sent to its press email address.<\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2025\/09\/05\/x-is-now-offering-me-end-to-end-encrypted-chat-you-probably-shouldnt-trust-it-yet\/\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>X, formerly Twitter, has started rolling out its new encrypted messaging feature called \u201cChat\u201d or \u201cXChat.\u201d\u00a0 The company claims the new communication feature is end-to-end encrypted, meaning messages exchanged on it can only be read by the sender and their receiver, and \u2014 in theory \u2014 no one else, including X, can access them.\u00a0 Cryptography 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":191268,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-191267","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/191267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=191267"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/191267\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/191268"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=191267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=191267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=191267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}