Twitter has finally rolled out its long-awaited encrypted direct messages (DMs), providing an additional layer of privacy for users. However, there are certain limitations and security concerns associated with the feature. Currently, only verified users, including Blue subscribers and accounts associated with verified organizations, have access to encrypted DMs. Group messages are not compatible with encryption, and the feature does not protect against man-in-the-middle attacks.
For encryption to be enabled, the recipient must follow the sender, or the two must have previously engaged in a conversation, or the recipient must have accepted a DM request. Users eligible for encrypted conversations will find a toggle to enable encryption on the new chat screen.
Encrypted conversations are visually distinguished by a lock badge on the recipient’s profile picture and a banner indicating that messages are encrypted. However, the implementation has several limitations. Currently, encryption only supports one-to-one messages with text and links, excluding media content. A new device cannot join an existing encrypted conversation, and users can use encryption on a total of 10 devices. Additionally, there is no key backup option, so logging out of an account will result in the loss of encrypted messages on that device.
Twitter does not provide information about the cryptographic standard used for encryption, only mentioning that it employs a combination of strong cryptographic schemes. The encryption feature lacks forward secrecy, leaving past conversations exposed if a device is compromised. Signature checks and message verification features are also absent, making the system susceptible to man-in-the-middle attacks.
The current design flaws also allow Twitter to potentially disclose encrypted conversations to authorities under legal processes. Twitter acknowledges the need to address these concerns and aims to implement signature checks and safety numbers to prevent such compromises.
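To show what the planned safety numbers would let users check, here is an added illustration (not Twitter's code and not any messenger's exact algorithm): each side derives a number from both public keys, and a key swapped in transit makes the two numbers disagree. The handles, round count and key bytes are constructed assumptions.

```python
import hashlib

ROUNDS = 5200  # assumption: iteration count picked for this illustration

def fingerprint(user_id: str, public_key: bytes) -> str:
    """30-digit fingerprint binding one user id to one public key."""
    digest = public_key + user_id.encode()
    for _ in range(ROUNDS):
        digest = hashlib.sha512(digest + public_key).digest()
    # Six groups of five decimal digits, each taken from 5 digest bytes.
    return "".join(
        f"{int.from_bytes(digest[i:i + 5], 'big') % 100000:05d}"
        for i in range(0, 30, 5)
    )

def safety_number(my_id: str, my_key: bytes, peer_id: str, peer_key: bytes) -> str:
    """60-digit number; sorting the halves makes it identical on both ends."""
    halves = sorted([fingerprint(my_id, my_key), fingerprint(peer_id, peer_key)])
    return "".join(halves)

def display(number: str) -> str:
    """Group the digits in fives so two people can read them aloud."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))

# Constructed stand-ins for public keys (32 random-looking bytes each).
ALICE_KEY = hashlib.sha256(b"constructed: alice public key").digest()
BOB_KEY = hashlib.sha256(b"constructed: bob public key").digest()
RELAY_KEY = hashlib.sha256(b"constructed: key substituted in transit").digest()

def compare(key_alice_sees_for_bob: bytes, key_bob_sees_for_alice: bytes) -> bool:
    """True when both users would read out the same safety number."""
    alice_view = safety_number("@alice", ALICE_KEY, "@bob", key_alice_sees_for_bob)
    bob_view = safety_number("@bob", BOB_KEY, "@alice", key_bob_sees_for_alice)
    return alice_view == bob_view

if __name__ == "__main__":
    print("honest key delivery matches:", compare(BOB_KEY, ALICE_KEY))
    print("substituted keys match:     ", compare(RELAY_KEY, RELAY_KEY))
    print(display(safety_number("@alice", ALICE_KEY, "@bob", BOB_KEY)))
```

The comparison only helps if the two numbers are exchanged over a channel the key-delivering service does not control, such as in person or by voice.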
While Elon Musk has expressed interest in enhancing Twitter DMs to rival Signal, the current limitations prevent Twitter from offering the same level of protection as Signal or WhatsApp, which provide end-to-end encryption for all conversations. Twitter is committed to improving its encryption capabilities to ensure maximum privacy and security for its users.








