X is rolling out a new encrypted messaging feature called Chat, also referred to as XChat, with the promise of end-to-end encryption. In theory, that means only the sender and recipient can read messages, not even the platform itself. In practice, cryptography experts say the current implementation falls short of industry best practices and shouldn’t be relied on for sensitive conversations yet.
Here’s what XChat is doing and why security researchers are concerned.
How XChat’s encryption works today
– When you turn on XChat, you’re asked to set a 4-digit PIN. That PIN encrypts your private key, which X then stores on its servers.
– In end-to-end encrypted systems, your private key decrypts incoming messages while your public key lets others encrypt messages to you.
– The biggest difference from services like Signal is that XChat keeps users’ private keys on company servers rather than exclusively on devices.
Why experts are skeptical
– Server-side key storage: Storing private keys on company servers introduces risk. Signal, for example, keeps private keys on user devices, reducing the chance a company insider or attacker could access them.
– Unproven HSM usage: An engineer has said the company uses Hardware Security Modules (HSMs) to protect keys. HSMs are specialized systems designed to shield keys even from the company itself. However, experts note there’s no independent proof or attestation yet. Without verifiable HSM protections, users are essentially being asked to take the company’s word for it.
– Adversary-in-the-middle risk: The platform currently mediates delivery of public keys. Researchers warn that without a robust, verifiable way to confirm keys, a malicious insider or the service itself could swap in a different key and silently intercept messages. The company’s own support documentation acknowledges that a malicious insider or the service could potentially compromise encrypted conversations in the current version.
– No public code or protocol documentation yet: Unlike more established secure messengers, XChat’s cryptographic design isn’t open source at this time. The company says it plans to publish a detailed whitepaper and open the implementation later this year, but until that happens, independent audits aren’t possible.
– No Perfect Forward Secrecy (PFS): XChat currently does not enable PFS, which means a compromise of your private key could expose not just a single message but potentially a large history of messages. The company acknowledges this limitation.
What top cryptographers are saying
– Security researcher Matthew Garrett argues the design is weaker than well-established secure messengers, even in a best-case scenario where everyone involved is fully trustworthy. He warns that without verifiable safeguards and transparency, users cannot be confident in the platform’s security.
– Johns Hopkins cryptography professor Matthew Green advises treating XChat, for now, with the same caution as unencrypted DMs until a reputable, independent audit is completed.
Where things stand
– XChat is rolling out alongside legacy Direct Messages.
– The company has indicated plans to open source the implementation and provide deeper technical documentation later, but there’s no audit timeline or public attestation for critical protections like HSMs.
Bottom line for privacy-conscious users
If you need truly private communication today, experts recommend waiting. Until there’s an open specification, independent security audits, verifiable key protection via HSMs, a robust method to verify keys, and Perfect Forward Secrecy, XChat should not be considered on par with established end-to-end encrypted messengers. For now, avoid sharing sensitive information through this feature and keep an eye out for the promised technical disclosures and audits.
