iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Twitter has announced it is implementing a long-awaited encrypted messaging function, and while it does currently work, there are limitations to the service still being ironed out.
The social media company made the announcement overnight, along with the intention that — eventually — even Twitter would be unable to see the content of encrypted messages, but that feature is still down the track, apparently.
“As Elon Musk said, when it comes to direct messages, the standard should be, if someone puts a gun to our heads, we still can’t access your messages,” Twitter said in a post on its Help Center page.
“We’re not quite there yet, but we’re working on it.”
To use the feature, users must be using the latest version of Twitter, and both the sender and receiver need to have either a verified account or be associated with a verified organisation. The recipient must either follow the sender or has already sent messages to the sender.
Assuming you meet the criteria, you’re good to go.
The new, more secure messaging works by providing a public key on a per-device basis (for up to 10 devices) that is paired with a private key held by Twitter. Each encrypted conversation also has its own unique key, which is shared between the devices the sender and receiver are operating on.
You can either flip a toggle on a new conversation to make it encrypted or create a new encrypted chat from the conversation settings of an already-existing exchange. Encrypted conversations are denoted by a lock icon on the avatar of the person you are talking to.
There are, however, a range of limitations to the new feature, though Twitter has said it is working on removing most of them.
For instance, encrypted conversations can only be held between two people — encrypted group chats will come at a later date. Nor is it possible to report encrypted conversations, and such chats can only exchange text and links. Other media, such as images, is also being worked on.
And while there is a 10-device limit per user, there is currently no way to see the devices that you have registered, nor can you de-register a device.
But possibly the biggest issue is a lack of protection from man-in-the-middle attacks.
“As a result, if someone — for example, a malicious insider, or Twitter itself as a result of a compulsory legal process — were to compromise an encrypted conversation, neither the sender [nor] receiver would know,” Twitter said.
However, the company is working on implementing both “signature checks” to verify the providence of a message and “safety numbers”, which will allow two users to verify the devices that are part of an encrypted conversation.
“When signature checks and safety numbers are implemented, man-in-the-middle attacks should be difficult, if not impossible,” Twitter believes, “and both senders and recipients should be alerted in the event of an attack”.
Is encrypted messaging on Twitter worth the cost of a blue tick? Only you can be the judge.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
