this post was submitted on 10 Jun 2025
498 points (99.4% liked)

Technology

71359 readers
3541 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
498
An analysis of X(Twitter)'s new XChat features shows that X can probably decrypt users' messages, as it holds users' private keys on its servers (blog.cryptographyengineering.com)
submitted 4 days ago by Pro@programming.dev to c/technology@lemmy.world
43 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] cmnybo@discuss.tchncs.de 41 points 3 days ago (1 children)

If anyone except you has the private key, then your private messages are not private.

[–] MimicJar@lemmy.world 20 points 3 days ago (1 children)

To extend this, that includes YOU giving your key to another application to decrypt those messages.

For example if you use an app or browser extension, that app or browser extension has access to that key. Additionally the browser itself or operating system had access to the key.

Now they may be fully audited. They may have a great reputation. You may trust them. But they are part of the decryption (and if sending encryption) process.

It's a chain of trust, you have to trust the whole chain.

[–] GamingChairModel@lemmy.world 8 points 2 days ago (1 children)

It's a chain of trust, you have to trust the whole chain.

Including the entire other side of the conversation. E2EE in a group chat still exposes the group chat if one participant shares their own key (or the chats themselves) with something insecure. Obviously any participant can copy and paste things, archive/log/screenshot things. It can all be automated, too.

Take, for example, iMessage. We have pretty good confidence that Apple can't read your chats when you have configured it correctly: E2EE, no iCloud archiving of the chats, no backups of the keys. But do you trust that the other side of the conversation has done the exact same thing correctly?

Or take for example the stupid case of senior American military officials accidentally adding a prominent journalist to their war plans signal chat. It's not a technical failure of signal's encryption, but a mistake by one of the participants inviting the wrong person, who then published the chat to the world.

[–] lagoon8622@sh.itjust.works 3 points 2 days ago

Are you so sure Apple doesn't have your keys? How are they migrating the keys to your new device? It's all closed source