Twitter is reportedly working on finally adding end-to-end encryption (E2EE) for direct messages (DMs) exchanged between users on the social media platform.
This is a sought-after and massively requested feature that will help protect private communications from anyone sitting between the conversation parties or even legal requests.
Twitter had attempted to prototype an E2EE system back in 2018, naming it “Secret Conversation,” but it never materialized as a finished product and was later abandoned.
Recent work on bringing E2EE on Twitter DMs was spotted by mobile researcher Jane Manchun Wong, who found new additions to the source code of Twitter for Android, mentioning “encryption keys” on the platform.
“This number was generated from your encryption keys from this conversation. If it matches the number in the recipient’s phone, end-to-end encryption is guaranteed,” reads one of the strings in the source code.
Twitter’s current owner, Elon Musk, responded to Wong’s Tweets with a winking emoji, hinting the feature is indeed under development.
Why Twitter needs E2EE
End-to-end encryption ensures that messages are encrypted on the sender's device and decrypted only on the recipient's device, so nobody in between can read them.
For this to work, the two parties use cryptographic key pairs to encrypt and decrypt the contents of their messages.
In most E2EE implementations, the sender uses the recipient’s digitally signed public key to encrypt their message, and the recipient uses their private key to decrypt it.
In Twitter’s case, Wong mentions a “conversation key,” so the implemented E2EE method might be “symmetric,” meaning that both people in a chat use the same key for encryption and decryption.
The sender’s message is transformed into unreadable ciphertext and remains in this state while in transit, so any intermediaries, like internet service providers, network snoopers, or even Twitter itself, will not be able to read the message contents.
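The two descriptions above (a public key pair per user, and a single "conversation key" shared by both sides) are not in conflict: in most modern messengers an asymmetric key agreement produces a symmetric conversation key that never travels over the network, and the safety number quoted from the app strings is a fingerprint of both parties' public keys. The following Go program is an added illustration of that pattern; it is not Twitter's code, and nothing about Twitter's actual design is known beyond the strings Wong found. It assumes X25519 for key agreement (Go's standard `crypto/ecdh`, Go 1.20 or later), AES-256-GCM for the message itself, and SHA-256 as a simplified stand-in for a real key-derivation function; the `safety-number-v1` label and the sample message are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Party is one chat participant holding a long-term X25519 key pair.
// Only the public half ever leaves the device; the platform relays it.
type Party struct{ priv *ecdh.PrivateKey }

// NewParty generates a fresh key pair for a participant.
func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicKey returns the 32-byte public key that is shared with the peer.
func (p *Party) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// ConversationKey derives the symmetric key for a chat with peerPub. Both
// ends compute the same value from their own private key and the peer's
// public key; the key itself is never transmitted. Assumption for this demo:
// SHA-256 over the raw ECDH output stands in for a proper KDF such as HKDF.
func (p *Party) ConversationKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	return key[:], nil
}

// SafetyNumber renders a fingerprint of both public keys as 8 groups of 5
// digits. Keys are sorted first so both phones show the same string; if a
// relay substituted its own key for either side, the numbers would differ.
func SafetyNumber(pubA, pubB []byte) string {
	lo, hi := pubA, pubB
	if bytes.Compare(lo, hi) > 0 {
		lo, hi = hi, lo
	}
	h := sha256.New()
	h.Write([]byte("safety-number-v1")) // constructed domain-separation label
	h.Write(lo)
	h.Write(hi)
	digest := h.Sum(nil)
	groups := make([]string, 0, 8)
	for i := 0; i < len(digest); i += 4 {
		groups = append(groups, fmt.Sprintf("%05d", binary.BigEndian.Uint32(digest[i:i+4])%100000))
	}
	return strings.Join(groups, " ")
}

// Seal encrypts a message with AES-256-GCM under the conversation key and
// returns nonce || ciphertext || tag: the blob a relay stores and forwards.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// Open decrypts a Seal envelope; it fails on a wrong key or any tampering.
func Open(key, envelope []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(envelope) < ns+aead.Overhead() {
		return nil, errors.New("envelope too short")
	}
	return aead.Open(nil, envelope[:ns], envelope[ns:], nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	relay, _ := NewParty() // stands in for the platform or any network snooper
	ka, _ := alice.ConversationKey(bob.PublicKey())
	kb, _ := bob.ConversationKey(alice.PublicKey())
	fmt.Println("alice sees:", SafetyNumber(alice.PublicKey(), bob.PublicKey()))
	fmt.Println("bob sees:  ", SafetyNumber(bob.PublicKey(), alice.PublicKey()))
	env, _ := Seal(ka, []byte("meet at 10?")) // constructed sample message
	fmt.Printf("relay stores only: %x\n", env)
	pt, _ := Open(kb, env)
	fmt.Println("bob reads:", string(pt))
	kr, _ := relay.ConversationKey(bob.PublicKey())
	_, err := Open(kr, env)
	fmt.Println("relay decrypt attempt:", err)
}
```

Two properties of the demo map directly onto the article: the relay holds the ciphertext and both public keys but cannot derive the conversation key, so a breach of its storage yields only unreadable bytes; and because the safety number commits to the public keys actually in use, two users who compare it out of band can detect a relay that handed each of them a substituted key.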
If Twitter introduces E2EE on DMs, users will feel more comfortable about the security and privacy of their communications under even unfortunate circumstances like platform-impacting hacks.
For example, in July 2020, Twitter admitted that hackers who breached employee accounts and accessed administration panels could read the DM inbox of 36 high-profile users, downloading the contents of seven of them.
Had Twitter used E2EE at the time, the hackers would have obtained only unreadable ciphertext, lessening the impact on the compromised users.
Other messaging platforms/apps using E2EE include Signal, Threema, WhatsApp, iMessage, Viber, Element/Matrix, Tox, Keybase, XMPP, Skype, and Wire.
Source: www.bleepingcomputer.com