498
An analysis of X(Twitter)'s new XChat features shows that X can probably decrypt users' messages, as it holds users' private keys on its servers
(blog.cryptographyengineering.com)
this post was submitted on 10 Jun 2025
498 points (99.4% liked)
Technology
71355 readers
3581 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
No it doesn’t, and I defined E2EE exactly one way. E2EE stands for “End to end encryption”, which means it’s encrypted at one end, decrypted at the other end, and not in the middle.
It doesn’t matter if they store a copy of your message on an intermediary server, the keyword there is intermediary. They are not the recipient, so they should not have the ability to decrypt the content of the message, only the recipient should. If they are able to decrypt your message, despite not being the recipient, it’s not E2EE.
A cloud drive is an entirely different case because the cloud drive is not an intermediary. They literally are the second E in E2EE. A cloud drive can have the ability to decrypt your data and still be E2EE because they are the recipient. You both seem to be under the impression that a cloud drive is an “intermediary” between your devices but it’s not. It’s a destination.
To explain it a bit simpler, imagine we’re in elementary school sitting at our desks and you’re sitting two desks away from me with one person between us:
E2EE = I encrypt my note with a simple cipher that I shared with you and only you before class. I pass my note to the kid between us to pass to you. He can’t read the note, and if he writes down a copy of my note before passing it to you it doesn’t matter because he still won’t be able to read it because he’s doesn’t have the cipher because he’s not the recipient, you are. He passes you the note and you can do whatever you want with it, including decrypting it, because you know the cipher. All the E2EE has done is ensured the kid in the middle can’t read the note. It has nothing to do with whether or not you can read the note.
Zero Access Encryption = I encrypt my note with a cipher that only I know. The kid in the middle can’t read this note, and neither can you. Then I use E2EE to encrypt that with a different cipher, the one that you do know, and hand the note to the kid in the middle to hand to you. The kid in the middle can’t read the note, and neither can you.
You probably didn't understand me. I'm saying that a company can just arbitrarily decide (like you did) that the server is the "end" recipient (which I disagree with). That can be done for chat messages too.
You send the message "E2EE" to the server, to be stored there (like a file, unencrypted), so that the recipient(s) can - sometime in the future - fetch the message, which would be encrypted again, only during transport. This fully fits your definition for the cloud storage example.
By changing the recipient "end", we can arbitrarily decode the message then.
I would argue that the cloud provider is not the recipient of files uploaded there. In the same way a chat message meant for someone else is not meant for the server to read, even if it happens to be stored there.
They cannot. Thats not how E2EE works. If they can arbitrarily decide that, then it isn’t E2EE.
It cannot, if you’re using E2EE.
That’s not how E2EE works. What you are describing is encryption that is not end-to-end. E2EE was designed the solve the issue you’re describing.
It does not. Cloud storage is a product you’d use to store your data for your own use at your own discretion.
It is if you uploaded files to it, like on purpose.
You’re confusing E2EE and non E2EE encryption.
Alternatively, we need to stop saying E2EE is safe at all, for any type of data, because or the arbitrary usage.
We don’t need to stop saying E2EE is safe, because it is. There is no arbitrary usage. Either it’s E2EE. If a company lies to you and tells you it’s E2EE and it’s not E2EE that’s not arbitrary usage, it’s just a lie.
You are obviously not interested in listening to a word I'm saying. Goodbye.
You’re talking about things that you don’t understand on a fundamental level. Maybe stick things you do understand?