this post was submitted on 21 Oct 2025
316 points (96.7% liked)
Technology
76418 readers
2614 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
There are hardware for that called hardware security modules, but yeah I definitely wouldn't trust Twitter's implementation - especially because they probably just need the auth team to tell the HSM that the user logged in when they didn't to get that key
A proper implementation would use multiple security measures and require a reset (delete) of certain private account data before the account access can be reset, otherwise the user's password would be needed (for key derivation) or some other secret held by the user's devices (in the TPM chip or equivalent)
So again, you think you know better than the employee simply because you want it to be done incorrectly.
I've run a cryptography forum for 10 years. I can tell snake oil from the real deal.
Musk's Twitter doesn't know how to do key distribution. The only major company using HSMs the way Musk intends to is Apple, and they have far more and much more experienced cryptographers than X does.
So again - you just don’t want it to be true, and you think the people that know more than you about it are lying.
You sound like an antivaxxer defending a crank
You sound like a conspiracy theorist defending wearing an aluminium foil hat.
If you can't demonstrate that you know more about cryptography then me, it's time for you to admit you're wrong
You said this
So again - you're just hoping that they've done it wrong, based on nothing other than you wanting them to have done it wrong. They've told you they did, but you don't believe them based on...............nothing........nothing whatsoever......other than your hatred.
Feel free to tell me how your knowledge of cryptography proves that it's done incorrectly though. Please.
This is incoherent bullshit.
You're choosing to pretend it's nothing so you can dismiss legitimate criticism.
An engineer hearing about some novice trying to build a plane using difficult methods that only one or two companies with immense expertise has succeeded at would be correct to assume that plane would be unsafe.
A doctor hearing about a tiny clinic attempting treatments that only big medical research facilities have pulled off are correct to assume they're charlatans.
A cryptographer hearing about somebody attempting to build E2EE using methods that very few are capable of implementing correctly and without having the expertise on hand are correct to call that snakeoil.
Cryptography is INFAMOUSLY complex. E2EE is infamously difficult to make easy ("Johnny still can't encrypt"). The worst part is that cryptographic failures are almost always 100% silent!
There's a reason almost everybody copies Signal's protocol, and that everybody else who does it in-house keeps having vulnerabilities.
Multi user key management (PKI) specifically is wildly complex.
They're doing cryptography in the browser - famously difficult to make it work decently because there's no reliable code pinning solution, no reliable protected key storage (no TPM protected keystore) and absolutely no auditability. And that's on top of the risk of getting served malicious Javascript via XSS attacks, or by the host getting hacked, or by a maliciously issued certificate (there's 800+ certificate authorities, FYI, no cert pinning = easy for a state level actor to MITM)
They're not doing transparency logs of user keys. Even whatsapp has started doing that.
I haven't seen evidence of them attempting user key verification
Twitter/X has only displayed signs of LACKING the necessary expertise.
To pretend that's wishful thinking from me just reveals how little you care about expertise.
You have seen nothing to say that they aren’t doing it correctly, or that the employee who confirmed that they are doing it correctly lied.
You’re literally just full of copium and hopium because you hate Elon.
Again, you sound like an antivaxxer, and you're ignoring his history of failure, including SPECIFICALLY FAILING AT ENCRYPTED DM BEFORE
https://www.theverge.com/2023/5/16/23725247/twitter-encrypted-dm-security-vulnerabilities-linda-yaccarino
You're questioning experts with absolutely no justification other than your own animosity, assuming the experts too are driven by animosity instead of true concerns
Not sure why you keep trying to bring anti-vaxxers into the conversation lol. Typical far left bullshit.
You have literally zero evidence that this E2EE is done insecurely. Zero.
No “experts” have any evidence that it’s done insecurely either. You’re clearly driven by animosity here, everyone can see that.