X launches E2EE chat, but you shouldn’t trust it yet

By John Melendez
Last updated: September 5, 2025 10:57 pm

X, the platform formerly known as Twitter, is rolling out a feature it calls end-to-end encrypted chat, branded as Chat or XChat. On paper, it promises that only you and your recipient can read your messages. In practice, the design choices behind this launch leave large cracks in that promise — big enough that privacy experts say you should hold off using it for anything sensitive.

Table of Contents
  • How X’s setup undermines its own encryption
  • No verification, no trust: the AITM problem
  • Missing essentials: PFS, openness, and audits
  • What to use now — and what X must do

The company is pitching full end-to-end encryption, yet cryptographers examining what’s available today say the implementation falls short of industry norms set by mature systems like Signal. Several of the most concerning issues are acknowledged by X itself in its support materials.


How X’s setup undermines its own encryption

When you enable XChat, you’re asked to create a four-digit PIN. That PIN encrypts your private key — the secret that unlocks your messages — which X then stores on its servers. That design is the first problem. Best practice is to keep private keys exclusively on user devices, not in a company’s custody.

A four-digit PIN has only 10,000 combinations. Unless that key is locked inside hardware security modules (HSMs) with strict rate limits and wrapped by a strong key-derivation function such as Argon2 or scrypt, a determined insider could brute-force it. Security researcher Matthew Garrett flagged exactly this risk, noting that server-side key storage with low-entropy protection invites abuse if the infrastructure and controls aren’t rock solid.

HSMs exist to make tampering prohibitively difficult, even for the company that owns them. Without credible assurances — and independent verification — that HSMs and rigorous safeguards are in place, storing users’ decryption keys on the service remains a fundamental red flag.
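To make the point about PIN-wrapped keys concrete, here is an added example (not X's code, and not describing X's actual implementation) in Python. It wraps a constructed 32-byte private key under a scrypt-derived key and contrasts the offline search an insider faces with the attempt-counting, self-locking unlock that an HSM-style control has to enforce; the key, salt, PIN and attempt limit are all made-up demo values.

```python
import hashlib
import hmac

# Constructed demo values: a 32-byte stand-in for a user's private key and a fixed salt.
PRIVATE_KEY = bytes(range(32))
SALT = b"constructed-demo-salt-16"

def derive_kek(secret: str, salt: bytes, length: int) -> bytes:
    """Stretch the user's secret with scrypt (N=2^14, r=8, p=1) into a key-encryption key."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=length)

def wrap_key(private_key: bytes, secret: str, salt: bytes) -> bytes:
    """XOR the private key with the KEK. XOR is its own inverse, so unwrapping is the same call."""
    kek = derive_kek(secret, salt, len(private_key))
    return bytes(a ^ b for a, b in zip(private_key, kek))

def pin_search_space(pin_digits: int) -> int:
    """Number of all-numeric PINs of this length: the whole space an insider has to try."""
    return 10 ** pin_digits

def offline_exhaust_seconds(search_space: int, kdf_seconds_per_guess: float) -> float:
    """Worst-case time for an insider who copied the wrapped blob; no rate limit applies offline."""
    return search_space * kdf_seconds_per_guess

class GuardedKeyStore:
    """Models the control the article says is needed: the wrapped key and its check value never
    leave the module, every unlock attempt is counted, and the slot locks after max_attempts."""

    def __init__(self, private_key: bytes, secret: str, salt: bytes, max_attempts: int = 10):
        self.salt = salt
        self.wrapped = wrap_key(private_key, secret, salt)
        self.check = hashlib.sha256(private_key).digest()  # lets the module recognise a correct guess
        self.max_attempts = max_attempts
        self.failures = 0

    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def unlock(self, secret: str):
        """Return the private key for the right secret, None otherwise; refuse everything once locked."""
        if self.locked():
            return None
        candidate = wrap_key(self.wrapped, secret, self.salt)
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.check):
            self.failures = 0
            return candidate
        self.failures += 1
        return None
```

With scrypt at these parameters one guess costs tens of milliseconds, so offline_exhaust_seconds(10000, 0.05) comes to roughly eight minutes on a single core; the KDF alone cannot rescue a four-digit PIN, only the attempt counter (and the blob staying inside the module) does.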

No verification, no trust: the AITM problem

X also concedes that a malicious insider — or the service itself — could compromise conversations. That’s effectively an adversary-in-the-middle (AITM) risk: if the platform can swap in a different public key for your contact, it can silently intercept messages. Garrett points out that because X hands you your partner’s public key, you have no reliable way to prove X hasn’t invented a replacement.

Modern encrypted messengers mitigate this with user-verifiable safety numbers or QR codes, and increasingly with key-transparency systems. WhatsApp, which uses the Signal Protocol by default for more than two billion accounts, provides safety-code verification and has deployed a key-transparency service to detect server-side key swaps. Apple offers Contact Key Verification in iMessage for high-risk users. Without comparable verification, XChat asks users to trust what the server says — the opposite of what end-to-end encryption is designed to achieve.
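The verification step XChat is missing, as an added Python example: a simplified safety-number computation modelled on Signal's approach (iterated hashing of each party's identity-bound public key, rendered as digit groups, combined order-independently) but not its exact algorithm. All identities and keys below are constructed demo values, and MALLORY_PK stands for a key a dishonest server might hand Alice in place of Bob's.

```python
import hashlib

# Constructed demo identities and public keys (repeating bytes, not real keys).
ALICE_ID, ALICE_PK = b"+15550100001", bytes.fromhex("8a" * 32)
BOB_ID, BOB_PK = b"+15550100002", bytes.fromhex("3c" * 32)
MALLORY_PK = bytes.fromhex("e1" * 32)  # what a key-swapping server could give Alice "for Bob"

def party_fingerprint(identity: bytes, public_key: bytes, iterations: int = 5200) -> str:
    """30-digit fingerprint for one party: iterated SHA-512 over (version || key || identity),
    then six 5-digit groups taken from the first 30 bytes of the final digest."""
    digest = b"\x00\x00" + public_key + identity
    for _ in range(iterations):
        digest = hashlib.sha512(digest + public_key).digest()
    groups = [int.from_bytes(digest[5 * i : 5 * i + 5], "big") % 100000 for i in range(6)]
    return "".join(f"{g:05d}" for g in groups)

def safety_number(my_id: bytes, my_pk: bytes, peer_id: bytes, peer_pk: bytes) -> str:
    """60-digit safety number shared by both parties: the two fingerprints in sorted order,
    so Alice and Bob compute the same string regardless of who is 'me'."""
    return "".join(sorted([party_fingerprint(my_id, my_pk), party_fingerprint(peer_id, peer_pk)]))

def pretty(sn: str) -> str:
    """Group the digits in fives, the way messengers display them for comparison."""
    return " ".join(sn[i:i + 5] for i in range(0, len(sn), 5))

def out_of_band_check(alice_view: str, bob_view: str) -> bool:
    """What the two users compare in person or over a second channel. Each side feeds in its
    own real key, so a server that substitutes either public key cannot make the views agree."""
    return alice_view == bob_view

if __name__ == "__main__":
    alice_view = safety_number(ALICE_ID, ALICE_PK, BOB_ID, BOB_PK)
    bob_view = safety_number(BOB_ID, BOB_PK, ALICE_ID, ALICE_PK)
    swapped = safety_number(ALICE_ID, ALICE_PK, BOB_ID, MALLORY_PK)  # server swapped Bob's key
    print("honest :", pretty(alice_view), out_of_band_check(alice_view, bob_view))
    print("swapped:", pretty(swapped), out_of_band_check(swapped, bob_view))
```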


Missing essentials: PFS, openness, and audits

X’s current implementation lacks perfect forward secrecy (PFS), a core property where every session — and often every message — gets a fresh ephemeral key. With PFS, even if one long-term key is compromised, an attacker can’t decrypt past conversations. Absent PFS, a single key exposure can unlock large swaths of history.
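What forward secrecy buys, as an added Python example that is not taken from X or from any named messenger: scheme A derives every message key from one long-term key (the shape the article describes as lacking PFS), while scheme B is a symmetric-key ratchet, the per-message half of the Double Ratchet (the DH ratchet that also provides break-in recovery is left out). The long-term key, seed labels and message counts are constructed values.

```python
import hmac
import hashlib

def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

# Scheme A: every message key is a function of one long-term key, so whoever obtains that
# key can regenerate any message key, past or future.
def static_message_key(long_term_key: bytes, index: int) -> bytes:
    return kdf(long_term_key, b"msg" + index.to_bytes(4, "big"))

# Scheme B: a symmetric-key ratchet. Each step outputs a message key and replaces the chain
# key with a one-way function of itself, so earlier chain keys cannot be recovered.
class SendingChain:
    def __init__(self, chain_key: bytes, index: int = 0):
        self.chain_key = chain_key
        self.index = index

    def next_message_key(self):
        mk = kdf(self.chain_key, b"\x01")
        self.chain_key = kdf(self.chain_key, b"\x02")  # previous chain key no longer exists
        self.index += 1
        return self.index - 1, mk

def derivable_from_snapshot(chain_key: bytes, index: int, count: int) -> dict:
    """All an attacker holding the chain state captured at `index` can compute: keys from
    `index` onward. Earlier keys would need HMAC-SHA256 inverted, which is infeasible."""
    chain = SendingChain(chain_key, index)
    return dict(chain.next_message_key() for _ in range(count))

def run_scenario(long_term_key: bytes, messages: int, compromise_at: int) -> dict:
    """Send `messages` messages under both schemes, leak the sender's secrets after
    `compromise_at` of them, and list the message indices each leak exposes."""
    chain = SendingChain(kdf(long_term_key, b"chain-seed"))
    ratchet_keys, snapshot = {}, None
    for _ in range(messages):
        if chain.index == compromise_at:
            snapshot = (chain.chain_key, chain.index)  # what the attacker gets under scheme B
        i, mk = chain.next_message_key()
        ratchet_keys[i] = mk
    leaked = derivable_from_snapshot(*snapshot, messages - compromise_at) if snapshot else {}
    ratchet_exposed = sorted(i for i, mk in ratchet_keys.items() if leaked.get(i) == mk)
    # Under scheme A the attacker holds long_term_key itself and simply recomputes every key.
    static_keys = {i: static_message_key(long_term_key, i) for i in range(messages)}
    static_exposed = sorted(i for i in static_keys if static_message_key(long_term_key, i) == static_keys[i])
    return {"ratchet": ratchet_exposed, "static": static_exposed}
```

run_scenario(key, 6, 3) reports that the ratchet leak exposes only messages 3 to 5 while the static scheme exposes 0 to 5; that gap is the "past conversations" the article says PFS protects.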

Openness is another gap. None of the protocol details or code are publicly available yet. Signal’s protocol is fully documented and open source, with years of scrutiny from academics and firms like NCC Group and Trail of Bits. Wire and Matrix (Olm/Megolm) publish specifications and commission audits. Apple, meanwhile, publicly documented its PQ3 upgrade to iMessage, moving to post-quantum-hardened key exchange. X says it plans to release a whitepaper and open-source its work, but trust in encryption is earned through third-party review, not promises.

Matthew Green, a cryptography professor at Johns Hopkins University, has also voiced concerns. His view aligns with a broad consensus in the field: until a design is transparent and independently verified, users should assume weaknesses exist.

What to use now — and what X must do

If your safety or livelihood depends on private messaging, use Signal. It’s open, audited, and incorporates state-of-the-art features like the Double Ratchet and a post-quantum hybrid handshake (PQXDH). WhatsApp’s default end-to-end encryption, built on the same core protocol, is also robust, with key verification options. iMessage adds meaningful protection when Contact Key Verification is enabled, especially for high-risk users.

For X to earn trust, it should publish a detailed threat model and protocol specification; open-source client and server components; add perfect forward secrecy and a clear verification UX (safety numbers/QR); deploy key transparency; secure keys in HSMs with verifiable controls; replace the four-digit PIN with a high-entropy passphrase protected by modern KDFs and strict rate limiting; and commission independent audits by recognized firms, alongside a meaningful vulnerability disclosure and bounty program. Until then, treat XChat as experimental, not a secure channel.
