Matthew GarrettTwitter's new encrypted DM system stores your private key material on Twitter-owned services, protected with nothing more than a 4-digit PIN. If hostile, or if legally compelled to, Twitter could easily decrypt all your messages. It's also MITMable and doesn't secure metadata. Use Signal.
Jonathan@mjg59 good article
apftwb@mjg59 shocking news
Rastal
stux⚡️@mjg59
tl;dr - no. Use Signal. Twitter can probably obtain your private keys, and admit that they can MITM you and have full access to your metadata.
yup
Snow
Patrick Morris Miller@mjg59 Hey, that's the combination to my luggage!
Maxi 12x 💉@mjg59 I was actually confused, Twitter is long dead, and I don’t see why we should use this old name even if it enrages Musk a bit. There is nothing culturally left of the old Twitter. We also don’t talk about "Sun" when we are talking about Oracle’s Java and other products.
fcalva
Hisham
RalfMaximus
Navi 
@navi Read further: https://chaos.social/@frumble/114631997010840664
Maxi 11x 💉 (@[email protected])
@[email protected] @[email protected] Call it FaXistan then, but "Twitter" is just gone.
Orca 🌻 | 🎀 | 🪁 | 🏴🏳️⚧️
Garrett Wollman@mjg59 Even better, don't use the nazi site and tell all your correspondents that you can't be found there any more.
Kaito@mjg59 Twitter might be bad but it NEVER asked me for my phone number.
2xfo@kaito02 @mjg59
Signal stores the timestamp of your last connection and nothing else. There's nothing to subpoena and no data that can leak from their side.
Twitter is ran by a Nazi and makes money on its user data. Plus, i haven't been there in years but it literally asked for my phone number hundreds of times because i refused to give it.
Lyn
Niels Moseley@mjg59 I'm going to live in a shack in the woods..
PypeBros@mjg59 does signal works if your android doesn't have any mobile SIM card ? (i.e. solely over WiFi)
@PypeBros yes, although you do need an available phone number for initial registration it doesn't need to be associated with the device you're running Signal on
RejZoR@mjg59 Just don't use Shitter at all. It was bad before and after Elon Musky took it over it just became mega dingus social network.
Graeme 🏴@mjg59 Yeah - just get off of twitter! It's worse than a cesspit.
Draken BlackKnight@mjg59
Since everyone's reading this on here it's a safe bet most people have already deleted their accounts from the deadbirdsite already.
Since everyone's reading this on here it's a safe bet most people have already deleted their accounts from the deadbirdsite already.
David H. McCoyEndorsed by the Trump Cabinet…
Ehay2kGreat post, thanks!
This line is so true: "...merely using good cryptography doesn't mean you end up with a good solution."
With post-quantum encryption (deservedly) getting a lot of attention these days, I see a lot of solutions out there that claim they are secure "because we use [insert legitimate cryptography here] and our smart guys say it's good." Some even have home-made crypto and that makes me cringe.
I prefer 3rd party validation, by NIST or similar entity at a minimum.
Kevin Riggle@mjg59 shocked, shocked
�@mjg59 tell me you don't care for encryption without telling me you care for encryption
"4 digit pin"
alina🐾💖✨🏳️⚧️@mjg59 BITCOIN STYLE ENCRYPTION (as easy to pwn as web3 apps)
Alyssa Voronin@mjg59 I can see it now:
* Right wing violence organized by Twitter DM - Musk: "I can't turn the messages over to the authorities! They're all encrypted!"
* Any other form of protest organized by Twitter DM - Musk: "I was legally obligated to decrypt and turn over the mesages!"
dbread@mjg59 What's Twitter?
Shredd Tone 
@mjg59 I recall Musk in an interview stating the he was shocked to find that companies and authorities could access users DM's so easily and wants to implement encryption for private messaging.
Now the question is: how surprised do you think he'll be if they could all still be able to access users messages?
Andy Mouse@mjg59 Sometimes I wish folks would stop recommending Signal as a 'secure' alternative.
It's another centralised service based in the US. 🙄
Collecting your phone number. 🙄
@andymouse read the protocol docs. There is no trust placed in the server.
@mjg59 Nah, don't need to. Fully centralised, processes phone numbers, based in the US. Gag order.
Or are you saying phone numbers are never touching Signal's servers? Then why do I need to enter one?
Or that my phone number isn't tied to my account? Then how can I verify my account with it?
If Signal wanted to be private then phone numbers are optional and I can set up a Signal server in my living room.
But... It's not. Never was about that.
@andymouse read the docs or stop speaking, you're not equipped to have a position here
@mjg59 mhmm 🥱 let's talk in a few years
James Just James@mjg59 Can you tell me why Signal refuses to release all the infra and automation code to all of their backend services?