
Verified users on Twitter now get encrypted DMs


Photo: Phil Pasquini / Shutterstock.com

More than six months since Twitter owner Elon Musk confirmed plans for the feature in November 2022, Twitter has officially started rolling out encrypted DMs as it looks to improve the messaging experience on the app. However, as is the case with everything on Twitter these days, the feature does have some caveats. 

First up, users need to satisfy the following conditions in order to get access to encrypted DMs.

  • Both the sender and receiver need to be on the latest Twitter Android and iOS apps. 
  • Both the sender and receiver need to be paid or notable verified users, or affiliates of a verified organisation. 
  • The recipient either follows the sender, has sent a message to the sender previously or has accessed a DM request from the sender before. 

Users eligible for the feature will see an encrypted message toggle in the top right when sending new DMs. Encrypted and unencrypted DMs are also differentiated by showing a small lock icon badge on the avatar of the users’ respective chats. 


Encrypted DMs but at what cost?

In addition to being put behind the Twitter Blue paywall, the encrypted DMs rollout leaves much to be desired. The announcement comes with a lot of restrictions that indicate it might not be a practical feature to use for a while.

Eligible users will have to manually enable encrypted DMs. | Source: Twitter

At the moment, encrypted group chats aren’t supported. Twitter says it’ll “soon be expanding this feature to group conversations”, but the aforementioned conditions will make it harder for users to enjoy encrypted group chats on the micro-blogging site. 

Additionally, an encrypted message can only include text and links, as media and other attachments aren’t supported yet. If you attempt to send media in an encrypted conversation, the action won’t be completed. New devices also cannot join existing encrypted conversations, and this includes reinstalling the Twitter app on your phone. 

Twitter is allowing users a maximum of 10 devices for encrypted messages. That said, considering you can’t access encrypted DMs first sent on one device on another, it doesn’t make sense to be sending encrypted DMs left and right from multiple devices. This is also a security threat as Twitter doesn’t support the ability for users to see a list of registered devices and de-register them. 

There’s no protection from man-in-the-middle attacks at the moment either, so if a third party were to intercept your messages, neither the sender nor receiver would know. However, Twitter is “working on mechanisms for a future release” that will let devices verify the authenticity of the content and origin of the message via signature checks, and allow a pair of users to verify the devices that have access to a particular encrypted conversation using a feature called Safety Numbers. 
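Safety Numbers close the man-in-the-middle gap by having both users derive the same fingerprint from the pair of identity public keys and compare it out of band; if a relay has swapped in its own keys, the two users’ numbers no longer match. The Python below is an added illustration of that check, not Twitter’s code or format; the hash domain label, the digit layout and the key bytes are constructed assumptions.

```python
import hashlib
import secrets


def safety_number(local_identity_key: bytes, peer_identity_key: bytes) -> str:
    """Derive a human-comparable fingerprint of both parties' identity keys.

    Sorting the two keys makes the result symmetric: Alice and Bob compute the
    same string if, and only if, each holds the other's genuine key. The domain
    label and the 12-groups-of-5-digits layout are assumptions for this example.
    """
    first, second = sorted([local_identity_key, peer_identity_key])
    digest = hashlib.sha256(b"example-safety-number-v1" + first + second).digest()
    digits = f"{int.from_bytes(digest, 'big') % 10**60:060d}"
    return " ".join(digits[i:i + 5] for i in range(0, 60, 5))


def verification_outcome(alice_key: bytes, bob_key: bytes,
                         key_relayed_to_alice: bytes,
                         key_relayed_to_bob: bytes) -> bool:
    """True when the numbers Alice and Bob read to each other agree.

    The relayed keys are whatever the server handed each side as the peer's
    identity key; an honest relay passes the real keys through unchanged.
    """
    alice_view = safety_number(alice_key, key_relayed_to_alice)
    bob_view = safety_number(bob_key, key_relayed_to_bob)
    return alice_view == bob_view


if __name__ == "__main__":
    # Constructed stand-ins for identity public keys; no real users or keys.
    alice, bob, mallory = (secrets.token_bytes(32) for _ in range(3))

    # Honest relay: each side receives the other's genuine key.
    print("honest relay, numbers match:",
          verification_outcome(alice, bob, bob, alice))

    # Interposed relay: both sides are handed Mallory's key instead. Each
    # conversation still "works", but the out-of-band comparison fails.
    print("interposed relay, numbers match:",
          verification_outcome(alice, bob, mallory, mallory))
```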

Telling the difference between encrypted and unencrypted DMs should be easy. | Source: Twitter

If you log out of your Twitter account, all messages, including encrypted ones, will be deleted from that specific device. That said, since Twitter isn’t removing your private key from the device, logging back in again will let you re-fetch and decrypt your encrypted conversation. This is only until the company implements its key backup feature, which will erase keys on logout. 

Speaking of private keys, you need to be very careful with yours. If an attacker gets their hands on your Twitter private key they can decrypt all the encrypted messages sent and received by that specific device. What’s worse is that Twitter has decided to not address this issue as “user experience doesn’t work well with forward secure messaging protocols”.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
