Where are we on X Chat security?
Oct. 20th, 2025 03:45 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
mjg59AWS had an outage today and Signal was unavailable for some users for a while. This has confused some people, including Elon Musk, who are concerned that having a dependency on AWS means that Signal could somehow be compromised by anyone with sufficient influence over AWS (it can't). Which means we're back to the richest man in the world recommending his own "X Chat", saying
Elon is either uninformed about his own product, lying, or both.
As I wrote back in June, X Chat genuinely end-to-end encrypted, but ownership of the keys is complicated. The encryption key is stored using the Juicebox protocol, sharded between multiple backends. Two of these are asserted to be HSM backed - a discussion of the commissioning ceremony was recently posted here. I have not watched the almost 7 hours of video to verify that this was performed correctly, and I also haven't been able to verify that the public keys included in the post were the keys generated during the ceremony, although that may be down to me just not finding the appropriate point in the video (sorry, Twitter's video hosting doesn't appear to have any skip feature and would frequently just sit spinning if I tried to seek to far and I should probably just download them and figure it out but I'm not doing that now). With enough effort it would probably also have been possible to fake the entire thing - I have no reason to believe that this has happened, but it's not externally verifiable.
But let's assume these published public keys are legitimately the ones used in the HSM Juicebox realms[1] and that everything was done correctly. Does that prevent Elon from obtaining your key and decrypting your messages? No.
On startup, the X Chat client makes an API call called GetPublicKeysResult, and the public keys of the realms are returned. Right now when I make that call I get the public keys listed above, so there's at least some indication that I'm going to be communicating with actual HSMs. But what if that API call returned different keys? Could Elon stick a proxy in front of the HSMs and grab a cleartext portion of the key shards? Yes, he absolutely could, and then he'd be able to decrypt your messages.
(I will accept that there is a plausible argument that Elon is telling the truth in that even if you held a gun to his head he's not smart enough to be able to do this himself, but that'd be true even if there were no security whatsoever, so it still says nothing about the security of his product)
The solution to this is remote attestation - a process where the device you're speaking to proves its identity to you. In theory the endpoint could attest that it's an HSM running this specific code, and we could look at the Juicebox repo and verify that it's that code and hasn't been tampered with, and then we'd know that our communication channel was secure. Elon hasn't done that, despite it being table stakes for this sort of thing (Signal uses remote attestation to verify the enclave code used for private contact discovery, for instance, which ensures that the client will refuse to hand over any data until it's verified the identity and state of the enclave). There's no excuse whatsoever to build a new end-to-end encrypted messenger which relies on a network service for security without providing a trustworthy mechanism to verify you're speaking to the real service.
We know how to do this properly. We have done for years. Launching without it is unforgivable.
[1] There are three Juicebox realms overall, one of which doesn't appear to use HSMs, but you need at least two in order to obtain the key so at least part of the key will always be held in HSMs
The messages are fully encrypted with no advertising hooks or strange “AWS dependencies” such that I can’t read your messages even if someone put a gun to my head.
Elon is either uninformed about his own product, lying, or both.
As I wrote back in June, X Chat genuinely end-to-end encrypted, but ownership of the keys is complicated. The encryption key is stored using the Juicebox protocol, sharded between multiple backends. Two of these are asserted to be HSM backed - a discussion of the commissioning ceremony was recently posted here. I have not watched the almost 7 hours of video to verify that this was performed correctly, and I also haven't been able to verify that the public keys included in the post were the keys generated during the ceremony, although that may be down to me just not finding the appropriate point in the video (sorry, Twitter's video hosting doesn't appear to have any skip feature and would frequently just sit spinning if I tried to seek to far and I should probably just download them and figure it out but I'm not doing that now). With enough effort it would probably also have been possible to fake the entire thing - I have no reason to believe that this has happened, but it's not externally verifiable.
But let's assume these published public keys are legitimately the ones used in the HSM Juicebox realms[1] and that everything was done correctly. Does that prevent Elon from obtaining your key and decrypting your messages? No.
On startup, the X Chat client makes an API call called GetPublicKeysResult, and the public keys of the realms are returned. Right now when I make that call I get the public keys listed above, so there's at least some indication that I'm going to be communicating with actual HSMs. But what if that API call returned different keys? Could Elon stick a proxy in front of the HSMs and grab a cleartext portion of the key shards? Yes, he absolutely could, and then he'd be able to decrypt your messages.
(I will accept that there is a plausible argument that Elon is telling the truth in that even if you held a gun to his head he's not smart enough to be able to do this himself, but that'd be true even if there were no security whatsoever, so it still says nothing about the security of his product)
The solution to this is remote attestation - a process where the device you're speaking to proves its identity to you. In theory the endpoint could attest that it's an HSM running this specific code, and we could look at the Juicebox repo and verify that it's that code and hasn't been tampered with, and then we'd know that our communication channel was secure. Elon hasn't done that, despite it being table stakes for this sort of thing (Signal uses remote attestation to verify the enclave code used for private contact discovery, for instance, which ensures that the client will refuse to hand over any data until it's verified the identity and state of the enclave). There's no excuse whatsoever to build a new end-to-end encrypted messenger which relies on a network service for security without providing a trustworthy mechanism to verify you're speaking to the real service.
We know how to do this properly. We have done for years. Launching without it is unforgivable.
[1] There are three Juicebox realms overall, one of which doesn't appear to use HSMs, but you need at least two in order to obtain the key so at least part of the key will always be held in HSMs
AWS outage
Oct. 20th, 2025 10:11 amalierak posting in ![[site community profile]](https://www.dreamwidth.org/img/comm_staff.png){kind=small}
dw_maintenanceDW is seeing some issues due to today's Amazon outage. For right now it looks like the site is loading, but it may be slow. Some of our processes like notifications and journal search don't appear to be running and can't be started due to rate limiting or capacity issues. DW could go down later if Amazon isn't able to improve things soon, but our services should return to normal when Amazon has cleared up the outage.
Edit: all services are running as of 16:12 CDT, but there is definitely still a backlog of notifications to get through.
Edit 2: and at 18:20 CDT everything's been running normally for about the last hour.
Edit: all services are running as of 16:12 CDT, but there is definitely still a backlog of notifications to get through.
Edit 2: and at 18:20 CDT everything's been running normally for about the last hour.
physical update
Oct. 16th, 2025 10:03 amforgotten_ariaI still haven't full recovered from the COVID I had mid-September. Cardio tends to be rough.
I still have most of my strength though and I'm starting to regain some stuff I lost to the foot and shoulder.
The plantar faciitis still isn't quite healed, but I can now to Olympic lifts again. I'm still not running, jumping, or doing anything that requires bouncing on the ball of my foot. It is healing, just very slowly.
Fast squats are causing my calves to tighten up. Given all the other issues I've had with tendonitis and alike, I think I have weak calves and I should work on that.
I can kick up into a handstand again, which has been nice. I can swing from the bar again too, though my shoulder still hurts at night.
I had the smoothest set of wall balls in a very long time yesterday. These challenge my knees, ankles, shoulders, back, and a few other things, so having a good set means a lot of things are working well.
I still have most of my strength though and I'm starting to regain some stuff I lost to the foot and shoulder.
The plantar faciitis still isn't quite healed, but I can now to Olympic lifts again. I'm still not running, jumping, or doing anything that requires bouncing on the ball of my foot. It is healing, just very slowly.
Fast squats are causing my calves to tighten up. Given all the other issues I've had with tendonitis and alike, I think I have weak calves and I should work on that.
I can kick up into a handstand again, which has been nice. I can swing from the bar again too, though my shoulder still hurts at night.
I had the smoothest set of wall balls in a very long time yesterday. These challenge my knees, ankles, shoulders, back, and a few other things, so having a good set means a lot of things are working well.