First tipped back in November, encrypted direct messages have now arrived on Twitter, letting users send them to each other, but the new feature is locked behind a paywall and far from totally secure.
In a new Help Center post, Twitter explains it wants the standard for direct message security to be, "if someone puts a gun to our heads, we still can’t access your messages." That isn't the case from day one for encrypted direct messages, but ultimately it's what owner Elon Musk wants to achieve.
In order for encrypted direct messages to work, both the sender and the receiver will need to be either verified or using a verified organization's account. For individual users, it means a Twitter Blue subscription is required. Both parties will also need to be using the latest Twitter apps, be that on the web, Android, or iOS. The recipient also needs to be following the sender, or "has sent a message to sender previously, or has accepted a Direct Message request from the sender before."
For now, there are a number of limitations to using this new feature, including:
Encrypted messages can only be sent to a single recipient, not groups
Media and attachments aren't supported yet, just text and links
New devices can't join existing encrypted conversations
There's a limit of 10 devices per user for encrypted messages and you can't de-register devices
Only the message is encrypted, not the metadata or any content linked to in the message
Encrypted messages cannot be reported to Twitter
Logging out of Twitter will automatically delete all encrypted messages on the device used to log out
There are currently two notable encrypted message security issues Twitter admits to. The first is no protection against man-in-the-middle
Read more on pcmag.com