
After Twitter Hack, Senator Asks Why DMs Aren't Encrypted - caution
https://www.vice.com/en_us/article/jgxdwy/twitter-encrypted-direct-messages-dms-ron-wyden
======
m90
Would E2EE really help in a scenario where the attacker gains account-level
access (as opposed to a database leak or similar)?

Unless data were encrypted using a per-device key (which would come with
UX consequences I doubt Twitter would accept), anyone who gains access to the
account would still be able to read and write DMs, even if they were
encrypted. Or am I missing something here?

~~~
justSayin000001
What you described wouldn't be E2EE. If a person can log in and have access to
read or write DMs, then it means the device gets the key from the server.
Keeping the keys on the server completely misses the point of e2ee. The keys
need to be stored on the individual devices. Also, it would be pretty easy to
share keys between your devices.

~~~
m90
I think a common approach would be using password-derived keys which would
_not_ be stored on any server, but could still be used across multiple
devices.

> Also, it would be pretty easy to share keys between your devices.

Genuine question: What's the most common and easy way of doing that at the
moment?

~~~
justSayin000001
From your statement about “anyone who gains access to the account would still
be able to read and write DMs, even when they would be encrypted” I thought we
were looking for an approach that gives more security. Having the account
password seed the encryption would still leave us with the same problem.

The easiest way I have seen is when an Apple device asks if you want to share the
Wi-Fi password with another device.

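As an added example (not code from the thread, from Twitter, or from either commenter), the following Python sketch models the password-derived-key design m90 describes and runs it against the two attacker capabilities the thread distinguishes: a leak of what the server stores versus an attacker who holds the account password. All names (`register`, `login_key`, `encrypt_dm`, the `auth`/`dm` labels, the work factor) are assumptions for illustration; the stream cipher is a toy HMAC counter-mode construction standing in for a real AEAD, and the password and message are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the client-side slow hash; illustrative only.
PBKDF2_ITERATIONS = 100_000


def derive_root(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation that runs only on the client device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def subkey(root: bytes, label: bytes) -> bytes:
    """Split the root secret into independent keys by label (HKDF-expand style),
    so the value the server stores for login is not the value that decrypts DMs."""
    return hmac.new(root, label, hashlib.sha256).digest()


def register(password: str, salt: Optional[bytes] = None) -> dict:
    """Client-side registration: the server receives only a salt and an auth
    verifier; the DM key is derived locally and never uploaded."""
    salt = salt or os.urandom(16)
    root = derive_root(password, salt)
    return {
        "server": {"salt": salt, "auth_verifier": subkey(root, b"auth")},
        "client": {"dm_key": subkey(root, b"dm")},
    }


def login_key(password: str, server_record: dict) -> Optional[bytes]:
    """A device that knows the password re-derives the DM key on its own;
    a wrong password fails the verifier check and yields no key."""
    root = derive_root(password, server_record["salt"])
    if not hmac.compare_digest(subkey(root, b"auth"), server_record["auth_verifier"]):
        return None
    return subkey(root, b"dm")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 counter-mode stream cipher, for illustration only.
    A real client would use an AEAD such as AES-GCM or XChaCha20-Poly1305."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt_dm(dm_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + keystream_xor(dm_key, nonce, plaintext)


def decrypt_dm(dm_key: bytes, blob: bytes) -> bytes:
    return keystream_xor(dm_key, blob[:12], blob[12:])


SAMPLE_DM = b"constructed sample DM"  # constructed test message


def demo(password: str = "correct horse battery staple"):  # constructed sample
    """Returns (what a server-database attacker recovers, what a password-holder recovers)."""
    reg = register(password)
    server_db = reg["server"]  # everything the server ever holds for this account
    blob = encrypt_dm(reg["client"]["dm_key"], SAMPLE_DM)

    # Case 1: server-side leak. The attacker has salt, auth verifier and
    # ciphertext, but no password. The verifier is a different subkey from the
    # DM key, so using it as the key yields garbage.
    from_db_leak = decrypt_dm(server_db["auth_verifier"], blob)

    # Case 2: the attacker knows the account password (phished, reused, or
    # obtained through a hijacked reset). The password re-derives the DM key,
    # so the encrypted DMs are readable on any device that can log in.
    attacker_key = login_key(password, server_db)
    from_password = decrypt_dm(attacker_key, blob)

    return from_db_leak, from_password


if __name__ == "__main__":
    leak, takeover = demo()
    print("readable from server DB leak:", leak == SAMPLE_DM)
    print("readable with account password:", takeover == SAMPLE_DM)
```

The design choice worth noticing is the label split in `subkey`: the server can verify a login without ever holding material that decrypts messages, which is what distinguishes this from "the device gets the key from the server". It also makes concrete which attacker the scheme stops and which it does not: whoever can log in with the password can read everything, and nothing here protects a device that has already been unlocked.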
