Nine months after revealing plans to develop a decentralized and encrypted chat application, BitTorrent has opened public testing for Windows, Mac and Android versions of the program Wednesday.
Called Bleep, the application supports voice calls and instant messages that are encrypted end-to-end between devices. There are no central traffic relay servers that could potentially expose communications to subpoenas and other forms of data collection by governments.
Instead, Bleep uses a custom distributed hash table (DHT) to find the IP (Internet Protocol) addresses of a user's contacts and allow them to communicate directly. The DHT is a lookup service distributed among all Bleep clients, forming a peer-to-peer network of nodes that is similar to the one used by BitTorrent file sharing programs.
For now the DHT used by Bleep is quite small, making it vulnerable to correlation attacks where an attacker injects a large number of nodes -- software clients that act as DHT nodes -- into the network giving them the ability to collect metadata and determine who is talking to whom and at what time. However, the program will eventually use the same DHT network as the popular uTorrent and BitTorrent clients, which has millions of active nodes at any given time, said Farid Fadaie, head of product for BitTorrent Bleep, in a blog post that details how the application works.
Bleep uses public-key cryptography. On installation it generates a private and public key pair that allows users to communicate in incognito mode. While incognito, users need to exchange QR codes or public keys to find and communicate with each other through the program.
However, users also have the option to register their public keys on a central server and to associate them with email addresses or telephone numbers, making themselves discoverable to other users though those identifiers. Use of this central lookup directory is a personal choice that sacrifices privacy for convenience, but once a contact is added the communication is still done directly device to device.
"Once a user accepts an invitation from a friend, the engine creates an encrypted tunnel over UDP [User Datagram Protocol] between the two peers," Fadaie said. "The messages that are sent over the tunnel are all end-to-end encrypted. We also support forward secrecy, which essentially means that we change the encryption key every once in a while to make it even harder to decrypt the traffic -- even if, by some miracle, the encryption key is compromised."
Users can install and test the program on their preferred platform, but they should keep in mind that these are alpha versions so they are likely to encounter bugs. It's probably best not to use the application for sensitive communications until a stable version is released.
The currently available Bleep version for Android can consume a large amount of battery and mobile data, so if their mobile data plan is limited users should configure it to work only over Wi-Fi. These issues are only temporary and the company is already working to fix them, said Jaehee Lee, senior product manager at BitTorrent, in a blog post.
"While you can move a username from desktop to mobile, Bleep does not yet support moving an existing account from Android to the desktop," Lee said. "And while you can receive messages on multiple devices; messages sent will not be seen across all devices."
The company is also working on a Bleep version for iOS, but will make it available at a later date.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.