If Bleep Is Not P2P, Whom Do I Need To Trust And When?


SEC

In the article named How Does Bleep Work posted at http://engineering.bittorrent.com/2014/09/17/how-does-bleep-work/

section "Private Invitations" states:

 

Once two users have each other’s public key, they can find each other’s IP and port on the DHT and establish a direct connection (or via a relay server, if the network condition doesn’t allow direct connections). 

 

This raises some questions:

 

1. How do I know whether my particular conversation is direct P2P?

2. How often is the communication P2P and how often is it relayed through a server?

3. When the communication is relayed through a server, whom do I need to trust, and how can they trust themselves to not be pressured in the future into some kind of a government surveillance program, in a manner similar to Lavabit and SilentCircle?

 

Any replies addressing these privacy concerns will be appreciated.

 

Thanks.


Regardless of messages going directly (p2p) or through the relay server, the following holds:

 

1- your friends know your IP address. This may change in the future. 

2- Bittorrent Inc. doesn't know what identity is sending message to what identity (i.e. what public key is talking to what public key). 

 

The only difference between going directly or through the relay server is that Bittorrent Inc. knows what IP is talking to what IP (keep in mind that the mapping between IP addresses and public keys is not known to Bittorrent Inc.)

 

We will provide an option in a future release to disable the relay server if a user wants to only send messages directly (when possible). This will obviously mean that some messages won't be delivered (if a direct connection is not possible).


As I understand from your answer, Bleep does not guarantee direct (p2p) transmission of messages and future versions of the app may provide information and options concerning relayed vs. direct transmission.

 

Your answer 1: for me, it is OK if my friends know my transient IP address.

 

Question on your answer 2: What ID does Bittorrent Inc. use to address the sender and the recipient? I am trying to understand whether the server receives information about the public keys (or other account-identifying information), and chooses not to record this info (at the moment). Ideally, such information is simply unavailable at the server. Is this the case? What is the assurance of it (at least in terms of an explanation of how this is made possible)?

 

Additionally, Bleep's claim to novelty is: “Speak Freely. Person to Person. Private instant messaging via secure, distributed technology. No cloud required.” In this context:

 

3. What is meant by "Person to Person.", different from traditional communicators (e.g. Skype which sometimes relays and sometimes communicates p2p)?

 

4. What is meant by "No cloud required.", when a relay server operated by Bittorrent is described as generally required in your answer?

 

Thanks in advance for your answers to the above 3 questions concerning the privacy assurance of Bittorrent Bleep communications.


Each peer can establish a connection with the relay server. That connection has a unique random ID (which has no correlation to its public/private key). The peer stores that information on its DHT blob (similar to the way it does for its IP/port). This information is only visible to peer's friends. A friend can use the IP:port to connect directly or can use the token to ask the relay server to connect it to the other peer. As mentioned before, the server doesn't know what identity (i.e. public key) is talking to what identity. 

 

The technical details of how Skype works are not officially published (but you can find articles here and there and gather more information about it). I don't want to speculate and guess how it works in a technical piece. I can only comment on how Bleep works. 

 

A relay server is never considered a cloud because of many reasons including: it doesn't store anything, it's merely a facilitator of an otherwise impossible connection, only sees encrypted data in transit and doesn't even know who it's from (or to whom it is being sent). The relay server is incapable of processing the data that it sees to extract any meaningful information from it (other than what IP is talking to what IP).

 

Having said that, for users who only want to have a direct connection (and are ok with not being able to connect when a direct connection is impossible), we will provide an option to disable the use of the relay server.
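The token scheme described in the reply above, modelled as an added example that is not part of the original thread and is not BitTorrent's code: it shows which fields a relay operator could record when a message takes the relay path. The names `Relay`, `Peer`, `send` and `demo`, the blob layout, and all addresses and key labels are assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Relay:
    """Toy relay: pairs connections by an opaque token and forwards ciphertext."""
    sessions: dict = field(default_factory=dict)  # token -> registering peer's IP:port
    log: list = field(default_factory=list)       # everything the operator could record

    def register(self, peer_addr):
        token = secrets.token_hex(16)  # random ID, not derived from any key
        self.sessions[token] = peer_addr
        return token

    def connect(self, caller_addr, token, ciphertext):
        callee_addr = self.sessions.get(token)
        if callee_addr is None:
            return None  # unknown token: nothing to forward, nothing to log
        # The relay sees transport endpoints and payload size only.
        self.log.append({"from": caller_addr, "to": callee_addr,
                         "bytes": len(ciphertext)})
        return callee_addr, ciphertext

@dataclass
class Peer:
    public_key: str  # never handed to the relay in this model
    addr: str
    blob: dict = field(default_factory=dict)  # stands in for the friend-only DHT blob

    def publish(self, relay):
        self.blob = {"addr": self.addr,
                     "relay_token": relay.register(self.addr)}

def send(sender, recipient, relay, ciphertext, direct_ok):
    """Return the path a message took: 'direct', 'relay' or 'undelivered'."""
    if direct_ok:
        return "direct"  # the relay is not involved at all
    delivered = relay.connect(sender.addr, recipient.blob["relay_token"], ciphertext)
    return "relay" if delivered else "undelivered"

def demo():
    relay = Relay()
    # Constructed sample identities and documentation-range addresses.
    alice = Peer("PUBKEY-ALICE (constructed)", "192.0.2.10:6881")
    bob = Peer("PUBKEY-BOB (constructed)", "198.51.100.7:6881")
    bob.publish(relay)
    payload = b"\x8f" * 64  # stands in for an encrypted message
    paths = [send(alice, bob, relay, payload, direct_ok=ok) for ok in (True, False)]
    return paths, relay.log
```

In this model the relay log holds the two IP:port endpoints and a byte count for the relayed message, and no public key appears in it; a real operator could also attach a timestamp to each entry.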


Re: A relay server is never considered a cloud because of many reasons including: it doesn't store anything, it's merely a facilitator of an otherwise impossible connection, only sees encrypted data in transit and doesn't even know who it's from (or to whom it is being sent).

 

The above definition of cloud computing provided by Bittorrent satisfies the "No cloud required." claim, also by Bittorrent.

 

This definition, however, appears to contradict the definition of cloud computing provided by the National Institute of Standards and Technology. NIST SP800-145 contains a definition of cloud computing (http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf), which reads as follows:

 

"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

 

A relay server, even if designed not to log access or store data, appears to fall within at least one of the 4 other computing resource categories considered a cloud, which are:

- networks,

- servers,

- applications,

- services.


  • 3 weeks later...

In the spirit of helping Bittorrent deliver more of what Bleep users want, any reader of this post is invited to express his/her viewpoint on the following:

 

From the questions posed above and Bittorrent's transparent feedback on them, it becomes clear that the following holds true for the mode of message transmissions via Bleep:

 

1. Is it P2P? "Sometimes." 

2. Is it Serverless? "Sometimes." Currently the user doesn't know when a message was delivered via a Bittorrent Server vs. P2P.

3. Does it require a Cloud? Depends on the definition of Cloud Computing being used. If the standard NIST definition is used, then "Yes."

 

Please comment on how you would like each answer to be in order for you to have confidence in Bleep's privacy.

 

Would you like to be aware of how any particular communication of yours is about to be handled per the above criteria?

 

Would you like Bittorrent to take a stand on any of the above modes of transmissions and guarantee it?

 

Personally, I am most concerned about not knowing what is happening to my messages and when, and also not having any clarity of what Bittorrent is willing to assure going forward...


I did try to address your concern but it seems like you missed it. I did say that:

 

"

We will provide an option in a future release to disable the relay server if a user wants to only send messages directly (when possible). This will obviously mean that some messages won't be delivered (if a direct connection is not possible).

"

 

Obviously in this mode, all of your messages will be sent directly without any relay server being involved. Knowing if a specific message was/is sent directly or not is not really useful because there are some other types of messages that are not exposed in the UI (like sending presence notifications to your contacts). If we only show to the user that a particular text message was sent direct or not, we may still have sent some messages indirectly (like presence notifications) but there isn't any way for us to communicate this to the user without confusing them.

 

The only reliable non-confusing way is that the user explicitly asks us to not use the relay server for any messages (presence, voice, text, etc). That way, he/she will know that all messages are sent directly.

 

I am sure if you wait for when we actually release this feature you will be pleasantly surprised.


I just love pleasant surprises. And I hope this to be the case with Bleep. 

 

It will be very difficult to surprise me, however, and here is why: I do not believe that a piece of software has to be open source to be trustworthy. It is sufficient that the company making it committed to the result and the result can be independently verified. I am also not prone to consider the security of a communication system based on hypothesized conspiracy theories about it.

 

However, I do believe in verifying the claims of where my communications go via Wireshark. I downloaded the Android version of Bleep based on the claim in the 2nd sentence of its Android Play store Description as follows:

 

- "Bleep is a peer-to-peer chat client, meaning there’s no central server that can see your messages or metadata."

 

Based on the above, Bittorrent claims that its servers cannot see my messages, regardless of whether my messages are encrypted or not. Is this true?

 

My cellular data provider is AT&T. Currently, Wireshark tells me that 100% of my messages go through the Bittorrent cloud server. This means that if I turn on the P2P-only feature you are promising, I will not be able to connect to anyone on my contact list.

 

Farid, can you please explain how I am likely to be pleasantly surprised from the next Bleep release after I inspect it through Wireshark?

 

If I have missed any important details - my apologies - please provide the details on this thread.

 

Thanks in advance.


  • 3 weeks later...

Good questions, Sec. It looks like these folks need to figure out what they're doing more before they release the actual product.


  • 4 weeks later...

Indeed. To answer the thread subject: an entity to be trusted here has been missing in action for a long time...

 

In conclusion, Bittorrent is presently not guaranteeing any of the following Bleep features to be true for any particular communication:

 

- Direct Peer to Peer message transmission

- Serverless/cloudless operation

- The absence of metadata at the Bittorrent servers. Who talked to whom and when, can be logged by Bittorrent servers if someone were to insist on it.

 

Perhaps an answer by Bittorrent, a new Bleep release, or comments by Bleep users who have performed packet inspection on it could change the above picture in the future.


Archived

This topic is now archived and is closed to further replies.
