Is this going to be open source?
Unless the code is verifiable by third parties and we have reproducible builds, trust is just transferred to BitTorrent Inc.
It's possible that BitTorrent's business model is going to change, but with the original BitTorrent, they kept the client closed source but the protocol was open, allowing for a wider variety of BitTorrent clients. It seems quite possible that they'll do the same thing for BitTorrent Chat (if not for BitTorrent Sync as well), at which point an open-source client will likely be created that's compatible with the original.
Either way, even if it were open source, it's new software, not stable software. Chances are almost any new software is going to be fairly leaky and buggy for some time. At the moment, I would personally trust BitTorrent chat somewhat more than Google, Microsoft, etc. to not deliberately put back-doors in their clients (not to mention it's not like those companies are claiming their stuff is end-to-end encrypted anyway, as far as I know), and I'd trust them to write higher-quality software with fewer severe exploits than many of the nascent open-source alternatives out there at the moment. That said, in a few years, I fully expect to be using something open-source for this sort of thing, whether it's Tox or TorChat or an alternative BT Chat client, and for the moment I don't plan on using any of the current "private chat" programs for anything important.
Even if it's not open source, that's not necessarily a bad thing. BitTorrent Sync seems to have set a bar and prompted development of open source equivalents[1]. If this gives open source secure messaging software a bit of competition, I'm happy that it exists.
1. Not that there wasn't open source sync software before, but a lot of it didn't have a GUI, or was based on git, or something like that.
Well, here's the thing though: Skype isn't P2P anymore; they've switched to a server-based model, so in that sense this is slightly more secure in that only those involved in the conversation have access to it.
The interesting part is their claim that they somehow made DHT public key to IP discovery (mapping) "encrypted" and "secure". Sadly, I haven't found any further details.
Using a public key to authenticate an IP address is trivial. You just sign the address (and a timestamp for how long it's valid) with the private key.
Making it private is the interesting bit. Obviously you can't have privacy in the sense that someone who knows your public key can't use it to discover your IP address, because doing that is the DHT's purpose. So what they're probably talking about is that somebody observing the DHT can't use it to learn public keys, IP addresses or both. But it would be nontrivial to do that in a way that isn't useless (e.g. storing under the public key fingerprint instead of the public key: now you don't have my public key, and having the fingerprint is totally different, right?)
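The "sign the address and a validity timestamp with the private key" scheme from the two comments above, as an added, self-contained example (not code from BitTorrent Chat or from the commenters). It assumes Ed25519 keys and a fixed binary encoding of the signed fields (both my choices, not anything the thread specifies), and it also shows the fingerprint point: the DHT lookup key is just a hash of the public key, so anyone who already holds the key can derive it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"time"
)

// AddressRecord is what a peer would publish in the DHT: its endpoint, an
// expiry, and a signature that binds both to the peer's public key.
type AddressRecord struct {
	IP        net.IP
	Port      uint16
	NotAfter  time.Time
	PubKey    ed25519.PublicKey
	Signature []byte
}

var (
	ErrWrongKey     = errors.New("record is signed by a different key than the one looked up")
	ErrBadSignature = errors.New("signature does not verify under the record's key")
	ErrExpired      = errors.New("record validity window has passed")
)

// canonicalBytes is the exact byte string that gets signed. A fixed-width
// layout (16-byte IP, 2-byte port, 8-byte Unix expiry) avoids the ambiguity
// of signing a free-form string. This encoding is an assumption of the example.
func canonicalBytes(ip net.IP, port uint16, notAfter time.Time) []byte {
	var buf [26]byte
	copy(buf[0:16], ip.To16())
	binary.BigEndian.PutUint16(buf[16:18], port)
	binary.BigEndian.PutUint64(buf[18:26], uint64(notAfter.Unix()))
	return buf[:]
}

// SignRecord produces a record valid from now for ttl; the expiry is part of
// the signed data, so an old record cannot be replayed indefinitely.
func SignRecord(priv ed25519.PrivateKey, ip net.IP, port uint16, ttl time.Duration, now time.Time) AddressRecord {
	notAfter := now.Add(ttl).Truncate(time.Second)
	return AddressRecord{
		IP:        ip,
		Port:      port,
		NotAfter:  notAfter,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, canonicalBytes(ip, port, notAfter)),
	}
}

// VerifyRecord checks a record fetched from the DHT against the key the
// caller was looking up: right key, valid signature, still within its window.
func VerifyRecord(rec AddressRecord, expectedPub ed25519.PublicKey, now time.Time) error {
	if !expectedPub.Equal(rec.PubKey) {
		return ErrWrongKey
	}
	if !ed25519.Verify(rec.PubKey, canonicalBytes(rec.IP, rec.Port, rec.NotAfter), rec.Signature) {
		return ErrBadSignature
	}
	if now.After(rec.NotAfter) {
		return ErrExpired
	}
	return nil
}

// DHTKey derives the lookup key from the public key. Storing under this
// fingerprint rather than the raw key hides nothing from a party that already
// has the key, since the fingerprint is a deterministic function of it.
func DHTKey(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	rec := SignRecord(priv, net.ParseIP("192.0.2.10"), 6881, time.Hour, now)
	fmt.Println("stored under:", DHTKey(pub))
	fmt.Println("fresh:   ", VerifyRecord(rec, pub, now))
	fmt.Println("stale:   ", VerifyRecord(rec, pub, now.Add(2*time.Hour)))
	rec.Port = 1234 // simulate an attacker rewriting the stored endpoint
	fmt.Println("tampered:", VerifyRecord(rec, pub, now))
}
```

The verifier must compare the record's key with the key it was looking up before anything else; otherwise an attacker could store a record signed with their own key and have it accepted as "validly signed".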
There are a few issues with using GPG over gtalk, gmail, mail, etc:
1- The metadata still exists. If you use gpg with any email server, the provider of that service knows that YOU contacted someone (and they know who that someone is). They also know "when" this happened. In fact, if metadata is not a concern, there are other much simpler solutions than using GPG. Technically speaking iMessage (or many other messaging apps) should give you the same result (well, if you trust Apple to be doing what they claim to be doing). With Bittorrent Chat, there is none of that. Bittorrent Inc. does not know who is talking to whom at what time.
2- It's difficult to use GPG (or OTR, etc.) with your friends who are not technical or just don't want to spend that much time on sending a message. Honestly, I have rarely used it myself because it's just too difficult to get right both on the sending end and the receiving end. A messaging app that intends to be private is not doing a good job if everyone doesn't like it (or doesn't know how to use it). Privacy should be accessible; otherwise the people who need it the most cannot use it.
We are trying to create an app that is not only private but is in fact easier to use than other messaging apps. It has cool features (for technical users as well as non-techies) that everyone understands and can use. People should not have a "private messaging app" that they use for their "private" conversations and one that they use for their "normal conversations". Basically, if you cannot say it on Twitter, it's private [to some extent]. Technical people should love it and use it with their non-technical friends, and non-technical people should love it because it's just easier to use than other apps (and provides cool features that no other app does).
I think that given the relatively large existing userbase of the company and familiarity with end users it's notable. I think that end-users aren't quite ready to encrypt their gtalk chat, but could be willing to give something with an appealing UI a try (if it ends up having that).
chewxy | 11 years ago
It doesn't use the BitTorrent kademlia though. If anyone thinks that should be the case, feel free to send a pull request
vxNsr | 11 years ago
I would offer to help but I don't know go at all.
zimbatm | 11 years ago
x1798DE | 11 years ago
jamesgeck0 | 11 years ago
unknown | 11 years ago
[deleted]
navyrain | 11 years ago
shmerl | 11 years ago
vxNsr | 11 years ago
nvk | 11 years ago
unicornporn | 11 years ago
synchronise | 11 years ago
ProfOak_ | 11 years ago
http://tox.im/
drdaeman | 11 years ago
AnthonyMouse | 11 years ago
Mandatum | 11 years ago
stasiek | 11 years ago
doctorKrieger | 11 years ago
ffadaie | 11 years ago
indlebe | 11 years ago
doctorKrieger | 11 years ago
[deleted]