BitTorrent makes offline messages on Bleep more secure

The biggest thing BitTorrent's Bleep messaging app can offer users is privacy, so it's rightly beefing up that feature even more. In BT's latest engineering blog post, senior software engineer Steven Siloti explains how his team has improved the security of asynchronous offline messages. The feature, which made its way to the app in December 2014, allows a recipient to receive offline messages even if the sender hasn't connected to the internet yet. Previously, both users had to be online for messages to be exchanged -- remember that Bleep doesn't have servers, so that update was a big deal. Anyway, BT's engineers were apparently not content with the security level of offline messages, because if someone manages to steal a user's "offline key," he could unlock every offline message he intercepted from the same user in the past.

Note that this isn't a problem for online messages, because Bleep uses an encrypted tunnel protocol to protect those. In order to solve that issue with offline messages, they tweaked the system to generate new ephemeral keys for user pairs (first produced when two users add each other) each time the older one is used. Here's how BT explains it (we highlighted the important bits):

...the same DHT facility we use to exchange offline messages can also be used to exchange ephemeral keys. When Alice and Bob first add each other as contacts they generate ephemeral keypairs and publish the keys' public components in the DHT, just as they would an offline message. Alice and Bob save each other's offline ephemeral keys for future use. When Alice wants to send an offline message to Bob she uses their saved ephemeral keys to encrypt the message. When Bob receives the message he uses his copy of the ephemeral keys to decrypt it. After decrypting the message, Bob discards his ephemeral key and publishes a new one in the DHT. Once Alice sees Bob's new ephemeral key she replaces the one she has stored for him.

Simply put, BT promises that nobody without the appropriate key can access offline PMs. Plus, it'll be very hard to steal those keys, because Bleep will now replace them with new ones after they're used. If you'd like to give the privacy-focused messaging app a shot, check out its website with links to its iTunes, Google Play, Windows and Mac downloads.