Wednesday, May 13, 2015 - 19:16

Bleep. Just more useless closed source cryptography

Bleep is a secure messenger for iOS, Android, and Windows and OS X desktops. The people behind it are the same guys who are behind BitTorrent, and Bleep is capitalizing on this fact, most notably with its decentralized approach. But ...

To grab a random quote from their website:

"Software Engineering at its finest. If you haven't read the blog post on this app then you need to. Once you see how it works you're gonna want it. Most secure messaging I've seen yet."

How does he know? Aside from the fact that software engineering is usually not at its finest, the interesting part of that quote is "Most secure messaging I've seen yet"... How does he know that?

Unless he works for BitTorrent - which would be awkward - there's no way to even tell. There's no way to check it, and no credible expert has looked into it. And none will unless BitTorrent pays for an audit.

Cryptography is a field where you cannot even assume that someone bothers with your shitty product even if it is open source. There's simply too much around, and too much of that is utter crap. And no one likes to waste their time.

A closed source approach to a product implementing cryptography is mostly doomed from the start. It doesn't mean you cannot be successful in marketing it. You can. There are numerous examples of successful products which are among the worst spawns of Crypto-Crap the world has ever seen.

Just implementing cryptography is not enough. To be secure, it needs to be implemented properly, and more often than not this is not the case. So while a product does in fact encrypt whatever it is supposed to encrypt, it does so in a way that leaves the encryption prone to attacks. And more often than not, that is not an obvious problem. The two ways out of this are (A) open source and (B) a paid audit. The problem with the latter is that any relevant update also requires an updated audit.

Unless you have one or the other, saying the product is worth shit is a pretty bold claim. And being a US-based entity makes that problem even worse.

Being BitTorrent'ish, Bleep is a decentralized messenger, and that's pretty much all it is. Is it implementing cryptography? It is. Does it work? Who knows? It might or it might not. "It might" is not a qualified parameter if you actually need it. Closed source cryptography without an audit is nothing more than an optional feature.

To quote another guy from the website...

"Great App.. Encrypted, Decentralized.. What more could you want?"

How about knowing if that encryption works?