Bitmessage + Tor

As impressed as you might be with the ability to send messages easily and securely, network monitoring can still show that you are connected to Bitmessage's P2P network. Although it wouldn't be possible to know the exact content of messages you send, traffic correlation could be used to identify you as the sender of a message. Your location is also glaringly obvious.

If you have already downloaded and installed Tor, make sure it's running and then head to Settings and click the Network Settings tab. Choose SOCKS5 from the Type drop-down menu. Leave Server hostname and Port at their default values (localhost and 9050).

Press OK and restart Bitmessage to connect via Tor. This will naturally take longer, but it will also make your Bitmessages as untraceable as when sending email via the Tor network. For the ultra-paranoid, Bitmessage can accept connections as a hidden Tor (.onion) service. Specific instructions are available on the Bitmessage website [8].

Email Integration

Bitmessage is posited as a secure alternative to email. Speaking from experience, however, it's often difficult for privacy-minded individuals to bring others around to their point of view. As such, you have two ways to interface email with Bitmessage.

The first is easiest, but it does require some small expense. Right-click on any of your addresses in the Messages tab and select Email gateway. In the pop-up window, you will see the first option to register an email address. This is currently offered by the good people at Mailchuck. Enter your desired email address and click OK.

Bitmessage will send an Email gateway registration request to link your Bitmessage address with the email address you just created. With luck, you will receive a message to your Bitmessage Inbox stating that your registration request has been accepted. Make a note of the address to unregister the account.

Mailchuck also provides a relay address, explaining that you need to send email to that address, placing your recipient's email address in the subject line. Fortunately more recent versions of PyBitmessage do away with this. To send a message to an email address, simply head over to the Send tab. The From address is simply the Bitmessage address you registered with Mailchuck. Enter your recipient's email address in the To tab.

Although you are able to receive email free of charge, Mailchuck requires a small subscription fee of around one dollar a month, payable in Bitcoin, to send a message (Figure 5).

Figure 5: The first time you attempt to send a message, you will receive a Bitcoin payment address. Shortly after paying your dollar for one month, you'll be able to send messages.

For those on a budget or who don't know how to get their hands on Bitcoins, the online Bitmessage Mail Gateway [9] offers a free webmail service for Bitmessage users. It allows you to create a human-friendly alias for your Bitmessage address and integrate with popular mail clients like Mozilla Thunderbird. More details are available on the site's FAQ.

Bitmessage Bummers

The moment any communications leave the Bitmessage network they are decrypted. This means sending email via the Mailchuck Gateway or receiving them via the Bitmessage Mail Gateway is no more or less secure than regular email. Try to encourage your contacts to join Bitmessage as well if you all want to communicate securely.

In terms of the PyBitmessage application itself, anyone in possession of the passphrase for your deterministic address or the contents of your keys.dat file can read your messages and impersonate you. Try to install the program to an encrypted volume. You can further increase PyBitmessage's security by heading to Settings, clicking User Interface, and ticking the Run in Portable Mode checkbox.

Portable mode ensures that messages and any configuration files are stored in the same directory where PyBitmessage is running. By default, this is the PyBitmessage folder in your home folder. Once portable mode has been enabled, you can then copy the entire folder to a separate device, such as a USB stick or an encrypted partition, and run it from there if you like.

Given how anyone running the PyBitmessage program can impersonate you and read your messages, one useful feature would be to protect the program and data files with a password. The developers have clearly focused on making sure that PyBitmessage is as functional as possible. As such, it may seem drab against more colorful messaging clients with downloadable skins. Head over to the Bitmessage Feature Request List if you have any suggestions [10].

Android users might want to install Christian Basler's Abit [11]. The app can recreate deterministic addresses from a passphrase or read the content of the keys.dat, but it must be set in Full node mode to work properly. The demands on data and system resources are quite extreme for a mobile phone, so do not expect this to run as well as on your computer.

Bitmessage is not and to some extent cannot be moderated. This means you may see links to harmful or even illegal content. Messages by default are shown in rich text, so links to other websites will work, but you will see a warning message. Other types of HTML, such as images, will only be shown if you click to enable it specifically.

Take time to work through Bitmessage and its features to see if it's right for you. If you run into any difficulties, in the first instance, read through the website's FAQ [12].