
Tox: A simple, distributed, free, secure Skype replacement. Now alpha with A/V - irungentoo
Tox is now usable and has reached alpha (in other words, it is mostly working, but lacking some features, bugs might be apparent).

uTox is a lightweight (minimal dependencies) Tox client for Windows, Linux and (experimentally) Android. It supports text chat, file transfers, audio and video calling, desktop sharing (both as video and as screenshots). It also supports text-only group chats (with audio/video being worked on).

For more info about Tox and uTox, see the project links below.

Windows updater/downloader:

https://jenkins.libtoxcore.so/job/utox_update_win32/lastSuccessfulBuild/artifact/utox-updater.zip

Linux nightlies:

64-bit:

https://jenkins.libtoxcore.so/job/uTox_linux_amd64/lastSuccessfulBuild/artifact/utox/utox_linux_amd64.tar.xz

32-bit:

https://jenkins.libtoxcore.so/job/uTox_linux_i686/lastSuccessfulBuild/artifact/utox/utox_linux_i686.tar.xz

If you use an operating system other than windows or linux (OSX or android) or want to try other Tox clients, see this page:

https://wiki.tox.im/Binaries

Project links:

Official Tox website:

https://tox.im

uTox Github:

https://github.com/notsecure/uTox

toxcore Github:

https://github.com/irungentoo/toxcore

Other links:

qTox Github:

https://github.com/tux3/qTox

Antox Github:

https://github.com/Astonex/Antox

Note about adding friends in Tox: in the settings area of uTox you can find your Tox ID, and you give that out to your friends so that they can add you. To solve the inconvenience of sharing long IDs, Tox also supports "DNS names", for example "groupbot@toxme.se". You can register your own @toxme.se name on toxme.se

Tox is alpha software, bugs are expected.

Feel free to post any questions or feedback or visit us on IRC: #tox on freenode.
======
bramd
I don't post often on HN, but today couldn't resist. Just tested Utox on
Windows as well as Toxy, also on Windows. Both programs are totally
inaccessible for people using a screenreader and I'm quite sure as well for
people using things like speech recognition.

Utox seems to be C++ and a GUI framework I didn't look into. Toxy is
.NET+WPF... two different stacks, but two inaccessible programs. I'm quite
sure the developers didn't write inaccessible software deliberately, but this
makes me wonder if we need either:

1\. Inform developers better about accessibility

2\. Fix tooling: warn/error if you don't label your elements etc

3\. All of the above...

To give this post some more context, earlier this week I looked at Stellar...
their web client is inaccessible. Earlier this week Wunderlist released a
version 3... iOS app is nearly inaccessible. Earlier this week I finally
wanted to give Foursquare's new Swarm app a shot... inaccessible. Do you see
the pattern? I'm sorry for ranting about this, but imagine some random app
update did stop the app from working and only displayed a black screen, you
would be annoyed at least.

~~~
kohanz
Seems like these would be useful suggestions to add to the respective github
pages of those projects. Also, they are open-source, so there's an opportunity
there if you have expertise in making UI's accessible.

------
Plexion
In the spirit of supporting as many individuals as possible, Tox websites are
now accessible as a hidden service via Tor.

The hidden service mirror has been stripped of Piwik tracking, and forms of
Javascript, and soon we'll label outbound links.

i2p support will also follow soon.

Tox main site:
[http://kdzzxucnh4fyovxg.onion/](http://kdzzxucnh4fyovxg.onion/)

Tox developer documentation:
[http://kdzzxucnh4fyovxg.onion/docs/](http://kdzzxucnh4fyovxg.onion/docs/)

Tox wiki:
[http://kdzzxucnh4fyovxg.onion/wiki](http://kdzzxucnh4fyovxg.onion/wiki)

------
phobitor
What about its design makes it secure? Do you guys have a design document or a
description of how you've implemented security? Have any security experts
audited the code?

~~~
alex_duf
This is a good question. What makes it secure? "Encryption" is not enough. Do
you have central servers or is it a protocol using P2P? How do you connect one
client to another? What kind of encryption? How are the keys generated, can
we change them, etc...

~~~
kragniz
The whole protocol is decentralized and peer to peer. Each person in the
network has a public and private key. The NaCl library is used to do all of
the encryption.

~~~
alex_duf
Cool. Is this direct connection from peer to peer or does the communication
bounce from one node to another as a TOR communication would do? (I'm
guessing direct for obvious latency reasons when using audio / video)

~~~
irungentoo
Direct connection when possible.

Connection routed over one TCP node when direct connections are impossible due
to NAT issues.

~~~
walterbell
Does only the one-time signalling handshake go to a TCP node (NAT hole
punching) or does all traffic? Are these TCP nodes similar to Skype
"super-peers" - how are they selected?

Virtually all consumers are behind NAT devices.

~~~
irungentoo
The majority of NATs can be hole punched.

If you can't hole punch then you will connect to your friend through a couple
TCP nodes. They act like relays.

TCP nodes are pretty much randomly selected by peers and anyone can host them.

Everything is encrypted and TCP nodes are regarded as being possibly hostile
so there should not be any security issues.

------
donniezazen
Do you sync messages across various clients? So that I can start chatting on
one and move to second or third client.

~~~
notsecure
Not yet. This is a planned feature but the implementation has not been decided
yet because this feature is not exactly compatible with how Tox works and it
could cause a lot of security issues.

------
notsobrightkid
can someone please explain in easy to understand how alice and bob find each
other with temporary public keys in the DHT? I read this
([https://github.com/irungentoo/toxcore/blob/master/docs/Preve...](https://github.com/irungentoo/toxcore/blob/master/docs/Prevent_Tracking.txt))
but I still can't picture it (the wording isn't the greatest either). Thanks!!

------
dredmorbius
NB: the tox project website is unusable w/o JS enabled. Please fix that.

[https://tox.im/](https://tox.im/)

While we're at it, the rest of the suggestions may be useful:
[http://www.reddit.com/r/dredmorbius/comments/27d5xr/please_f...](http://www.reddit.com/r/dredmorbius/comments/27d5xr/please_forward_to_marketing_how_to_present_your/)

From the FAQ, this I like:

"The goal of this project is to create a configuration-free P2P Skype
replacement. _Configuration-free means that the user will simply have to open
the program and without any account configuration will be capable of adding
people to his or her 's friends list and start conversing with them._ There
are many so-called Skype replacements and all of them are either hard to
configure for the normal user or suffer from being way too centralized."

A lot.

(Emphasis added).

~~~
notsecure
The website should be completely functional with JS disabled (and it is for
me), what issues do you get?

Note: I'm not in charge of the tox.im website, if it were up to me there would
be no javascript at all.

~~~
dredmorbius
Chromium w/ ScriptSafe installed: no text until I allow the primary domain's
JS:

[http://imgur.com/6xOfCr0](http://imgur.com/6xOfCr0)

[http://imgur.com/E8WK98R](http://imgur.com/E8WK98R)

~~~
dchest
You should probably submit a bug report to ScriptSafe.

------
mpnordland
So, This is pretty cool, however, one thing that I noticed: Addresses are per
device. Skype lets you have one name and messages and calls come to all your
devices, but as far as I see, Tox is one address per device.

~~~
biomechanica
I remember reading discussion how to address this problem. I can't for the
life of me find it, though.

~~~
x1798DE
This is where the original (fairly old) idea is on the wiki:
[https://wiki.tox.im/Multiple_Devices](https://wiki.tox.im/Multiple_Devices)

Here is a breakdown of the different ways they are considering on how to
implement it:
[https://github.com/Quoturnix/ProjectTox-Core/wiki/Multiple-d...](https://github.com/Quoturnix/ProjectTox-Core/wiki/Multiple-devices)

------
gue5t
Can you compare this to Jabber+Jingle?

~~~
irungentoo
Tox is distributed meaning it doesn't rely on any central servers.

~~~
gue5t
This would be good to note in the post, since right now it's easy to decide
not to click anything because there are so many links and the salient feature
is never mentioned prior to visiting them!

~~~
irungentoo
Fixed.

Thank you.

------
Nux
So, what is the difference between utox_linux_amd64.tar.xz and Venom from
[https://repo.tox.im/rpm/](https://repo.tox.im/rpm/) ?

------
aalvarado
Is toxcore the name of the protocol? Would it be somewhat compatible with XMPP
or something like that? I like that it's between FB messenger, gchat/hangouts,
viber, what's app, Skype and hosted xmpp.

I think it will have a chicken and an egg problem unless there's some kind of
tool that lets you talk with other older apps and protocols like
gchat/hangouts, or maybe this is planned.

~~~
Epictek
It will most likely not be compatible with anything but Tox itself unless
someone makes a bot to bridge between the two. For example there is currently
a bot in the groupchat (Syncbot) which is a bridge between Tox and IRC.

Bot example here:
[https://github.com/aitjcize/tox-irc-sync](https://github.com/aitjcize/tox-irc-sync)

More info on the protocol here:
[https://github.com/irungentoo/toxcore/blob/master/docs/updat...](https://github.com/irungentoo/toxcore/blob/master/docs/updates/DHT.md)

------
spiritplumber
This is great! Is there an Android version, and if so, are you OK with me
writing a telepresence bot control API for it? (It's just a couple of hooks to
a control app, if you're not releasing source, I can just give you them).

~~~
volitek
Antox, the android client:
[https://github.com/Astonex/Antox](https://github.com/Astonex/Antox)

Please do! It's all free and open source.

------
lwh
How does it differ from Retroshare?
[http://retroshare.sourceforge.net/](http://retroshare.sourceforge.net/)

------
sitkack
Can you explain why tox is written in C over languages?

~~~
veeti
Knowing the typical Arch/Gentoo tiling WM 8px console font anime wallpaper
mindset on /g/, "bloat".

~~~
sitkack
I just did an analysis of the people involved in this project. Tox even more
than cryptocat, is a very dangerous product to use. Even Tor has flaws while
having many very capable cryptographers behind it. Tox appears to be swiss
cheese both in code and protocol.

Rather than ricers with -Ofast kernels and overclocked CPUs it would be nice
if a mature team focused on security and correctness first.

~~~
soyiuz
What was your "analysis" and how is it "very dangerous"?

~~~
sitkack
This is a start, [http://www.tox-chat.com/](http://www.tox-chat.com/)

Like cryptocat, tox claims things that are not proven to be true by developers
that aren't qualified to be writing or designing the protocols for a secure
encrypted chat.

Having the intent to do something isn't the same thing as actually being
_able_ to do it. People will use tox and get p3wnd with very dire
consequences.

------
ledo
I've been keeping an eye on this project for a while, it looks really
promising. I'm spreading the word about it where I can.

~~~
hobarrera
How is it superior to existing IM protocols (eg: XMPP)?

The article compares it to skype, which is popular, but, technologically, one
of the worst protocols around.

~~~
irungentoo
Tox is distributed meaning there are no central servers.

Also, encryption is mandatory.

------
JellyYelly
Any chance of an iOS client any time soon?

~~~
notsecure
Not any time soon, as iOS isn't very FLOSS friendly (in fact, the GPL is not
compatible with the Apple app store). There have been talks of making a
licensing exception, but the iOS client with the most progress
([https://github.com/Jman012/Toxicity](https://github.com/Jman012/Toxicity))
isn't functional at the moment.

~~~
JellyYelly
Oh, that's a shame. Hopefully in the future there will be an iOS client.

~~~
davexunit
Ask Apple to change their policy to allow copyleft software.

~~~
duskwuff
It has nothing to do with Apple's policy. The GPL is what's getting in the
way: it says you can't impose restrictions on the redistribution of a GPLed
application, and the App Store doesn't have any means to even _permit_
redistribution of apps once they're installed.

~~~
ginko
Seems like the App Store's problem.

------
wesley
Are group chats also encrypted? (The problem with jabber right now)

~~~
Ridley
Yes, everything is encrypted from what I can tell.

------
nickysielicki
why is it distributed in binary format?

~~~
JellyYelly
they have links to their git hub repos, so it's also distributed in source
format. Unless I don't understand what you're saying.

------
nmflkjfelkrnfl
For those that don't already know, this project comes from 4chan's technology
board. While there's a lot of inane trash, there are also some real gems if
you're patient enough. I find lots of really cool stuff there that doesn't
seem to be anywhere else.

More technically-capable people are always welcome to help drown out the
inanity. :)

[http://boards.4chan.org/g/catalog](http://boards.4chan.org/g/catalog)

~~~
shitlord
Interesting development:
[http://boards.4chan.org/g/thread/43340418/its-official-bitto...](http://boards.4chan.org/g/thread/43340418/its-official-bittorrent-bleep-is-a-tox-clone-done)

~~~
nmflkjfelkrnfl
Ignore all bait threads. Sage all bait threads. Report all bait threads. Hide
all bait threads.

Don't take the troll bait. ;)

~~~
gcb0
those "trolls" have a very sane point about having to be an idiot to trust
bittorrent, the company.

~~~
nkjfnbewkjfew
Yes they sure do.

I was referring to the OP's "deprecated" meme.

------
dang
Posts without URLs are penalized. You might want to repost this using the most
appropriate URL, then add your text as a comment to the post. If you like,
email us at hn@ycombinator.com with a link to the new post and we'll look it
over for you.

Edit: this one seems to be doing fine.

~~~
TheSisb2
Reading HN full time as a job must be extremely enjoyable. :)

~~~
dang
It's like being paid to eat cheesecake.

~~~
massappeal
Livin the dream, Dang

------
Aqueous
I guess you've settled on a name, pretty completely, but tox evokes all sorts
of bad feelings like "Toxin", "Detox" - generally feelings associated with
the idea of poison or of poisoning yourself. From a marketing perspective this
might not be the least sinister name you could have chosen. I realize this
comes out of 4chan and we make a point of not giving a shit about marketing
but...

~~~
imaginenore
I disagree, it sounds like "talks" to me.

Pretty cool name actually.

~~~
threedaymonk
Whether "tox" sounds like "talks" will depend on whether or not your dialect
exhibits the cot/caught merger. To those of us without, it sounds very
different!

------
throwaway-27677
This project has largely disappointed me in many ways. I know HN doesn't care
much about software licensing and that kind of stuff, but there are many legal
issues behind the project that remain unsolved and have remained unsolved for
majority of the project's lifetime.

1\. The people behind Tox don't seem to be the copyright holders of their logo
as admitted by one of the main developers[1]. The logo is the one also used on
their website.

2\. Tox project is now attempting to (falsely) claim to be the copyright
holders of the logo.[2] Wikimedia Commons deleted the project logo for legal
concerns, and to date it remains deleted.[3] There is no concrete proof for
Tox's copyright claims on the logos, while there's pretty concrete proof that
the project indeed does not hold the copyright on the logos. For those unaware
of how our legal system works, "works without license" are considered
copyrighted work of the author (e.g. anonymous user on linked /gd/ board).

3\. Creative Commons licenses are also incompatible with their choice of
software licensing, GPLv3+,[4] which means they cannot legally redistribute
current logos under the current licenses with Tox software even if they were
copyright holders to those logos.[5] As far as I know, the logos are already
being redistributed with the software.

4\. The documentation also cannot be legally redistributed with the software,
and in theory nobody outside the project has practical freedoms to modify the
documentation.[6] "I'm le troll! :-)" was most likely added by the developers.

5\. Because of the above mentioned issues, Tox cannot be accepted to Debian
GNU/Linux repositories because of DFSG guidelines.

6\. The above mentioned issues also create false advertising; "Tox is both
free for you to use, and free for you to change. You are completely free to
both use and modify Tox."[7]

7\. A developer quit the project because of other serious issues in the
project.[8][9] The developer criticized the design of DHT (distributed hash
table) used to find users, which leaked a lot of data about users. There's a
large reddit thread about these DHT issues somewhere too, but I seem to be
unable to find it myself right now. Fortunately, the leak was patched a long
time ago. Unfortunately, the patch was a large hack which the Tox developers
solved by reinventing the wheel and reimplementing Tor onion routing.

8\. I haven't verified this (so don't count on me), but the Tox core (or core
+ clients?) is now ~100k lines of code. It's not entirely lightweight per se,
which was one of the initial goals as far as I remember.

9\. Another minor thing that upset me was that during Tox's conference talk
(forgot which conference, but it was related to YouBrokeTheInternet), the
speaker forgot to introduce himself and what he was doing. This probably led
to some confusion.

10\. Possibly controversial too, but the first radio talk show Tox was
introduced in was... could I say, maybe slightly cringeworthy. Or something.
See it for yourself.[10]

Sorry if I went a little bit too political, knowing the rules. I wanted to
point out these issues to let you know how everyone involved in the project
can be a help.

[1]: [https://rbt.asia/g/thread/40445107#p40449131](https://rbt.asia/g/thread/40445107#p40449131) - you can scroll down and read the replies too

[2]: [https://commons.wikimedia.org/wiki/Commons:Deletion_requests...](https://commons.wikimedia.org/wiki/Commons:Deletion_requests/File:Tox_logo.svg)

[3]: [https://commons.wikimedia.org/wiki/Commons:Undeletion_reques...](https://commons.wikimedia.org/wiki/Commons:Undeletion_requests/Archive/2014-03#File:Tox_logo.svg)

[4]: [https://github.com/irungentoo/toxcore/blob/master/COPYING](https://github.com/irungentoo/toxcore/blob/master/COPYING)

[5]: [https://www.gnu.org/licenses/license-list.html#ccbysa](https://www.gnu.org/licenses/license-list.html#ccbysa)

[6]: [https://github.com/Tox/Docs/issues/7](https://github.com/Tox/Docs/issues/7)

[7]: [https://tox.im/](https://tox.im/)

[8]: [http://www.tox-chat.com/2013/08/tox-developer-fed-up-quits.h...](http://www.tox-chat.com/2013/08/tox-developer-fed-up-quits.html)

[9]: [https://github.com/irungentoo/toxcore/issues/493](https://github.com/irungentoo/toxcore/issues/493)

[10]: [https://www.youtube.com/watch?v=IdR3SVcBbq0](https://www.youtube.com/watch?v=IdR3SVcBbq0)

Disclaimer: I'm _not_ the author of any of the links above. It's what I have
gathered from numerous discussion threads Tox has had on 4chan.

~~~
srslack
First, I suspect this is a concern troll named WubTheCaptain
([http://wubthecaptain.eu/](http://wubthecaptain.eu/)), or a copycat of the
concern trolling he originally did, that has hung around the tox threads
because he craves attention and replies. But I'll reply to some of these even
though I'm not a tox dev.

1\. The logo was made, over many threads, by members of 4chan's /gd/ board for
Project Tox to Do Whatever The Fuck You Want(tm)

7\. A developer quit the project because she was harassed into quitting by
another notorious troll, SaveTheInternet (the creator of an australian
imageboard 4chon) and friends in the 4chon IRC. Basically, the arrangement at
the time seemed to be quit and I take your dox down.

As you can see, we have many problems with trolls, they're quite interesting
creatures to harass a FOSS project like this for months on end but I suppose
they redeem themselves in the entertainment value of how they bend over
backwards for replies.

~~~
irremediable
> 7\. A developer quit the project because she was harassed into quitting by
> another notorious troll, SaveTheInternet (the creator of an australian
> imageboard 4chon) and friends in the 4chon IRC. Basically, the arrangement
> at the time seemed to be quit and I take your dox down.

Although there was doxing, the issues slvr highlighted were entirely valid.
IIRC, slvr had raised these in a private mailing list and they were then
leaked to the public, at which point doxing occurred.

~~~
srslack
The concerns were public in IRC, github discussions and on the wiki, with a
proposal to fix it:
[https://wiki.tox.im/Proposal:Slvr_Protocol_Rewrite](https://wiki.tox.im/Proposal:Slvr_Protocol_Rewrite)

I did not imply that the issue raised was not valid, only that the pressure to
quit was with troll(s) wielding dox and wub is being disingenuous like always
with his concern trolling.

~~~
irremediable
Yeah, the proposed rewrite was public. A lot of slvr's more vocal criticism
wasn't, though -- some private emails were leaked. But yeah, it was the doxing
that made him quit. And that sucks.

------
aagha
So why this when there's Hangouts?

~~~
kazagistar
Cause it binds you to a particular company, protocol, etc. This is open
source, and does not create a single point of monitoring.

------
Byzantine
What makes the main developer, irungentoo, qualified to write the Tox core?

~~~
sitkack
Starting a new, blue water distributed encryption system in a non-safe
language is _odd_ at this point. The protocol is being _noodled_ through and
the code is in C.

This is the coding style

[https://github.com/irungentoo/toxcore/commit/84c28337d248bad...](https://github.com/irungentoo/toxcore/commit/84c28337d248bad2319b5c001108b198dbd6bc5c)

this is openssl all over again

[https://github.com/irungentoo/toxcore/commit/1d6c3934736c369...](https://github.com/irungentoo/toxcore/commit/1d6c3934736c3694a7c9f694d818252e4159cde3)

~~~
ge0rg
From a short look, I tend to agree with you.

> memcpy(packet + 1, &con->ping_request_id, sizeof(uint64_t));

Copying multi-byte values into a network packet is a typical error made by
novice developers - this will bite you hard as soon as somebody compiles the
code on a Big Endian machine. Even if you might get away with this on opaque
elements like a ping ID, the general approach should not be followed.

~~~
irungentoo
endianness doesn't matter when all you do with it is store it and check if
it's equal to another.

In all cases where it does matter, the values are converted.

Tox has been confirmed working on big endian machines by many people.
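
The two positions in this exchange, side by side, as an added C example that is not toxcore code: an id that is only echoed and compared survives a host-order `memcpy`, while a field the receiver has to interpret needs an explicit wire byte order. The packet layout, type bytes and function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for this example: 1 type byte followed by an 8-byte id.
   The type values are placeholders, not toxcore's. */
#define PACKET_SIZE 9
#define TYPE_PING_REQUEST 0x01
#define TYPE_PING_RESPONSE 0x02

/* The quoted pattern: copy the host's in-memory representation. */
static void put_u64_host(uint8_t *dst, uint64_t v) { memcpy(dst, &v, sizeof v); }
static uint64_t get_u64_host(const uint8_t *src) {
    uint64_t v;
    memcpy(&v, src, sizeof v);
    return v;
}

/* Explicit big-endian (network order) encoding, independent of the host. */
static void put_u64_be(uint8_t *dst, uint64_t v) {
    for (int i = 0; i < 8; i++)
        dst[i] = (uint8_t)(v >> (56 - 8 * i));
}
static uint64_t get_u64_be(const uint8_t *src) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | src[i];
    return v;
}

/* Opaque id: the responder echoes the 8 bytes without interpreting them and
   the sender only tests equality, so host order never becomes visible. */
int opaque_echo_matches(uint64_t ping_id) {
    uint8_t request[PACKET_SIZE], response[PACKET_SIZE];
    request[0] = TYPE_PING_REQUEST;
    put_u64_host(request + 1, ping_id);
    response[0] = TYPE_PING_RESPONSE;
    memcpy(response + 1, request + 1, sizeof(uint64_t));
    return get_u64_host(response + 1) == ping_id;
}

/* Interpreted field: what a peer of the opposite byte order reads when the
   sender used put_u64_host(). Reversing the bytes models that peer. */
uint64_t host_copy_seen_by_opposite_endian(uint64_t value) {
    uint8_t wire[8], reversed[8];
    put_u64_host(wire, value);
    for (int i = 0; i < 8; i++)
        reversed[i] = wire[7 - i];
    return get_u64_host(reversed);
}

/* Same field with explicit encoding: identical wire bytes on every host. */
uint64_t be_roundtrip(uint64_t value) {
    uint8_t wire[8];
    put_u64_be(wire, value);
    return get_u64_be(wire);
}
int be_wire_byte(uint64_t value, int index) {
    uint8_t wire[8];
    put_u64_be(wire, value);
    return wire[index];
}

int main(void) {
    printf("echo ok=%d, other-endian peer reads 0x%016llx, explicit BE reads 0x%016llx\n",
           opaque_echo_matches(0x1122334455667788ULL),
           (unsigned long long)host_copy_seen_by_opposite_endian(1),
           (unsigned long long)be_roundtrip(1));
    return 0;
}
```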

------
Quequau
Does Tox have plans to offer telephone numbers so that POTS subscribers can
call Tox users?

If not, I don't see how it can be a replacement for Skype.

~~~
richardwhiuk
PSTN connectivity requires centralization

------
JoeAltmaier
Warning: shameless plug. Sococo has a free replacement for Skype, including
doc sharing, chat etc. Been around for years now.

~~~
dethstar
Sococo doesn't seem to be open source

~~~
JoeAltmaier
Free though. And lots of features.

