
TOX – A New Kind of Instant Messaging - nvk
https://tox.chat/
======
mxuribe
So, what happens if I download the client on one of my laptops/PCs (for example
my work computer) use it to communicate with peers...And then I wish to setup
the client on another laptop/PC (for example my home computer) to contact my
same peer/friends...How does the overall network (I guess DHT?) know that "it's
me!" (the same "me"), and not a different/new peer? With a centralized system
there was the concept of identity...but I just don't get how this would work
here.

I'll admit I'm not a networking guru here, and I'm absolutely in favor of
decentralized communications ...so my question above is not at all to knock on
Tox; it's me really wanting to know how the above scenario would play
out...because I often need to bounce between a few different computers. Anyone
know how this would work?

Side note: I am currently using matrix protocol via a synapse/matrix.org home
server (using the chat client from [https://riot.im/](https://riot.im/)), so
for any computer that I use/jump to, I'm represented by my home server (up in
the cloud)...so that makes sense to me. I just don't get how jumping computers
would work on Tox. Anyone know?

~~~
bisby
This has been the #1 reason that I haven't convinced people to use tox yet.

I sometimes get up and walk away from a computer mid conversation, expecting
to continue the conversation on my phone. It's the same reason I won't be
using google allo. I need conversations to "sync" across mobile and PC.

I'm not going to sit at a desk all day chatting on my phone, and I'm not going
to miss messages just because I went mobile.

I saw somewhere in a previous tox chat, that a possible solution would be a
way to pin identities together (I say from desktop "this mobile is me" and
from mobile "this desktop is me" and when they match, allow them to pair). And
then send every message encrypted to both peers. If you have 5 devices linked,
tox would behind the scenes send the message to 5 different destinations.

They haven't done anything like this yet as far as I know.

~~~
languagewars
> If you have 5 devices linked, tox would behind the scenes send the message
> to 5 different destinations.

I dislike existing systems that implement this kind of model since it is too
easy for a ghost device to be getting copies of everything. My phone
transitioning to different UX clients with notifications/verifications of
transitions on its own UX is better.

~~~
bisby
I agree that I don't like that system (and may be the reason that it hasn't been
done), but I'm not fully sure of alternatives either.

But, I don't think a client should transition from one to the other either. I
often just get up and walk away from my computer with chats in the background.
I wouldn't want to have to tell it to transition.

~~~
languagewars
If you always have one device with you that you trust (your phone) then it can
seamlessly transition to duplicating and accepting (some) content to other
devices you trust less as you encounter them, in a temporary/renewing fashion.
There can be lots of levels of convenience versus paranoia in that kind of
system.

If you treat multiple devices equally (even when you routinely leave them
unattended) then things quickly fall apart and no paranoia helps.

You could look at Kerberos for an example of this style of loaning limited
tickets for credentials.

------
eeZah7Ux
Be warned, Tox claims to protect users from "governments", which is a huge
claim.

Yet, it's written in C, it hasn't had a security audit, it does not publish a
list of security risks and mitigations, and, regarding its roots in 4chan, see
for yourself:
[https://github.com/irungentoo/toxcore/issues/1186](https://github.com/irungentoo/toxcore/issues/1186)

~~~
iphy
We're in the process of writing a specification
([https://github.com/TokTok/spec](https://github.com/TokTok/spec)) and new
implementation in Haskell ([https://github.com/TokTok/hs-toxcore](https://github.com/TokTok/hs-toxcore)).
There is also a Rust
implementation in the works
([https://github.com/zetok/tox](https://github.com/zetok/tox)).

As for security risks and mitigations, I'd like to do that when we have a web
presence with space for it. Right now, the web presence is fairly poor
([http://toktok.github.io/](http://toktok.github.io/)). The specification
contains some security risks and mitigations.

~~~
EvgeniyZh
Rust seems reasonable, but why Haskell? Also why not improve current core
while writing new implementation?

~~~
iphy
We are doing exactly that: we are improving the current core and at the same
time modelling the behaviour in Haskell. The Haskell version does not do
networking and only represents an executable model of the environment. We use
that to test core functionality. See
[http://toktok.github.io/design/testing](http://toktok.github.io/design/testing).

~~~
EvgeniyZh
When I was thinking about contributing to Tox it was way too hard to find out
its development is alive at all:
[https://www.reddit.com/r/projecttox/comments/4vmfhn/is_tox_d...](https://www.reddit.com/r/projecttox/comments/4vmfhn/is_tox_development_dead/)

P.S. Now I see activity in new core repo, that's cool

------
gregn610
from the FAQ: "How do I add someone to my contacts list?

Look in the profile or settings panel of your client to get your Tox ID which
should look something like:

56A1ADE4B65B86BCD51CC73E2CD4E542179F47959FE3E0E21B4B0ACDADE51855D34D34D37CB5"

Yuk! I see this flaw in so many products like this, just about anything p2p,
blockchain addresses, commit ids, etc. I think there is zero chance of getting
anyone who is not technology elite to adopt a product with UX that rotates
around these untypeable/unpronounceable/immemorable identifiers. Why aren't
Identicons ([https://en.wikipedia.org/wiki/Identicon](https://en.wikipedia.org/wiki/Identicon))
or QR codes used more?
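
What the 76 hex characters in the FAQ's ID contain, as an added example that is not part of the comment above or of the Tox project's code: it assumes the layout in the Tox protocol specification (32-byte public key, 4-byte nospam, 2-byte XOR checksum), which this thread does not state, and the function names are hypothetical.

```python
# Added illustration; function names are hypothetical, not toxcore's API.
from typing import NamedTuple

# The ID quoted from the FAQ in the comment above.
FAQ_TOX_ID = "56A1ADE4B65B86BCD51CC73E2CD4E542179F47959FE3E0E21B4B0ACDADE51855D34D34D37CB5"

# Field sizes assumed from the Tox protocol specification.
PUBLIC_KEY_LEN, NOSPAM_LEN, CHECKSUM_LEN = 32, 4, 2
TOX_ID_LEN = PUBLIC_KEY_LEN + NOSPAM_LEN + CHECKSUM_LEN  # 38 bytes = 76 hex chars


class ToxId(NamedTuple):
    public_key: bytes
    nospam: bytes
    checksum: bytes


def xor_checksum(data: bytes) -> bytes:
    """XOR even-indexed bytes into byte 0, odd-indexed bytes into byte 1."""
    out = bytearray(CHECKSUM_LEN)
    for i, b in enumerate(data):
        out[i % CHECKSUM_LEN] ^= b
    return bytes(out)


def parse_tox_id(text: str) -> ToxId:
    """Split a hex Tox ID into its fields; raise ValueError if malformed."""
    try:
        raw = bytes.fromhex(text.strip())
    except ValueError as exc:
        raise ValueError("Tox ID is not valid hex") from exc
    if len(raw) != TOX_ID_LEN:
        raise ValueError(f"expected {TOX_ID_LEN} bytes, got {len(raw)}")
    body, checksum = raw[:-CHECKSUM_LEN], raw[-CHECKSUM_LEN:]
    if xor_checksum(body) != checksum:
        raise ValueError("checksum mismatch (mistyped ID?)")
    return ToxId(body[:PUBLIC_KEY_LEN], body[PUBLIC_KEY_LEN:], checksum)


def swap_bytes(hex_id: str, i: int, j: int) -> str:
    """Return hex_id with bytes i and j exchanged (constructed test input)."""
    raw = bytearray.fromhex(hex_id)
    raw[i], raw[j] = raw[j], raw[i]
    return raw.hex().upper()


if __name__ == "__main__":
    print(parse_tox_id(FAQ_TOX_ID))
```

The checksum catches a mistyped character or a swap of adjacent bytes, but a swap of two bytes at the same parity (for example bytes 0 and 2) still validates, so it is a typo check and not a substitute for comparing the ID over a trusted channel.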

~~~
ghgr
Choose two:

    Human-meaningful: Meaningful and memorable (low-entropy) names are provided to the users.

    Secure: Any entity in the system can act maliciously, including the majority of the entities or the available computational power.

    Decentralized: There is still only one, unique and specific entity to which a name resolves.

[https://en.wikipedia.org/wiki/Zooko%27s_triangle](https://en.wikipedia.org/wiki/Zooko%27s_triangle)

~~~
salted-fry
Zooko's Triangle is conjecture, and Namecoin has shown it to be defeatable,
no?

Edit: Ah, I see; "including the majority of the entities" would exclude
Namecoin from being a proper solution to Zooko's Triangle.

------
lucaspiller
Right now I'm not really bothered about end-to-end encryption. If a government
wants to track me, they will find a way. I'm more concerned about
Facebook/Google/Microsoft/Apple tracking me, reading my private conversations,
and selling my data to the highest bidder. I'd like an open source,
decentralised messaging platform, that has good mobile apps.

Any suggestions?

~~~
mrbiber
riot.im [1] (which is based on matrix.org) seems a good, decentralized, open
messaging app. They have relatively nice mobile apps and they promise to soon
release end-to-end encryption based on the OLM [2] ratchet which is similar to
the Signal encryption. In contrast to Tox, Matrix relies on federated servers.
Tox is pure P2P which, in my experience, never works very well on mobile
devices.

[1] [https://riot.im/](https://riot.im/)

[2] [https://matrix.org/docs/spec/olm.html](https://matrix.org/docs/spec/olm.html)

~~~
fizzbatter
> Tox is pure P2P which, in my experience, never works very well on mobile
> devices.

That's (UX) my biggest concern, honestly. UX is just too important, and it's
becoming an increasingly fast moving bar. Simple things like hitting up arrow
to edit your message, to more complex things like stickers and gifs, these are
(unfortunately) requirements for me in my peer circles.

They sound silly, I know, but Telegram has (mostly) a great UX, and for such
an important tool I can't currently give up features.. let alone convince my
friends to likewise give up features.

(Fwiw, I _love_ Matrix in design)

~~~
mrbiber
I totally agree. My hope is that because Matrix has an open protocol, there
will be more competition in the client space which will lead (eventually) to
good UX.

------
zaggynl
Does it still use 1GB of network traffic per day when idle?

~~~
akerro
That's by design to keep connections with other peers.

~~~
veeti
That is a fundamentally broken design. There is literally no excuse for a
simple messenger app to suck up a gigabyte daily. How do you expect people to
adopt this when they have broadband and wireless plans with data caps?

~~~
taneliv
I know nothing about TOX design, but it makes (to me, at least) some privacy
sense to saturate the network with noise that is in message length, their
interarrival time and recipient characteristics similar to the actual
communication. No idea if TOX does that.

------
Jaruzel
Please forgive my ignorance, but it talks a lot about peer-to-peer
conversations - how would that work if the peers are behind NATs or Proxies?

~~~
iphy
That works with UDP hole punching
([https://en.wikipedia.org/wiki/UDP_hole_punching](https://en.wikipedia.org/wiki/UDP_hole_punching)),
and there is a branch with UPnP
([https://en.wikipedia.org/wiki/Universal_Plug_and_Play](https://en.wikipedia.org/wiki/Universal_Plug_and_Play))
support. We still need to review that code carefully before accepting it into
master.

------
okket
FYI:
[https://en.wikipedia.org/wiki/Tox_(protocol)](https://en.wikipedia.org/wiki/Tox_\(protocol\))

~~~
zerognowl
It seems robust, but I do worry about the client. Has the client been audited
properly? I hope the track record's not like Pidgin's
[https://pidgin.im/news/security/](https://pidgin.im/news/security/)

~~~
ivcha
That's too bad, pidgin is the only client I want to use, regardless of the
protocol...

------
nvk
The new version is out, seems to be getting much better.

[https://github.com/uTox/uTox/releases](https://github.com/uTox/uTox/releases)

------
Dowwie
I tried an earlier version of a tox client. At that time, there were at least
two competing clients that looked the same and did the same things. Is the tox
civil war over yet?

~~~
dysfunctor
But you realize that's like saying "Well, I tried IRC but there are dozens of
competing clients that all do the same thing."

The Tox protocol is really the core tool. As long as the protocol is well-
defined and maintained, I think developers should be free to make whichever
clients that they want.

I used tox ages ago, and I used the Blight client or whatever it was called,
and I liked it pretty well.

I think a bigger issue is convincing people to use it in small groups. My
whole team is just fine using Mattermost/Hipchat/IRC and the majority of them
don't see the need for something like this.

~~~
Dowwie
In this case, it's not like saying anything about IRC chat clients or Hipchat
or whatever your team uses or develops. The clients really did look and behave
the same. There was so much overlap between them. Not exaggerating this point.

~~~
cakes
I had a similar experience and it seemed like they were both being developed
by the same core group(s) dividing their time between both (again, my
perception) which was confusing as they were very similar.

------
msh
Strange choice of screenshot.

~~~
eps
Woah, indeed.

[http://i.imgur.com/3MdrSQi.png](http://i.imgur.com/3MdrSQi.png)

------
mrmondo
I've been a private beta tester for an iOS client for Tox called 'Antidote',
and I can speak for its quality. I will not pretend to be an encryption or
security specialist of any form however.

------
huhtenberg
Previously -
[https://news.ycombinator.com/item?id=6121225](https://news.ycombinator.com/item?id=6121225)

------
sgreen
What makes this better than Signal for texting?

~~~
snowpanda
Signal still relies on Google Play Services, which is an issue for many people
(see GitHub issue #127, #1000, #1106, #5450 etc....)

~~~
Sir_Substance
I was mad disappointed by Signal. Not only does it require Google Play
services, it also asks for about two dozen privileges on your phone. Not a
great look for a privacy oriented app.

~~~
kuschku
Moxie doesn’t consider that kind of privacy important. Governments listening
to you is irrelevant, and third party clients are something he actively tries
to prohibit.

His position is that it’s better if everyone gets a little safety, than if a
few people get full safety.

~~~
Insanity
"that kind of privacy". So which 'kind' of privacy does it try to improve on?
I've been thinking of switching to a different application for messaging and
Signal came by a few times but I don't know a lot about it. Would you care to
elaborate?

~~~
kuschku
Moxie tries to provide privacy that protects everyone against the normal
police, or hackers, or other adversaries – but it does and can not provide any
protection against the NSA, or the FBI, and is not intended to do so.

~~~
Insanity
Ah I see, thanks for clarifying that to me :-)

------
setra
It may surprise some to know that this started as a project of 4chan's /g/
board

~~~
hd4
It may surprise less of us than you think ;)

------
realworldview
A new kind of more of the same oh no not another bloody chat client wait i'm
going to write a wordpress clone.

------
nikolay
New? It's anything but new!

------
ninesigns
Could someone please write a summary on what has changed in Tox project over
last year?

------
poi519
Seems like XMPP is still a viable option.

~~~
ninesigns
Not so much on mobile phones.

~~~
astro1138
Conversations.im

------
zhovner
Still no contacts sync?

~~~
nvk
It's open source, they take pull requests and donations.

~~~
commentzorro
What makes you think that parent has the knowledge, ability, and time to do
this task?

I see this "it's open source, make pull request" type of comment quite a lot
but don't understand how you'd know if the person you're saying it to could do
it. If not, it's kind of a dick move, isn't it?

~~~
nvk
The way the feature was requested comes across as a dick move and very self
entitled. The least the parent could have done is added some niceties or some
reasoning in more than 4 words when asking something for free.

~~~
commentzorro
I know, people make the "I'd use it but for this feature" comment all the
time. But I believe they do it without thinking rather than with the intent of
being unkind. The "... pull request" is almost certainly knowingly mean
spirited. (Even if true.)

Edit: here's a possibly better response than the "do it yourself" response:

XXX is a free and open source project. That means the developers put in the
majority of their time on the issues that they want and enjoy coding the most,
even if other good features are left out. If you're unable to help out with
coding yourself, you could look through the open and closed issues and see if
others have thought about your feature request too. If an open issue exists, a
short "while I don't have the ability to code this, I'd like this feature
too," added to the list would let the developers gauge interest and may sway
someone into giving it a try. Thanks.

Edit 2: It's a bit long. This sentiment but shorter.

