
uTox – Free, Secure Instant Messaging - irungentoo
http://utox.org/
======
astonex
I would use Tox and any of its clients with caution. At one point in time,
your friends would be able to execute arbitrary shell commands on your PC if
you were running uTox and accepted a file download. Even with large security
concerns like this, the lead developer believes Tox and uTox are secure because
he reads the code he wrote himself (nonetheless, git history is filled with
bug fixes he clearly missed in his reading). This isn't exactly reassuring,
especially coming from someone who doesn't have provable past experience in
security software.

Edit: I just got banned from their IRC for stating this opinion here.

~~~
nickpsecurity
That last part is enough to ditch them unless you were fighting with them in
IRC. Were you?

Your claims ring true for the vast majority of new COMSEC schemes. Far as Tox,
this is what I found on their GitHub page: "Current build status: build
failing." I'll add that NSA and malware authors have 0-days on the platforms
the tool will likely run on. It will be bypassed like all others on such
platforms.

~~~
astonex
I was just idling on their channel when irungentoo got me banned for my post
here.

~~~
nickpsecurity
Yeah, that's quite questionable. They need to be able to handle and defend
criticism better if they want to make it in INFOSEC. Especially if they ever
get press like Cryptocat or Diaspora did.

------
blucoat
Something to keep in mind:

Of all Tox clients, uTox is written in C, using its own UI framework that
directly interfaces with X11 and WinAPI. This makes the code itself a mess.
The reasoning behind this is that it's somewhat of a meme on /g/ that anything
but pure C code is "bloat". I tried contributing a bit last year, did some
work on copy/pasting inline images, and found a remote code execution vuln.
Then I got fed up with how terribly confusing the codebase was for something
so simple. I'm not a professional programmer or anything, just a student, but
it seems like it's the same for everyone else in the project.

------
tetrep
I wonder if we'll ever get to the point where projects start advertising what
methods they use to weed out memory management bugs (i.e. static analysis,
fuzzing, etc) because an adversary that can execute arbitrary code on my
machine is far more intimidating than one that can eavesdrop (imo).

~~~
bobdole1971
Speaking of that, I wonder why uTox & Tox weren't made in memory safe
languages in the first place. There could be many possible reasons, so I won't
bother speculating.

~~~
irungentoo
Just build it with ASan and you will get all the safety, memory usage and
slowness of a memory safe language.

~~~
bobdole1971
You'd need UBSan as well, and even that doesn't catch everything. Regarding
memory usage/slowness: why not OCaml, D, or Rust?

~~~
chc
Rust only recently hit 1.0, so it's pretty obvious why somebody would not have
built their software using that.

~~~
Jfreegman
Also, current benchmarks show Rust to be about ~3x slower than C, making it
more comparable to Go or Java.

~~~
chc
Interesting. Do you know of any good, recent benchmarks of Rust? I haven't
seen a whole lot. The Benchmarks Game mostly appears to show Rust being closer
than that in general, though the Rust benchmarks seem to be kind of crap.

------
lawl
If you're worried about how good the encryption is, you can actually use Tox
with Pidgin and then layer OTR on top of it.

That way you get decentralized messaging and don't need to trust their crypto.

[https://wiki.tox.im/Tox_Pidgin_Protocol_Plugin](https://wiki.tox.im/Tox_Pidgin_Protocol_Plugin)

------
adwf
I've been using this for the last 6 months or so. Seems pretty good as a
client. Stable on the comms side, although short of an audit, I'm just having
faith in the security side of things.

What it really needs is some way of having a roaming profile though. Currently
you have to have multiple accounts, one for each device. So my friends list
has a lot of duplicates depending on whether they're on their work computer,
at home, on their phone, etc...

I'm not actually that fussed about the encryption side of things. I'm far more
happy with the lack of reliance on centralised servers. You don't need an
account somewhere to get it up and running, you just send a message to a
friend and compare secrets to authenticate.

~~~
detaro
Yeah, way too many messengers seem to assume "Well, everyone has just 1 phone
anyways, and where else would you want to use a messenger". I get that desktop
clients etc. are not the first thing on the priority list, but still it is very
annoying (and the first one which gets that right I'm pushing everybody to.)

(Threema actually recommends a workaround: "Just create a groupchat for each
of your contacts with all your devices in it and always use that")

~~~
adwf
Thanks, that's a good workaround, I'll try it tomorrow. It should still be a
default thing if they want mainstream adoption though.

------
fastball
> "Future of Instant Messaging"

Not with that UI.

------
vezzy-fnord
uTox is one client of several. For a full list, see:
[https://wiki.tox.im/Client](https://wiki.tox.im/Client)

------
counterculture
you know it's good 'cause it offers "ROCKSOLID encryption"

------
jzelinskie
Isn't this a project that was developed by users of the /g/ board on 4chan?
I've only ever seen it berated on that board (everything is berated on that
board) and don't really know how solid the actual software is.

~~~
subjectsigma
As far as I know, the project really only gained any traction once it
distanced itself from /g/'s bikeshedding. I think in light of this the uTox
team has made an effort to distance themselves from 4chan entirely.

It's been a while since I read anything about them but last I heard, the
crypto was fairly solid and the only problems were one of reliability and user
experience; that being said, I'm no expert and we won't know until it gets
popular enough to deserve an audit from someone important.

------
kolev
Gee, yet another identity nomenclature - <username>@utox.org! When will this
trend end?! Aren't you tired of the ever-growing lists of identities you need
to share with people?

------
Veratyr
I like the idea of Tox but there are a couple issues that make it unusable for
most users (at least me and a few I've talked to about it):

- No push notifications of any kind, meaning mobile devices have to keep a
connection open (kill their batteries) or poll for updates (and get the
message later).

- No multiple device support, so I can't use my phone _and_ my desktop. I
have to pick.

It'll be great when it's been polished up and completed a bit more but it's
not there yet.

------
dbbolton
Why aren't the name/Tox ID requirements listed on the site? I tried
registering a few times and got an "invalid" error each time.

------
listic
Wow, Skype must have really cemented its place in public consciousness as an
instant messaging service.

I would think a new service should support video chat before comparing itself
to Skype, but no. (I am actually seeking an open-source alternative to Skype
that supports video conferencing: I know of audio clients/services, but not
about video)

------
bluesmoon
Back in 2001, the ayttm project supported free, secure instant messaging by
using gpg to encrypt all messages and by allowing you to split a conversation
across multiple networks (Yahoo, MSN, AOL, XMPP).

~~~
nickpsecurity
Appreciate the tip. The Snowden leaks appear to support that GPG is so robust
that even NSA analysts use it. So, a project using IM over it is playing it
extra smart (albeit clunky). Turns out it's still active:

[http://ayttm.sourceforge.net/features.php](http://ayttm.sourceforge.net/features.php)

------
chrismartin
Why would I use this instead of XMPP and OTR?

~~~
adwf
The main thing for me is the lack of a central account server. Even with XMPP,
you still need to have an account and login somewhere to authenticate. With
this, you have to authenticate each friend manually, but only the once. After
that, there is no account but the profile stored on your hard drive.

~~~
nickpsecurity
That's certainly a selling point. The problem: newer and hand-rolled stuff
_always_ has serious problems. Many continue to have serious problems over
time. I'd be interested in seeing software that solved those problems while
leveraging proven protocols, clients, etc. Might just be a plugin to several
popular IM clients.

------
hobarrera
So how does this improve on existing IM, say: XMPP?

------
nvk
Seems really cool, anyone audited this project yet?

------
thomasfl
Would be cool to have FOSS iOS apps made with this.

~~~
cbsmith
We basically have this stuff with Signal:
[https://whispersystems.org/](https://whispersystems.org/)

~~~
mrmondo
Signal I trust over anything else, but the iOS application is pretty awful to
use to be honest.

~~~
cbsmith
I've heard these open source projects have ways you can help fix that...

------
JackH2
I prefer software that does not need runtimes and can run without dependencies
on major distros.

------
JackH2
qTox please consider making static builds

