

Hackers Build a Skype That’s Not Controlled by Microsoft - Libertatea
http://www.wired.com/2014/09/tox/

======
Dylan16807
Oh, they're talking about a Skype _network_ alternative. I was excited for a
moment to hear about a Skype _client_ alternative. Oh well.

~~~
lelandbatey
There are Tox clients and in many ways they are on par with Skype. You can
use it today.

Edit: oh wait, I see what you mean now. Sorry I read that on my phone at
first, missed what you were getting at.

Yes, it's a new IM client/network. However, it's much more secure, and
decentralized. It's pretty cool.

~~~
phpnode
if switching IM _networks_ was as easy as that, Skype would already be on the
way out. We use skype because everyone else uses skype.

------
tagrun
Sounds like either they're not aware of Retroshare (uses Qt for GUI), or they
think developing in C++ is too much of a hurdle.

It's peer-to-peer, uses web-of-trust, completely encrypted, already has
chat/mail/"www"/voice chat/file sharing/etc. Still missing the video chat
plug-in though, but it's on the to-do list.

~~~
dublinben
I'm more surprised there is no mention of Jitsi, a project that has been
around for years. Tox is barely usable across multiple platforms.

------
hobarrera
So how is this an improvement over things, like, for example, XMPP?

It's easy to stand out when comparing to the worst alternative out there.

~~~
etiam
Very little configuration required seems to be one main idea. The most
important reason I have been interested in Tox is that I got the impression
early on that they intend to make it resistant to traffic analysis as well
(and judging from this thread
[http://4chanarchive.net/threads/g/Tox-Thread/43340618](http://4chanarchive.net/threads/g/Tox-Thread/43340618)
there are still such plans) but that isn't emphasized in the page at tox.im any
more.

I'm guessing they're prioritizing getting something that the average Skype
user would be capable of installing and configuring, and saving the onion
routing feature for later.

~~~
tracker1
I do think that a directory service for search/lookup may be desired as
well... where people can upload their device key(s) and bind to say their
email address or other handle for search/discovery.

------
AlyssaRowan
I've seen Tox before and looked into it. Think I've commented on it before,
but maybe not, so here's my take: Nice sentiment. Doesn't yet quite live up to
what it wants to be. But if the project can listen and adapt to advice like
this, it has scope to improve and be a really important contender.

Firstly, it _needs_ metadata protection with onion (or, better, garlic)
routing. Without that, it still has a pretty big mass-analysis flaw. Please
look at I2P for an example of the kind of architecture that would work well:
two DHTs with decoupled garlic routing in between? You may, or may not,
leverage an existing network for that; there are some obvious cover-traffic
advantages if you do, but it's less synergistic.

Secondly, I don't see a full forward-secure messaging ratchet in there, it's
really per-session. Look into Axolotl, and in particular what TextSecure v2
aka Signal has done for group chats too. Tox - using libsodium - already has
every tool it needs to do that, it just doesn't do it fully yet.

Thirdly, more stability. The susceptibility of the DHTs to resource-starvation
attacks. (I don't think I2P ever actually implemented the hashcash it planned
for?) But there's been some further work on that. Scalability is tricky,
especially in the face of on-path attackers...

Skype is pretty awful. It's actually pretty much centralised now, using TLS,
but still runs much like the bad P2P network it used to be: closed-source
software with a bad reputation for eating 100% CPU and awful chat desync. Most
people who use it would rather be using something better, and I think there's
plenty of scope there - people _would_ switch if there _was_ something better.
Let's make sure an alternative is _much_ better?

Oh, maybe look into a distributed consensus protocol of some form for name
registration - _if_ it's possible to do a light one which can impose
ordering...

I've not performed a full security review. It's too young for that, and it's
too young to rely on. When the above are addressed, then it's time to give it
a more thorough look. /akr
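
Added example (not part of the comment above, and not Tox, Axolotl or TextSecure code): a minimal Python sketch contrasting one key per session with a symmetric hash ratchet when an endpoint's key state is copied mid-conversation. The class names, the HMAC-SHA256 labels and the shared secret are constructed for illustration; it models only the symmetric half of a ratchet, so keys derived after the compromise stay exposed in both schemes.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 used as a one-way key derivation step."""
    return hmac.new(key, label, hashlib.sha256).digest()


class PerSessionKey:
    """Every message in the session is protected by the same key."""
    def __init__(self, secret: bytes):
        self.state = secret

    def next_message_key(self) -> bytes:
        return self.state


class HashRatchet:
    """Symmetric ratchet: derive a message key, then overwrite the chain key."""
    def __init__(self, secret: bytes):
        self.state = secret

    def next_message_key(self) -> bytes:
        message_key = kdf(self.state, b"message")  # label is an assumption
        self.state = kdf(self.state, b"chain")     # previous chain key is discarded
        return message_key


def exposed_after_compromise(scheme, sent: int, lookahead: int = 8):
    """Return (past, future) counts of message keys derivable from stolen state.

    `sent` messages go out, the endpoint's key state is then copied,
    and `lookahead` further messages are sent.
    """
    channel = scheme(b"constructed shared secret (demo)")
    past_keys = [channel.next_message_key() for _ in range(sent)]
    stolen = scheme(b"")
    stolen.state = channel.state  # copy of the live key state
    future_keys = [channel.next_message_key() for _ in range(lookahead)]
    # Everything computable from the copy: the state itself plus whatever
    # running the scheme forward from it yields.
    derivable = {stolen.state} | {stolen.next_message_key() for _ in range(lookahead)}
    past = sum(k in derivable for k in past_keys)
    future = sum(k in derivable for k in future_keys)
    return past, future


if __name__ == "__main__":
    for scheme in (PerSessionKey, HashRatchet):
        print(scheme.__name__, exposed_after_compromise(scheme, sent=5))
```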

------
Balgair
Ok, my grandmother can use Skype now. And yes, she has to use an instruction
guide I printed out for her. My question: Would my grandmother recognize this
as an alternative to Skype?

~~~
Moru
Will she recognize Skype next month? I find printed manuals have to be changed
every time Skype updates something...

~~~
drivingmenuts
Being on a Mac, I wasn't aware that Skype updated very often.

And to the OP, it doesn't sound like this product is grandmother-friendly yet.

~~~
Balgair
Thank you!

------
metachris
Here's a little more technical information:
[https://github.com/irungentoo/toxcore](https://github.com/irungentoo/toxcore)

------
pbhjpbhj
Isn't [https://appear.in/](https://appear.in/) and its ilk "a skype not
controlled by Microsoft" to some extent? AFAICT it creates an SSL secured
peer-to-peer connection.

------
mcphage
So it's a Skype that's controlled by hackers?

~~~
sitkack
4chan'rs.

------
dharma1
seems like a good project. how is it different from say, mumble?
[http://wiki.mumble.info/wiki/Main_Page](http://wiki.mumble.info/wiki/Main_Page)

~~~
tapoxi
Mumble is a low latency chat server. You join a server, people join your
channel, you chat. It's designed for public group conversations, like in games.

Tox is more like Skype, but it has no central server. You add friends to a
buddy list and chat with them, you add more people to the chat and it becomes
a group chat.

------
ilaksh
What's wrong with WebRTC?

~~~
tsahil
Some context please?

~~~
ilaksh
WebRTC allows peer-to-peer video conferencing through a web browser without a
third party server. Which means there is no intermediary server to record the
data.

~~~
JoeAltmaier
Actually any peer-to-peer communication system has the property, regardless of
the existence of a 'rendezvous' server to get them connected.

~~~
ilaksh
OK so what's wrong with WebRTC? Why do we need this other client they just
invented?

~~~
JoeAltmaier
WebRTC is just a protocol. You can use it any way you like. Lots of folks use
it to talk to a switching server, probably because P2P IP connections can't
always be made, while a server connection is guaranteed to work.

------
sitkack
This is on the same level of security as OpenSSL and CryptoCat.

~~~
makomk
The crypto appears to be fairly standard - it uses NaCl's crypto_box to
encrypt and decrypt almost everything, with a per-session keypair
authenticated by the user's long-term key. Code quality is a bit OpenSSL-esque
though.

