
The Tox project - aoxomoxoa
https://tox.chat/about.html
======
jchw
I believe this started as an off-shoot of some discussion on 4chan's /g/ board
numerous years ago. I mention this because while it is a really cool project,
it's definitely hobbyists working on it, and hobbyists working on security
software should definitely give some pause.

Personally, I hope it succeeds in the longer term. We need good, decentralized
protocols and software. Decentralization comes with its own costs, and it may
never overtake the centralized web. But, protocols like Bittorrent have proven
to be super powerful even with their flaws and limitations. To me, it is a no
brainer that we need end-to-end encrypted chat, and it would be ideal if it
could be peer-to-peer.

~~~
SpaceGorilla
It's amazing the project has gotten this far. I honestly thought this post was
going to be announcing the end of Tox.

The project started with a ton of momentum but never really got picked up in
the mainstream. Iirc the founder and most of the core code came from one guy.

Not to mention there has been a ton of internal drama: iirc one of the devs
stole a bunch of tox donation money to pay off part of his tuition. Then there
was a split in the devs and one of the devs stole all the credentials for the
website and they switched? Then there were the accusations that some of the
devs were child molesters and were doxed.

They also hit a brick wall at one point on mobile due to the protocol being
very heavy on battery usage so for a while it was only realistic to use on the
desktop.

I wish the project nothing but the best and hope they succeed, but I feel like
they have reached a point where they have lost interest. I hope I'm wrong.

~~~
snvzz
The last couple years have been spent making things right. Documenting the
protocol, fixing ugliness in toktok (fork of libtox that's effectively
replaced it) and such menial but important work.

Now it isn't a hacked together piece of shit anymore, but proper. As a result,
it works reliably. The user experience is very good.

------
SauciestGNU
I really think tox is a cool idea, and I've used it quite a bit, but I think
it's important to temper security expectations. I can't find a link, but I
remember the results of the security audit done in the project to be frankly
disastrous.

~~~
cjcole
You may be thinking of this thread:

[https://github.com/irungentoo/toxcore/issues/121](https://github.com/irungentoo/toxcore/issues/121)

I couldn't find any evidence of an audit.

There is an actively developed Rust implementation of the core library here:

[https://github.com/tox-rs/tox](https://github.com/tox-rs/tox)

Of course, any flaw in the specification (for example with respect to key
exchange) will still apply if they've faithfully implemented it.

------
snvzz
Tox might be one of the most underrated projects out there.

Launch a client (qtox suggested), add a few friends by copying their tox
address (=pubkey) and start talking. It just works, is completely
decentralised, and the only way to talk is end-to-end encryption with forward
secrecy.

It literally solved the IM problem for most use cases.

~~~
nyolfen
it's not great for mobile, which is by far the main use case these days. a
huge battery drain unless something major has changed since the last time i
checked in on it.

~~~
snvzz
Well, decentralized makes the whole push thing nontrivial.

Not that I understand IM on mobile. I'd rather use email.

~~~
arendtio
The decentralization aspect is not the problem. XMPP for example is also
decentralized but has quite good mobile support. The problem with tox seems to
be that it is peer-to-peer. So the servers are missing which could buffer all
those events for the clients.

~~~
snvzz
>The decentralization aspect is not the problem. XMPP for example is also
decentralized but has quite good mobile support.

XMPP is federated. Having servers makes things easier.

Tox is full p2p, there's no servers.

~~~
erk__
Is that not more a difference between distributed and decentralized then, such
as git is a distributed system even though it needs a central server in most
use cases?

~~~
arendtio
Here is my shot at defining various terms in this context:

- _Centralized_: Centralized networks have one central point which controls
the network. That doesn't have to be a single server; sometimes it is just that
there is just one company controlling the network (e.g. WhatsApp).

- _Decentralized_: Is the opposite of 'centralized' meaning there is more
than one central point. So all following types are 'decentralized'.

- _Distributed_: In general terms, it means that the network is (more or
less evenly) distributed upon all participants. All participants have the same
role and responsibility. There are various kinds of distributed networks. Git
for example stores a full copy of all information in every node. Distributed
Hash Tables use a different approach where every node is responsible for one
explicit part of the information to store.

- _Peer-to-peer_ (p2p): Is one form of a distributed network, which works (in
general) without servers. So all the participants connect directly to one
another (Tox).

- _Federated_: Is sometimes called a 'distributed network of centralized
networks'. Two popular examples are e-mail and XMPP. All participants use their
own centralized server, but that server cooperates with other servers to
transfer messages across the network. Sometimes their implementations make a
distinction between client-to-server and server-to-server protocols.

In general, the more centralized a network is, the easier it is to control.
This can be good when it comes to spam, but also bad when it comes to
censorship.

------
nimbius
Tox has received a lot of criticism for originally implementing non-standard
encryption and being difficult to use. Although claimed by developers to be
easy to use for anyone, Tox suffers from overengineering. Clients have many
layers of abstraction copied from Skype which makes it difficult to audit and
to submit pull requests. Overall, however, clients have a very good ease of
use and look aesthetically pleasing.

------
nine_k
What are other viable peer-to-peer encrypted communication tools? Is Tox the
only alive project in this space?

~~~
digianarchist
[https://ricochet.im/](https://ricochet.im/) - uses Tor hidden services for
extra security.

~~~
nine_k
Seems not especially maintained: "The latest version is 1.1.4 (November 5,
2016)."

May still be functioning well; did not try it.

~~~
digianarchist
Right it still functions correctly.

There are more recent commits on master, they just haven't released in a while.

I think they are waiting for the Tor team to provide an API for v3 hidden
services before resuming work on the project.

~~~
tribby
there's also work being done on a golang implementation, as well as
integration with tails (tor-over-tor is unideal so this requires some effort)

------
jasonkostempski
Wanted to try it as a text only chat client before granting any media
permissions, but it refuses to run that way.

~~~
namibj
The android versions are notoriously badly implemented/written.

The command line client toxic seems to work even when unable to write to the
filesystem at all.

Solution: comment the part out where it got stuck, and sideload.

~~~
Operyl
I would call that a work around, not a solution. For a project that cries
about privacy, the fact that all the implementations are so .. anti privacy
like that is pretty bad.

------
crgwbr
Project’s name conflicts with
[https://github.com/tox-dev/tox](https://github.com/tox-dev/tox)

~~~
hk__2
A lot of projects’ names conflict. That’s not an issue if they’re not in the
same space, which is the case here: a CLI tests tool vs. a messaging
application.

~~~
yeukhon
Python tox was first released in 2010. Tox project started in 2013. I hope in
the future authors of open source projects would do some Googling before
deciding on a name. The reason is people really get confused about which one.

Imagine this situation. Instead of tox, someone decided to name the tox
project "Python". Tox is very famous in the Python community. This shows how
unfortunate it is that people don't care about naming.

~~~
8note
I only need a couple tests to check if my python is still alive. no need for
any fancy tooling

~~~
robohamburger
Have you ever shipped a python? It is best to isolate it and its dependencies
otherwise unexpected things happen.

------
evilaubergine
side note, I was involved with development of tox for quite some time, and
made the website that is being linked to here

avoid tox it's full of bugs

------
ilaksh
Does uTox use the core library or reimplement the protocols? Because the core
is GPL and uTox is supposedly MIT, but that can't be if they used the core
library.

How did they manage to do video chat? What is the underlying library or
algorithm or did they somehow come up with a novel video chat system that
performs? Did they use WebRTC or something?

~~~
namibj
Err, it can, but the binary will no longer be MIT. The video and voice chat is
kinda like webRTC, but over the custom data channel.

------
rijoja
Why not run say XMPP over tor?

------
nathias
try toxic

