Hacker News
Tox: Decentralized and Encrypted Instant Messaging (tox.chat)
134 points by thepangolino on Oct 5, 2021 | 81 comments

It does the job, and it isn't centralized. It "just works". Resource usage is also pretty low.

I can't comprehend why this isn't widely used.

I wish this was a thing _before_ crap like WhatsApp, Skype or Discord got so popular.

>I can't comprehend why this isn't widely used.

Maintaining the DHT connection is "expensive", expensive meaning a few packets a minute. That means mobile clients can't enter sleep and stay connected (without corp-backed push notification services, which we can't use/trust), so it'll kill expected battery life on mobile. Add to that, multidevice isn't supported (I implemented the feature, but it didn't get merged before my will to work was killed by trolls), and Tox can be a bit frustrating to use. :(

> Maintaining the DHT connection is "expensive", expensive meaning a few packets a minute.

Could power be saved by batching messages?

For example, in Bluetooth Low Energy, much power is saved by the radio waking up infrequently, and only staying on for a brief duration. That's how one makes sensors that run for a year off of coin cells.

I wonder if it would improve the power situation on mobile if the DHT was maintained by far less frequent but larger bursts of network traffic.

Just curious, how does Matrix solve this problem?

Matrix is centralized, the server does all the heavy lifting.

But how does that solve getting notifications to a mobile device? Does the phone just poll the server all the time? Wouldn't that eat a lot of battery?

The phone polls only one server, in p2p it will need to poll a good chunk of whole network.

Matrix isn't centralized, though it's true servers do the heavy lifting for now (eventually you will be able to run the server on the clients)

It wasn't a thing before Skype, but it predates Discord, and might predate Whatsapp, or at least predates me hearing about Whatsapp in the US.

It was a hobby project originally started by a bunch of anons in 4chan, and every time it gets attention, people point out it hasn't been audited, and no one has their reputation at stake. And it doesn't have any desktop/mobile sync.

Not being audited is key here. Would you trust closed source software to live up to its security promises without audits? I sure wouldn't!

Well, this is free software, but unless you're competent to audit it yourself, it's still unwise to rely on its security promises. But for people who don't need the guarantees, it would be nice if Tox were more convenient to use.

What are the benefits of Tox without the guarantees?

Not intended as snark. Genuinely interested.

Does it have some features there that are superior to other systems? (Outside of the obvious features that are not guaranteed via audit.)

Wait, there's a lot in the obvious features.

But security and privacy are not really guaranteed. (Unless you are a person capable of performing an audit yourself.) Presumably those who need security and privacy would need the guarantee. So I was wondering outside of those two, are there other compelling features Tox could be marketing?

I understood it that features that are not guaranteed via audit are features other than security and privacy. And features outside of features that are not guaranteed via audit are two features - security and privacy.

Even if the security is half as good as they claim, it's still much, much better than proprietary chat apps that do no encryption whatsoever and store all your messages on their servers in plaintext.

Also, there will only be real incentive to audit it if it becomes more popular.

Sure, but Tox has to beat Signal and self-hosted Matrix, not Telegram.

Afaik it has no support for receiving messages while offline, at least this was a blocker for me to consider it. Solutions with some mail box protocol on a DHT could work, but maybe it's not a hot research topic how to do this anonymously and reliably?

Offline messaging is important for a lot of people. Previously, my hope was with multidevice support: if you could have one device online, it could hold/route messages for the rest of your devices. Doesn't really solve all the problems, but it's an easy way to get closer. Anonymity and reliability aren't the problem. The issue we've always been blocked by was abuse. How do you prevent someone from DoS'ing the whole network, evicting valid messages, or exhausting space for new ones?

I can't comprehend why this isn't widely used.

It doesn't have an iOS client.

It's hard to tell your employees to standardize on Tox when a good portion of them don't have a working client to install.

I'm no Apple fan but the world does not run on Android alone.

If my employer wants me to use a piece of software then they have to provide the hardware on which it will run. Then it isn't a problem for the employee what hardware it runs on.

Yeah, this is a big problem as well. There used to be an iOS client, but its developer moved on to other projects. So it's woefully unmaintained at this point.

Because Discord has a target market that does not care about encryption (gamers), the fact that others are using it as well isn't really their fault.

> crap like WhatsApp, Skype, or Discord

I agree up until you mention Discord. It works really well across all platforms (including the browser) and provides a very generous suite of features for free, some of which would be difficult to implement without centralization.

It also doesn't make money off selling user data; there is no actual evidence this has ever or will ever occur. Back when it was still floating on venture capital funds, it didn't need to make money. When it realized it needed to become profitable, instead of introducing invasive tracking and ads like other chat apps, it took a different approach: introducing the "Nitro" subscription which offers a slightly upgraded Discord experience (animated emoji, extra profile customization, etc) for $9.99/mo while keeping the core features free. It would be more comforting if they published the sales numbers so we could verify that Nitro is profitable, but I have no reason to doubt this approach is successful -- Nitro may not seem valuable to the average HN reader, but many users (including friends of mine) do find a lot of value in the features it offers.

By the way, I'm all for decentralized/encrypted chat apps and wish Tox success. It definitely irks me that all my Discord messages are stored on a corporate server outside my control, where Discord employees, the government, or any hacker who manages to break in to either my individual account or Discord's servers can freely read over them. However, I think the approach Discord is taking is different than the one taken by most chat apps and it's probably the best among the proprietary ones.

I think https://jami.net/ is a better solution and has a working mobile client.

Do either tox or jami expose the IP address by default?

I believe Tox does but you can run it through Tor.

Been using Jami because I thought the Tox project dead. Just loaded up six profiles from older version 1.16.3 (qtox 2019-05-08) on this new version (qtox 1.17.3) and they load OK but passwords don't work (except where they were embedded). Have good backups of them so they should.

Just wondered if it's just me for some reason (no big deal as I wasn't using the program). Will reinstall older .exe and see what happens, same with earlier Android version (it uses the same old passwords).

How does this compare with, say, Matrix with P2P support?

Right, I wish I knew. Trying to get a decent side-by-side comparison of Tox, Jami, etc., etc. is like trying to find hens' teeth.

Surely, there must be someone out there in user-land who's actually done the legwork.

The reason I want more input on this has to do with my past experience of Tox's poor connection reliability and I want to know what to do about it—or find out whether it's actually fixable or not, or whether I should settle on another P2P program such as Jami which works in a similar way, etc.

For me, connection reliability is more important than security and I'd like to settle on the program with the most reliable connection service (I'd prefer the NSA didn't listen to what I've to say but it's the Googles and Facebooks of this world that I'm really trying to avoid).

The last time I used Tox in a serious way was several years ago when I had relatives visiting from overseas and I refused to use Facebook, Google etc. When I really needed it, Tox didn't work or dropped out too often to the point where it was unusable much to others and my annoyance — and only to be told 'why the hell don't you use what everyone else uses, social media, Facebook etc. — then there'd be no problem?'

It's hard to argue with that when one has others breathing down one's neck to organize things locally.

It seems to me we need to sort this out with some decent real-world testing/runoffs. And for this we need the input of many users/many setups to get good comparative data.

As I said elsewhere, I thought the Tox project was dead as updates were so few and far between, so support and the user-base size is also important. If we can't get to the bottom of the P2P problem then it seems that I may have to fall back to Jitsi (so far that always seems to work but I'd prefer not to use it for obvious reasons).

Still no audit, right? Just “trust us, it's secure”. And afaik the authors don't have particular expertise in security.

Edit: also, “it's secure, we use Nacl”: https://github.com/irungentoo/toxcore/issues/121

Nope, we still can't afford the price tag on an audit. Perhaps I'm jaded or biased because I'm a former Tox dev, but Tox is the only encrypted messenger I'd actually trust. I consider myself to be pretty good at security, but that's just me and you shouldn't take anyone's word for it themselves. That said, if you have an actual cause reason to be concerned, I'd be interested in hearing it?

The Open Technology Fund provides free security audits for open source projects.

Apply here: https://apply.opentech.fund/red-team-lab/

This is not meant to be passive aggressive but it's going to sound like it is; how much would an audit actually cost? If someone set up a GoFundMe for a Tox audit, I would definitely contribute ten bucks to make that happen.

I don't think it's passive aggressive at all. I'm a bit embarrassed to say, but I honestly don't remember. My best guess, from what I do remember the last time it was discussed, was in the 2k to 10k range. But it could expand rapidly depending on who, and what level we actually hired someone at. The primary reason we didn't set up crowdfunding ourselves was there were a few important changes we wanted to make a decision on and implement first. I still don't think they've been made, but I'm not following super close anymore.

Even if we go on the higher end of that, 10 grand doesn't seem that high for an audience of engineers (which I think is overrepresented on Hacker News). I know people have been complaining about a lack of a security audit since 2016; I think at this point it would be worth doing an audit now, and potentially another audit when new features are added.

If I were in any way involved in the project I would set up the campaign myself, but sadly I don't know enough C to be useful to a project like this (unless there was a plan to rewrite it in some esoteric functional language for some reason).

You might want to reach out to zugz (via our IRC, or GitHub). He's also a fan of esoteric functional, so you might be able to convince him to start one. Iphy has a repo with the start of a Haskell implementation as proof of the completeness of the spec. No idea what the state of that is, but again, might be worth reaching out :)

Most of the users of Tox don't want to be identified, so it's a bit difficult to crowd fund such a thing.

In regards to the linked issue; I wouldn't trust the security of a team that says shit like that.

I mean, it's open source, so you can audit it. https://github.com/qTox/qTox.

Then you can build the client yourself and check the sha sum against any downloaded distribution.

> it's open source, so you can audit it

Programming languages exist, so you can make your own decentralized encrypted instant messaging app.

There is democracy, so you can be the president.

Everyone in the family has legs, so we won't need a car.

Onelogin was audited, and they had a security breach a year later.

Intuit, also audited.

Twitch? They have had audits done.

So, you can continue to sit here on hacker news and bitch that it "hasn't been audited" and therefore you aren't "free", or some shit. But either way, you sound like a jackass that knows nothing about technology or freedom.

Freedom is not synonymous with "free", as in not having a cost.

You are not going to program anything without working for it. You are not going to be president without working for it. You are not going to have a car, without working for it.

So, yes, you can audit it and then you will have an audited message platform.

There was also the time when an issue was created to ask for an independent audit, and the authors couldn't comprehend why an audit would be needed. (If I remember things right.)

Edit: here's the discussion, from seven years ago. The authors aren't particularly opposed to an audit, but keep saying “Tox is secure, we use Nacl”.

You're not remembering things correctly. The core dev team, and everyone helping with the project, all agreed the whole project, meaning the system, the protocol, and the code, should all be audited by an independent security group. The issue we had was the price tag of such a service.

Every dev wanted a full audit, we just simply couldn't afford it.

Separately, why do I get the impression you're trying to spread FUD about tox? All your comments seem to be negative and misstated :(

While a mildly interesting discussion, it does not appear to have any merit with regards to Tox itself.

It links to a bug report discussion where one of the developers states that they don't understand the security properties of tox very well[1].

I find that worrying.

[1] https://github.com/TokTok/c-toxcore/issues/426

Isn't it the reason why you do audits?

lol, I think you're probably talking about me. I remember that troll, he's what killed a lot of my motivation to work on Tox too. He likes stirring up shit on other foss projects too :/.

Saying I don't understand the security properties is an interesting take. My intended comments meant I misunderstood the issue. I was only half paying attention at the time; I assumed it was another troll reposting the same issue "if someone steals your private keys they can steal your identity". Which is true, but an annoying complaint, because that's how crypto has to work. To be sure, I didn't write base the protocol itself, nor the crypto primitives. So while I don't agree with the assertion, even if it was true, it wouldn't matter because I didn't design the original system :)

Does anyone know if this supports code snippets? We're currently using mattermost at work and it has great code and custom command support. But for that, we need to have domains, certificates and our own servers set up. I'm not the tech guy so I don't know if this kind of chat app would be better, but I think it would be great to have something that was P2P (no server requirements, certificates etc...) while being super secure.

None of the clients do at this point. I'm working on adding markdown to uTox, and eventually syntax highlighting, but I've been struggling with pretty severe apathy the past while so I can't offer a timeframe. Opening an issue requesting it on the github uTox repo, and then pestering me to actually finish it has been known to work in the past. :D

Shouldn't the first question be who is paying for all this (also who's done an audit)? Remember CryptoAG, Protonmail claiming they don't log IPs etc.?

It's open source and distributed. The only ongoing costs are the optional bootstrap DHT nodes, which are pretty cheap.

FWIW, website says "Powered by Digital Ocean".

Our webservers and build/dev servers are graciously donated by DO. They're really an awesome company to FOSS projects :D

If my site is powered by the Nginx server, it doesn't mean Nginx the company has anything to do with it.

Former Tox dev, no one is paying for it. It's home grown FOSS. I guess technically, if you're using Tox, you are paying for it. There's no servers, being exclusively P2P so your internet bandwidth and participation in the DHT is what allows it to function. Anyone who you directly connect to can know your IP, but not much else. So your friends could log your IP, and your ISP could see you're using Tox, (The traffic doesn't try to hide itself.) So there's no way we (the devs) could log your IP, we never actually see it. And, as someone else said, you can tunnel through Tor if you need to keep your IP secret.

Home grown by a gaggle of FBI agents like Anon?

That's our running joke, that there's at least one of the core dev team that's an NSA plant. The trick is, we used to demand at least 2 others review code, so in order to be a successful plant, you'd have to contribute good code. So if the FBI is playing the long con, they'd have to actually improve the code base too :D

Or have a minimum of three plants.

Does it mean that an attacker with the ability to monitor network connections can see who is talking to whom?

Yes and no. If you can't trust the network you're running on, you could get around this by tunneling via Tor. Tox itself makes direct connections to friends to exchange encrypted messages, so while they can see when you send packets, and to what IP, they can't know what's in those messages. The trade-off is, they'd need to be able to MITM your network. There's no servers they can capture to learn this information, no matter where you are.

Generally speaking to hide the social graph you will need to bury legit traffic in much bigger fake traffic, which isn't very efficient. Tor almost gets away from this problem by sending everything all the way around the globe.

Android client by "evilcorp.ltd"? Maybe not the most reassuring name.

Android users are not afraid of such things.

If Tox ever wishes to target normal people (like Signal), this is completely unacceptable.

robinli would be hurt that you don't trust his corp. :P They're totally not evil... Promise :D

Probably a reference to Mr. Robot

Who is Mr. Robot, Elliot?

Tox is already a very popular testing tool in python, so the name is a bit confusing.

Neither of them is particularly new; The testing tool seems to be around since 2010 while the chat protocol is around since 2013.

3 years is a lot, and tox the testing tool is much more used than tox the chat protocol.

Just like the git name collision. If it's not a guid, chances are it's not unique.

I believe Tox is meant to sound like Talks.

That was my assumption too - though if it was my project I'd probably have shied away from it since it also suggests "toxic"... (that could be a plus, too, depending on your tastes, I suppose).

I prefer the decentralized messaging protocols that are incentivized by tokens. eg. Status / VacP2P (ethereum), Session (oxen), Sylo, etc.

I know that a lot of people have opposite preference, but nothing is free, and tokens allow projects to create their own value, which I think is a very cool innovation.

After all, it seems lack of funding is a main issue with Tox (can't afford audit etc). So how else do you avoid being beholden to investors while also having resources?

You're in luck https://github.com/irungentoo/toxcoin just don't pay attention to the date :P

> The Toxcoin dev team currently consists entirely of ideas guys, we need actual developpers to design and implement toxcoin properly. The development team will recieve 10% of toxcoin profits while 90% will go to the ideas guys who came up with the idea.


Amazing haha. If anything, I think this just shows the importance of people with real organization and management skills.

Institutions are important for sustainability
