This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

🆕 Software Suggestion | Tox Chat #736

Closed
Nurmagoz opened this issue Jan 23, 2019 · 9 comments
Labels
🆕 software suggestion Tor Anything covering the Tor network

Comments

@Nurmagoz

Nurmagoz commented Jan 23, 2019

Basic Information

Name:

Tox Chat

Category:

Encrypted Instant Messenger

URL:

https://tox.chat/

Description

Tox Chat is the real meaning of decentralization chat, There are no servers between users at all, End2End encryption, VOIP, Works with Torification, Doesn't require Email or Mobile Number for registration, only Username and Password.

  • Better than Signal because it requires Mobile number for registration, No server control available only client.

  • Better than Matrix because it's federated decentralization, meaning it needs servers + clients.

  • Better than Wire because it doesn't need servers to operate. Also doesn't require email for verified registration.

@ghost

ghost commented Jan 23, 2019

You might find the other Tox threads interesting.

@ghost

ghost commented Jan 23, 2019

Tox Chat is the real meaning of decentralization chat

Yes but that does come at the cost of certain features, such as offline messages, push notifications, (which impacts on mobile battery life).

Better than Signal

Signal has been audited and is easy to use, as well as secure. It does not claim to provide anonymity.

Works with Torification

Data still leaves the Tor network and is exposed to the exit nodes which increases surface area. Tox is still very experimental, and it will be interesting to see how it progresses with the new core and documentation - https://toktok.ltd.

Better than Matrix because it's federated decentralization, meaning it needs servers + clients.

Matrix is audited, and can do things Tox cannot, bridges etc. Matrix continues each year to show significant progress. Matrix, the current status and year to date 2018-12-29.

Apart from the fact that Tox is already mentioned. https://www.privacytools.io/#voip @Shifterovich might as well close this ticket as OP didn't use the search feature or look very closely at the privacytools.io website.

Each messenger has its strengths and it's about choosing what is right for you.

@Nurmagoz
Author

Yes but that does come at the cost of certain features, such as offline messages, push notifications, (which impacts on mobile battery life).

For offline messages, this is optional to the user and he can fix that if the user wants so:

https://wiki.tox.chat/users/offline_messaging

Push notification? What's wrong with it?

Data still leaves the Tor network and is exposed to the exit nodes which increases surface area.

I'm sorry, what? Also read:

https://wiki.tox.chat/users/tox_over_tor_tot

Tox is still very experimental, and it will be interesting to see how it progresses with the new core and documentation - https://toktok.ltd.

qTox is now added to Debian buster repos, so let's say experimental but it's reliable.

Matrix is audited, and can do things Tox cannot, bridges etc. Matrix continues each year to show significant progress. Matrix, the current status and year to date 2018-12-29.

Matrix is a horrible design because it's not really decentralized, it's federated (means requires servers to operate). And guess what is the main client of Matrix? Riot, which is full of JS garbage and insecurity.

So comparing the designs + the main clients = Tox way more secure to use than Matrix.

Only some features which Matrix adds, but it has no relation to make it more secure or reliable to privacy, like talk to IRC, XMPP, etc., which is rubbish in security comparison.

@Nurmagoz
Author

Nurmagoz commented Jan 23, 2019

You might find the other Tox threads interesting.

Yes, I know, but I hope to be added to instant messages, because it's worth more than Matrix/Riot or Open Whisper/Signal, and it's active, not dead as Ricochet.

@ghost

ghost commented Jan 24, 2019

For offline messages, this is optional to the user and he can fix that if the user wants so:

https://wiki.tox.chat/users/offline_messaging

Not a part of the official client. Queuing messages until the contact comes online isn't true offline messaging. Imagine if email worked like that? What, you'd keep your computer on until your contact came back online? lol. As for the other options:

  • Message Relay for Tox
    Hack job, not a part of the client

  • ToxMail
    Says "HIGHLY EXPERIMENTAL - DON'T USE IT" on the page and uses words like "prototype". Also no commits since Aug 15, 2014.

  • Ratox AutoAnswer Nugget
    Not found 404.

Data still leaves the Tor network and is exposed to the exit nodes which increases surface area.

I'm sorry, what? Also read:
https://wiki.tox.chat/users/tox_over_tor_tot

Using Tox over Tor puts all of the trust in Tox's crypto. Considering it isn't well documented (purpose of toktok) and hasn't been audited by someone like NCC, that's not something I would do outside of experimental situations.

Matrix is a horrible design because it's not really decentralized, it's federated (means requires servers to operate). And guess what is the main client of Matrix?

It is decentralized and federated by definition. A user can connect to any home server which can connect to any other home server. If you really wanted, you could connect to your own home server; there are multiple implementations (synapse, dendrite) which have made huge progress.

Riot, which is full of JS garbage and insecurity.

I'm not sure what that's supposed to mean. C/C++ can also be an insecure language. I think at this point it's rather obvious you do not know what you're talking about.

So comparing the designs + the main clients = Tox way more secure to use than Matrix.

Link to audit please, that is the only way you can make that claim.

Only some features which Matrix adds, but it has no relation to make it more secure or reliable to privacy, like talk to IRC, XMPP, etc., which is rubbish in security comparison.

Opinion.

@Nurmagoz
Author

Not a part of the official client. Queuing messages until the contact comes online isn't true offline messaging. Imagine if email worked like that? What, you'd keep your computer on until your contact came back online? lol.

That's the only TRUE way to really handle your data and connection = privacy. And no one said emails are encrypted or safe unless you use some extra extensions like Enigmail, GPG, etc., so I don't consider the convenient behind unsafely measurements to look at over less convenient but higher security.

As for the other options:

Message Relay for Tox
Hack job, not a part of the client

ToxMail
Says "HIGHLY EXPERIMENTAL - DON'T USE IT" on the page and uses words like "prototype". Also no commits since Aug 15, 2014.

Ratox AutoAnswer Nugget
Not found 404.

Everything is mentioned in the Tox website, and for ratox check here:

https://git.2f30.org/ratox-nuggets/

Using Tox over Tor puts all of the trust in Tox's crypto. Considering it isn't well documented (purpose of toktok) and hasn't been audited by someone like NCC, that's not something I would do outside of experimental situations.

What's the problem with Tox crypto? Audited or not, vulnerabilities don't know audited software or no, audited software doesn't become automagically bugproof. That's only safe design from ground zero worth taking it.

It is decentralized and federated by definition. A user can connect to any home server which can connect to any other home server. If you really wanted, you could connect to your own home server; there are multiple implementations (synapse, dendrite) which have made huge progress.

You are missing the point: Peer <-> Peer decentralization differs from federated decentralization Peer<-Server->Peer or Peer<-Server<->Server->Peer.

Also Matrix doesn't encrypt anything by default. Makes it even worse.

I'm not sure what that's supposed to mean. C/C++ can also be an insecure language. I think at this point it's rather obvious you do not know what you're talking about.

Ah, so you don't know what an Electron-based app is and how they are security fucked? I ask you to search more before you propose things.

Link to audit please, that is the only way you can make that claim.

We don't disagree it's a good thing to have, but I disagree considering it as a holy action that the software have or not using it.

Opinion.

?? Porting IRC, XMPP ... to Matrix doesn't automagically make it/them secure.

@ghost

ghost commented Jan 25, 2019

Not a part of the official client. Queuing messages until the contact comes online isn't true offline messaging. Imagine if email worked like that? What, you'd keep your computer on until your contact came back online? lol.

That's the only TRUE way to really handle your data and connection = privacy. And no one said emails are encrypted or safe unless you use some extra extensions like Enigmail, GPG, etc.

Yes and emails aren't real-time and don't have PFS. GPG and S/MIME also do not protect the metadata in the email's header, so that is a sacrifice you have to make.

, so I don't consider the convenient behind unsafely measurements to look at over less convenient but higher security.

If we suggested unusable and difficult products people would just use centralized and proprietary products. So it is something that we must consider.

Everything is mentioned in the Tox website, and for ratox check here:

https://git.2f30.org/ratox-nuggets/

I see a commit log, no documentation though and it's unmaintained (2014). Looks very experimental to me.

Using Tox over Tor puts all of the trust in Tox's crypto. Considering it isn't well documented (purpose of toktok) and hasn't been audited by someone like NCC, that's not something I would do outside of experimental situations.

What's the problem with Tox crypto? Audited or not

That is the library they are using for their cryptographic primitives. Tox's protocol however is completely custom (not something established like TLS). Their protocol has not been formally audited or vetted to check it acts as intended. That specification is for the next-generation implementation of toxcore and not what is currently in the Tox clients.

, vulnerabilities don't know audited software or no, audited software doesn't become automagically bugproof. That's only safe design from ground zero worth taking it.

Yes and you clearly suggest we should blindly accept everything we read on the internet. You're trying to argue with me about things which you clearly do not possess the necessary background to argue about (evident by your replies).

A code audit would increase the trustworthiness of the code as it means it has undergone a formal verification process. Bugs will still exist, but hopefully not any particularly serious ones.

The implementation in current Tox clients is unlikely to get any research (or funded auditing) considering the change to c-toxcore.

As @Shifterovich says, have a look at the other Tox threads and associated discussions.

You are missing the point: Peer <-> Peer decentralization differs from federated decentralization Peer<-Server->Peer or Peer<-Server<->Server->Peer.

At this point in time peer decentralization is unlikely to ever take off, particularly with its current implementations. Tox uses a lot of battery power running the DHT bootstrapping process and lacks multi device support as well as push notification.

It's not going to be popular until those things are solved.

Also Matrix doesn't encrypt anything by default. Makes it even worse.

That is about to change in the Riot redesign which includes the E2E UX redesign (used for keysigning).

I'm not sure what that's supposed to mean. C/C++ can also be an insecure language. I think at this point it's rather obvious you do not know what you're talking about.

Ah, so you don't know what an Electron-based app is and how they are security fucked? I ask you to search more before you propose things.

There's nothing inherently insecure about Electron. The only criticism I have seen of it is related to performance. As you're clearly not a programmer nor do you understand anything about the framework you're criticizing, I am just going to treat your remarks as ignorance. You've provided me with no evidence to the contrary.

So comparing the designs + the main clients = Tox way more secure to use than Matrix.

Link to audit please, that is the only way you can make that claim.

We don't disagree it's a good thing to have, but I disagree considering it as a holy action that the software have or not using it.

We don't consider recommending software that has not been formally audited as top-pick software. In any case Tox is still mentioned on the website.

Only some features which Matrix adds, but it has no relation to make it more secure or reliable to privacy, like talk to IRC, XMPP, etc., which is rubbish in security comparison.

Opinion.

?? Porting IRC, XMPP ... to Matrix doesn't automagically make it/them secure.

More evidence you don't know what you're talking about. If you're talking about bridges then I think that's rather obvious.

Anyway as I told you in the other issue https://github.com/privacytoolsIO/privacytools.io/issues/474#issuecomment-457252313 I am not wasting any more time on you.

@ghost

ghost commented Jan 28, 2019

Clearly as there's been a lack of understanding here, I suggest https://github.com/privacytoolsIO/privacytools.io/issues/746

@blacklight447 added the Tor (Anything covering the Tor network) label May 21, 2019
@blacklight447
Collaborator

I see no compelling arguments to add Tox to privacytools.io here. As we try to stay conservative about how many things we recommend to prevent the site from getting cluttered, I don't see why Tox would be worth adding next to the messengers in its current state, so I will be closing this issue. If anyone disagrees, then they can comment to reopen the issue, and make a case for Tox inclusion into privacytools.io.
