I believe this started as an off-shoot of some discussion on 4chan's /g/ board numerous years ago. I mention this because while it is a really cool project, it's definitely hobbyists working on it, and hobbyists working on security software should definitely give some pause.
Personally, I hope it succeeds in the longer term. We need good, decentralized protocols and software. Decentralization comes with its own costs, and it may never overtake the centralized web. But, protocols like Bittorrent have proven to be super powerful even with their flaws and limitations. To me, it is a no brainer that we need end-to-end encrypted chat, and it would be ideal if it could be peer-to-peer.
It's amazing the project has gotten this far. I honestly thought this post was going to be announcing the end of Tox.
The project started with a ton of momentum but never really got picked up in the mainstream. Iirc the founder and most of the core code came from one guy.
Not to mention there has been a ton of internal drama: iirc one of the devs stole a bunch of tox donation money to pay off part of his tuition. Then there was a split in the devs and one of the devs stole all the credentials for the website and they switched? Then there were the accusations that some of the devs were child molesters and were doxed.
They also hit a brick wall at one point on mobile due to the protocol being very heavy on battery usage, so for a while it was only realistic to use on the desktop.
I wish the project nothing but the best and hope they succeed, but I feel like they have reached a point where they have lost interest. I hope I'm wrong.
The last couple of years have been spent making things right. Documenting the protocol, fixing ugliness in toktok (fork of libtox that's effectively replaced it) and such menial but important work.
Now it isn't a hacked together piece of shit anymore, but proper. As a result, it works reliably. The user experience is very good.
Sorry, that was my fault. While I was making the website and asked some people with working phones to take screenshots, I got bullied out of the devs channel and wasn't around to tell them not to screw it up.
I really think tox is a cool idea, and I've used it quite a bit, but I think it's important to temper security expectations. I can't find a link, but I remember the results of the security audit done in the project to be frankly disastrous.
And they somehow actively push adoption in narrow circles. I often see “why xyz if you have tox” in local forums, from people who are otherwise professional in their areas, but believe in tox almost blindly. It also doesn’t implement any sort of push notifications for phones, rendering it useless for battery-saving modes and vaguely competing with xmpp-otr.
From the TokTok site (which is linked to from Tox):
"Neither the Tox protocol nor the implementation have undergone peer review, and its exact security properties and network behaviour are not well-understood, yet. We are actively working on improving that situation. Until said peer review, Tox is not recommended for use cases that require proven, high-assurance security."
They use good primitives, but are under some kind of assumption that this makes them invincible. I remember reading a rather serious bug report that was more or less closed with a link to libsodium/nacl.
Tox might be one of the most underrated projects out there.
Launch a client (qtox suggested), add a few friends by copying their tox address (=pubkey) and start talking. It just works, is completely decentralised, and the only way to talk is end-to-end encryption with forward secrecy.
It literally solved the IM problem for most use cases.
It's not great for mobile, which is by far the main use case these days. A huge battery drain unless something major has changed since the last time I checked in on it.
The decentralization aspect is not the problem. XMPP for example is also decentralized but has quite good mobile support. The problem with tox seems to be that it is peer-to-peer. So the servers are missing which could buffer all those events for the clients.
Is that not more of a difference between distributed and decentralized then, such as git being a distributed system even though it needs a central server in most use cases?
Here is my shot at defining various terms in this context:
- Centralized: Centralized networks have one central point which controls the network. That doesn't have to be a single server; sometimes it is just that there is one company controlling the network (e.g. WhatsApp).
- Decentralized: Is the opposite of 'centralized' meaning there is more than one central point. So all following types are 'decentralized'.
- Distributed: In general terms, it means that the network is (more or less evenly) distributed upon all participants. All participants have the same role and responsibility. There are various kinds of distributed networks. Git for example stores a full copy of all information in every node. Distributed Hash Tables use a different approach where every node is responsible for one explicit part of the information to store.
- Peer-to-peer (p2p): Is one form of a distributed network, which works (in general) without servers. So all the participants connect directly to each other (Tox).
- Federated: Is sometimes called a 'distributed network of centralized networks'. Two popular examples are e-mail and XMPP. All participants use their own centralized server, but that server cooperates with other servers to transfer messages across the network. Sometimes their implementations make a distinction between client-to-server and server-to-server protocols.
In general, the more centralized a network is, the easier it is to control. This can be good when it comes to spam, but also bad when it comes to censorship.
Federated is like email. There are foo.com and bar.org email servers, and users at foo.com can talk with users at bar.org just fine. XMPP works that way.
Distributed means there seriously aren't any servers. Addresses in tox are just public keys, and they're in a global namespace. The network is a distributed hash table formed by peers (the "clients"). There's no central point of failure.
There is nothing against you taking toxcore and adding a push wrapper+app UI to it. Seems like you could make at least the app side of it non-free, if you'd wish to do so.
Tox has received a lot of criticism for originally implementing non-standard encryption and being difficult to use. Although claimed by developers to be easy to use for anyone, Tox suffers from overengineering. Clients have many layers of abstraction copied from Skype which makes it difficult to audit and to submit pull requests. Overall, however, clients have a very good ease of use and look aesthetically pleasing.
matrix.org is federated rather than p2p, but its e2e implementation has some very nice features (group chat, multiple devices, forward secrecy, etc.).
Two very cool projects coming up are Briar and Cwtch. Both are P2P, E2E, and metadata-resistant over tor.
Briar already has a stable release but I consider it not very viable for most communications because it doesn't yet have the ability to remotely add contacts (you need to scan the peer's QR code from their phone). But they're working on implementing that.
Cwtch isn't out yet, but it is going to implement many of the same features as Briar, with the added perks of having desktop and mobile clients with syncing between the two. It accomplishes this through an untrusted federation of Cwtch servers running over tor to store offline content (when a peer is down) and group chats.
As someone else mentioned, Matrix is also a thing. It's not P2P and E2E is still in beta, but it also accomplishes different things compared to Tox et al., like federating different chat protocols like IRC.
There are a large number of them, but most are sadly either abandonware or vaporware. The closest thing I feel we have right now is really matrix.org. User identities are federated unfortunately, but this makes things that are going to be a problem on any fully decentralized system, like mobile push notifications, simpler.
If you don't mind proprietary solutions, Firechat [1] is one of them. It allows chatting over a mesh network using WiFi or Bluetooth even with no Internet connection.
I would call that a workaround, not a solution. For a project that cries about privacy, the fact that all the implementations are so... anti-privacy like that is pretty bad.
I'm pretty sure the Android client is 3rd party.
I suggest toxic on a bouncer, accessed via mosh for better usage. If you handle it right, you can get push via the terminal receiving the bell character and reacting accordingly.
A lot of projects’ names conflict. That’s not an issue if they’re not in the same space, which is the case here: a CLI test tool vs. a messaging application.
Python tox was first released in 2010. The Tox project started in 2013. I hope in the future authors of open source projects would do some Googling before deciding on a name. The reason is people really get confused about which one is which.
Imagine this situation. Instead of tox, someone decided to name the tox project "Python". Tox is very famous in the Python community. This shows how unfortunately people don't care about naming.
True, being not in the same namespace resolves the confusion. But a decent chunk of people on this forum might end up using both (assuming the chat application takes off). If it's humanly possible, avoid name collision.
Does uTox use the core library or reimplement the protocols? Because the core is GPL and uTox is supposedly MIT, but that can't be if they used the core library.
How did they manage to do video chat? What is the underlying library or algorithm or did they somehow come up with a novel video chat system that performs? Did they use WebRTC or something?