61 comments

[ 3.1 ms ] story [ 120 ms ] thread
I'll be the downer here and point out that Tox (both the specification and the c-toxcore implementation) have never undergone a security evaluation, and there are well-understood weaknesses in its security model right now[1].

If you feel inclined to use Tox at all, you should do so as a curiosity only.

[1]: https://github.com/TokTok/c-toxcore/issues/426

What do you recommend instead?
I don't know if I have any strong recommendations. In terms of what I use: Keybase and iMessage, depending on who I'm talking to.
Matrix/Riot.im is federated and has E2EE. It also has brigdes for IRC, Telegram etc. Here's a native client for macOS: https://neilalexander.eu/seaglass

Web client: https://riot.im/experimental/

Matrix is also experimental. About a year ago it kept losing my key meaning I couldn't decrypt old messages. I still use matrix, but I don't have any illusions that it's more secure than tox.
We're not aware of any bugs where Matrix clients lose your e2e keys (other than one where changing your password may cause clients to log out and remove keys for safety). If you saw it keep losing keys, i'm going to guess you configured your browser to delete local storage when you close the tab... in which case, unless you export the keys, we have nowhere else to store them.

That said, we've also just implemented the optional ability to encrypt and backup your keys on the server, but obviously comes with other tradeoffs.

In terms of security, the core crypto has been audited, as per https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-en...

It hasn't happened in a year (I still use it) so whatever the issue was I don't see it anymore :)
I tested riot.im in a private Firefox window recently, obvious with hindsight but it didn't occur to me I should export keys and I didn't spot anything in the interface to make me aware or prompt me to action.

Great to hear you've added the option for server stored keys now.

yeah, it's a tricky one because by the time you've closed the window, it's too late to export keys.

The new online key backup stuff landed a few weeks ago on the develop branch, and will be making it onto the main release over the coming weeks :)

> I don't have any illusions that it's more secure than tox.

That conclusion doesn't follow. How does the client loosing your key cause you to consider matrix itself as less secure?

Matrix has also had a proper security evaluation
https://ricochet.im/ is a great protocol, but the UI could use work.
Yes. Each client runs a Tor .onion service, and there's end-to-end encryption. So arguably, users are mutually anonymous (except for their .onion addresses).

But it's only available for Windows, macOS and Linux. On Android, there's Briar, which is similar.[0] But Briar can also connect via Bluetooth and WiFi. That's useful when the Internet is unavailable. But it's bad because user anonymity could be blown.

0) https://briarproject.org/

I was working on a self-hostable web interface for a while. There's a public instance at https://ricochet-web.org/ but unlike the official client it hasn't been professionally (or otherwise, for that matter) security-tested and is vulnerable in various ways the official client isn't. It also has quite a few known and unknown bugs.
I used tox for a while until I realized just how sketchy the devs and community is.

Now, I recommend using xmpp(Open fire) over Tor. That allows things like

Crankylinuxuser@onion-v3-verylongkey.onion

To send messages. And my server can also send messages out via tor gateways or to other torified messaging servers.

Tl;Dr. Use secure protocols and combine with Hidden Services.

I read about 20 replies of that and it does sound a bit overblown. Yes - the protocol is not perfect, but the flaw is a minor one. It could even be considered a feature request - preserve semblance of security after key compromise. If it can be done sure, by all means! But does not necessitate panic or rushing things - that would be more dangerous.
> But does not necessitate panic or rushing things

I don't think I suggested either. If anything, Tox was rushed (by a group of 4channers, no less) and many of the flaws in its design are a consequence of that. I don't think enough people are actually using it to warrant panic.

Is using 4chan known to compromise one's programming skills?
4chan is known to the State of California to cause certain types of cancer.
I fail to see how its developers being part of [competing tech community] has any relevance to the quality of the program.
There aren't a lot of cryptographers who would accept KCI vulnerability as a "feature".
Resistance to it would be the feature.
right now it's absolutely awful in terms of everything it has set out to do, the internal dev team even knows of a few more security issues that they haven't publicly disclosed yet and have made little effort to resolve

t. made the linked website, used to be in dev team

Also weirdness with funds being stolen and team splits:

https://chefkochblog.wordpress.com/2018/04/05/r-i-p-tox-mess...

it wasn't much of a team split, just the dev team's resident pakistani computer salesman (stqism) embezzled a bunch of money and ran off, as much as I think Tox is untrustworthy and stupid I can say I'm pretty sure nobody else in Tox was involved with this
Thanks for that bit of insight, it is a confusing story especially when I ran into it. I like the UI of Tox, I wish it were truly solid, but I much rather recommend Pidgin with OTR and IRC / Jabber (although Jitsi is decent in this regard too), or Wire / Signal.
The attack assumes a private key is stolen. Such an assumption breaks most crypto schemes.
What is the definition of central server? What happens when an adversary eavesdrops on a router in a tier 1 network provider?
A central server forces all traffic to route through hardware and software owned by the maker of the technology and the attack vector there is usually logging. A router at an ISP is not a central server. The attack you’re speaking of is a real possibility which is why end to end encryption exists. But p2p is meant to solve a different privacy threat than e2ee.
So the central server definition is a server located in a datacenter?
(comment deleted)
This is great — funnily enough, this is a thing my project (https://getaether.net) is often mistakenly thought of as. I'll link to Tox in my FAQ. Mine is more like a decentralised Usenet, not real time chat.
(comment deleted)
a question -- the faq mention that abuse is prevented via PoW; how does it implement this?
Wow totally forgot about Aether. I still have it installed on an old laptop somewhere. I remember I really enjoyed posting on there but then I'd have trouble connecting to the network and stopped using it. Will have to check it out again
anyone knows how peer discovery works without any central servers ?
Great question, because generally, you need a centralized ICE/STUN/Turn Nat punch through server to connect peers
DNS?
I'd be surprised anyone would rely on DNS for security minded applications. If the goal is to have an easy to use and anonymous service, that can resist takedown attempts, DNS would fail you every step of the way.
Hosting a solution dedicated DNS is not a rocket science these days. Publicly reachable service, that’s a totally different bag of problems.
it has core bootstrap nodeshttps://wiki.tox.chat/users/nodes , and a pretty bad DHT formation, so by distributing a few nasty clients with bad bootstrap URLs you could easily cause multiple splits in the network
Thx for the link.

Do you know if there is some sort of routing taking place ? Or all client are trying to consolidate a full Hash Table ?

Surely they could have come up with a name that isn't so close to toxic. I think it will be an uptake barrier.
I think the name is clever. Tox = Talks. Pronounced the same.
> I think it will be an uptake barrier.

If someone is silly enough to let this be a factor when adopting a new technology, then I'd say that person has more important things to worry about than some encrypted messenger. Fortunately for Tox, the amount of people like this seems very small.

This is not a big problem. The fact that p2p protocols are not push-notification friendly, and can eat through your battery in the background is much bigger issue.
Nice!

Pretty easy to roll your own, these days, in less than 90 LOC: https://gist.github.com/amark/7dceae874a20878fdb9e2a8eed109b...

Here is a quick video demo of it in action: https://www.youtube.com/watch?v=gmdXU82vcbE

Warning! Ugly simple. So glad to see a full featured app like tox, use that instead. But for anyone interested in how they work or building their own... it is all Diffie-Hellman!!! :)

Tox in specific lets libsodium/nacl do all the cryptography and provides little above the core methods, the more complex parts were the networking
libsodium is great! We're considering supporting it in conjunction with WebCrypto. Yeah, networking is hard, but is the main thing we've worked on over the years.

We're using WebRTC and fallback to decentralized WebSocket relays (you can use multiple / nothing exclusive, run your own, etc.). What are you guys using?

What's this have that Signal doesn't?
Signal is server-based and not federated, tox is p2p. Matrix seems to be a closer match to what tox can do.

> The Signal Protocol is a non-federated cryptographic protocol that can be used to provide end-to-end encryption for voice calls, video calls,[3] and instant messaging conversations.

> Tox is a peer-to-peer instant-messaging and video-calling protocol that offers end-to-end encryption.

https://en.wikipedia.org/wiki/Tox_(protocol)

https://en.wikipedia.org/wiki/Signal_Protocol

https://en.wikipedia.org/wiki/Matrix_(protocol)

A really well designed logo.

(There's a running joke/observation that every time 4chan /g/ tries to produce something, they spend all their time debating logo design instead of working on the product. So for this /g/ project to take off, its logo must be so good as to be beyond reproach.)

Demands to your phone number/identity, and access to all your metadata.

But hey, "Security and privacy"!

Many people that are interested in privacy and security consider server based software to be problematic. Even when server based software is open source, as Signal is, you are required to trust that what is being run on a server is the same code that they have released. And you are also required to trust that it is the only software they are running as it relates to your usage. This requires substantial trust which in modern times has, time and again, been shown to be something that should not be given.

Signal is server based. Tox is serverless.

In the case of Signal they also had unusual peculiarities. They have framed themselves as a privacy and security oriented company yet the first thing they require when signing up is a mobile number. And for years they required Google Play Services and were dependent upon Google Cloud Messaging. These sort of things send quite mixed signals, though to Signal's benefit they no longer require Google Play Services.

Finally there is one practical issue with centralized services. They need to make money. Servers cost money. And as the popularity of a platform grows, the amount of money they need to earn also continues to grow. And that's just to exist - not to make a profit. For free services their most valuable resource that can be spun into money is user information. Signal for now has managed to get by on donations and grants. The vast majority of their funding coming from the "Open Technology Fund" [1], which is a US government program. If their funding dries up you risk seeing their ideological views change as a means of self preservation, or the entire service become unusable. This is not a problem with decentralized services.

Ultimately it all comes down to what you'd prefer - centralized or decentralized. Signal is centralized, Tox is decentralized. Ideologically I believe the future of all digital technology ought and eventually will be decentralized, though the time scale of "future" there is quite immense. Nonetheless, I like to do my small bit today and support decentralized tech whenever possible.

[1] - https://en.wikipedia.org/wiki/Open_Whisper_Systems#Funding

The linked page says their funding from OTF was between 2013-16. You've managed to omit the fact that in Feb 2018 the Signal Foundation was formed - a non profit with $50m initial funding. I see that its nonprofit status is still pending however.
And here we could get into all sorts of back and forth. For instance while it says OTF was from 2013-2016, there is also nothing listed after 2016. Does this mean that OTF cut funding for some reason, that future donations were not listed, that Signal was able to coast just based upon the relatively large OTF donations, or something altogether different? Who knows.

And similarly the problem with funding is not one that's paradoxically not solved by money alone because it then raises new questions. In particular why would you put $50 million into a project like this? Is it simple good will and benevolence expecting that money to simply be gone but in exchange society gains a great centralized communication medium? Well, maybe - but it's also possible that there are different motivations. And when this money runs out what happens next?

Ultimately I'm not trying to convince you not to use Signal, I'm explaining where I see problems with Signal. And with all centralized services it's going to come down to trust. If you trust Signal then you might answer the above questions in one way. If you don't trust them, then your answers would probably be quite different. In my opinion no tech company deserves the benefit of the doubt when it comes to trust anymore.

Seems like a decent Skype substitute, at least.
people like to point out the weaknesses in this every time it is submitted, but the fact is: it's the only example in its class, and that makes it interesting. it would be amazing to see a funding drive and some experts improve it, but for whatever reason, that is not happening. it seems like any kind of desktop skype alternative takes a back seat to mobile apps