I would use Tox and any of its clients with caution. At one point in time, your friends would be able to execute arbitrary shell commands on your PC if you were running uTox and accepted a file download. Even with large security concerns like this, the lead developer believes Tox and uTox are secure because he reads the code he wrote himself (nonetheless, git history is filled with bug fixes he clearly missed in his reading). This isn't exactly reassuring, especially coming from someone who doesn't have provable past experience in security software.
Edit: I just got banned from their IRC for stating this opinion here.
uTox was not originally written by the main toxcore dev. However he and a few other brave volunteers have made a big effort to clean up uTox's code over the past few months. That's why this thread was created now and not 6 months ago.
>I would use Tox and any of its clients with caution.
It's hard to argue with that given that Tox is still in alpha, and this is generally a good idea for any software you use if you have reasons to believe that an adversary is trying to exploit your computer.
That last part is enough to ditch them unless you were fighting with them in IRC. Were you?
Your claims ring true for the vast majority of new COMSEC schemes. Far as Tox, this is what I found on their GitHub page: "Current build status: build failing." I'll add that NSA and malware authors have 0-days on the platforms the tool will likely run on. It will be bypassed like all others on such platforms.
Of all Tox clients, uTox is written in C, using its own UI framework that directly interfaces with X11 and WinAPI. This makes the code itself a mess. The reasoning behind this is that it's somewhat of a meme on /g/ that anything but pure C code is "bloat". I tried contributing a bit last year, did some work on copy/pasting inline images, and found a remote code execution vuln. Then I got fed up with how terribly confusing the codebase was for something so simple. I'm not a professional programmer or anything, just a student, but it seems like it's the same for everyone else in the project.
I wonder if we'll ever get to the point where projects start advertising what methods they use to weed out memory management bugs (i.e. static analysis, fuzzing, etc) because an adversary that can execute arbitrary code on my machine is far more intimidating than one that can eavesdrop (imo).
I think that this is a very important point, and I'd like to quote Bruce Schneier in agreeing that "practical cryptography is rarely broken through the mathematics; other parts of systems are much easier to break" [0].
As a developer of a Tox client (qTox), I personally use a combination of static analysis (Coverity, CppCheck, Clang's scan-build) as well as dynamic analysis (notably the various *Sanitizers) to complement use of modern automatic memory management. But clearly, as the many browser vulnerabilities found every year show, bugs in large projects are a reality and there is no silver bullet, regardless of how sophisticated the current methods might be.
I think that we should absolutely strive for fuzzing, analysis, testing and general security, not in the illusion that software will be perfect, but with the goal of preventing, catching, and fixing bugs before they become an actual in-the-wild threat.
Speaking of that, I wonder why uTox & Tox weren't made in memory safe languages in the first place. There could be many possible reasons, so I won't bother speculating.
I made sure to make the packets in Tox as easy to parse as possible which greatly lowers the chances of fatal packet parsing bugs being present.
As for the main tool I use to find bugs, it's asan (the clang address sanitizer) which is much more useful than static analysis for finding actual bugs.
Of course the main thing I do to try to prevent bugs is reread the code again and again which is what catches pretty much everything.
It's open source so anyone can run their favourite tool on it,
I've been using this for the last 6 months or so. Seems pretty good as a client. Stable on the comms side, although short of an audit, I'm just having faith in the security side of things.
What it really needs is some way of having a roaming profile though. Currently you have to have multiple accounts, one for each device. So my friends list has a lot of duplicates depending on whether they're on their work computer, at home, on their phone, etc...
I'm not actually that fussed about the encryption side of things. I'm far more happy with the lack of reliance on centralised servers. You don't need an account somewhere to get it up and running, you just send a message to a friend and compare secrets to authenticate.
Yeah, way too many messengers seem to assume "Well, everyone has just 1 phone anyways, and where else would you want to use a messenger". I get that desktop clients etc. are not the first thing on the priority list, but still it is very annoying (and the first one which gets that right I'm pushing everybody to.)
(Threema actually recommends a workaround: "Just create a groupchat for each of your contacts with all your devices in it and always use that")
I'm a big fan of accountless systems, but uTox does need to solve the roaming profile issue. It simply cannot be used in the real world until they nut that one.
Isn't this a project that was developed by users of the /g/ board on 4chan? I've only ever seen it berated on that board (everything is berated on that board) and don't really know how solid the actual software is.
As far as I know, the project really only gained any traction once it distanced itself from /g/'s bikeshedding. I think in light of this the uTox team has made an effort to distance themselves from 4chan entirely.
It's been a while since I read anything about them but last I heard, the crypto was fairly solid and the only problems were one of reliability and user experience; that being said, I'm no expert and we won't know until it gets popular enough to deserve an audit from someone important.
Gee, yet another identity nomenclature - <username>@utox.org! When will this trend end?! Aren't you tired of the ever-growing lists of identities you need to share with people?
I like the idea of Tox but there are a couple issues that make it unusable for most users (at least me and a few I've talked to about it):
- No push notifications of any kind, meaning mobile devices have to keep a connection open (kill their batteries) or poll for updates (and get the message later).
- No multiple device support, so I can't use my phone _and_ my desktop. I have to pick.
It'll be great when it's been polished up and completed a bit more but it's not there yet.
Wow, Skype must have really cemented its place in public conscience as an instant messaging service.
I would think a new service should support video chat before comparing itself to Skype, but no. (I am actually seeking an open-source alternative to Skype that supports video conferencing: I know of audio clients/services, but not about video)
Back in 2001, the ayttm project supported free, secure instant messaging by using gpg to encrypt all messages and by allowing you to split a conversation across multiple networks (Yahoo, MSN, AOL, XMPP).
Appreciate the tip. The Snowden leaks appear to support that GPG is so robust that even NSA analysts use it. So, a project using IM over it is playing it extra smart (albeit clunky). Turns out it's still active:
The main thing for me is the lack of a central account server. Even with XMPP, you still need to have an account and login somewhere to authenticate. With this, you have to authenticate each friend manually, but only the once. After that, there is no account but the profile stored on your hard drive.
Part of the issue is that both uTox and toxcore are GPLv3'd, which forbids "TiVoization" (and therefore makes it legally difficult to release on, say, the App Store). A more permissive license would make that more plausible.
[0] https://www.schneier.com/essays/archives/1997/01/why_cryptog...
That way you get decentralized messaging and don't need to trust their crypto.
https://wiki.tox.im/Tox_Pidgin_Protocol_Plugin
http://ayttm.sourceforge.net/features.php