
Okay. Tox, anybody?


I haven't looked into Tox, but I'd be curious to find out the highlights. Really I've just never understood why people complain about XMPP; yes, it's XML which is ugly, but it's also the right tool for the job (easy to stream, very fast SAX-style parsers, event based, etc.), it certainly has its warts, I won't pretend it's perfect, but for the most part it's been around for 20+ years getting the kinks worked out. If we just keep creating new protocols because it's not perfect, we'll never get a more or less universally federated chat protocol like we have for more long form messages (email). I don't know anyone who would say email was the most wonderful modern thing in the world, but they still use it because it's good enough and was lucky enough to become ubiquitous. Similarly, I feel like people should just use XMPP even if they don't like it for that reason (although I'd still love to find out more about Tox, what its strengths and weaknesses are, etc.)


Tox is a fully distributed (not federated) p2p system. It supports 2-way messaging, multi-way chatrooms, voice and video calling (using Opus and VP8, respectively), file sharing, and desktop streaming, although not all features are supported by all clients. Although any client can implement any feature they like, so long as they can do it atop the actual network system, sticking to the Tox Client Standard is recommended for maximum compatibility. It implements perfect forward secrecy, and uses libsodium for its crypto. There are a variety of clients, although most seem to use toxcore, the reference protocol implementation, under the hood. However, the spec is readily available, and there are independent implementations.

Tox's goal is essentially to create a user-friendly Skype-like chat application, with no centralized server, and strong security by default.

The downside is that your user ID on tox looks like this:

  56A1ADE4B65B86BCD51CC73E2CD4E542179F47959FE3E0E21B4B0ACDADE51855D34D34D37CB5
And you have to give it to anybody who wants to connect to you on tox. There are services like ToxMe which can give you email-style shorthands, but as the Tox FAQ notes, this can leave you and your contacts vulnerable to an MITM attack, if the site you use is untrustworthy.
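As an added worked example (not code from this thread, from toxcore or from ToxMe), here is a small Python parser for the kind of ID quoted above. It assumes the ID layout documented in the Tox spec: a 32-byte public key, then a 4-byte "nospam" value, then a 2-byte checksum that is just the XOR of the preceding 36 bytes folded into two bytes (even-indexed bytes into the first, odd-indexed into the second). The quoted ID verifies under that layout, so it is reused as the sample input. The ToxMe-style name directories, the contact name "alice" and the attacker's all-0xA5 key are constructed for illustration and exist nowhere.

```python
# Added example, not code from the thread or from toxcore.  It parses a Tox ID
# into its fields and checks the checksum, assuming the layout in the Tox spec:
#   32-byte public key || 4-byte nospam || 2-byte checksum
# where checksum[0] is the XOR of the even-indexed bytes and checksum[1] the XOR
# of the odd-indexed bytes of the 36 bytes before it.
import binascii
from typing import NamedTuple

PUBKEY_LEN = 32
NOSPAM_LEN = 4
CHECKSUM_LEN = 2
TOX_ID_LEN = PUBKEY_LEN + NOSPAM_LEN + CHECKSUM_LEN   # 38 bytes = 76 hex digits

# The ID quoted in the comment above, reused as sample input.
SAMPLE_ID = "56A1ADE4B65B86BCD51CC73E2CD4E542179F47959FE3E0E21B4B0ACDADE51855D34D34D37CB5"


class ToxId(NamedTuple):
    public_key: bytes   # the long-term key a peer is addressed by
    nospam: bytes       # value the owner can change to shed friend-request spam
    checksum: bytes     # typo protection only; anyone can compute it


def tox_checksum(data: bytes) -> bytes:
    """Fold the bytes into two: XOR of even positions, XOR of odd positions."""
    acc = [0, 0]
    for i, b in enumerate(data):
        acc[i % 2] ^= b
    return bytes(acc)


def parse_tox_id(hex_id: str) -> ToxId:
    """Split a hex Tox ID into its fields, raising ValueError if it was mistyped."""
    raw = binascii.unhexlify(hex_id.strip())          # binascii.Error is a ValueError
    if len(raw) != TOX_ID_LEN:
        raise ValueError(f"Tox ID must be {TOX_ID_LEN} bytes, got {len(raw)}")
    pk = raw[:PUBKEY_LEN]
    nospam = raw[PUBKEY_LEN:PUBKEY_LEN + NOSPAM_LEN]
    cs = raw[PUBKEY_LEN + NOSPAM_LEN:]
    if tox_checksum(pk + nospam) != cs:
        raise ValueError("checksum mismatch: the ID was mistyped or corrupted")
    return ToxId(pk, nospam, cs)


def build_tox_id(public_key: bytes, nospam: bytes) -> str:
    """Inverse of parse_tox_id: append the checksum and hex-encode."""
    body = public_key + nospam
    return binascii.hexlify(body + tox_checksum(body)).decode().upper()


def is_valid_tox_id(hex_id: str) -> bool:
    try:
        parse_tox_id(hex_id)
        return True
    except ValueError:
        return False


def same_peer(id_a: str, id_b: str) -> bool:
    """Two IDs address the same peer iff the public keys match (nospam may differ)."""
    return parse_tox_id(id_a).public_key == parse_tox_id(id_b).public_key


# Constructed stand-ins for a ToxMe-style name directory (hypothetical data).
# The checksum cannot tell the honest answer from the hostile one; only an
# out-of-band copy of the public key can.
ATTACKER_ID = build_tox_id(bytes([0xA5] * PUBKEY_LEN), bytes.fromhex("00000001"))
HONEST_DIRECTORY = {"alice": SAMPLE_ID}
HOSTILE_DIRECTORY = {"alice": ATTACKER_ID}


def verify_contact(name: str, directory: dict, out_of_band_id: str) -> bool:
    """Accept a directory result only if it is well-formed AND names the same
    key as the ID obtained out of band (QR code, in person, ...)."""
    looked_up = directory.get(name)
    if looked_up is None or not is_valid_tox_id(looked_up):
        return False
    return same_peer(looked_up, out_of_band_id)


if __name__ == "__main__":
    tid = parse_tox_id(SAMPLE_ID)
    print("public key:", tid.public_key.hex())
    print("nospam:    ", tid.nospam.hex(), " checksum:", tid.checksum.hex())
    print("typo caught:", not is_valid_tox_id("6" + SAMPLE_ID[1:]))
    print("hostile directory passes checksum:", is_valid_tox_id(HOSTILE_DIRECTORY["alice"]))
    print("hostile directory passes verification:",
          verify_contact("alice", HOSTILE_DIRECTORY, SAMPLE_ID))
```

Two things the code makes concrete: a single mistyped hex digit anywhere in the ID flips one nibble of one checksum byte, so the client can reject it before a friend request ever goes out; but the checksum is computable by anyone, so a name service that hands back a well-formed ID for a different key passes it cleanly. That is the MITM the FAQ warns about, and the only defence is comparing the public key against a copy obtained some other way.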


> Tox is a fully distributed (not federated) p2p system

Ah, see, you lost me there already. I'm sure it's clever and well made and all the rest of it, but fully distributed systems either almost never work, are very difficult to get set up and use properly, or end up just not being fully distributed systems (eg. early Skype and its "supernodes" or whatever it called them, aka "servers", or Tor [which I love] and its directory authorities which admittedly are elected, but even so are effectively just "servers", or BitTorrent which has either trackers, aka "servers", or hard-coded DHT bootstrap nodes, aka also "servers").

Distributed systems sound great in theory, but in the real world I just never think they're worth the effort, or you have to compromise them and add some centralized element anyways, at which point you might as well just use a federated system so that people who don't want to deal with all that can use a third party server and people who do want their own specially contained distributed node can just run their own server and client.


Tox has DHT bootstrap nodes, but they aren't hardcoded.


Who bootstraps the bootstrap nodes?


The bootstrap nodes were probably the first ones on the DHT: hence, no bootstrap needed. If it's a new bootstrap node, it's connected to the old bootstrap nodes, or some other set of nodes in the DHT, just like any other node: distributed, not federated.

But once a node is actually inside the DHT, it should never need to talk to the bootstrap nodes ever again: that's a pretty major win, in some respects.


Sorry, that was supposed to be a silly joke, but it also made it horribly unclear. I meant: How do you find the nodes to bootstrap yourself into the DHT in the first place? They must be IPs shipped with the client?


Yes, there are. However, they can be replaced with other servers if the user wishes.


I use and love Tox as it got some key fundamentals right.

First, they have full forward secrecy. This is notably unlike Ring, which does not.

Secondly, all communications are end to end encrypted and endpoint-verified, as there's no "legacy SIP support" (eg: SIP) or such nonsense and the DHT addresses your contacts gave you are actual ec25519 public keys.


>the DHT addresses your contacts gave you are actual ec25519 public keys.

For nontechnical users, that's a massive downside. The first tox client to integrate ToxMe into itself will get very popular, very fast, provided it's got the right marketing.


>The first tox client to integrate ToxMe into itself will get very popular, very fast, provided it's got the right marketing.

Ouch. qTox had it for quite some time already, and given that I didn't observe a massive increase in its popularity (there was an increase, but ~normal), it's got to be the marketing (or lack thereof)...

Sadly, I don't know about marketing, and while there were some people who could into marketing, hiring them would require money, which the Tox ecosystem doesn't have at all, and if it had, it would be spent on hiring devs part or full time. :|

With that being said, it's quite likely that the UI for the integration in qTox is not the best one, and could use some improvements. If you have any suggestions / ideas how it could be made better, please don't hesitate to make an issue on qTox repo with them: https://github.com/qTox/qTox . Or any other part of qTox.

Anyways, aside from qTox also Antox should have ToxMe integration. I don't know about other clients.


> For nontechnical users, that's a massive downside.

I disagree entirely. It's an upside. They get to benefit from PKI without even understanding anything. A person's address gets them the actual person.

ToxMe requires trusting the ToxMe identity provider, and is an obvious point of attack. And we'd no doubt see fake addresses that resemble other people's, and other such nonsense.

There's minimising the inconvenience (with ideas like the QR code feature they have), and there's plain giving up security for minimal gained convenience, which we should just avoid.


>I disagree entirely. It's an upside. They get to benefit from PKI without even understanding anything. A person's address gets them the actual person.

Yes, but which messaging service will the nontechnical user use? The one where they can exchange usernames, or even phone numbers, and it Just Works? Or the one where they have to give their friends a long alphanumeric sequence of gibberish?

It doesn't benefit them if they don't use the protocol.

>ToxMe requires trusting the ToxMe identity provider, and is an obvious point of attack. And we'd no doubt see fake addresses that resemble other peoples, and other such nonsense.

Obviously. This is why it's a bad thing that nontechs will probably go in that direction, if they use Tox at all.

>(with ideas like the QR code feature they have)

I was hoping somebody had implemented QR: that helps a lot, but I'm not sure if it's enough...


> It doesn't benefit them if they don't use the protocol.

There's no benefit from using the protocol if it gives up security for convenience like the others.

> Obviously. This is why it's a bad thing that nontechs will probably go in that direction, if they use Tox at all.

My point exactly.

