
Tox (protocol): Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Prevent vandal action; undid revision 1206545373 by MrOllie (talk)
Tags: Undo Reverted possible conflict of interest
m Reverted 1 edit by Neva blyad (talk) to last revision by MrOllie
Tags: Twinkle Undo Reverted Mobile edit Mobile web edit
Line 57: Line 57:
=== Usability as an instant messenger ===
=== Usability as an instant messenger ===
Though several apps that use the Tox protocol seem similar in function to regular instant messaging apps, the lack of central servers similar to [[XMPP]] or [[Matrix (protocol)|Matrix]] currently has the consequence that both parties of the chat need to be online for the message to be sent and received. The Tox enabled messengers deal with this in separate ways, some prevent the user from sending the message if the other party has disconnected while others show the message as being sent when in reality it is stored in the sender's phone waiting to be delivered when the receiving party reconnects to the network.<ref>{{Cite web|url=https://wiki.tox.chat/users/troubleshooting|title=users:troubleshooting - Tox Wiki|website=wiki.tox.chat|access-date=2019-04-26}}</ref>
Though several apps that use the Tox protocol seem similar in function to regular instant messaging apps, the lack of central servers similar to [[XMPP]] or [[Matrix (protocol)|Matrix]] currently has the consequence that both parties of the chat need to be online for the message to be sent and received. The Tox enabled messengers deal with this in separate ways, some prevent the user from sending the message if the other party has disconnected while others show the message as being sent when in reality it is stored in the sender's phone waiting to be delivered when the receiving party reconnects to the network.<ref>{{Cite web|url=https://wiki.tox.chat/users/troubleshooting|title=users:troubleshooting - Tox Wiki|website=wiki.tox.chat|access-date=2019-04-26}}</ref>

== Architecture ==

=== Core ===

The Tox core is a library establishing the protocol and API. User front-ends, or clients, are built on the top of the core. Anyone can create a client utilizing the core.

Technical documents describing the design of the Core, written by the original Tox core library developer irungentoo, are available publicly.<ref>{{cite web |title=Toxcore Documentation |url=https://github.com/Tox-Docs/Text/tree/master/src_text |url-status=live |archive-url=https://web.archive.org/web/20230520161806/https://github.com/Tox-Docs/Text/tree/master/src_text |archive-date=20 May 2023 |access-date=7 November 2015 |publisher=GitHub}}</ref><ref>{{Cite web |date=2023-05-20 |title=Toxcore Documentation (full copy of a repository saved via web.archive.org) |url=https://codeload.github.com/Tox-Docs/Text/zip/refs/heads/master |access-date=2023-05-20 |archive-url=https://web.archive.org/web/20230520161609/https://codeload.github.com/Tox-Docs/Text/zip/refs/heads/master |archive-date=2023-05-20 }}</ref>

=== Protocol ===

The core of Tox is an implementation of the Tox protocol, an example of the application layer of the [[OSI model]] and arguably the presentation layer. While there's at least one known implementation of the Tox protocol provided by third-party developers,<ref>{{cite web|title=Xot|url=https://github.com/mahkoh/Xot|publisher=GitHub|access-date=6 May 2014}}</ref> it never lived past the prototype stage.

Tox uses the [[Opus (audio format)|Opus audio format]] for audio streaming and the [[VP8|VP8 video compression format]] for video streaming.

=== Encryption ===

Tox uses the cryptographic primitives present in the [[NaCl (software)|NaCl crypto library]], via libsodium. Specifically, Tox employs [[Curve25519]] for its key exchanges, [[Salsa20|XSalsa20]] for symmetric encryption, and [[Poly1305]] for MACs.<ref>{{Cite web|url=https://tox.chat/faq.html#tox-encryption-algorithm|title=A New Kind of Instant Messaging|website=Project Tox|language=en|access-date=2017-02-15}}</ref>

Because the tox protocol can be used by many different applications, and because the tox network broadcasts the used client, it is also possible for clients to use additional encryption when sending to clients which support the same features.

=== Clients ===
A client is a program that uses the Tox core library to communicate with other users of the Tox protocol. Various clients are available for a wide range of systems.

As of June 2023, according to the sources used to populate the table below, there was only one actively maintained desktop client<ref name=":1" /> in existence, authored by a presumably Russian developer.<ref>{{Cite web |title=yat's author Gitlab page |url=https://gitlab.com/neva_blyad }}</ref>

According to their [[Stack Overflow]] and Gitlab accounts,<ref>{{Cite web |title=User НЕВСКИЙ БЛЯДИНА |url=https://stackoverflow.com/users/11609137/%d0%9d%d0%95%d0%92%d0%a1%d0%9a%d0%98%d0%99-%d0%91%d0%9b%d0%af%d0%94%d0%98%d0%9d%d0%90 |archive-url=https://web.archive.org/web/20230607203400/https://stackoverflow.com/users/11609137/%D0%9D%D0%95%D0%92%D0%A1%D0%9A%D0%98%D0%99-%D0%91%D0%9B%D0%AF%D0%94%D0%98%D0%9D%D0%90 |archive-date=2023-06-07 |access-date=2023-05-18 |website=Stack Overflow |language=en}}</ref><ref>{{Cite web |title=НЕВСКИЙ БЛЯДИНА / lovecry.pt · GitLab |url=https://gitlab.com/neva_blyad/lovecry.pt |archive-url=https://web.archive.org/web/20230607194614/https://gitlab.com/neva_blyad/lovecry.pt |archive-date=2023-06-07 |access-date=2023-05-18 |website=GitLab |language=en}}</ref> they were at some point an employee of a Russian company which supplied CCTV hardware and traffic cameras to various police departments around the Russia.<ref>{{Cite web |title=О компании |url=https://korda-group.ru/about_company/ |archive-url=https://web.archive.org/web/20230607204534/https://korda-group.ru/about_company/ |archive-date=2023-06-07 |access-date=2023-05-18 |website=Повышение безопасности дорожного движения |language=ru-RU}}</ref><ref>{{Cite web |title=Реализованные проекты |url=https://korda-group.ru/our-projects/ |archive-url=https://web.archive.org/web/20230607204746/https://korda-group.ru/our-projects/ |archive-date=2023-06-07 |access-date=2023-05-18 |website=Повышение безопасности дорожного движения |language=ru-RU}}</ref>

Most of previously popular clients like µTox and qTox, in turn, saw a decline in development pace, and has since been abandoned<ref>{{Cite web |title=uTox Github: last known commits |website=[[GitHub]] |url=https://github.com/uTox/uTox/commits/develop}}</ref> or deprecated.<ref>{{Cite web |title=chore: update README with archive message · qTox/qTox@14fbfd4 |url=https://github.com/qTox/qTox/commit/14fbfd482d95c196fba1d4cb4944fca6964d00d7 |access-date=2023-05-18 |website=GitHub |language=en}}</ref>

The following list is showcasing most known clients to support Tox, but may be incomplete.<ref>{{cite web |title=Client |url=https://wiki.tox.chat/clients |access-date=17 January 2021 |work=Tox clients}}</ref>

{| class="wikitable sortable"
|-
! Name
! Operating system
! Written in
! Development status & comments
|-
| Antidote<ref>{{cite web|title=Antidote|url=https://antidote.im|access-date=6 August 2015}}</ref>
| [[iOS]]
|[[Swift (programming language)|Swift]]
| Abandoned (see project's GitHub page)
|-
| Antox<ref>{{cite web|title=Antox|url=https://github.com/Antox/Antox|publisher=Github|access-date=6 August 2015}}</ref>
| [[Android (operating system)|Android]]
| [[Scala (programming language)|Scala]], [[Java (programming language)|Java]]
| Abandoned, last update in August 2019
|-
| aTox<ref>{{cite web|title=Atox|url=https://github.com/evilcorpltd/aTox|publisher=Github|access-date=22 January 2021}}</ref>
| [[Android (operating system)|Android]]
| [[Kotlin (programming language)|Kotlin]]
| Active, last update in February 2023
|-
| Cyanide<ref>{{cite web|title=Cyanide|url=https://github.com/krobelus/cyanide|publisher=Github|access-date=3 January 2016}}</ref>
| [[Sailfish OS]]
| [[C++]]
| Abandoned,<ref>{{cite web|title=Last commit in Cyanide's repo|url=https://github.com/krobelus/cyanide/commit/b03c7df96d968c056bfa61f396472b0df2cb5bd2|publisher=GitHub|access-date=12 April 2018}}</ref> last update in Jan 2017
|-
| gTox<ref>{{cite web|title=gTox|url=https://github.com/KoKuToru/gTox|publisher=Github|access-date=7 November 2015}}</ref>
| [[Linux]]
| [[C++]] ([[GTK+ 3]])
| Abandoned in 2015 (see project's GitHub page)
|-
| qTox<ref>{{cite web|title=qTox|url=https://github.com/qTox/qTox|publisher=Github|access-date=21 February 2023}}</ref>
| [[Linux]], [[FreeBSD]], [[OS X]], [[Windows]]
| [[C++]] ([[Qt (software)|Qt]])
| Abandoned in 2023 (see project's GitHub page)
|-
| Toxic<ref>{{cite web|title=Toxic|url=https://github.com/JFreegman/toxic|publisher=Github|access-date=22 January 2021}}</ref>
| [[Linux]], [[FreeBSD]], [[OpenBSD]], [[DragonflyBSD]], [[NetBSD]], [[Solaris (operating system)|Solaris]], [[macOS]], [[Android (operating system)|Android]]
| [[C (programming language)|C]] ([[Ncurses]])
| Active, last update in April 2023
|-
| Toxy<ref>{{cite web|title=Toxy|url=https://wiki.tox.chat/clients/toxy|publisher=Github|access-date=6 August 2015}}</ref>
| [[Windows]]
| [[C Sharp (programming language)|C#]] ([[Windows Presentation Foundation|WPF]])
| Abandoned, last update in September 2018<ref>{{cite web|title=Toxy repo|url=https://github.com/alexbakker/Toxy|publisher=GitHub|access-date=12 April 2018}}</ref>
|-
| Toxygen<ref>{{Cite web|title=Toxygen|url=https://github.com/toxygen-project/toxygen|publisher=Github|access-date=2016-07-01}}</ref>
| [[Linux]], [[Windows]]
| [[Python (programming language)|Python]] ([[Qt (software)|Qt]] via [[PySide]])
| Abandoned, last update in May 2020
|-
| TRIfA<ref>{{cite web|title=TRIfA|url=https://github.com/zoff99/ToxAndroidRefImpl|publisher=Github|access-date=11 May 2018}}</ref>
| [[Android (operating system)|Android]]
| [[C (programming language)|C]], [[Java (programming language)|Java]]
| Active, last update Feb 2023
|-
| µTox<ref>{{cite web |title=µTox |url=https://github.com/uTox/uTox |access-date=7 November 2015 |publisher=Github}}</ref>
| [[Linux]], [[FreeBSD]], [[OS X]], [[Windows]]
| [[C (programming language)|C]]
| Abandoned, last update July 2021
|-
| xWinTox<ref>{{cite web|title=xWinTox|url=https://wiki.tox.chat/clients/xwintox|publisher=Tox-Wiki|access-date=7 November 2015}}</ref>
| [[Linux]], [[FreeBSD]], [[Solaris (operating system)|Solaris]]
| [[C (programming language)|C]]/[[C++]] ([[FLTK]])
| Abandoned,<ref>{{cite web|title=Last commit in xWinTox repo|url=https://github.com/JX7P/XwinTox/commit/1bface57d4e6392503a1b64aa471362f711cb510|publisher=GitHub|access-date=12 April 2018}}</ref> last update in December 2015
|-
| Isotoxin<ref>{{cite web|title=Isotoxin|url=https://wiki.tox.chat/clients/isotoxin|publisher=Tox-Wiki|access-date=21 July 2017}}</ref>
| [[Windows]]
| [[C++]]
| Abandoned,<ref>{{cite web|title=Last commit in the isotoxin repo |url=https://github.com/isotoxin/isotoxin/commits/master |website=Github |access-date=21 August 2020}}</ref> last update in March 2018
|-
| ratox<ref>{{cite web|title=ratox|url=https://git.2f30.org/ratox/file/README.html|publisher=2f30|access-date=26 July 2018}}</ref>
| [[Linux]], [[BSD]], [[OS X]]
| [[C (programming language)|C]]
| Active <ref>{{cite web|title=commit log of the ratox repo |url=https://git.2f30.org/ratox/ |publisher=2f30 |access-date=5 January 2023}}</ref>
|-
|WebTox<ref>{{cite web|title=WebTox|url=https://github.com/codedust/WebTox|publisher=GitHub|access-date=6 September 2017}}</ref>
|[[World Wide Web|Web]]-based
|[[HTML5]] (client) + [[Go (programming language)|Go]] (server)
|Abandoned,<ref>{{cite web|title=Last commit in the WebTox repo|url=https://github.com/codedust/WebTox/commit/31789c7acb7b9f0027be11c369d242fa01116ccc|publisher=GitHub|access-date=12 April 2018}}</ref> last update in Jan 2016
|-
|yat<ref name=":1">{{cite web|title=yat|url=https://gitlab.com/neva_blyad/yat|publisher=GitLab|access-date=25 Mar 2022}}</ref>
|[[Linux]], [[Windows]], [[macOS]]
|[[Vala (programming language)|Vala]]
|Active (last update in June 2023<ref>{{Cite web |date=2023-05-08 |title=Commits · master · НЕВСКИЙ БЛЯДИНА / yat · GitLab |url=https://gitlab.com/neva_blyad/yat/-/commits/master |access-date=2023-05-20 |website=GitLab |language=en}}</ref>)
|-
|[[Pidgin (software)|Pidgin]]
|[[Linux]], [[Windows]]
|[[C (programming language)|C]] (libpurple plugin)
|Original version abandoned since May 2017<ref>{{Cite web |title=The end. · fizyk20/tox-prpl@d8de76a |url=https://github.com/fizyk20/tox-prpl/commit/d8de76a92ea3a9d2ee4d5332236b806a88bda03f |access-date=2023-05-20 |website=GitHub |language=en}}</ref><br />Newest known fork abandoned since Jan 2020<ref>{{Cite web |title=Commits · EionRobb/tox-prpl |url=https://github.com/EionRobb/tox-prpl |access-date=2023-05-20 |website=GitHub |language=en}}</ref>
|-
|[[Miranda NG]]
|[[Windows]]
|[[C++]] (plugin)
|No active development<br />Last update in December 2021<ref>{{Cite web |title=Tox protocol |url=https://forum.miranda-ng.org/index.php?topic=2487.msg29241#msg29241 |access-date=2023-05-20 |website=forum.miranda-ng.org}}</ref>
|}


== Reception ==
== Reception ==
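Review bot: The two Clients paragraphs that call the yat author "presumably Russian" and a former employee of a CCTV supplier rest on the author's own Stack Overflow and GitLab profile pages plus the company's site, so the claim is an editor's inference about an identifiable person rather than something a cited source states; it should not stand without a reliable secondary source that makes it. In the same hunk, the Encryption paragraph's statement that the network "broadcasts the used client" carries no citation, and the table's "Active, last update in ..." cells are dated snapshots that need an "as of" qualifier.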

Revision as of 14:32, 12 February 2024

Tox
Stable release: 0.2.18 / 18 April 2022; 2 years ago (2022-04-18)[1]
Repository
Written in: C
Operating system: Linux, OS X, Windows, Android, iOS, FreeBSD, OpenIndiana, Sailfish OS
Type: VoIP, Instant messaging, Videoconferencing
License: GPL-3.0-or-later
Website: tox.chat

Tox is a peer-to-peer instant-messaging and video-calling protocol that offers end-to-end encryption. The stated goal of the project is to provide secure yet easily accessible communication for everyone.[2] A reference implementation of the protocol is published as free and open-source software under the terms of the GNU GPL-3.0-or-later.

History

Inception

The idea of developing a secure peer-to-peer messenger, which would later become Tox, originated on the anonymous imageboard 4chan[3] amid allegations that Skype had provided the NSA with access to its infrastructure and encryption just before it was bought by Microsoft.[4][5]

The initial commit to GitHub was pushed on June 23, 2013, by a user named irungentoo.[6] Unofficial community builds became available as early as August 23, 2013,[7] with the first official builds made available in October 2013.[8] On July 12, 2014, Tox entered an alpha stage in development and a redesigned download page was created for the occasion.[9]

Project's fork and Rust implementation

Sometime during 2016, the original reference implementation saw a steady decline in development activity,[10] with the last known commit currently dated Oct 2018.[11] This caused the project to split, with those interested in continuing the development creating a new fork of Tox core[12] called "c-toxcore" around the end of September 2016.

Currently c-toxcore is being developed by a collective known as the TokTok Project.[13] They describe their mission as "to promote universal freedom of expression and to preserve unrestricted information exchange".[14] Their current goals are to continue slow iterative development of the existing core implementation, along with in-parallel development of a new reference implementation in Rust.[13][15]

Initially, the Rust implementation of the protocol library was split in two halves, one handling most of the grunt work of communication with the network, and another one responsible specifically for bootstrap node operation. In December 2022 those were merged, with developers stating that the code is now mature enough to support basic communication and bootstrap node operations using TCP connections. As of June 2023 the development is still ongoing, but no client implementation using the Rust core library is available yet.[15]

Although the original core library implementation and its forks have been available to the general public for almost a decade, none of them have been reviewed by a competent third-party security researcher.

In 2017, WireGuard's author Jason A. Donenfeld opened an issue on the project's GitHub page[16] where he stated that c-toxcore is vulnerable to key compromise impersonation (KCI) attacks.

He attributed the finding to Tox relying on "homebrew crypto" developed by "non-experts" to facilitate handshakes. He also criticized other design choices made by the Tox developers, such as using raw ECDH values as encryption keys.

This report caused the developers to put an additional disclaimer on the project's GitHub page,[17] stating that Tox is an experimental cryptographic network library that has not been formally audited by an independent third party that specializes in cryptography or cryptanalysis, with a separate disclaimer that users may use it at their own risk.

In March 2023, a post on the project's blog[18] stated that one of the community members is working to redesign the cryptographic mechanism used by Tox to perform handshakes, using the AKE mechanisms used in the Noise Protocol Framework. This post also contains a detailed explanation of the original vulnerability.
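An added illustration of what key compromise impersonation means (not taken from the article, the Tox project, or the cited issue, and not a model of Tox's actual handshake). It assumes a toy finite-field Diffie-Hellman group and hypothetical helpers `static_only_accepts` and `eph_static_accepts`, and contrasts a check that trusts the static-static secret alone with one that also binds the verifier's fresh ephemeral key, loosely in the spirit of Noise-style AKE.

```python
import hashlib
import hmac
import secrets

# Toy finite-field Diffie-Hellman group: an assumption for illustration only.
# Tox itself uses Curve25519 via libsodium.
P = 2**255 - 19
G = 2


def keypair():
    """Return (secret, public) in the toy group."""
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)


def dh(sk, peer_pk):
    return pow(peer_pk, sk, P)


def kdf(*shared):
    """Hash one or more DH outputs into a 32-byte key."""
    h = hashlib.sha256()
    for s in shared:
        h.update(s.to_bytes(32, "big"))
    return h.digest()


def tag(key, transcript):
    return hmac.new(key, transcript, hashlib.sha256).digest()


# Model 1: the peer is authenticated only by the static-static shared secret.
def static_only_accepts(my_sk, claimed_pk, transcript, peer_tag):
    key = kdf(dh(my_sk, claimed_pk))
    return hmac.compare_digest(tag(key, transcript), peer_tag)


# Model 2: the peer must also apply its static secret to our fresh ephemeral.
def eph_static_accepts(my_sk, my_eph_sk, claimed_pk, transcript, peer_tag):
    key = kdf(dh(my_sk, claimed_pk), dh(my_eph_sk, claimed_pk))
    return hmac.compare_digest(tag(key, transcript), peer_tag)


def honest_peer_tag(peer_sk, alice_pk, alice_eph_pk, transcript):
    key = kdf(dh(peer_sk, alice_pk), dh(peer_sk, alice_eph_pk))
    return tag(key, transcript)


def run_demo():
    alice_sk, alice_pk = keypair()
    bob_sk, bob_pk = keypair()
    transcript = b"constructed handshake transcript"
    leaked = alice_sk  # only Alice's long-term secret is compromised

    # Model 1: the static-static secret is computable from Alice's own key,
    # so a tag claiming to come from Bob verifies without Bob's secret.
    forged = tag(kdf(dh(leaked, bob_pk)), transcript)
    model1_fooled = static_only_accepts(alice_sk, bob_pk, transcript, forged)

    # Model 2: Alice contributes a fresh ephemeral key. Without Bob's static
    # secret or Alice's ephemeral secret, the second DH term is out of reach;
    # substituting a term built from the leaked key does not verify.
    eph_sk, eph_pk = keypair()
    guess = kdf(dh(leaked, bob_pk), dh(leaked, eph_pk))
    model2_fooled = eph_static_accepts(
        alice_sk, eph_sk, bob_pk, transcript, tag(guess, transcript))
    model2_honest = eph_static_accepts(
        alice_sk, eph_sk, bob_pk, transcript,
        honest_peer_tag(bob_sk, alice_pk, eph_pk, transcript))
    return model1_fooled, model2_fooled, model2_honest


if __name__ == "__main__":
    print(run_demo())
```

The failed substitution in the second model shows one attempt only and is not a security proof; the point for a reviewer is to check which secrets each key-derivation input actually depends on.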

Tox Foundation controversy

During the first two years of its life, the project's business and monetary side was handled by Tox Foundation, a California-registered corporation.[19] On July 6, 2015, an issue was opened on the project's GitHub, where a third party stated[20] that Tox Foundation's sole board member, Sean Qureshi, used an amount of money in the thousands of US dollars to pay for their college tuition,[21] with those funds coming from Tox Foundation's participation in Google Summer of Code. When asked for additional clarification, irungentoo, on behalf of the project's team, confirmed the allegations.[22] On July 11, 2015, the project's infrastructure and repositories were moved to new locations, because Qureshi controlled the original project's domains and servers. On the project's blog, the development team announced their "disassociation" from Tox Foundation and Qureshi in particular, and further addressed the issue.[23] This situation caused many prominent contributors to cease Tox-related activity.[24]

Features

Encryption of traffic

Users are assigned a public and private key, and they connect to each other directly in a fully distributed, peer-to-peer network. Users have the ability to message friends, join chat rooms with friends or strangers, voice/video chat, and send each other files. All traffic over Tox is end-to-end encrypted using the NaCl library, which provides authenticated encryption and perfect forward secrecy.

Additional messaging features

Tox clients aim to provide support for various secure and anonymised communication features; while every client supports messaging, additional features like group messaging, voice and video calling, voice and video conferencing, typing indicators, message read-receipts, file sharing, profile encryption, and desktop streaming are supported to various degrees by mobile and desktop clients. Additional features can be implemented by any client as long as they are supported by the core protocol. Features that are not related to the core networking system are left up to the client. Client developers are strongly encouraged to adhere to the Tox Client Standard[25] in order to maintain cross-client compatibility and uphold best security practices.

Usability as an instant messenger

Though several apps that use the Tox protocol seem similar in function to regular instant messaging apps, the lack of central servers similar to XMPP or Matrix currently has the consequence that both parties of the chat need to be online for the message to be sent and received. Tox-enabled messengers deal with this in different ways: some prevent the user from sending the message if the other party has disconnected, while others show the message as sent when in reality it is stored on the sender's phone, waiting to be delivered when the receiving party reconnects to the network.[26]

Reception

Tox received some significant publicity in its early conceptual stage, catching the attention of global online tech news sites.[27][28][29][30] On August 15, 2013, Tox was number five on GitHub's top trending list.[31] Concerns about metadata leaks were raised, and developers responded by implementing onion routing for the friend-finding process.[32] Tox was accepted into the Google Summer of Code as a Mentoring Organization in 2014 and 2015.[33][34]

References

  1. "GitHub - TokTok/c-toxcore: The future of online communications". TokTok Project. 2022-03-05. Retrieved 2022-03-05.
  2. "Secure Messaging for Everyone". Tox. Retrieved 6 August 2015.
  3. "Daily reminder that Skype reads the URLs you send, your browser profile, sends encrypted data to Microsoft data centers and gives your conversations to the NSA". 4chan (mirrored). 2013-06-23.
  4. Bogdan Popa (20 June 2013). "Skype Provided Backdoor Access to the NSA Before Microsoft Takeover (NYT)". Softpedia.
  5. Bogdan Popa (31 December 2014). "Leaked Documents Show the NSA Had Full Access to Skype Chats". Softpedia.
  6. "Initial commit". GitHub. Retrieved 18 February 2014.
  7. "Binaries - Tox". 2013-08-23. Archived from the original on 2013-10-04.
  8. "Binaries - Tox". 2013-10-04. Archived from the original on 2013-10-04.
  9. "Binaries - Tox". 2014-08-09. Archived from the original on 2014-08-09.
  10. "Commits · irungentoo/toxcore". GitHub. Retrieved 2023-05-18.
  11. "Fix memory leak when closing TCP connection. · irungentoo/toxcore@bf69b54". GitHub. Retrieved 2023-05-20.
  12. "Commits · TokTok/c-toxcore". GitHub. Retrieved 2023-05-18.
  13. "The TokTok Project - Home". toktok.ltd. Retrieved 2023-05-18.
  14. "The TokTok Project - Mission". toktok.ltd. Retrieved 2023-05-18.
  15. Tox, tox-rs, 2023-05-08, retrieved 2023-05-18
  16. "Tox Handshake Vulnerable to KCI · Issue #426 · TokTok/c-toxcore". GitHub. Retrieved 2023-05-20.
  17. TokTok/c-toxcore, TokTok Project, 2023-05-18, retrieved 2023-05-20
  18. "Redesign of Tox's Cryptographic Handshake – Tox Blog". 2023-03-02. Retrieved 2023-05-20.
  19. "Tox Foundation - BusinessesCalifornia". www.businessescalifornia.com. Archived from the original on 2016-03-21.
  20. "Current situation of Tox · Issue #1379 · irungentoo/toxcore". GitHub. Retrieved 2023-05-20.
  21. "Current situation of Tox · Issue #1379 · irungentoo/toxcore". GitHub. Retrieved 2023-05-20.
  22. "Current situation of Tox · Issue #1379 · irungentoo/toxcore". GitHub. Retrieved 2023-05-20.
  23. "Current Situation – Tox Blog". 2015-07-11. Retrieved 2023-05-20.
  24. "A split within the Tox project". LWN.net. Nathan Willis. 15 July 2015. Retrieved 14 February 2016.
  25. "Tox Client Standard". Retrieved 7 November 2015.
  26. "users:troubleshooting - Tox Wiki". wiki.tox.chat. Retrieved 2019-04-26.
  27. Kar, Saroj (5 August 2013). "Tox: A Replacement For Skype And Your Privacy?". Silicon Angle. Retrieved 19 February 2014.
  28. Grüner, Sebastian (30 July 2013). "Skype-Alternative Freier und sicherer Videochat mit Tox" [More free and secure video chat with Tox]. Golem.de (in German). Retrieved 19 February 2014.
  29. "Проект Tox развивает свободную альтернативу Skype" [Tox project develops free Skype replacement]. opennet.ru (in Russian). 30 July 2013. Retrieved 19 February 2014.
  30. Nitschke, Manuel (2 August 2013). "Skype-Alternative Tox zum Ausprobieren" [Tox Skype replacement tested]. heise.de (in German). Retrieved 19 February 2014.
  31. Asay, Matt (15 August 2013). "GitHub's new 'Trending' Feature Lets You See The Future". ReadWrite.com. Retrieved 19 February 2014.
  32. "Prevent_Tracking.txt". GitHub. Retrieved 20 February 2014.
  33. "Project Tox". GSoC 2014. Retrieved 7 March 2015.
  34. "Project Tox". GSoC 2015. Retrieved 7 March 2015.