On Sat, 26 Sep 2015 20:52:01 -0700 coderman <coderman@gmail.com> wrote:
On 9/26/15, Juan <juan.g71@gmail.com> wrote:
... I've been playing with tox (thanks rysiek!) and it looks rather interesting. I noticed however that it's not listed here
i am not saying the scorecard is worthless, but rather, it is at best a signal for subpar projects doing things obviously wrong.
Oh, I wasn't commenting on the security of the software listed or tox in particular. What I meant is that tox is an interesting project and maybe more publicity from eff would help.
it cannot tell you, honestly, who is doing it all right. (not least because "right" is relative to risk and threat model, which is perspective unique to each user...)
things that are good about Tox.chat:
- Opus for media. if you don't know about the Opus Codec, you should! VP8 i don't care about either way.
- Re-uses onions, rather than trying to build its own anonymity overlay for friend finding.
- Uses cryptobox for crypto stuffs, rather than rolling own.
- Supports clients of various types, per preference, rather than monolithic structure.
the bad:
- written in C and passing things around potentially unsafely. see the address parsing in network.c, the DHT code. needs a good audit.
- poor network performance primitives with UDP - ok, not a problem because this won't need that scale - beauty of decentralization! :)
- DHT is trivial to DoS. a known issue, but if you need survivability i'd choose pond over tox.
best regards,