I've been playing with tox(thanks rysiek!) and it looks rather interesting. I noticed however that it's not listed here https://www.eff.org/secure-messaging-scorecard Maybe somebody who knows somebody at eff could drop them a message? Also, apart from retroshare (and tox), is there any other p2p messaging network?
On 9/26/15, Juan <juan.g71@gmail.com> wrote:
... I've been playing with tox(thanks rysiek!) and it looks rather interesting. I noticed however that it's not listed here
i am not saying the scorecard is worthless, but rather, it is at best a signal for subpar projects doing things obviously wrong. it cannot tell you, honestly, who is doing it all right. (not least because "right" is relative to risk and threat model, which is perspective unique to each user...)
things that are good about Tox.chat:
- Opus for media. if you don't know about the Opus Codec, you should! VP8 i don't care about either way.
- Re-uses onions, rather than trying to build its own anonymity overlay for friend finding.
- Uses cryptobox for crypto stuffs, rather than rolling own.
- Supports clients of various types, per preference, rather than monolithic structure.
the bad:
- written in C and passing things around potentially unsafely. see the address parsing in network.c, the DHT code. needs a good audit.
- poor network performance primitives with UDP - ok, not a problem because this won't need that scale - beauty of decentralization! :)
- DHT is trivial to DoS. a known issue, but if you need survivability i'd choose pond over tox.
best regards,
the bad:
- written in C and passing things around potentially unsafely. see the address parsing in network.c, the DHT code. needs a good audit.
- poor network performance primitives with UDP - ok, not a problem because this won't need that scale - beauty of decentralization! :)
- DHT is trivial to DoS. a known issue, but if you need survivability i'd choose pond over tox.
last time (more than a year ago) i checked they also send along the long-term signing keys of the communication participants making traffic analysis between peers quite possible. -- otr fp: https://www.ctrlc.hu/~stef/otr.txt
On 09/26/2015 08:52 PM, coderman wrote:
but if you need survivability i'd choose pond over tox.
From the developer's site:
Dear God, please don't use Pond for anything real yet. I've hammered out nearly 20K lines of code that have never been reviewed. Unless you're looking to experiment you should go use something that actually works.
https://pond.imperialviolet.org/ RR ToxID: E611C7673C4C9C84C7F53BD8A2DF46C3131CB260E5758392B6B22FE18072C57518A2F0786A9A
On Sunday, 27 September 2015 09:51:38 Razer wrote:
On 09/26/2015 08:52 PM, coderman wrote:
but if you need survivability i'd choose pond over tox.
From the developer's site:
Dear God, please don't use Pond for anything real yet. I've hammered out nearly 20K lines of code that have never been reviewed. Unless you're looking to experiment you should go use something that actually works.
https://pond.imperialviolet.org/
RR
ToxID: E611C7673C4C9C84C7F53BD8A2DF46C3131CB260E5758392B6B22FE18072C57518A2F0786A9A
Mine: 3FA2E5273F0C368576FE120B374664E3B41E2CDF21639AFED3DC301490FFB01FAAA47B78D5F4
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
On Sun, 27 Sep 2015 19:46:31 +0200 rysiek <rysiek@hackerspace.pl> wrote:
RR
ToxID: E611C7673C4C9C84C7F53BD8A2DF46C3131CB260E5758392B6B22FE18072C57518A2F0786A9A
Mine: 3FA2E5273F0C368576FE120B374664E3B41E2CDF21639AFED3DC301490FFB01FAAA47B78D5F4
and mine 07531C0892CFB8C11ABA1293DC51359C3A77D67B39B44FA9397270EDA5F6493184DFABABC08C We assume we're not being MITMed eh? =P Anyway, a problem with tox for the time being is lack of off-line messaging...
On Sunday, 27 September 2015 16:35:14 Juan wrote:
On Sun, 27 Sep 2015 19:46:31 +0200
rysiek <rysiek@hackerspace.pl> wrote:
RR
ToxID: E611C7673C4C9C84C7F53BD8A2DF46C3131CB260E5758392B6B22FE18072C57518A2F0786A9A
Mine: 3FA2E5273F0C368576FE120B374664E3B41E2CDF21639AFED3DC301490FFB01FAAA47B78D5F4
and mine 07531C0892CFB8C11ABA1293DC51359C3A77D67B39B44FA9397270EDA5F6493184DFABABC08C
We assume we're not being MITMed eh? =P
Well, at least we're using two channels. And we can verify it, kind of, by doing an audio call and reading out loud at least part of the ToxID. Live MITMing of audio might be a bit more complicated. ;)
Anyway, a problem with tox for the time being is lack of off-line messaging...
True.
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
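The out-of-band check described in the message above (reading part of the ToxID aloud on a call) is sketched below as an added example; it is not part of the thread or of any Tox client. It assumes the Tox ID layout of a 32-byte public key, 4-byte nospam and 2-byte XOR checksum, the function names are hypothetical, and the sample value is the first ToxID quoted in this thread with the stray space it picked up in mail wrapping.

```python
"""Added example: validate a Tox ID and compare it group by group over a call."""

# Assumed Tox ID layout: 32-byte public key | 4-byte nospam | 2-byte checksum.
KEY_LEN, NOSPAM_LEN, CHECKSUM_LEN = 32, 4, 2
ID_LEN = KEY_LEN + NOSPAM_LEN + CHECKSUM_LEN

# First ToxID quoted in the thread, including a stray space from mail wrapping.
SAMPLE_ID = ("E611C7673C4C9C84C7F53BD8A2DF46C3131CB260E5758392"
             "B6B22FE18072C57518A2F078 6A9A")


def parse_tox_id(text: str) -> dict:
    """Return the fields of a Tox ID, or raise ValueError if it is malformed."""
    cleaned = "".join(text.split())
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        raise ValueError("Tox ID is not valid hexadecimal") from None
    if len(raw) != ID_LEN:
        raise ValueError(f"expected {ID_LEN} bytes, got {len(raw)}")
    body, checksum = raw[:-CHECKSUM_LEN], raw[-CHECKSUM_LEN:]
    # Checksum: XOR of the body taken two bytes at a time. It only catches
    # copy/paste damage; it gives no protection against a substituted ID.
    expected = bytearray(CHECKSUM_LEN)
    for i, byte in enumerate(body):
        expected[i % CHECKSUM_LEN] ^= byte
    if bytes(expected) != checksum:
        raise ValueError("checksum mismatch: ID was mistyped or truncated")
    return {"public_key": raw[:KEY_LEN],
            "nospam": raw[KEY_LEN:KEY_LEN + NOSPAM_LEN],
            "checksum": checksum}


def spoken_groups(text: str, size: int = 4) -> list:
    """Split the public key (the part that identifies the peer) into groups."""
    key_hex = parse_tox_id(text)["public_key"].hex().upper()
    return [key_hex[i:i + size] for i in range(0, len(key_hex), size)]


def heard_matches(local_copy: str, heard: list) -> bool:
    """True if every group the peer read aloud matches, in order, the start of
    the public key in the ID we received over the other channel."""
    ours = spoken_groups(local_copy)
    said = [g.strip().upper() for g in heard]
    return 0 < len(said) <= len(ours) and said == ours[:len(said)]


if __name__ == "__main__":
    print(" ".join(spoken_groups(SAMPLE_ID)[:4]))
    print(heard_matches(SAMPLE_ID, ["e611", "C767", "3C4C"]))
```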
qTox chat tool is still a work in progress. When I shrink the popout chat window the text typed doesn't wrap; ends up a single column of first-on-the-line letters
On Sunday, 27 September 2015 12:52:49 Razer wrote:
qTox chat tool is still a work in progress. When I shrink the popout chat window the text typed doesn't wrap; ends up a single column of first-on-the-line letters
<anything>Tox is still a work in progress. There was an important update a couple of months ago that broke API compatibility. Just a few months before that there has been a protocol change... Still, it does seem to be a potential contender as far as audio/video calls are concerned.
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
On Sunday, 27 September 2015 09:51:38 Razer wrote:
On 09/26/2015 08:52 PM, coderman wrote:
but if you need survivability i'd choose pond over tox.
From the developer's site:
Dear God, please don't use Pond for anything real yet. I've hammered out nearly 20K lines of code that have never been reviewed. Unless you're looking to experiment you should go use something that actually works.
Oh, and this *definitely* holds true for Tox! It needs a good audit, clear protocol specification, and an independent implementation in Python!
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
On Sat, 26 Sep 2015 20:52:01 -0700 coderman <coderman@gmail.com> wrote:
On 9/26/15, Juan <juan.g71@gmail.com> wrote:
... I've been playing with tox(thanks rysiek!) and it looks rather interesting. I noticed however that it's not listed here
i am not saying the scorecard is worthless, but rather, it is at best a signal for subpar projects doing things obviously wrong.
Oh, I wasn't commenting on the security of the software listed or tox in particular. What I meant is that tox is an interesting project and maybe more publicity from eff would help.
it cannot tell you, honestly, who is doing it all right. (not least because "right" is relative to risk and threat model, which is perspective unique to each user...)
things that are good about Tox.chat:
- Opus for media. if you don't know about the Opus Codec, you should! VP8 i don't care about either way.
- Re-uses onions, rather than trying to build its own anonymity overlay for friend finding.
- Uses cryptobox for crypto stuffs, rather than rolling own.
- Supports clients of various types, per preference, rather than monolithic structure.
the bad:
- written in C and passing things around potentially unsafely. see the address parsing in network.c, the DHT code. needs a good audit.
- poor network performance primitives with UDP - ok, not a problem because this won't need that scale - beauty of decentralization! :)
- DHT is trivial to DoS. a known issue, but if you need survivability i'd choose pond over tox.
best regards,
On Sunday, 27 September 2015 23:50:32 Juan wrote:
On Sat, 26 Sep 2015 20:52:01 -0700
coderman <coderman@gmail.com> wrote:
On 9/26/15, Juan <juan.g71@gmail.com> wrote:
...
I've been playing with tox(thanks rysiek!) and it looks
rather interesting. I noticed however that it's not listed here
i am not saying the scorecard is worthless, but rather, it is at best a signal for subpar projects doing things obviously wrong.
Oh, I wasn't commenting on the security of the software listed or tox in particular.
What I meant is that tox is an interesting project and maybe more publicity from eff would help.
I'm testing it on my non-techie friends and I think it needs a bit more time. I mean, for the most part it works and is already much, much more usable than XMPP+Jingle or SIP/SIMPLE SNAFUs, and actually possible to set-up by a non-techie person, but it also does experience occasional crashes, and sometimes has problems re-connecting to DHT upon user switching the physical Internet connection.
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
I've never successfully installed or used the Android APK. Without that there's very, very little point to Tox over just using Jitsi meet, especially when Jitsi's UX design and performance are so good for non-techies. If paranoid, run JM on own domain. No Android app but works on Android mobile Chromium, which does prevent a trust issue because compiling chromium is torture and auditing it is extremely awkward thanks to the pull-in-source-during-the-build process. Would like to see Tox work in a way compatible with my contacts, but only a small handful *could* use it and none of them *would*.
On 28 September 2015 10:22:53 IST, rysiek <rysiek@hackerspace.pl> wrote:
On Sunday, 27 September 2015 23:50:32 Juan wrote:
On Sat, 26 Sep 2015 20:52:01 -0700
coderman <coderman@gmail.com> wrote:
On 9/26/15, Juan <juan.g71@gmail.com> wrote:
...
I've been playing with tox(thanks rysiek!) and it looks
rather interesting. I noticed however that it's not listed here
i am not saying the scorecard is worthless, but rather, it is at best a signal for subpar projects doing things obviously wrong.
Oh, I wasn't commenting on the security of the software listed or tox in particular.
What I meant is that tox is an interesting project and maybe more publicity from eff would help.
I'm testing it on my non-techie friends and I think it needs a bit more time. I mean, for the most part it works and is already much, much more usable than XMPP+Jingle or SIP/SIMPLE SNAFUs, and actually possible to set-up by a non-techie person, but it also does experience occasional crashes, and sometimes has problems re-connecting to DHT upon user switching the physical Internet connection.
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Monday, 28 September 2015 10:59:07 you wrote:
I've never successfully installed or used the Android APK. Without that there's very, very little point to Tox over just using Jitsi meet, especially when Jitsi's UX design and performance are so good for non-techies.
I have never had a single situation, where VoIP over Jitsi actually worked. And I have tried many, many times. :/
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
Jitsi desktop or the Jitsi Meet browser app? I've given up on the former, reliability is as bad as Skype and UX is poor. The latter is Chrome only, but reliability and UX is great.
On 28 September 2015 12:15:07 IST, rysiek <rysiek@hackerspace.pl> wrote:
On Monday, 28 September 2015 10:59:07 you wrote:
I've never successfully installed or used the Android APK. Without that there's very, very little point to Tox over just using Jitsi meet, especially when Jitsi's UX design and performance are so good for non-techies.
I have never had a single situation, where VoIP over Jitsi actually worked. And I have tried many, many times. :/
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Monday, 28 September 2015 12:51:22 you wrote:
Jitsi desktop or the Jitsi Meet browser app? I've given up on the former, reliability is as bad as Skype and UX is poor. The latter is Chrome only, but reliability and UX is great.
Ah, interesting! Didn't know about that. Any links? Does it use WebRTC? How is it different from palava.tv?
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
WebRTC: https://meet.jit.si
Open source, self-hostable, very good performance despite (I think?) P2P crypto in-browser. Really the only problem is that so few browsers do WebRTC well enough to run it!
Usability is *very* noob-friendly, just define a private URL or get one from the server on first-visit, and send to friends. They open the link, and are dropped into chat-server. The hardest UX part of Jitsi meet is teaching people to click "Allow Camera and Mic" on first visit.. you'd be surprised how big a deal this is for people actually.
In fact, the difficulty getting people to click just that one button to use Jitsi Meet may be what finally broke my spirit and made me realise that users are quite often too stupid to successfully use *anything* and that only brand reputation makes them persevere to use shit like Skype.
On Mon, 2015-09-28 at 15:21 +0200, rysiek wrote:
On Monday, 28 September 2015 12:51:22 you wrote:
Jitsi desktop or the Jitsi Meet browser app? I've given up on the former, reliability is as bad as Skype and UX is poor. The latter is Chrome only, but reliability and UX is great.
Ah, interesting! Didn't know about that. Any links? Does it use WebRTC? How is it different from palava.tv?
On 09/28/2015 07:47 AM, Cathal Garvey wrote:
The hardest UX part of Jitsi meet is teaching people to click "Allow Camera and Mic" on first visit.. you'd be surprised how big a deal this is for people actually.
From the pine nut gallery. No. I'm not surprised at all. Some people just don't do certain things 'the first time'...
On Monday, 28 September 2015 08:56:13 Razer wrote:
On 09/28/2015 07:47 AM, Cathal Garvey wrote:
The hardest UX part of Jitsi meet is teaching people to click "Allow Camera and Mic" on first visit.. you'd be surprised how big a deal this is for people actually.
From the pine nut gallery. No. I'm not surprised at all. Some people just don't do certain things 'the first time'...
Well, there's also a question of how anal-retentive you want to be about it. I tend to be somewhere between "very" and "extremely", which usually gets the other side to actually use Etherpads instead of Google Docs; Tox or https://palava.tv instead of Skype; etc. Actually, I do not have a GDocs account, and I do not have a Skype account. That makes things a bit awkward sometimes, but in the end there is *always* a way to communicate, and if somebody is unwilling to use a tool that does not require me to give my data to the Microsofts and Googles of this world, then I tend to just assume that the whole deal is not worth my time. And you know what? I don't remember the last time I had to make that assumption.
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
On Monday, 28 September 2015 15:47:16 you wrote:
WebRTC: https://meet.jit.si
Open source, self-hostable, very good performance despite (I think?) P2P crypto in-browser. Really the only problem is that so few browsers do WebRTC well enough to run it!
Interesting. Similar to https://palava.tv then. I'll look into it, I might use one of them in a project of mine.
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
On 28.09.2015 at 16:47, Cathal Garvey wrote:
In fact, the difficulty getting people to click just that one button to use Jitsi Meet may be what finally broke my spirit and made me realise that users are quite often too stupid to successfully use *anything* and that only brand reputation makes them persevere to use shit like Skype.
My thoughts exactly. 20 years ago people could learn to use MS-DOS, but today clicking a colorful, graphical, button is "too difficult". Anything that's new/different and isn't already used by millions of other sheep is instantly seen as evil, difficult and not necessary. What happened to curiosity, to wanting to learn new stuff? The universe is still winning, the current wave of idiots is too much :-P. -- Łukasz "Cyber Killer" Korpalski mail: cyberkiller8@gmail.com xmpp: cyber_killer@jabster.pl site: http://website.cybkil.cu.cc gpgkey: 0x72511999 @ hkp://keys.gnupg.net //When replying to my e-mail, kindly please //write your message below the quoted text.
On Mon, Sep 28, 2015 at 11:22:53AM +0200, rysiek wrote:
I'm testing it on my non-techie friends and I think it needs a bit more time. I mean, for the most part it works and is already much, much more usable than XMPP+Jingle or SIP/SIMPLE SNAFUs, and actually possible to set-up by a non-techie person, but it also does experience occasional crashes, and sometimes has problems re-connecting to DHT upon user switching the physical Internet connection.
Is there an open source alternative to Viber, supporting relatively sound user encryption? Maybe some jabber extension? This: http://alternativeto.net/software/viber/?license=opensource suggests android/ios only: https://github.com/WhisperSystems/RedPhone
On Mon, 28 Sep 2015 11:22:53 +0200 rysiek <rysiek@hackerspace.pl> wrote:
On Sunday, 27 September 2015 23:50:32 Juan wrote:
On Sat, 26 Sep 2015 20:52:01 -0700
coderman <coderman@gmail.com> wrote:
On 9/26/15, Juan <juan.g71@gmail.com> wrote:
...
I've been playing with tox(thanks rysiek!) and it looks
rather interesting. I noticed however that it's not listed here
i am not saying the scorecard is worthless, but rather, it is at best a signal for subpar projects doing things obviously wrong.
Oh, I wasn't commenting on the security of the software listed or tox in particular.
What I meant is that tox is an interesting project and maybe more publicity from eff would help.
I'm testing it on my non-techie friends and I think it needs a bit more time. I mean, for the most part it works and is already much, much more usable than XMPP+Jingle or SIP/SIMPLE SNAFUs, and actually possible to set-up by a non-techie person, but it also does experience occasional crashes, and sometimes has problems re-connecting to DHT upon user switching the physical Internet connection.
Connection wise I haven't experienced any problems. Some friends of mine on windows set it up in minutes (they are not particularly techie). It also depends on what client you use I guess. I tested utox on a windows xp machine and it only took a few clicks to install. But having no off-line messaging does impair usability. Not being able to 'add' people unless they are online is...awkward.
participants (9)
- Cathal (Phone)
- Cathal Garvey
- coderman
- Georgi Guninski
- Juan
- Razer
- rysiek
- stef
- Łukasz 'Cyber Killer' Korpalski