You have approximately 14.8 seconds to name an IM client or protocol better than tox

You have approximately 14.8 seconds to name an IM client or protocol better than tox.

Protip: you can't

IRC

IRC isn't peer-to-peer

everything that has a larger user-base.
An IM with no user-base isn't worth a dime.

Matrix you dip

Matrix Tox bridge when?

GNU Ring

Kik, BBM, Facebook Messenger, Skype
>why
Because people I talk to actually use them.

...

I'm rather content just using SMS. Besides, that cartoon thing's not exactly enticing.

>no whatsapp

???

I want normies to leave.

I live in the US, nobody here even knows what a WhatsApp is.

How am I a normie?

Why is the US always so far behind everything?
Whatsapp is messaging done right

>messaging done right
Before they were owned by Facebook, maybe

I don't mind the IM fragmentation, literally everyone has SMS/MMS

>utox
Is it even still alive at this point?

XMPP w/ OTR

Done.


Goodbye.

If it has me and the person I want to speak to it's fine for me

Wire.
Sadly, no one uses it either way.

why does this matter

there's something the terrorists are using which was in the news recently, it's not tox

said it was the most popular in the world

Must be AndroidMessage

>libpurple garbage
Hahahahah.

tox is basically dead and the clients are all garbage.

signal, WhatsApp, telegram

>signal, WhatsApp, telegram
Fuck off, shill.

Lol, optional e2e. In this post-snowden world.

Never.

kys, sqtism

What is this? Is anyone using it outside of Sup Forums memelords? No?

See + WhatsApp. :^)

It's an open, DHT-based, public key as DHT address, always e2e encrypted, forward-secrecy, distributed IM system.

Or the magic combination of features that an IM system needs in the present world.

I've heard it was some kind of forum, called rabbit or something.

>Implying tox is used for anything other than sharing CP
It's worthless

Even the logo is awesome.

ricochet

>whatsapp

Wire and Signal are a thousand times better.

github.com/TokTok/c-toxcore/issues/426

>hey guys there's glaring issues with your crypto
>fUCK YOU YOU CIA NIGGER THIS IS A SEKRIT NSA OP TO DESTROY TOX GET OUT WE'RE PERFECT

And this is why you should never trust homebrew crypto that actively refuses public help by more knowledgeable people.

Seesh, github issues.

Tox crypto was looked at by actual cryptographers a while ago; there was some hacker news thread about it.

There's one known issue, which has to do with impersonating the friends of a person whose private key has been stolen.

The devs are well aware of it, and it will eventually get fixed, but it requires breaking protocol, and c-toxcore from toktok (maintained fork of the original tox library) has other priorities. Namely, cleaning the code and documenting the protocol to some sane standard.

That's a pretty great response, user. Too bad irungentoo and the rest of the GH team has fucking autism and can't handle (proper) criticism.

Who gives a shit, just put up your own server and force SSL connections or something.

matrix/riot

iMessage.

>irungentoo
I'm not sure he's still around. The people running the project right now (the toktok c-toxcore fork) are mostly active client developers.

Wire.

This thread was invaded by the Sup Forums and Sup Forums shilling for CIA.

Retroshare with Tor.

Well, he was around enough to shit all over that GitHub issue and seems pretty happy to just shut down critique along with his dick-sucking posse

>that GitHub issue
Are you referring to the one with a massive security hole if you share your private key with people?

Threema secure messenger

More like GNU Meme, amirite?

Hey look the TIDF showed up.

Great argument as always. :^)

When someone points out a flaw in your crypto, regardless of what attack vector is, you should really listen and not just instantly defend whatever non-existent scope/timeline/protocol you think of on the spot.

Tox has a crypto issue. If someone gains access (read: it doesn't necessarily mean someone shared [i.e. willingly] their key) to another's key, the attacker can now impersonate anyone to that user, or impersonate the user itself.

I'd be very understanding if Tox said "Hey, take a look at this document detailing what Tox does and does not, we appreciate you filing this issue, however, it resides outside the scope of what Tox is intended to protect"

Instead you get irungentoo and his gang instantly going into TIDF mode screaming "YOU SHARED YOUR KEY YOU DESERVE IT FUCK OFF"

Tox is full of people who view Tox as an extension of themselves. They've worked very hard on it and don't know how to separate critique from personal attack. And that's how you've ended up in this toxic shithole, and it's like walking on eggshells.

Why would anyone use Tox when there's Wire?

hello kind sir... the whatsapp is a very good app my friend.... thanks good morning

If someone has your private key, you're fucked either way.

Right, but you're even more fucked if that means other people can impersonate your friends to you.

As an example of why this is bad, note that a vulnerability that leaks the private key doesn't necessarily yield code execution, as demonstrated by heartbleed. But if they can impersonate your friend after stealing your private key... you might run an exe from your "trusted friend", effectively yielding code execution.
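Added example, not part of the thread and not Tox code: a toy model of the key-compromise impersonation issue the posts above argue about, assuming a handshake whose authentication rests only on a Diffie-Hellman between the two long-term keys. The modular-exponentiation group, the names Alice/Bob/thief and the `demo` function are constructed for illustration; the second half shows the general countermeasure of mixing in a DH with the verifier's fresh ephemeral key.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2  # toy group, constructed for the demo; not real X25519

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(32, "big")

def kdf(*shared):
    return hashlib.sha256(b"".join(shared)).digest()

def tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def accepts(key, msg, t):
    return hmac.compare_digest(tag(key, msg), t)

def demo():
    a_priv, a_pub = keypair()  # Alice's long-term key, copied by a thief
    b_priv, b_pub = keypair()  # Bob's long-term key, never exposed
    msg = b"hello from Bob"

    # Static-only: Alice checks "Bob" with a key derived from DH(a, B).
    # Anyone holding a_priv derives the same key, so the thief's tag verifies.
    alice_static = kdf(dh(a_priv, b_pub))
    thief_static = kdf(dh(a_priv, b_pub))
    static_forgery = accepts(alice_static, msg, tag(thief_static, msg))

    # Mixed: Alice also sends a fresh ephemeral public key and mixes in
    # DH(e, B). Computing that term needs e_priv or b_priv, not a_priv.
    e_priv, e_pub = keypair()
    alice_mixed = kdf(dh(a_priv, b_pub), dh(e_priv, b_pub))
    bob_mixed = kdf(dh(b_priv, a_pub), dh(b_priv, e_pub))
    # The thief has neither secret, so its substitute second term is wrong.
    thief_mixed = kdf(dh(a_priv, b_pub), dh(a_priv, e_pub))
    return {
        "static_only_forgery_accepted": static_forgery,
        "mixed_real_bob_accepted": accepts(alice_mixed, msg, tag(bob_mixed, msg)),
        "mixed_forgery_accepted": accepts(alice_mixed, msg, tag(thief_mixed, msg)),
    }

if __name__ == "__main__":
    print(demo())
```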

It's an issue that can and will eventually be fixed.

>isn't peer to peer

what does dcc stand for again, i'm getting forgetful in my old age.

It stands for insecure, server-mediated, not encrypted, trivial to MITM, client to client.

1024-bit RSA
lolololololol

Whatsapp, because it's okay and nearly everyone uses it.

Sounds cool! Does it suck?

All I see is an acknowledged issue that they plan on fixing that relies on the attacker having compromised something that should preferably never have been compromised in the first place.

I also see Chicken Little screaming at the top of his lungs about how the sky is falling and how the people maintaining an inherited shitshow of a codebase are of inferior intellect because they only want to break the client once.

GitHub was a mistake.

Silence, Conversations with OMEMO and OTR

Signal (and I say this unironically)

Discord.

>lists all trash apps
Wire is the Sup Forums approved app newfriend

Signal>Wire

Get with the times, gramps.

It's okay kiddo you'll eventually grow out of those toddler apps. Chrome and Google in general aren't cool. Signal isn't either. All sub par. Oh and don't worry they let people retake the A+ Certification test. It's easy and you'll pass eventually.

textsecure

Tox is the best protocol right now, it's the clients that are kinda sucky at times.

If you care at all about security you ought to know why it's important to have your conversation not go through a central mystery-box server.

Fuck you, I came into this thread specifically to bait with "Discord." and you have denied me that.

Apologize.

Also, Line.

Club penguin

/thread

Talk more about it, user.

IRC with Blowfish encrypted messages.

>he defends Tox for free

The debate/conversation between iphydf and zx2c4 was perfectly reasonable and actually interesting to read. Then GrayHatter came in and starting explosively shitting everywhere, and the whole thing went kaput.

GitHub isn't a mistake. Letting retards speak on behalf of Tox is. Put GrayHatter on a leash or something for christ's sake, they're worse than stqism's shitposts from way back yonder.

s/starting/started

msn messenger with msn reviver.
no one uses it so no one will bother to hack it

I'm more of a fan of using hacked WoW accounts to all drop dead in org to spell out where the next attack is.

I'm not defending Tox. My two cents is that it's pretty much useless.

The conversation was productive, but hearing zx2c4 constantly bitch about "muh homebrew" and "leave it to the pros" like there's such a thing as perfect crypto is fucking annoying. He literally (truly and literally) suggested a banner telling people to not use a program because you're vulnerable if you expose your private key. It doesn't help that he can't see the reasoning behind making all major fixes to the protocol at once.

GrayHatter was a pussy for locking it.

GitHub is a mistake. The concept is fine, but the culture of GitHub has become absurd.

>if you expose your private key

Again, you're blaming the user for something Tox fails at. See . There are historical examples of vulnerabilities that leak data, including private keys. No one is expecting Tox to be impenetrable, but when you can further improve Tox's security from external vulnerabilities, there should be a movement towards a solution.

I was saying earlier that Tox devs/fans/etc. have an issue where they cannot separate critique from personal attack. You're doing the same thing by making conclusions.

A) You're automatically assuming that if someone's private key is exposed, it's their fault. ("if YOU expose YOUR key" actively blames the user)

B) zx2c4 never said to tell users they shouldn't download Tox. They said you should warn users that they should not assume Tox is secure. And that's pretty reasonable for a project that has already shown an unwillingness to fix handshake flaws, a total lack of documentation, and a shady history (stqism taking money, GSOC shit).

The issue I'm getting at here is that Tox is way too egotistical about itself for being such a new project. Tor has been around for more than a decade and they still go through numerous warnings and a general sense of humility about their code.

Examples:
>People can use Tor to communicate MORE SAFELY
>Tox [...] connects you with and family WITHOUT ANYONE LISTENING IN

>Tor CAN'T SOLVE ALL anonymity problems.
>The ONLY people who can see your conversations are the people you're talking with.

And sure, Tor brags a shitload about who uses Tor successfully, etc. on their website because 15 years' worth of numerous publications, research, and testing has shown Tor to be relatively safe. Tox has none of this and yet espouses with conviction of its safety.

Tox has a moral obligation to its userbase to ensure that people understand its strengths and weaknesses. It begins with the basic assumption, like you were complaining about, that no crypto is perfect.

And because no crypto is perfect, then Tox should indeed warn users of potential pitfalls. And not tuck it away in some "ha ha yeah expect to run in some bugs XD"

Prosody, OMEMO and Conversations as a client

All a nigga needs

I completely understand the user's key being compromised isn't necessarily the user's fault. However, for the sake of the argument, we assume a perfectly vigilant user, this vulnerability still depends on some other method of stealing the user's private key.

He stopped just short of saying that the Tox developers are not competent enough for viable cryptography and that Tox is fundamentally compromised.

>But in case it does, then let this be a wake-up call to developers not to roll your own crypto, as well as a wake-up call to users not to rely on crypto software written by non-experts.

Tox was a Sup Forums meme project. It exists to implement its own crypto. Despite its shortcomings, it could definitely be way worse.

>I strongly recommend that you put a large red disclaimer on the Tox website and in all applications indicating to users that Tox is not secure.

By this same logic, Tor, OTR, etc. should all be advertised as fundamentally busted because they're not 110% secure. This guy is seriously overreacting.

zx2c4 didn't suggest jettisoning Tox, but azet sure did, after multiple appeals to "muh experts, Noise is flawless so why even try!" This was his response suggesting that they shut down the Tox network (which really raises some questions).

> I'd recommend taking the project/network off-line for the time being until you have a proper threat model sorted out and discussed
> There're a few ways to take such a project down, a simple one is not to provide working binaries to end-users anymore and make the source-code on GitHub accessible only for experts that want to play with or improve upon Tox properly (i.e. don't automate builds or something like that) - that's harsh, I know :)

>this vulnerability still depends on some other method of stealing the user's private key.
Exactly, which is why I said "...but when you can further improve Tox's security from external vulnerabilities, there should be a movement towards a solution."

>But in case it does, then let this be a wake-up call to developers not to roll your own crypto, as well as a wake-up call to users not to rely on crypto software written by non-experts.

I mean, like I said.
>Flaw pointed out
>NOT OUR JOB
>Let this serve as an example

I spoke earlier last night about Tox's lack of documentation. And the whole reason why zx2c4's issue is such a problem is specifically due to a lack of documentation.

Tox is just improvising what they care about and what they don't on the spot. There's no document or otherwise nailing down what Tox seeks to cover or not. I'm sure the GitHub issue would've been 3-5 comments had there been a threat model.
>hey guys your handshake is fucked
>yeah man, we're aware, Tox isn't going to fix it because it relies on an external force
>[potential debate about whether or not the scope is proper]

Instead you just get shit flinging.

And so why does Tor, OTR, etc, not advertise themselves as fundamentally busted? Because they have clear goals of what they cover, what they don't, how everything works, and in some cases, external audits and years of academic research and testing. Tox has none of this!

I really do want to stress iphydf's and zx2c4's conversations were constructive and gave insight into both's arguments. I'm not attacking iphydf's work, just the general attitude most contributors of Tox seem to have.

The changes made to the repo with the experimental banner and somewhat upfront issues are a step in the right direction. The path forward here relies on documentation.

A lot of fields more or less use the same taglines with important stuff like this:
>If you didn't document it, it doesn't exist.
>DOCUMENT, DOCUMENT, DOCUMENT