Tox is a peer-to-peer instant messaging protocol with end-to-end encryption, voice calls, video calls and file transfers
Instant Messaging is one of the most popular forms of electronic communication. You don't have to pay extra fees (not counting data charges) for chatting with family members, friends or colleagues regardless of their location.
But, there has been a rising concern about the privacy of such services. State-sponsored attacks and mass surveillance are some major examples.
Tox is a peer-to-peer instant messaging protocol with end-to-end encryption for Windows, Linux, macOS, Android and iOS.
What is a decentralized messenger?
Let me explain what a centralized messaging service is. Any instant messaging protocol that uses a cloud-based connection, aka a server, is a centralized service. Examples for this would be Skype, Hangouts, Facebook Messenger, Viber or Telegram. When you send a message through a centralized service, it is transmitted (passes through) a server, where it may or may not be stored before it is delivered to the recipient. This could potentially result in data being stolen, or the user being spied on.
A decentralized messenger is one that cuts out the middleman, i.e., there is no server in between you and your contact. The message that you send is delivered directly to the recipient, as in Peer-to-Peer (P2P). Combined with end-to-end encryption; this is better for privacy when compared to a centralized service.
Tox encryption and Security
Tox uses NaCl encryption for cryptography and the developers have labelled this as experimental. The encryption happens on a per-message basis. Also, worth mentioning is that messages are metadata free, which is important because metadata is used as a way to trace users. Your data is only stored on your device.
Is Tox secure?
The main concern with Tox is that despite being open source, its encryption protocol has not been audited. The developers don't hide this though and have clearly mentioned this on the official website, which is a good sign. Does Tox expose the IP address? Any P2P service will, that's how they work. Tox does by using your IP and your contact's to help you communicate with one another directly. You could try using it with Tor or a VPN to prevent this.
Note: Your IP address is only visible to people whom you add as contacts, other users can't see it. I strongly advise you to read the service's documentation before using it.
Tox clients
There are many clients available for Tox. The most popular desktop applications are uTox and qTox. The official mobile apps while outdated still work. I also tested Tok Lite (doesn't support calls), which is a fork of the official Antox Android app.
Signing up for Tox
There is no registration required as there is no account. When you install a Tox client and run it, you will see that it has a Tox ID (long alphanumerical ID) that's ready to use. You can change your name to whatever you want to. One of the biggest advantages of Tox is that you don't need to provide a phone number or an email address.
I installed uTox on my computer (set it up) and then installed qTox; it automatically picked up my Tox profile. That's because Tox saves a profile to the \AppData\Roaming\Tox folder. You will see a .Tox file here, this is your Tox profile. You can use it to export your profile to other devices, for e.g. if you want to import it to the mobile app.
Adding Contacts
There are a couple of ways to do this. You can send your Tox ID to someone to invite them to chat. They have to accept your request and optionally add you as a contact. Or you can send your QR code that they can scan to accept your invite (only on mobile apps). Some clients have additional functionality such as an option to send voice messages, capture a screenshot of a selected region on the screen and send it to the contact.
Messages, Voice Calls and Video Calls
Tox allows you to send instant messages to your contacts, but can also be used to make audio calls, and video calls. All communication made through Tox is end-to-end encrypted. The Mobile clients display notifications and function just like most IM apps.
File Transfers
You can send files to your contact and depending on the client that you're using, you'll be able to choose whether to accept the incoming transfer or reject it. This option can also be useful to save data, if you're on a mobile network.
Connectivity
Since everything is peer-to-peer based, the connection speed depends on the network quality of you and your contact. It worked flawlessly on local networks, mobile networks, and long-distance peer-to-peer communication as well. I used IPv6, but it also works with IPv4 networks.
The main issue with the service is probably getting people to use it.
Before I wrote this post, I was using Jami (formerly Ring) for a few days. It had way too many connectivity issues (couldn't deliver messages, unjoinable peer, etc), that I had to ditch it. Maybe you will have better luck with it. Wire used to be good, until it was acquired quietly (went from a Luxembourg based ownership to a US one). It has been criticized by Edward Snowden. Riot is another option, though it uses Matrix (which has been hacked twice iirc). Signal still seems to be the best secure messaging app, but it requires a phone number. Android users can try Briar, which uses Tor (for internet) or Bluetooth/Wi-Fi.
The Electronic Frontier Foundation has issued guidance for getting your mobile device across the border safely and protecting the data on it should it get seized.
https://www.eff.org/sites/default/files/EFF-border-search_2.pdf
Great read, thanks for posting Ilev.
Yes, I was just about to post that. They specifically address the hidden volume. To fill its purpose, you need to lie to law enforcement/homeland security, which is in of itself a crime. Of course once you get to court you can try to plead the fifth, but you may be forced to reveal its existence and the password in the same vein as the non-hidden volume anyway.
The best solution to someone asking for your password isn’t to plead the fifth, but to simply say you forgot it. This is of course also perjury, but nobody can look inside your head to prove it, so unless you told your cellmate about your cunning master plan, you’re good to go.
Or unless you write on a blog about it ;)
Rodalpho, isn’t a Truecrypt hidden volume 100% unidentifiable anyways? I don’t know, maybe an extreme expert would “recognize” certain patterns even if it’s hidden.
Once inside your outer volume, assuming they coerced you enough to get into it, would the US Gov’t have the right to manipulate / alter / delete files as a bargaining technique? I would think it unlawful “officially”, but a little imagination brings up some issues.
Ahh but I am pure as the driven snow! (Except for posting on a blog during work.)
… and except for being Bernie Maddoff’s tax advisor!
I used to be a regular visitor to the United States. About every second year. But I stopped going 7 years ago, largely because of border hassles like this. The Canadians now get my money. I know I’m not alone in this.
I was travelling to the USA once or twice a year but I also a few years ago. Not going to go there again until the craze has disappeared… might be a while!
Just a legal clarification: You are not required to provide your password as this is covered under the 5th Amendment against self incrimination. But should the authorities be made aware that there are files located in certain “areas” than you must provide the authorities with an unencrypted version of those files. As the authorities have a “right” to access the files once they know where it is. I would just say “I’m not aware of any”, and claim my tech guy handles everything, I don’t know tech.
I also travel around with the following file: “a little boy and his priest.avs”. Should anyone seize and opens said file, their computers FRY :)
But this TrueCrypt matryoshka concept is intriguing. Gotta try it out.
DanTe, how can I obtain said file that makes computers fry? How does it work?
Do like I do: troll the usenet for “free software” and see which one promptly got pass your virus scan and kills your stand alone PC. I do this about once a year to get the latest in killer software. Use something like the free SBNews Android or Newsbin Pro and just massively download. I generally look for the small (below 5mB) files that purports to be celebrity sex movies.
This is a really good app. I tested it out by partitioning a hard drive that I planned to use for data. Then I encrypted that partition with True Crypt. I noticed that the partition was visible when I opened up Computer to view all my drives. So I went into Disk Management and removed the drive letter from the partition which made it invisible. True Crypt also has a portable app version so no need to install it on the PC. This makes it hard for even a tech saavy person to get into your guarded files. (unless they know your password, lol)
Of course if you are accused of doing something illegal and are forced to give up your PC to the government forensic labs none of the above will help. Just get a lawyer and see what info/passwords you have to give up :-)
“Of course if you are accused of doing something illegal and are forced to give up your PC to the government forensic labs none of the above will help.”
Not to be rude but you don’t know what you’re talking about. :/
Not to be rude … , but you don’t know what you’re talking about. Have you tried the various TrueCrypt encryption modes? And no, Da Gov’ment don’t have no magic pixie dust that allows them to crack everything.
I also have another question — this article is about the gov’t agents seizing laptops. What’s the issue on DESKtops? Also can be seized, or a different story?
They can also be seized, no difference.