Is Tox really as decentralized as the developers claim? #1398
Please note that our official website is tox.chat. You do raise excellent points however. If I recall correctly bootstrapping can actually be done through any tox node (including other clients). The bootstrap nodes are merely provided to client developers for ease of joining the primary network. I'm not sure if client devs allow end users to specify exactly what nodes to bootstrap off but the ability should be there (and used to be on toxic from what I recall). The usernames situation is a hard one to solve properly in a decentralized system, and only things like namecoin etc have really done it in a proper fashion. The one offered by tox.party and others is merely a stop gap, for users who are not comfortable with only sharing tox IDs. Supernodes are a tradeoff in design that sidesteps some of the harder issues with decentralization. I think it's an okay tradeoff to make personally, but I'm sure others will have their own opinions. |
You can't build a distributed network without bootstrapping, it is technically impossible. The only thing we can do is to make the list of bootstrap nodes changeable in clients and collect new bootstrap nodes you get via bootstrap (a la Kad).
It won't compromise communication (because of encryption), but your contacts may become unavailable.
Well, it's all about imperfectness of real internet connection. In IPv6 no NAT world we could just use direct UDP connection without kludges like supernodes. |
They claim a lot of things, none of them seem to have any backing. Anyway, going to unsubscribe from the issue, I don't want to be seen as involved with the project. I honestly doubt you'll get any kind of real response which is a shame considering that you seem to have put in a fair amount of time into investigating it. |
|
Tox is distributed. Bootstrapping is necessary in every distributed network, in Tox you can bootstrap from anyone already in the Tox network, you don't have to use the nodes. Toxcore has a setting to enable hosting of TCP relays so any client can host them if they want which makes it distributed. The usernames are actually something on top of toxcore, toxcore uses tox ids. The username thing is just a URL shortener for ids and isn't in toxcore. Offline messaging is also an optional thing that you won't need to use. Toxcore is distributed but the username thing and offline messaging is decentralized. |
|
@irungentoo Next you say that anyone can be a TCP relay. Again, that's not true decentralization, because by default not everyone is a relay, so a few nodes are more powerful, the few that relay TCP messages and may collect metadata. So the usernames through DNS thing isn't part of toxcore? But I see lots of people promoting it, even tox developers. Do you have no ambition to come up with a real decentralized method to deal with usernames? DNS is really insecure and far from being decentralized. It's just a server point of failure. Offline message will be optional? Good, because they aren't decentralized. But will the users know about this? Will they be aware of the risks of using offline messaging? Or will it be a little checkbox on the clients without any warning? Will it be off by default? These are all very important details. In the end, the argument from you is basically "the things that aren't decentralized are optional" and that's fine. But the Tox Foundation should then either make all of it disabled by default and provide a message telling users about the risks of enabling those non-fully-decentralized services or stop advertising Tox as something it isn't (fully decentralized / distributed). |
|
@hsimons First look up what distributed and decentralized mean. Federated systems (the offline messaging, usernames) are decentralized but not distributed. The reason not everyone is a TCP relay is that not everyone should and wants to relay traffic. Yes, if a real distributed solution for usernames/etc... that works and fits well is created we will use it. The other issues are client issues. I can't control what clients do or how they expose toxcore or other functionality. The only client I have a say in is uTox. |
|
So don't you agree nobody on a mobile connection is actually using a distributed network? They are sending their messages through a few TCP relays, that isn't even close to being decentralized. These TCP relays are supernodes. Good to hear you plan to ditch the DNS solution for usernames, a real distributed method is needed. In the meantime, it would be good to at least warn users that websites like http://toxme.se and http://tox.party aren't secure. I understand you can't control what clients do, but you are the leader of the Tox Foundation and owner of the tox website where you distribute binaries of the clients. You have to take responsibility then. Maybe put a warning telling users about how a client uses a third-party functionality that isn't actually distributed, like built-in DNS for usernames, federated, offline messaging, default traffic going through TCP relays like all mobile clients, etc. Because when people go to http://tox.im or http://tox.chat they read that Tox is completely distributed, but when they download a client, that's not true. What do you propose as a solution? Maybe take out the claim that Tox is completely distributed? Or only offer clients that actually are? Mobile clients like Antox are far from being distributed and some desktop clients too. |
|
I was surprised to learn reading this that some of the clients I use every day are effectively sidestepping Tox philosophy (TCP relays, etc). If there had been a message on the wiki saying "warning: uses a proxy relay", or "warning: associates your username with your Tox ID out on the internet somewhere" then I wouldn't have downloaded them, but their being promoted on the official wiki of the website that says Tox is decentralized led me to believe they were "safe" to use. Although these are not your projects, your unabashed promotion of them has caused me to feel cheated and lied to. I would seriously consider implementing warnings at least, and ideally some type of "toxcore verified" badge for clients to apply for that requires them to not use any of these "insecure" practices. |
|
I believe almost everyone, if not everyone, feels the same as @suchipi. I bet it wasn't an evil intent of the Tox Foundation, but right now the website is very misleading and users are at risk. Tox must stop advertising itself as fully distributed and start warning users about the points of failure on each client, separately. Who is in charge of the website? Could you forward the community's concerns to them @irungentoo ? This is a critical issue that should be resolved ASAP. Tell me if I, @suchipi or anyone else can help in any way. Let's just not keep lying to users (even if not on purpose). |
|
I have voiced my concerns about supernodes being used for TCP relaying before and was told that it's just not desirable for most normal clients to participate in that because of their poor average connections. However, like @irungentoo said, it's up to the client developer to enable TCP relaying in their client, perhaps with some sort of automatic connection rating system. We have to talk to client developers like @tux3 about that. I also agree that the perils of toxdns should be mentioned in clients and on the sites themselves. This is harmless and would make the community feel acknowledged and involved. Bootstrap nodes are a requirement for first-time joining, but after that your client bootstraps off of saved normal peers if it's at all possible. Thanks for researching independently and calmly voicing your opinions, @hsimons. |
|
About the usernames |
|
Here's the biggest thing you're missing about Tox.
When it's done it should be at least decentralized, if not distributed. |
Please don't lie. TCP relays cannot impersonate/tamper/do anything with your messages. Mobile clients will continue to use TCP relays by default (note that Antox allows you to disable the use of these relays in the settings), as p2p is not viable due to battery life/data usage issues. Until these issues are solved mobile clients will not be "fully decentralised". If this is a major concern for you then I encourage you to turn on UDP mode, or if this is not acceptable cease using Tox on mobile entirely as I doubt this behaviour is going to change any time soon. |
That's fine, no problem at all. But it isn't finished yet and not fully decentralized. But the website claims it is and users are made to believe it is. And this isn't fine. @subliun |
|
@hsimons I just happened to come across this: https://github.com/hsimons/fasttt/commits/master
https://github.com/tickelton/ghdecoy
|
|
@ameenross This ad hominem you are doing doesn't help anyone. |
|
I'm calling out a troll. The fact that you're asking me to remove my comment just proves it. You instantly removed the repo after I posted my comment!
Whatever. I actually wrote that in my comment, plus a link. So you pretending not to know what it is just fails completely.
I asked you first! |
How does it prove anything? We all know this is emailed to everyone, the message is out there. But at least removing from the issue tracker would help make it less polluted for those that don't read github through emails but use this web interface. Whatever, it's no use talking to you.
Please, stop posting off-topic messages on a serious technical discussion. |
|
@hsimons if you consider 5 minutes ago when you got called out "some time ago", then yes, you did delete it some time ago. If you want to have a serious technical discussion I'd start by telling the truth. |
|
Troll trying to make me out to be a troll.
Lol, yup. It says that in the linky right there.
Yeah, less than 20 minutes before this comment. It was accessible when I posted my comment. Stop pretending to be ignorant. |
|
Let's get back on the technical discussion then. Stop investigating people's Github and start paying attention to the actual issues they raise. Yes, it is a concern for me that when an unaware user reads that Tox is completely decentralized but when he downloads, for example, the mobile client Antox it uses exclusively TCP relays by default, which are basically supernodes. And the only way to disable this is going to the configurations menu and turning on "UDP mode". How many users will really know about this? There is no warning anywhere. Most don't even know how Tox implements TCP relays vs. UDP connections. It's simply unethical to advertise Tox as completely decentralized and offer clients that are semi-decentralized. |
|
Get lost @hsimons For the record, I have got absolutely nothing to do with the Tox project at large, as evidenced by my account. I'm just seriously sick and tired of seeing trolls like you in my GH notification center, wasting my time and mental space. You, OTOH, have NO track record to speak of at all on GH, except that you tried faking it with ghdecoy. You have the guts to call yourself an "independent researcher" but have nothing to show for. You also claim this to be a technical discussion, while a mere 10 minutes after creating this issue you posted over at #1397, proving that it's not really a technical discussion in the least bit. You're trolling, period. |
|
"How many users will really know about this? There is no warning anywhere." This "technical discussion" is not going to go anywhere. |
some bugs != tox actually not being decentralized as advertised Users need to know using mobile clients isn't a distributed solution (TCP relays - supernodes) and DNS usernames. Also, irungentoo said offline messaging will be optional since it isn't distributed, but federated. |
|
@ameenross Have you forgotten the main rule about trolls? Either don't feed or do feed carefully. In both cases you shouldn't be hostile.
Just press the “Unsubscribe” button.
Don't play with words please: even with supernodes Tox is decentralized. It may be not completely distributed in some cases, but even then it preserves a pretty high level of decentralization.
Decentralized vs distributed doesn't affect security at all, it actually affects reliability. |
|
@suhr I'd have to press the unsubscribe button on dozens of issues. Not a hobby I'd be very fond of. But thanks for the advice. |
|
Guys guys, you can just go to their profile and click the exclamation mark button at the top right, then 'Report abuse'. |
|
Already did |
|
@suhr And that's only about TCP relays, there's still issues with DNS usernames, offline messaging, bootstrap, etc. But let's do one thing at a time. |
No, nice fallacy though.
Please stop linking to tox.im, it has nothing to do with the Tox Project. |
Could you please explain why? I understood by my investigation that mobile clients use TCP relays (supernodes) instead of UDP connections. Is this not true?
I wasn't aware http://tox.im wasn't affiliated to the Tox project. I thought that was the website advertised on the first time I read about Tox on HackerNews. Am I mistaken? |
If you don't know the answer to this, your comments do not belong on the issue tracker. Either do the research or ask those basic questions in a more appropriate forum. |
|
@JasonLocklin So, my ISP knows all this stuff? Who are my friends on Tox, who I send messages to, for how long we are connected, etc.? I think many users don't know about this and should be warned. |
|
Reddit and IRC are excellent places to ask basic questions like that. The wiki does explain it, but it's understandable if it's not clear enough yet. |
You were saying that 'everyone' using a mobile client has their messages relayed through a few TCP relays. This is clearly not true as there is an option to disable TCP only mode, which makes toxcore prefer UDP connections. I, for one, have that option enabled.
Yes, it was the official website initially but you're well aware of what happened with the whole stqism situation, tox.im is not affiliated with the Tox Project anymore so there is no reason to link to it. I'd still like you to point me to the place where you found that 'Tox is completely distributed without any centralization' on the tox.chat homepage though :) |
|
@hsimons You can only claim what you personally, you cannot assume to claim what "many users" know. The best warning is that this is very early software. It is not finished. So use at your own risk. (They say this anyways) |
I'm sorry, but barely anyone (save for very tech-savvy people) will be aware of this. ---- Choose your communication mode ----
About tox.chat and tox.im, I didn't know stqism was involved and tox.im was his. I knew he was the leader of the Tox Foundation, but not that he owned the website too. Sorry for the confusion. |
Yes there should be a note Tox is not anonymous. Though you can run Tox over Tor.
Yes, this is the registration site job.
Volunteers are welcome. |
|
@suhr ---- Choose your communication mode ----
And then Tox takes care of enabling Tor or not depending on the user choice. |
|
@hsimons However, this proves that the point you're trying to make in the OP is completely invalid. Also, the fact that you keep avoiding my question tells me you didn't start this discussion in the best interest of our users at all. Instead, you're scaring potential contributors away by making invalid claims and spamming their inboxes. |
But offline messaging is a toxcore feature, TCP relays too, etc.
Yes, but it isn't user friendly. The average joe won't think: "there are so few bootstrap nodes, better use some other ones". No, they will just download and use Tox. It needs to be more clear.
What question? Ask it again and I'll give an answer, I probably missed it. Sorry for the misunderstanding.
I made the claims as I understood them from the source code, that's not really well documented and readable, so there can be some confusions. But besides the bootstrapping, all my other points remain valid, no? I mean, TCP relays aren't fully distributed, offline messaging being implemented by DrakeFish also isn't, DNS usernames aren't either, etc. It all remains valid as far as I understand. |
Nice cherry picking. Bringing pieces of sentences out of context is not going to help you.
Also not a toxcore issue.
"Also, can you point me to the place on the tox.chat homepage that says that Tox is 'completely distributed without any centralization'? I can't find it."
Yes, you raise some valid concerns but that doesn't take away the fact that some of your claims are invalid and appear to be meant to scare people away instead of trying to help the community. |
Not cherry picking at all, those are main features of Tox. Offline messaging for example has been awaited for months and TCP relaying is the core of tox communications together with UDP.
Good point, this is an issue with the clients. But in the end the clients are approved by the Tox Foundation (irungentoo and others) and pushed into the websites, so they are kind of in agreement with those clients. My proposal, as soon as the user opens a Tox client, he is prompted with the following option:
If he chooses privacy, Tox uses only UDP without resorting to super-nodes (TCP relays), disables the offline messaging (which isn't distributed) and routes all traffic through Tor. All this is currently obfuscated to the end-user and Tox by default uses the "better performance - less privacy" mode.
I already answered that, maybe you missed it?
Thank you. Let's hope we can further discuss all this and get to a good solution.
The only (partially) invalid claim I had so far was about bootstrap. But it doesn't help that toxcore source code has no documentation and is barely readable. Maybe it should be refactored to be less of a mess, but I know time is limited and irungentoo can't do it.
That's absolutely not my intention, sorry if that's how you are facing this. |
|
@hsimons Here's your reply. |
|
I don't like to feed the trolls which you obviously are given that you keep jumping topics and restarting your first and already refuted points. But I do want to redirect and mention that
No, it doesn't! If anything it needs to be more abstracted. If you care about security, you'll look into it and make decisions off of that. If you don't really care all that much about security, you're our target user. We're trying to replace Skype with something safer and better. We're not going to get grandma who wants to video chat her grand-kids by asking her if she wants to trust our bootstrapping nodes... That's going to make her ask her kids if they could just re-install Skype. I'd encourage every other developer that got tagged, if you even make it down this far to keep the discussion on topic, replacing Skype! @irungentoo close and lock this if you would? Before it wastes more time. @hsimons If you have real valid concerns, stop tagging devs and pulling them away from actual code... And open a separate issue for each problem you have... |
|
Your claims about TCP relays are invalid. Any client can serve as a TCP relay. The client developers must enable this. Furthermore you claimed TCP relays can manipulate messages. This is wrong. Your claims about bootstrapping are invalid. Everyone in the network is a bootstrap node. The supernodes are only used for first-time bootstrapping. After that you bootstrap off of saved normal peers. Your claims about offline messaging are semi-valid. It would be better to use some sort of distributed message store instead of supernodes. You should investigate this instead of really obviously failing to spread FUD on github and detracting from real work. You have been corrected over and over and you consistently ignore corrections, point-dodge, and misconstrue obvious language. It is futile to engage you any longer. |
Keyword here is "can". By default they don't and the target of Tox (average joes) won't ever enable that, which ends in a very very tiny percentage of nodes actually being TCP relays, making them super-nodes with more power than they should have.
But there's only a few of those, around half a dozen people control all these first-time bootstrap nodes. Don't you agree there should be more, to make it a little bit more decentralized?
Thanks for understanding.
Count me in! Reading some papers right now, I'll report back if I find something and post possible solutions here on this issue (would be good if @irungentoo reopened it, nothing's solved yet)
Sorry if that's what you think, but these are true concerns I have and I wasn't given much explanation about them, irungentoo continues silent. You and others helped a bit, and we continue the discussion which is a good thing. Let's keep this going, good for everyone. |
|
Take a couple very valid concerns and wrap it in a giant pile of bullshit and lies, as you've done here, and you've effectively convinced everyone to ignore those valid concerns along with the rest of your trolling, thus retarding later attempts at real constructive criticism related to said valid concerns. I call it the Alex Jones effect. I sincerely hope that no one in the Tox community disregards the importance of maintaining a truly distributed network on account of this troll. |
|
I am a friend of Harry (hsimons). hsimons was banned from this repository without any reason while he was discussing the issues.
I don't really understand much of all this talk, I'm a highschool teacher, not a computer guy, but Harry is a great person and I think you should unban him. Thanks. |
It isn't censorship, they're just showing you the door. |
|
great, so the stupid trolling still is going on. I thought it was over weeks ago. |
|
I've recently started running Tox inside of a mesh network - the Freedombone mesh - and so I can confirm that it can be deployed in a completely distributed manner (each peer is also a bootstrap node). Peers can add all others to their DHTnodes list, or if the network was very large they could use a random sample and still have a good chance of being able to easily connect to other Tox IDs. |
|
I love TOX, also donated 150$ for irungentoo to keep working on it this month. Saying that, I think people raise good questions, and I think people use the service/protocol for many different reasons, and right or wrong, the fact is the most detailed information we can put on the website so people can decide if TOX will work for them in the ways they think without having to go to a dictionary will help on the freeness and openness of the project towards the whole world. I do infosec and yes I do know that secure and decentralized are not the same, even security and privacy are also opposite in some cases, so the more we stay out of "single" words to attract users the better. After all this is not a company creating marketing to make $$, so may as well forget if it sounds simple or not, and let's populate the site with direct exact definitions. Just my 2 cents (btw I do agree that some people were spamming and trolling, not defending those actions, just the good questions that were buried in between). Keep up the good work everyone! |
That's something to think about, but if we automatically promote some clients to TCP relays, we still need a way to advertise those relays to other clients. I'm not sure how to do that without more centralization.
We could add some sort of privacy / convenience slider in the settings, it would certainly be more user friendly than the mess of cryptically named checkboxes we currently have. As far as I know, how to build a secure P2P network is still an open research question. Completely decentralized networks have trouble with Sybil attacks and centralized ones have obvious points of failure. Shipping a Tor client with qTox is something I have half a mind to try. The Tor design is vastly superior to what we have, it does generate trust from centralization (the various authorities), but in practice it's incredibly well studied and effective at anonymization. |
|
Due to end-to-end encryption, those "supernodes" cannot spy on the user very much. Not so the metadata (who chats with whom, how long, how often, from where, at what time, how much data is transferred, ...). But still they do not know any more than your ISP and your contact's ISP would also know. The only remaining issue is then just reliability. |
|
The whole thread is almost all madness. I am now full of regrets; should've done something better with my time. |
I have studied what I could of the Tox protocol (which isn't easy because there is no documentation and the code isn't really readable since it grew without planning) but I believe I got a good enough understanding of it. And it made me worried. My eyebrows are raised.
TCP connection
All mobile clients enforce TCP connections instead of UDP. However, the toxcore implementation of this isn't distributed, it uses supernodes to route the messages.
Offline messaging
DrakeFish has been working on offline messaging that will soon be merged. But his approach doesn't store and route offline messages in a decentralized fashion. Specially chosen nodes are the ones to store the messages. Again, the idea of supernodes just like on the TCP connection problem. This isn't true decentralization. And there is even a problem with metadata collection here, because the supernode storing the messages know the sender and the recipient of the message.
Usernames
Usernames are created through websites like http://toxme.se which uses Domain Name System (DNS) to do it. A huge point of failure. First, people have to trust the owner of the server not to be malicious, then they have to trust the security is good enough so the NSA won't tamper with it, then that no information will be sold to third-parties, MiTM, etc. It simply defeats the purpose of a decentralized service if all usernames are held by a server like this.
Bootstrapping
To connect to the Tox network you must bootstrap through a very limited number of nodes, again causing problems with trust. What if malicious nodes sent you to an alternate network? A more decentralized solution is needed, that doesn't rely on half a dozen of nodes (defeating the purpose of true distribution).
I think the main idea here is the following: tox is distributed as a concept, but everything built on top of it isn't actually distributed or decentralized. There are lots of points of failure and Tox is a pseudo-decentralized software. It's a step above full centralization, but a tiny step.
I believe the Tox website http://tox.im and all other advertising done by the Tox Foundation should address this issue by stop claiming that Tox is distributed or decentralized, because it's far from it. At most, you can claim it is Federated.
These issues have been brought by others in the past, especially @Fuuzetsu called out on many issues of privacy and security of Tox but never was properly addressed by @irungentoo who is the leader of the project.
This is my opinion as an independent researcher and I hope we can have a good discussion over it.
Cheers.