Is Tox really as decentralized as the developers claim? #1398
Please note that our official website is tox.chat.
You do raise excellent points however.
If I recall correctly, bootstrapping can actually be done through any Tox node (including other clients). The bootstrap nodes are merely provided to client developers for ease of joining the primary network. I'm not sure if client devs allow end users to specify exactly what nodes to bootstrap off, but the ability should be there (and used to be on toxic from what I recall).
The usernames situation is a hard one to solve properly in a decentralized system, and only things like namecoin etc. have really done it in a proper fashion. The one offered by tox.party and others is merely a stopgap, for users who are not comfortable with only sharing Tox IDs.
Supernodes are a tradeoff in design that sidestep some of the harder issues with decentralization. I think it's an okay tradeoff to make personally, but I'm sure others will have their own opinions.
Bootstrapping
You can't build a distributed network without bootstrapping; it is technically impossible. The only thing we can do is to make the list of bootstrap nodes changeable in clients and collect new bootstrap nodes you get via bootstrap (a la Kad).
What if malicious nodes sent you to an alternate network?
It won't compromise communication (because of encryption), but your contacts may become unavailable.
TCP connection
Well, it's all about the imperfectness of real internet connections. In an IPv6, no-NAT world we could just use direct UDP connections without kludges like supernodes.
should address this issue by stop claiming that Tox is distributed or decentralized
They claim a lot of things, none of them seem to have any backing. Anyway, going to unsubscribe from the issue, I don't want to be seen as involved with the project. I honestly doubt you'll get any kind of real response which is a shame considering that you seem to have put in a fair amount of time into investigating it.
Tox is distributed. Bootstrapping is necessary in every distributed network, in Tox you can bootstrap from anyone already in the Tox network, you don't have to use the nodes.
Toxcore has a setting to enable hosting of TCP relays so any client can host them if they want which makes it distributed.
The usernames are actually something on top of toxcore, toxcore uses tox ids. The username thing is just a URL shortener for ids and isn't in toxcore.
Offline messaging is also an optional thing that you won't need to use.
Toxcore is distributed but the username thing and offline messaging is decentralized.
@irungentoo
So bootstrapping can be done using any node you want and an unlimited amount of nodes? That's a start, but currently there's half a dozen nodes only by default, all members of the Tox Foundation. That's not really what I'd call decentralization.
Next you say that anyone can be a TCP relay. Again, that's not true decentralization, because by default not everyone is a relay, so a few nodes are more powerful, the few that relay TCP messages and may collect metadata.
So the usernames through DNS thing isn't part of toxcore? But I see lots of people promoting it, even tox developers. Do you have no ambition to come up with a real decentralized method to deal with usernames? DNS is really insecure and far from being decentralized. It's just a server point of failure.
Offline message will be optional? Good, because they aren't decentralized. But will the users know about this? Will they be aware of the risks of using offline messaging? Or will it be a little checkbox on the clients without any warning? Will it be off by default? These are all very important details.
In the end, the argument from you is basically "the things that aren't decentralized are optional" and that's fine. But the Tox Foundation should then either make all of it disabled by default and provide a message telling users about the risks of enabling those non-fully-decentralized services or stop advertising Tox as something it isn't (fully decentralized / distributed).
@hsimons First look up what distributed and decentralized mean. Federated systems (the offline messaging, usernames) are decentralized but not distributed.
The reason not everyone is a TCP relay is that not everyone should and wants to relay traffic.
Yes, if a real distributed solution for usernames/etc... that works and fits well is created we will use it.
The other issues are client issues. I can't control what clients do or how they expose toxcore or other functionality. The only client I have a say in is uTox.
So don't you agree nobody on a mobile connection is actually using a distributed network? They are sending their messages through a few TCP relays, that isn't even close to being decentralized. These TCP relays are supernodes.
Good to hear you plan to ditch the DNS solution for usernames, a real distributed method is needed. In the meantime, it would be good to at least warn users that websites like http://toxme.se and http://tox.party aren't secure.
I understand you can't control what clients do, but you are the leader of the Tox Foundation and owner of the tox website where you distribute binaries of the clients. You have to take responsibility then. Maybe put a warning telling users about how a client uses a third-party functionality that isn't actually distributed, like built-in DNS for usernames, federated, offline messaging, default traffic going through TCP relays like all mobile clients, etc.
Because when people go to http://tox.im or http://tox.chat they read that Tox is completely distributed, but when they download a client, that's not true. What do you propose as a solution? Maybe take out the claim that Tox is completely distributed? Or only offer clients that actually are? Mobile clients like Antox are far from being distributed and some desktop clients too.
I was surprised to learn reading this that some of the clients I use every day are effectively sidestepping Tox philosophy (TCP relays, etc). If there had been a message on the wiki saying "warning: uses a proxy relay", or "warning: associates your username with your Tox ID out on the internet somewhere" then I wouldn't have downloaded them, but their being promoted on the official wiki of the website that says Tox is decentralized led me to believe they were "safe" to use. Although these are not your projects, your unabashed promotion of them has caused me to feel cheated and lied to.
I would seriously consider implementing warnings at least, and ideally some type of "toxcore verified" badge for clients to apply for that requires them to not use any of these "insecure" practices.
I believe almost everyone, if not everyone, feels the same as @suchipi
When you go to http://tox.im or http://tox.chat you read that Tox is completely distributed without any centralization, so you think "great!", click "download" and start using it. But in reality, most clients aren't actually fully decentralized? That's a huge issue! For a start, all mobile clients use TCP relays, so they are effectively not fully decentralized (the supernodes can see who is messaging who, for how long, recipient/sender, etc.) and can also tamper messages without proper authentication. Then there are desktop clients using insecure DNS for usernames, based on a central server like http://toxme.se or http://tox.party, because there is no implementation of a fully decentralized username solution. And the bootstrap nodes? It's just half a dozen of them, that's nowhere near enough to claim decentralization.
I bet it wasn't an evil intent of the Tox Foundation, but right now the website is very misleading and users are at risk. Tox must stop advertising itself as fully distributed and start warning users about the points of failures on each client, separately.
Who is in charge of the website? Could you forward the community's concerns to them @irungentoo ? This is a critical issue that should be resolved ASAP. Tell me if I, @suchipi or anyone else can help in any way. Let's just not keep lying to users (even if not on purpose).
I have voiced my concerns about supernodes being used for TCP relaying before and was told that it's just not desirable for most normal clients to participate in that because of their poor average connections. However, like @irungentoo said, it's up to the client developer to enable TCP relaying in their client, perhaps with some sort of automatic connection rating system. We have to talk to client developers like @tux3 about that.
I also agree that the perils of toxdns should be mentioned in clients and on the sites themselves. This is harmless and would make the community feel acknowledged and involved.
Bootstrap nodes are a requirement for first-time joining, but after that your client bootstraps off of saved normal peers if it's at all possible.
Thanks for researching independently and calmly voicing your opinions, @hsimons.
About the usernames
There has been some discussion on how to best find other users without resorting to using toxids.
Here's the biggest thing you're missing about Tox.
- It's not done yet.
When it's done it should be at least decentralized, if not distributed.
can also tamper messages without proper authentication.
Please don't lie. TCP relays cannot impersonate/tamper/do anything with your messages.
Mobile clients will continue to use TCP relays by default (note that Antox allows you to disable the use of these relays in the settings), as p2p is not viable due to battery life/data usage issues. Until these issues are solved mobile clients will not be "fully decentralised". If this is a major concern for you then I encourage you to turn on UDP mode, or if this is not acceptable cease using Tox on mobile entirely as I doubt this behaviour is going to change any time soon.
When it's done it should be at least decentralized, if not distributed.
That's fine, no problem at all. But it isn't finished yet and not fully decentralized. But the website claims it is and users are made to believe it is. And this isn't fine.
There should be a warning on the website telling users that Tox is still not finished and many features are semi-centralized workarounds for the moment, until they are properly implemented.
But right now the website says Tox is completely distributed, but gives download links to clients that are only partially decentralized, due to usernames using DNS, mobile clients using TCP relays (supernodes), offline messages being federated and using supernodes too, etc.
@subliun
Yes, it is a concern for me that when an unaware user reads that Tox is completely decentralized but when he downloads, for example, the mobile client Antox it uses exclusively TCP relays by default, which are basically supernodes. And the only way to disable this is going to the configurations menu and turning on "UDP mode". How many users will really know about this? There is no warning anywhere. Most don't even know how Tox implements TCP relays vs. UDP connections. It's simply unethical to advertise Tox as completely decentralized and offer clients that are semi-decentralized.
Maybe this happens because Tox isn't finished? Fine, but at least warn users. This is their security and privacy being put to risk, don't just ignore it. I'm sure you also understand how this is a big concern of the community.
@hsimons I just happened to come across this: https://github.com/hsimons/fasttt/commits/master
ghdecoy Billy authored 24 days ago
https://github.com/tickelton/ghdecoy
ghdecoy allows you to create a git repository containing commits crafted in a way so that when it is pushed to github periods in the contribution calendar containing no commits will be filled with a random pattern so your account looks sufficiently active.
@ameenross
First, that was an old repository I had, if you check it out it doesn't even exist anymore.
And what are you even implying? What is ghdecoy?
If you doubt my account, just see when it was created: Oct 7, 2010. Now get lost.
This ad hominem you are doing doesn't help anyone.
How about we stop pointing fingers and discuss the real issues with Tox claiming to be fully decentralized/distributed when it isn't?
I ask you to delete your off-topic message and I will delete mine, let's not pollute the issue tracker, but keep only relevant comments here.
I'm calling out a troll. The fact that you're asking me to remove my comment just proves it. You instantly removed the repo after I posted my comment!
What is ghdecoy?
Whatever. I actually wrote that in my comment, plus a link. So you pretending not to know what it is just fails completely.
let's not pollute the issue tracker
I asked you first!
The fact that you're asking me to remove my comment just proves it
How does it prove anything? We all know this is emailed to everyone, the message is out there. But at least removing from the issue tracker would help make it less polluted for those that don't read github through emails but use this web interface. Whatever, it's no use talking to you.
You instantly removed the repo after I posted my comment
What repo? fasttt? I removed it some time ago. Why are you even talking about my repository? What does that have to do with anything? Are you purposefully trying to cause a flamewar and take our attention away from the real issues concerning centralization of tox? Or just trolling?
Please, stop posting off-topic messages on a serious technical discussion.
@hsimons if you consider 5 minutes ago when you got called out "some time ago", then yes, you did delete it some time ago. If you want to have a serious technical discussion I'd start by telling the truth.
Troll trying to make me out to be a troll.
What repo? fasttt?
Lol, yup. It says that in the linky right there.
I removed it some time ago.
Yeah, less than 20 minutes before this comment. It was accessible when I posted my comment. Stop pretending to be ignorant.
Let's get back on the technical discussion then. Stop investigating people's Github and start paying attention to the actual issues they raise.
Yes, it is a concern for me that when an unaware user reads that Tox is completely decentralized but when he downloads, for example, the mobile client Antox it uses exclusively TCP relays by default, which are basically supernodes. And the only way to disable this is going to the configurations menu and turning on "UDP mode". How many users will really know about this? There is no warning anywhere. Most don't even know how Tox implements TCP relays vs. UDP connections. It's simply unethical to advertise Tox as completely decentralized and offer clients that are semi-decentralized.
Maybe this happens because Tox isn't finished? Fine, but at least warn users. This is their security and privacy being put to risk, don't just ignore it. I'm sure you also understand how this is a big concern of the community.
Get lost @hsimons
For the record, I have got absolutely nothing to do with the Tox project at large, as evidenced by my account. I'm just seriously sick and tired of seeing trolls like you in my GH notification center, wasting my time and mental space.
You, OTOH, have NO track record to speak of at all on GH, except that you tried faking it with ghdecoy. You have the guts to call yourself an "independent researcher" but have nothing to show for it.
You also claim this to be a technical discussion, while a mere 10 minutes after creating this issue you posted over at #1397, proving that it's not really a technical discussion in the least bit. You're trolling, period.
"How many users will really know about this? There is no warning anywhere."
Besides this warning?
*Note: Tox is still under heavy development — expect to run into some bugs.*
This "technical discussion" is not going to go anywhere.
*Note: Tox is still under heavy development — expect to run into some bugs.*
some bugs != tox actually not being decentralized as advertised
Users need to know using mobile clients isn't a distributed solution (TCP relays - supernodes) and DNS usernames.
And the same goes for most desktop clients.
Also, irungentoo said offline messaging will be optional since it isn't distributed, but federated.
"Offline messaging is also an optional thing that you won't need to use." irungentoo.
That's nice, but the big questions remain.
Will it be off by default? Will Tox warn you when you turn it on that it isn't a distributed service?
This is all very important, the user must know turning on a certain feature makes him less secure. Otherwise Tox is blatantly unethical and falsely advertising itself as distributed when it isn't.
Of course, maybe irungentoo will take the responsible choice and add all the necessary warnings, plus making all non-decentralized services off by default.
Let's see his stand on this.
@ameenross Have you forgotten the main rule about trolls? Either don't feed or do feed carefully. In both cases you shouldn't be hostile.
I'm just seriously sick and tired of seeing trolls like you in my GH notification center, wasting my time and mental space.
Just press the “Unsubscribe” button.
tox being actually not being decentralized as the Tox Foundation claims
Don't play with words please: even with supernodes Tox is decentralized. It may be not completely distributed in some cases, but even then it preserves a pretty high level of decentralization.
This is all very important, the user must know turning on a certain feature makes him less secure.
Decentralized vs distributed doesn't affect security at all, it actually affects reliability.
@suhr I'd have to press the unsubscribe button on dozens of issues. Not a hobby I'd be very fond of. But thanks for the advice.
Guys guys, you can just go to their profile and click the exclamation mark button at the top right, then 'Report abuse'.
@suhr
Everyone using a mobile client has their messages relayed through a few TCP relays (supernodes). These supernodes know who is sending a message and who is receiving, the amount of messages sent, their length, etc.
This is a true issue, because people using Tox are made to believe their messages go straight to the recipient, but they actually are not on mobile clients. The supernodes act basically as servers and it's even worse that there are only a few of them.
And that's only about TCP relays, there's still issues with DNS usernames, offline messaging, bootstrap, etc. But let's do one thing at a time.
So, for a start, could we get a warning on the Tox website that mobile clients are partially centralized?
I'd have to press the unsubscribe button on dozens of issues
Could you please press the button at least on this one or at least stop derailing the thread? The community would be really thankful.
Again, I urge everyone to keep this focused on technical comments, no off-posting.
Now, back to what matters:
I believe almost everyone, if not everyone, feels the same as @suchipi
When you go to http://tox.im or http://tox.chat you read that Tox is completely distributed without any centralization, so you think "great!", click "download" and start using it. But in reality, most clients aren't actually fully decentralized? That's a huge issue! For a start, all mobile clients use TCP relays, so they are effectively not fully decentralized (the supernodes can see who is messaging who, for how long, recipient/sender, etc.) and can also tamper messages without proper authentication. Then there are desktop clients using insecure DNS for usernames, based on a central server like http://toxme.se or http://tox.party, because there is no implementation of a fully decentralized username solution. And the bootstrap nodes? It's just half a dozen of them, that's nowhere near enough to claim decentralization.
I bet it wasn't an evil intent of the Tox Foundation, but right now the website is very misleading and users are at risk. Tox must stop advertising itself as fully distributed and start warning users about the points of failures on each client, separately.
Who is in charge of the website? Could you forward the community's concerns to them @irungentoo ? This is a critical issue that should be resolved ASAP. Tell me if I, @suchipi or anyone else can help in any way. Let's just not keep lying to users (even if not on purpose).
These supernodes know who is sending a message and who is receiving, the amount of messages sent, their length, etc.
The problem is your web provider knows the same. Tox is not anonymous and never claimed to be so.
And that's only about TCP relays, there's still issues with DNS usernames, offline messaging, bootstrap, etc. But let's do one thing at a time.
I don't enjoy the DNS usernames solution, but it is fully optional, actually clients don't even mention its existence. And bootstrap is a thing any distributed network has.
The problem is your web provider knows the same. Tox is not anonymous and never claimed to be so.
Wait, my ISP knows all this stuff? Who are my friends on Tox, who I send messages to, for how long we are connected, etc.?
I wasn't aware of this and I'm sure many other people also weren't!
This also needs to be addressed. Maybe a little warning saying that Tox isn't anonymous?
I don't enjoy the DNS usernames solution, but it is fully optional
And it's awesome that it's optional. But those giving the option to use it should let users know about the risks.
And bootstrap is a thing any distributed network has.
But the issue is that clients only bootstrap to half a dozen nodes that all are held by the Tox Foundation. It needs many more nodes by default.
Everyone using a mobile client has their messages relayed through a few TCP relays (supernodes)
No, nice fallacy though.
When you go to http://tox.im or http://tox.chat you read that Tox is completely distributed without any centralization, so you think "great!", click "download" and start using it. But in reality, most clients aren't actually fully decentralized?
Please stop linking to tox.im, it has nothing to do with the Tox Project.
Also, can you point me to the place on the tox.chat homepage that says that Tox is 'completely distributed without any centralization'? I can't find it.
No
Could you please explain why? I understood by my investigation that mobile clients use TCP relays (supernodes) instead of UDP connections. Is this not true?
Please stop linking to tox.im, it has nothing to do with the Tox Project.
I wasn't aware http://tox.im wasn't affiliated to the Tox project. I thought that was the website advertised on the first time I read about Tox on HackerNews. Am I mistaken?
Wait, my ISP knows all this stuff? Who are my friends on Tox, who I send messages to, for how long we are connected, etc.?
If you don't know the answer to this, your comments do not belong on the issue tracker. Either do the research or ask those basic questions in a more appropriate forum.
@JasonLocklin
Sorry for the noob question, as I said I didn't fully investigate the source code of Tox because of the lack of readability and documentation, but I assumed it protected all my information, because that's what it led me to believe on the website and other advertisement threads over HackerNews and Reddit.
So, my ISP knows all this stuff? Who are my friends on Tox, who I send messages to, for how long we are connected, etc.? I think many users don't know about this and should be warned.
Reddit and IRC are excellent places to ask basic questions like that. The wiki does explain it, but it's understandable if it's not clear enough yet.
Could you please explain why? I understood by my investigation that mobile clients use TCP relays (supernodes) instead of UDP connections. Is this not true?
You were saying that 'everyone' using a mobile client has their messages relayed through a few TCP relays. This is clearly not true as there is an option to disable TCP only mode, which makes toxcore prefer UDP connections. I, for one, have that option enabled.
I wasn't aware http://tox.im wasn't affiliated to the Tox project. I thought that was the website advertised on the first time I read about Tox on HackerNews. Am I mistaken?
Yes, it was the official website initially but you're well aware of what happened with the whole stqism situation, tox.im is not affiliated with the Tox Project anymore so there is no reason to link to it.
I'd still like you to point me to the place where you found that 'Tox is completely distributed without any centralization' on the tox.chat homepage though :)
@hsimons You can only claim what you personally know; you cannot assume to claim what "many users" know. The best warning is that this is very early software. It is not finished. So use at your own risk. (They say this anyways)
I don't see the need to place all these warnings in clear sight. You've been told the answers to your questions several times but repeat the questions regardless.
Take some time and read up on how tox works further but this is not the place to be walked through the workings of tox.
an option to disable TCP only mode
I'm sorry, but barely anyone (save for very tech-savvy people) will be aware of this.
They won't know TCP relays aren't fully decentralized and that UDP connection isn't.
A fine solution for this is a message when starting the mobile client:
---- Choose your communication mode ----
1) Better Performance | Less Privacy
2) Better Privacy | Less Performance
About tox.chat and tox.im, I didn't know stqism was involved and tox.im was his. I knew he was the leader of the Tox Foundation, but not that he owned the website too. Sorry for the confusion.
Simple and would make users aware of the 2 modes.
Currently it's all obfuscated in TCP, UDP and whatnot. Most users won't know what that means.
Maybe a little warning saying that Tox isn't anonymous?
Yes, there should be a note that Tox is not anonymous. Though you can run Tox over Tor.
Integration with I2P is an open issue.
But those giving the option to use it should let users know about the risks.
Yes, this is the registration site's job.
But the issue is that clients only bootstrap to half a dozen nodes that all are held by the Tox Foundation. It needs many more nodes by default.
Volunteers are welcome.
@suhr
But isn't Tox aimed at average Joes? I don't think they will know how to use Tor (or even what Tor is).
This should all be done by default.
Again, the same message could apply.
---- Choose your communication mode ----
1) Better Performance | Less Privacy
2) Better Privacy | Less Performance
And then Tox takes care of enabling Tor or not depending on the user choice.
It shouldn't just be partially centralized and not anonymous by default, with the user needing to enable UDP (and know what it is) on the config menu and to also set up Tor.
Because by default Tox is choosing the Less Privacy for everything.
@hsimons
Granted, it's a little obfuscated and should be more clear for the average user. Please create a separate issue at the repository of said mobile client, toxcore has nothing to do with this. I'm sure its maintainer would also appreciate a pull request if you're into that ;)
However, this proves that the point you're trying to make in the OP is completely invalid.
This is also the case with your 'Bootstrapping' claim. As other people have probably already told you by now, you can use any node to bootstrap into the Tox network, there is no need to use a bootstrap node for that.
Also, the fact that you keep avoiding my question tells me you didn't start this discussion in the best interest of our users at all. Instead, you're scaring potential contributors away by making invalid claims and spamming their inboxes.
toxcore has nothing to do with this
But offline messaging is a toxcore feature, TCP relays too, etc.
toxcore has many features that aren't fully distributed.
you can use any node to bootstrap into the Tox network
Yes, but it isn't user friendly. The average joe won't think: "there are so few bootstrap nodes, better use some other ones". No, they will just download and use Tox. It needs to be more clear.
the fact that you keep avoiding my question
What question? Ask it again and I'll give an answer, I probably missed it. Sorry for the misunderstanding.
making invalid claims
I made the claims as I understood them from the source code, that's not really well documented and readable, so there can be some confusions. But besides the bootstrapping, all my other points remain valid, no? I mean, TCP relays aren't fully distributed, offline messaging being implemented by DrakeFish also isn't, DNS usernames aren't either, etc. It all remains valid as far as I understand.
But offline messaging is a toxcore feature, TCP relays too, etc.
toxcore has many features that aren't fully distributed.
Nice cherry picking. Bringing pieces of sentences out of context is not going to help you.
Toxcore has nothing to do with the fact that a mobile client doesn't make a user friendly distinction between tcp-only mode and prefer-udp mode.
Yes, but it isn't user friendly. The average joe won't think: "there are so few bootstrap nodes, better use some other ones". No, they will just download and use Tox. It needs to be more clear.
Also not a toxcore issue.
What question? Ask it again and I'll give an answer, I probably missed it. Sorry for the misunderstanding.
"Also, can you point me to the place on the tox.chat homepage that says that Tox is 'completely distributed without any centralization'? I can't find it."
I made the claims as I understood them from the source code, that's not really well documented and readable, so there can be some confusions. But besides the bootstrapping, all my other points remain valid, no? I mean, TCP relays aren't fully distributed, offline messaging being implemented by DrakeFish also isn't, DNS usernames aren't either, etc. It all remains valid as far as I understand.
Yes, you raise some valid concerns but that doesn't take away the fact that some of your claims are invalid and appear to be meant to scare people away instead of trying to help the community.
Nice cherry picking
Not cherry picking at all, those are main features of Tox. Offline messaging for example has been awaited for months and TCP relaying is the core of tox communications together with UDP.
Toxcore has nothing to do with the fact that a mobile client doesn't make a user friendly distinction between tcp-only mode and prefer-udp mode
Good point, this is an issue with the clients. But in the end the clients are approved by the Tox Foundation (irungentoo and others) and pushed into the websites, so they are kind of in agreement with those clients.
Here is a list of the clients developers I could find, let's hope they read this issue and propose solutions to the current situation.
@tux3 @krepa098 @dubslow @dvor @mahkoh @subliun @stal888 @FRIGN @sonOfRa @lehitoskin @4DA @ioerror @GrayHatter @notsecure @nurupo @albel727 @tsudoko
My proposal, as soon as the user opens a Tox client, he is prompted with the following option:
---- Choose your communication mode ----
1) Better Performance | Less Privacy
2) Better Privacy | Less Performance
If he chooses privacy, Tox uses only UDP without resorting to super-nodes (TCP relays), disables offline messaging (which isn't distributed) and routes all traffic through Tor. All this is currently obfuscated to the end-user and Tox by default uses the "better performance - less privacy" mode.
"Also, can you point me to the place on the tox.chat homepage that says that Tox is 'completely distributed without any centralization'? I can't find it."
I already answered that, maybe you missed it?
I'll quote myself: "About tox.chat and tox.im, I didn't know stqism was involved and tox.im was his. I knew he was the leader of the Tox Foundation, but not that he owned the website too. Sorry for the confusion." Now I know that tox.im isn't official.
Yes, you raise some valid concerns
Thank you. Let's hope we can further discuss all this and get to a good solution.
doesn't take away the fact that some of your claims are invalid
The only (partially) invalid claim I had so far was about bootstrap. But it doesn't help that toxcore source code has no documentation and is barely readable. Maybe it should be refactored to be less of a mess, but I know time is limited and irungentoo can't do it.
appear to be meant to scare people away
That's absolutely not my intention, sorry if that's how you are facing this.
I'm simply worried about the end-users who aren't tech-savvy and use default Tox clients thinking they are completely protected, when in fact they aren't.
I just called most client developers, so let's see their ideas to fix this issue.
I don't like to feed the trolls which you obviously are given that you keep jumping topics and restarting your first and already refuted points.
But I do want to redirect and mention that
you can use any node to bootstrap into the Tox network
Yes, but it isn't user friendly. The average joe won't think: "there are so few bootstrap nodes, better use some other ones". No, they will just download and use Tox. It needs to be more clear.
No, it doesn't! If anything it needs to be more abstracted. If you care about security, you'll look into it and make decisions off of that. If you don't really care all that much about security, you're our target user.
We're trying to replace Skype with something safer and better. We're not going to get grandma who wants to video chat her grand-kids by asking her if she wants to trust our bootstrapping nodes... That's going to make her ask her kids if they could just re-install Skype.
I'd encourage every other developer that got tagged, if you even make it down this far to keep the discussion on topic, replacing Skype!
@irungentoo close and lock this if you would? Before it wastes more time.
@hsimons If you have real valid concerns, stop tagging devs and pulling them away from actual code... And open a separate issue for each problem you have...
Your claims about TCP relays are invalid.
Any client can serve as a TCP relay. The client developers must enable this. Furthermore you claimed TCP relays can manipulate messages. This is wrong.
Your claims about bootstrapping are invalid.
Everyone in the network is a bootstrap node. The supernodes are only used for first-time bootstrapping. After that you bootstrap off of saved normal peers.
Your claims about offline messaging are semi-valid. It would be better to use some sort of distributed message store instead of supernodes. You should investigate this instead of really obviously failing to spread FUD on github and detracting from real work.
You have been corrected over and over and you consistently ignore corrections, point-dodge, and misconstrue obvious language. It is futile to engage you any longer.
Any client can serve as a TCP relay
Keyword here is "can". By default they don't and the target of Tox (average joes) won't ever enable that, which ends in a very very tiny percentage of nodes actually being TCP relays, making them super-nodes with more power than they should have.
The supernodes are only used for first-time bootstrapping
But there's only a few of those, around half a dozen people control all these first-time bootstrap nodes. Don't you agree there should be more, to make it a little bit more decentralized?
Your claims about offline messaging are semi-valid. It would be better to use some sort of distributed message store instead of supernodes
Thanks for understanding.
You should investigate
Count me in! Reading some papers right now, I'll report back if I find something and post possible solutions here on this issue (would be good if @irungentoo reopened it, nothing's solved yet)
spread FUD on github
Sorry if that's what you think, but these are true concerns I have and I wasn't given much explanation about them, irungentoo continues silent. You and others helped a bit, and we continue the discussion which is a good thing. Let's keep this going, good for everyone.
Take a couple very valid concerns and wrap it in a giant pile of bullshit and lies, as you've done here, and you've effectively convinced everyone to ignore those valid concerns along with the rest of your trolling, thus retarding later attempts at real constructive criticism related to said valid concerns. I call it the Alex Jones effect.
I sincerely hope that no one in the Tox community disregards the importance of maintaining a truly distributed network on account of this troll.
I am a friend of Harry (hsimons)
We know each other since we were kids and he asked me to post here so everybody knows what happened to him. I'm not really a computer person, but signing-up to this site was easy enough.
hsimons was banned from this repository without any reason while he was discussing the issues.
Here is what he told me.
Most issues I had with the indiegogo campaign and partially-centralized nature of Tox weren't properly addressed and instead I was banned from the repository by irungentoo.
Really, what were they thinking with this donation plan right after money was stolen? And how is it different from when Sean stole it? stqism was fired from the Tox Foundation because he used donation money to pay his personal debts. But isn't irungentoo asking for donation money to pay his personal debts right now with this indiegogo campaign? Double-standard?
And I do believe my concerns about Tox being partially-centralized but not being clear about it are also valid and unanswered properly. I even proposed a simple solution and asked all client developers to come and discuss it. #1398
My proposal, as soon as the user opens a Tox client, he is prompted with the following option:
---- Choose your communication mode ----
1) Better Performance | Less Privacy
2) Better Privacy | Less Performance
I tried continuing conversation on the issue #1397 with the following:
@nurupo
Well said, maybe irungentoo should have posted a detailed reply like yours from the very start to avoid misunderstandings. So I understand @irungentoo wants money so he doesn't have to work and can focus on Tox? Correct?
@codedust
Agree on that, readability is really important, just like documentation, and that's a weird perk. Naming a variable? The donator will call it his own name or something? Doesn't sound like that good of an idea.
@czarkoff
Unsubscribe from the issue if you have nothing to contribute and think everyone that doesn't automatically bow before Tox and thinks the Foundation is perfect is a troll. We are having a real discussion here and your blatant off-topic post is only polluting it. @codedust raised a true concern about naming variables, how about you discuss that instead of calling him a troll feeder or whatever? Or just go away if you have no interest in contributing to this debate.
Only to see that I was banned.
A software that advertises as caring about users, the community, privacy, etc. enforces censorship when someone raises issues with their software? What the hell?
I don't really understand much of all this talk, I'm a highschool teacher, not a computer guy, but Harry is a great person and I think you should unban him.
Censorship is never good as we learn from history books.
Thanks.
A software that advertises as caring about users, the community, privacy, etc. enforces censorship when someone raises issues with their software? What the hell?
I don't really understand much of all this talk, I'm a highschool teacher, not a computer guy, but Harry is a great person and I think you should unban him.
Censorship is never good as we learn from history books.
It isn't censorship, they're just showing you the door.
great, so the stupid trolling still is going on. I thought it was over weeks ago.
But I must admit, it was an entertaining read. So much technical incompetence on Harry's side, and then the excuse is that the code is not documented enough. Hey, toxcore code and its - admittedly extremely incomplete documentation - are not meant to replace High School education…
I've recently started running Tox inside of a mesh network - the Freedombone mesh - and so I can confirm that it can be deployed in a completely distributed manner (each peer is also a bootstrap node). Peers can add all others to their DHTnodes list, or if the network was very large they could use a random sample and still have a good chance of being able to easily connect to other Tox IDs.
I love TOX, also donated 150$ for irungentoo to keep working on it this month. Saying that.. I think people raise good questions, and I think people use the service/protocol for many different reasons, and right or wrong, the fact is the most detailed information we can put on the website so people can decide if TOX will work for them in the ways they think without having to go to a dictionary will help on the freeness and openness of the project towards the whole world. I do infosec and yes I do know that secure and decentralized are not the same, even security and privacy are also opposite in some cases, so the more we stay out of "single" words to attract users the better.. after all this is not a company creating marketing to make $$.. so may as well forget if it sounds simple or not.. and let's populate the site with direct exact definition. Just my 2 cents (btw I do agree that some people were spamming and trolling, not defending those actions, just the good questions that were buried in between.) Keep up the good work everyone!
it's up to the client developer to enable TCP relaying in their client, perhaps with some sort of automatic connection rating system. We have to talk to client developers like @tux3 about that.
That's something to think about, but if we automatically promote some clients to TCP relays, we still need a way to advertise those relays to other clients. I'm not sure how to do that without more centralization.
My proposal, as soon as the user opens a Tox client, he is prompted with the following option:
---- Choose your communication mode ----
1) Better Performance | Less Privacy
2) Better Privacy | Less Performance
If he chooses privacy, Tox uses only UDP without resorting to super-nodes (TCP relays), disables offline messaging (which isn't distributed) and routes all traffic through Tor. All this is currently obfuscated to the end-user and Tox by default uses the "better performance - less privacy" mode.
We could add some sort of privacy / convenience slider in the settings, it would certainly be more user friendly than the mess of cryptically named checkboxes we currently have.
As far as I know, how to build a secure P2P network is still an open research question. Completely decentralized networks have trouble with Sybil attacks and centralized ones have obvious points of failure.
You argue that supernodes are inherently bad, but if your goal is spying on users I don't know that it's easier to compromise existing trusted supernodes in a centralized network, than to run a Sybil in a decentralized network. Especially since we don't have a system like Tor's consensus weight to force new nodes to ramp up slowly.
Shipping a Tor client with qTox is something I have half a mind to try. The Tor design is vastly superior to what we have, it does generate trust from centralization (the various authorities), but in practice it's incredibly well studied and effective at anonymization.
Due to end-to-end encryption, those "supernodes" cannot spy on the user very much.
The content of conversations stays hidden.
Not so the metadata (who chats with whom, how long, how often, from where, at what time, how much data is transferred, ...). But still they do not know any more than your ISP and your contact's ISP would also know.
If you want to hide these things, tox does not do it, and you must look for other applications taking care of that.
The only remaining issue is then just reliability.
A few central nodes needed for bootstrapping new clients into the network, could easily be taken down. But as @bashrc already pointed out, you can bootstrap from any node.
Thus really, I see no issue with these dedicated bootstrap nodes or TCP nodes.
Clients should, however, make manual bootstrap as easy as possible.
I have studied what I could of the Tox protocol (which isn't easy because there is no documentation and the code isn't really readable since it grew without planning) but I believe I got a good enough understanding of it. And it made me worried. My eyebrows are raised.
TCP connection
All mobile clients enforce TCP connections instead of UDP. However, the toxcore implementation of this isn't distributed, it uses supernodes to route the messages.
Offline messaging
DrakeFish has been working on offline messaging that will soon be merged. But his approach doesn't store and route offline messages in a decentralized fashion. Specially chosen nodes are the ones to store the messages. Again, the idea of supernodes just like on the TCP connection problem. This isn't true decentralization. And there is even a problem with metadata collection here, because the supernode storing the messages knows the sender and the recipient of the message.
Usernames
Usernames are created through websites like http://toxme.se which uses Domain Name System (DNS) to do it. A huge point of failure. First, people have to trust the owner of the server not to be malicious, then they have to trust the security is good enough so the NSA won't tamper with it, then that no information will be sold to third-parties, MiTM, etc. It simply defeats the purpose of a decentralized service if all usernames are held by a server like this.
Bootstrapping
To connect to the Tox network you must bootstrap through a very limited number of nodes, again causing a problem with trust. What if malicious nodes sent you to an alternate network? A more decentralized solution is needed, that doesn't rely on half a dozen nodes (defeating the purpose of true distribution).
I think the main idea here is the following: tox is distributed as a concept, but everything built on top of it isn't actually distributed or decentralized. There are lots of points of failure and Tox is a pseudo-decentralized software. It's a step above full centralization, but a tiny step.
I believe the Tox website http://tox.im and all other advertising done by the Tox Foundation should address this issue by stop claiming that Tox is distributed or decentralized, because it's far from it. At most, you can claim it is Federated.
These issues have been brought up by others in the past, especially @Fuuzetsu called out many issues of privacy and security of Tox, but they were never properly addressed by @irungentoo who is the leader of the project.
This is my opinion as an independent researcher and I hope we can have a good discussion over it.
Cheers.