uTox – Free, Secure Instant Messaging

I would use Tox and any of its clients with caution. At one point in time, your friends would be able to execute arbitrary shell commands on your PC if you were running utox and accepted a file download. Even with large security concerns like this, the lead developer believes Tox and uTox is secure because he reads the code he wrote himself (none the less git history is filled with bug fixes he clearly missed in his reading). This isn&#x27;t exactly reassuring, especially coming from someone who doesn&#x27;t have provable past experience in security software.<p>Edit: I just got banned from their IRC for stating this opinion here.

Something to keep in mind:<p>Of all Tox clients, uTox is written in C, using its own UI framework that directly interfaces with X11 and WinAPI. This makes the code itself a mess. The reasoning behind this is that it&#x27;s somewhat of a meme on &#x2F;g&#x2F; that anything but pure C code is &quot;bloat&quot;. I tried contributing a bit last year, did some work on copy&#x2F;pasting inline images, and found a remote code execution vuln. Then I got fed up with how terribly confusing the codebase was for something so simple. I&#x27;m not a professional programmer or anything, just a student, but it seems like it&#x27;s the same for everyone else in the project.

I wonder if we&#x27;ll ever get to the point where projects start advertising what methods they use to weed out memory management bugs (i.e. static analysis, fuzzing, etc) because an adversary that can execute arbitrary code on my machine is far more intimidating than one that can eavesdrop (imo).

If you&#x27;re worried about how good the encryption is, you can actually use Tox with Pidgin and then layer OTR on top of it.<p>That way you get decentralized messaging and don&#x27;t need to trust their crypto.<p><a href="https:&#x2F;&#x2F;wiki.tox.im&#x2F;Tox_Pidgin_Protocol_Plugin" rel="nofollow">https:&#x2F;&#x2F;wiki.tox.im&#x2F;Tox_Pidgin_Protocol_Plugin</a>

I&#x27;ve been using this for the last 6 months or so. Seems pretty good as a client. Stable on the comms side, although short of an audit, I&#x27;m just having faith in the security side of things.<p>What it really needs is some way of having a roaming profile though. Currently you have to have multiple accounts, one for each device. So my friends list has a lot of duplicates depending on whether they&#x27;re on their work computer, at home, on their phone, etc...<p>I&#x27;m not actually that fussed about the encryption side of things. I&#x27;m far more happy with the lack of reliance on centralised servers. You don&#x27;t need an account somewhere to get it up and running, you just send a message to a friend and compare secrets to authenticate.

<p><pre><code> &quot;Future of Instant Messaging&quot; </code></pre> Not with that UI.

uTox is one client of several. For a full list, see: <a href="https:&#x2F;&#x2F;wiki.tox.im&#x2F;Client" rel="nofollow">https:&#x2F;&#x2F;wiki.tox.im&#x2F;Client</a>

you know its good cause it offers &quot;ROCKSOLID encryption&quot;

Isn&#x27;t this a project that was developed by users of the &#x2F;g&#x2F; board on 4chan? I&#x27;ve only ever seen it berated on that board (everything is berated on that board) and don&#x27;t really know how solid the actual software is.

Gee, yet another identity nomenclature - &lt;username&gt;@utox.org! When will this trend end?! Aren&#x27;t you tired of the ever-growing lists of identities you need to share with people?

I like the idea of Tox but there are a couple issues that make it unusable for most users (at least me and a few I&#x27;ve talked to about it):<p>- No push notifications of any kind, meaning mobile devices have to keep a connection open (kill their batteries) or poll for updates (and get the message later).<p>- No multiple device support, so I can&#x27;t use my phone _and_ my desktop. I have to pick.<p>It&#x27;ll be great when it&#x27;s been polished up and completed a bit more but it&#x27;s not there yet.

Why aren&#x27;t the name&#x2F;Tox ID requirements listed on the site? I tried registering a few times and got an &quot;invalid&quot; error each time.

Wow, Skype must have really cemented its place in public conscience as an instant messaging service.<p>I would think a new service should support video chat before comparing itself to Skype, but no. (I am actually seeking an open-source alternative to Skype that supports video conferencing: I know of audio clients&#x2F;services, but not about video)

Back in 2001, the ayttm project supported free, secure instant messaging by using gpg to encrypt all messages and by allowing you to split a conversation across multiple networks (Yahoo, MSN, AOL, XMPP).

Why would I use this instead of XMPP and OTR?

So how does this improve on existing IM, say: XMPP?

Seems really cool, anyone audited this project yet?

Would be cool ta have FOSS iOS apps made with this.

i prefer software that do not need runtimes and can run without dependencies on major distros.

qTox please consider making static builds