On Sat, 26 Sep 2015 20:52:01 -0700 coderman <[email protected]> wrote:
> On 9/26/15, Juan <[email protected]> wrote:
> > ...
> > I've been playing with tox (thanks rysiek!) and it looks
> > rather interesting. I noticed however that it's not listed here
> >
> > https://www.eff.org/secure-messaging-scorecard
>
> i am not saying the scorecard is worthless, but rather, it is at best
> a signal for subpar projects doing things obviously wrong.

Oh, I wasn't commenting on the security of the software listed
or tox in particular. What I meant is that tox is an interesting
project and maybe more publicity from eff would help.

>
> it cannot tell you, honestly, who is doing it all right. (not least
> because "right" is relative to risk and threat model, which is
> perspective unique to each user...)
>
>
> things that are good about Tox.chat:
> - Opus for media. if you don't know about the Opus Codec, you should!
> VP8 i don't care about either way.
> - Re-uses onions, rather than trying to build its own anonymity
> overlay for friend finding.
> - Uses cryptobox for crypto stuffs, rather than rolling own.
> - Supports clients of various types, per preference, rather than
> monolithic structure.
>
> the bad:
> - written in C and passing things around potentially unsafely. see the
> address parsing in network.c, the DHT code. needs a good audit.
> - poor network performance primitives with UDP - ok, not a problem
> because this won't need that scale - beauty of decentralization! :)
> - DHT is trivial to DoS. a known issue, but if you need survivability
> i'd choose pond over tox.
>
>
> best regards,
