The main concern with Tox is that despite being open source, its encryption protocol has not been audited. Also, worth mentioning is that messages are metadata free, which is important because metadata is used as a way to trace users. The encryption happens on a per-message basis. Tox uses NaCl encryption for cryptography and the developers have labelled this as experimental. Combined with end-to-end encryption this is better for privacy when compared to a centralized service. The message that you send is delivered directly to the recipient, as in Peer-to-Peer (P2P). This could potentially result in data being stolen, or the user being spied on.Ī decentralized messenger is one that cuts out the middleman, i.e., there is no server in between you and your contact. When you send a message through a centralized service, it is transmitted (passes through) a server, where it may or may not be stored before it is delivered to the recipient. Examples for this would be Skype, Hangouts, Facebook Messenger, Viber or Telegram. Any instant messaging protocol that uses a cloud-based connection, aka a server, is a centralized service. I ran a test, someone gave me their IP, I then captured the packets going to and from the port which qTox is on, I captured the packets which where sent when I sent them a contact request, when they accepted it, and when we talked, however when I filtered out all the packets that were not either to or from their IP, no packets were left.Let me explain what a centralized messaging service is. I am running Ubuntu GNOME 15.10 with GNOME 3.18. I have also been reading this section which suggests that it can only be done when the friend request is initially sent? Is this the case?
So how exactly can you trace someone's IP through Tox and make sure that it is their IP without asking them for their IP or a hint to it (not because I want to trace the IPs of my contacts without asking them, but so that my method is more foolproof than just capturing packets and asking people which packet came or is going to them)? Or is this the wrong way of doing it? Though there was such a large amount of traffic (mostly UDP and TCP, but some ICMPs as well) that it was hard to really see anything. I then launched WireShark to try and see if I could capture some packets going to and from that port, however I could not find the IPs of any of my contacts (some had given me hints to parts of their IPs and I couldn't even find similar IPs). So I tried to see if I could find the IPs of some of my contacts (I ask for their prior permission), so I first figured out with netstat -tnap which port qTox was running on, the port was 33445. The user in the DHT, the IP address will only be discernible when the However, a userĬannot uncover another user's IP address using only a Tox ID to find Tunneling your Tox connections through Tor.
Other users, as the whole point of peer-to-peer is to connect youĭirectly to your friends. Tox makes no attempt to cloak your IP address when communicating with Identity impossible to forge without stealing your personal private
The form of meta-data, your IP address) from people who are not yourĪuthorized friends, enforcing Off-The-Record Messaging as the defaultĪnd only mode of operation for all messages, and by making your Tox protects your privacy by removing the need to rely on centralĪuthorities to provide messenger services, concealing your identity(In I am a user of Tox, my client is qTox (if that makes any difference), and I was just reading their FAQs section when I came across these sections: