Safe communication with Tox

Thanks to Edward Snowden, users have become aware of global intelligence tapping into private communication. The revelations related to the NSA affair may not have exactly ended the tapping of communications and user data, but more and more users now think they should do something to protect their privacy. The WhatsApp alternative Threema, for example, won a lot of users in a short time for better protecting their communication.

A huge player in modern communication – apart from newcomers like WhatsApp and Threema – is the classic Skype, for which Microsoft paid $8.5 million in 2011. WhatsApp is still a relatively recent phenomenon, but Skype has long been criticized for secretly reading and analyzing user data.

In 2013, information went public that Microsoft in general and Skype specifically were involved in the NSA Prism scandal. Since then, data-aware users should assume that communication over Skype is going to be spied on by unscrupulous intelligence agencies that will collect and evaluate user data.

Tox in, Skype out

An alternative for Skype has meanwhile emerged. Its name is Tox [1], and it is downloadable for all major platforms [2]. Tox clients are available not only for Linux but also for Mac OS X, Windows, and mobile devices, including both Android and iOS [3].

As with Skype, you can use the Tox app to chat using your keyboard, place VoIP calls, and even have a video conference. Tox provides these features with an important added value: All transmitted information is encrypted.

When a Tox user logs on to a client, the client connects not with a central server but with a distributed peer-to-peer network. To communicate, Tox users need to share their Tox IDs, which they use to identify themselves over the Internet.

Although users could share the IDs by email, if you are going to go to lengths to protect your privacy, it makes more sense to share them in an analog fashion, that is, on pieces of paper.
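An ID copied from paper is easy to mistype, so it is worth checking before you add it. The following is an added example, not code from the article or the Tox project; it assumes the ID layout given in the Tox protocol specification (32-byte public key, 4-byte nospam value, 2-byte XOR checksum, written as 76 hex characters), and the function names are hypothetical.

```python
# Added example: validate a hand-transcribed Tox ID before adding it.
# Assumed layout (Tox protocol specification, not stated in the article):
# 32-byte public key + 4-byte nospam + 2-byte XOR checksum = 76 hex chars.
import secrets

TOX_ID_HEX_LEN = 76


def checksum(body: bytes) -> bytes:
    """XOR the 36-byte body together in 2-byte chunks."""
    out = bytearray(2)
    for i, b in enumerate(body):
        out[i % 2] ^= b
    return bytes(out)


def parse_tox_id(text: str) -> dict:
    """Return the ID's fields, or raise ValueError if it is malformed."""
    cleaned = "".join(text.split()).upper()  # tolerate spaces and line breaks
    if len(cleaned) != TOX_ID_HEX_LEN:
        raise ValueError(f"expected 76 hex characters, got {len(cleaned)}")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        raise ValueError("Tox ID contains non-hexadecimal characters") from None
    body, given = raw[:36], raw[36:]
    if checksum(body) != given:
        raise ValueError("checksum mismatch: ID was mistyped or corrupted")
    return {"public_key": body[:32].hex().upper(),
            "nospam": body[32:].hex().upper()}


def make_sample_id() -> str:
    """Build a constructed (random, not a real user's) Tox ID for testing."""
    body = secrets.token_bytes(36)
    return (body + checksum(body)).hex().upper()


if __name__ == "__main__":
    sample = make_sample_id()
    print(parse_tox_id(sample))
    typo = sample[:5] + ("0" if sample[5] != "0" else "1") + sample[6:]
    try:
        parse_tox_id(typo)
    except ValueError as err:
        print("rejected:", err)
```

The checksum only catches transcription errors; anyone can compute a valid one for their own key, so it says nothing about who the ID belongs to. That assurance still comes from receiving the ID directly from the person.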

Value-Added Client

Tox provides various clients for Linux: µTox (also known as uTox), Venom, qTox, and Toxic provide essentially the same functions. They differ primarily in the environment they're ideally suited for (Table 1). Whereas Venom is based on Gtk+, qTox is a Qt client. Purists are more likely to use the Toxic command-line client.

Table 1

Tox Clients at a Glance

Client     Description
µTox       Lightweight client for every desktop
Toxic      Tox client for the command line
qTox       Client written using the Qt toolkit
Venom      Client developed with Vala/Gtk+
Toxy       Tox client for Windows using a Metro design
Poison     Tox client for Mac OS X
Antox      Tox client for Android
Antidote   Tox client for iOS

In this article, I'll present the µTox graphical client and the command-line-based Toxic in more detail. I'll also take a look at Antox, the Tox client for Android devices.

µTox

After starting µTox, the most common Tox client, a pretty clear communication center opens (see the "Installing µTox" box for more details). Your first step is to set the program preferences by way of the gear icon at the lower window edge (Figure 1).

Installing µTox

You can find binaries for the Tox client installation on the Tox project webpage. The Tox wiki recommends the µTox and Toxic clients for Linux, maybe because Tox is itself in development along with these clients.

µTox is available from the project homepage [4] for 32-bit and 64-bit systems. You only need to unzip the tarball. You then run utox from the archive with a double-click or from the command line.

Figure 1: You find your Tox ID in the µTox user settings. It's best to share this ID in an analog manner to allow encrypted chatting.

These are your personal settings, beginning with a username of your choice. You also set status information at this point, such as "I'm available" or "Only in urgent cases".

The Preview function allows you to test phone calls and to find out if an attached webcam is working. You also choose which sound input and output devices to use. In further settings, you should also specify whether the program should save chat histories. It's disabled by default.

Under the settings, you'll find your personal Tox ID, which you'll need to securely share with your friends and acquaintances. Copy the ID to the clipboard by clicking Copy. Your friends will use this ID to add you to their contacts. The plus sign at the bottom of the window is used for this purpose. After clicking it, enter the new communication partner's ID in the Tox ID field and confirm with Add. The ID owner then receives a friend request, which he or she acknowledges. Nothing now stands in the way of your communication.

You can tell if one of your contacts is online and has Tox loaded when the circle icon next to the contact name is green.

Secure Communication

Messages written with Tox pass encrypted over the Internet. The encryption is based on the open source NaCl [5] software library, named after the chemical symbol for salt. NaCl aims to be the salt in the soup for developers who need encryption that is as simple and reliable as possible to integrate into their applications. Threema also uses the library for security.

Sending messages works like other instant messaging systems. You select from a contact list, write the message in the text window at the bottom edge of the window, and then send it off (see Figure 2).

Figure 2: The chat function works like other messaging systems, but your data is encrypted and goes via P2P over the Internet without a central server.

µTox also supports group chats, which you can start by clicking the group chat icon next to the plus icon. You then add contacts to the group chat by dragging their usernames while holding the left mouse button.

Tox supports sending files of any type, which you can do by clicking the paperclip icon at the upper right and opening a file selection dialog. Your recipient has to acknowledge the file before it's actually sent.

For video calling, you'll find the camera icon at the upper right. Select a contact and click the icon. As soon as the other party accepts the call, Tox builds the video connection and the image appears in its own window. The connection often took a while in tests. Whereas the image already appeared for the called party, the caller had to wait. The transmission quality was also mixed: Sometimes, the user was left with a still image, which only a new call would remedy.

Toxic

Among the Tox clients, Toxic [6] distinguishes itself by being command-line only (see the "Installing Toxic" box). Although you have no video calls, the CLI client easily keeps up with its graphical colleagues in all other respects. You run the program with the toxic command, and it creates a new data file. To encrypt the Toxic data on the hard drive, enter a password of at least six characters. Toxic is then ready to encrypt changes. A familiarity with IRC helps in using Toxic. The first step is to give yourself a nickname using the /nick command.

Installing Toxic

You can find installation packages [7] for Toxic in DEB and RPM formats for 32-bit and 64-bit systems. Install the package as you would other programs over the distribution's package manager.

You add your friends to the contact list with /add <Tox_ID>, where Tox_ID is the ID that your communication partner shared with you. As with µTox, this step elicits an acknowledgment from your partner. You use /myid to share your own ID.

To keep track of your chats, Toxic assigns each to a different tab, which may not be noticeable at first because of the lack of a graphical interface. The home and contacts tabs are created by default. In home, you execute the Toxic commands (Figure 3); contacts contains your contact list.

Figure 3: The clear command-line operation of Toxic makes it a cinch to use.

Once a friend sends you a message, a new tab opens in the background and Toxic notifies you that the contact is ready to talk. You can toggle between tabs with the Ctrl+O and Ctrl+P key shortcuts.

To start a chat of your own, go to the contacts tab, where you use the up and down arrow keys to select your contact. If you're in the middle of a chat (Figure 4), use the /call command to initiate a call. To end the call, use the /hangup command.

Figure 4: Toxic puts every conversation in a separate tab.

Table 2 provides a list of oft-used Toxic commands. For help on a command, use the /help command.

Table 2

Important Toxic Commands

Command           Function
/add Tox_ID msg   Adds a contact with the Tox ID and the optional message text.
/accept Tox_ID    Accepts the contact information.
/decline Tox_ID   Declines the contact information.
/requests         Lists all the contact requests.
/nick Name        Defines a chat alias.
/groupchat        Starts a group chat.
/invite num       Invites a contact to a group chat.
/join             Joins a running group chat.
/close            Ends a running group chat.
/sendfile file    Sends a file attachment.
/call             Calls a contact.
/answer           Answers the call.
/reject           Rejects the call.
/hangup           Ends the call.
/myid             Shows your current ID.
/clear            Clears the window.
/exit             Ends Toxic.

Chatting with Android

Even Android devices have the open source Antox [8] Tox client with which you can do some reasonable chatting (Figure 5). Unfortunately, Antox can't hide the fact that it's not quite mature, which is why it might currently be missing from Google Store. The Tox wiki does provide an APK package of the program [9], however.

Figure 5: You can use Antox on your Android device.

To install this package on your smartphone or tablet, download it and install it using the download app or a file manager. This works, however, only if you mark the Unknown sources check box in Settings | Security | Device administration.

In our tests, sending messages and files went flawlessly. However, the app crashes with incoming calls. If you want to use Antox on your local LAN only, the settings provide the ability to do so.

Conclusion

Communicating encrypted live via chat, phone, or video is no problem for Tox users. Although some of the applications still need a bit of development work, they basically work reliably.

Among them, the command-line Toxic surprises with its high utility value and simple operation. Chatting with the graphical clients tends to make your fingers jump between mouse and keyboard – something you can spare yourself with Toxic once you've familiarized yourself with the commands and keyboard shortcuts. Toxic seems the most mature of all the apps tested here and doesn't have a beta feel about it.