by kostyakow 4709 days ago
Tox aims to be a secure replacement for Skype.

There are several other similar projects, but they are usually hard to set up and use for an average user.

Tox is FLOSS software developed by the community, and currently licensed under GPLv3. We are considering changing the license to something more permissive, so it would be possible to put it on the App & Win8 Stores.

Currently, it is in really early stages of development. But we already have basic IM, and nCurses interface. We use NaCl library for encryption and will probably add FFmpeg for video.

We are working on a cross-platform GUI using Qt5. Please note that the screen-shots on the main website are only mockups, and (in my opinion) should have been labeled as such.

Since the website is down, here are some links:

Subreddit: http://www.reddit.com/r/projecttox/

Core code: https://github.com/irungentoo/ProjectTox-Core

Qt GUI code: https://github.com/nurupo/ProjectTox-Qt-GUI

Website code: https://github.com/stal888/ProjectTox-Website

IRC Freenode channel: #InsertProjectNameHere

4 comments

I'm surprised you guys don't use OTR for secure text chat that will interop with other OTR text chat clients.

You guys should really look into the WebRTC project ( http://code.google.com/p/webrtc/ ) so you don't re-invent the wheel with video conferencing with just raw ffmpeg. You could also make web browser clients in the future possibly. It takes quite a bit of QoS and other work to make video conferencing work right! Take advantage of the PhDs that google & co hire and re-use their full time jobs!

Congrats on the progress made so far. I'm eager to see how things shape up.

Would love to see a community project analogous to this one develop in the e-mail space since too many users find PGP to be cumbersome, despite some very nice implementations. Bitmessage and I2P's bote are both very interesting, but the prior project needs more experienced security people working on it (and some serious refactoring), and the latter suffers from the perceived issues of the "darknet" (not an issue for me, but...).

> Would love to see a community project analogous to this one develop in the e-mail space since too many users find PGP to be cumbersome, despite some very nice implementations.

We're on it! https://parley.co will be entering pre-beta later this week. Maybe not technically a "community project" because it's being built by a company that is at least partly motivated by profit, but the whole thing is BSD-licensed so people can do whatever they want with it.

Great! Yeah, community would be ideal but a small company like yours is definitely wonderful, as well. As long as it's open source, it's fine by me.

I see you're building on PGP, which has been historically confusing for non-tech folks, but I look forward to seeing what you've come up with to counter that confusion.

A couple of issues:

1. Not sure if you'll be using the same server/TLS cert for your actual web-based e-mail sender, but I got a giant warning on Android (Kindle Fire running Chrome for Android) about the certificate being invalid. It's probably the fact that you need to host the intermediate certificates on your site (i.e., the chain of trust is "broken"). If you are hosting them, then it might be this issue: http://www.unrelatedshit.com/2011/10/21/positivessl-not-work...

2. Again on the https, have you considered upgrading to TLS 1.1, or 1.2? You'd be able to offer ECDHE for forward secrecy, among other advantages. But you may have reasons for sticking with 1.0.

3. Are you vulnerable to SSL stripping attacks, like Moxie Marlinspike proposed? You are redirecting http requests to https.

Again, you may not be using this server for your actual registration, but just fyi.

One more suggestion: you may want to simplify the pricing. Do you really need 6 different categories? I'd try to eliminate at least 1, and ideally 2 or 3. Three categories may be the sweet spot (I think there's actual empirical research underlying this, but don't have time to search for citations). For a (non-scientific) summary of this, see: http://thinktraffic.net/most-common-pricing-mistake

Good luck, and feel free to e-mail me at my username @ gmail if you need a beta tester.
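The three HTTPS points raised in this comment (an incomplete certificate chain, an old TLS version without ECDHE forward secrecy, and an HTTP-to-HTTPS redirect with nothing to stop SSL stripping) can be checked mechanically. The script below is an added example and is not code from the thread or from Parley; it audits constructed observations of a site (redirect result, response headers, negotiated protocol and cipher, the certificate chain the server sent) so it runs offline, and the host names, CA names and header values are all made up for illustration.

```python
"""Audit the HTTPS posture points from the comment above on constructed data.

Checks: (1) the served certificate chain reaches a trusted root, i.e. the
intermediate is actually being sent; (2) the negotiated protocol is TLS 1.2+
and the cipher suite uses an ephemeral key exchange (forward secrecy);
(3) plain HTTP redirects to HTTPS and the HTTPS response carries HSTS, the
standard mitigation for SSL stripping of that first-visit redirect.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Roughly six months in seconds; a common minimum for a useful HSTS max-age.
MIN_HSTS_MAX_AGE = 15552000


@dataclass
class Observation:
    http_status: int                      # status returned for the plain-HTTP request
    http_location: Optional[str]          # Location header of that response, if any
    https_headers: Dict[str, str]         # headers of the HTTPS response
    tls_version: str                      # e.g. "TLSv1", "TLSv1.2"
    cipher: str                           # OpenSSL-style suite name
    chain: List[Tuple[str, str]]          # (subject, issuer) per cert, leaf first
    trusted_roots: Set[str]               # subjects of the client's trusted roots


def parse_hsts(value: str) -> Tuple[Optional[int], bool]:
    """Return (max_age, includeSubDomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                return None, False
        elif d.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def has_forward_secrecy(cipher: str) -> bool:
    """ECDHE/DHE suites and all TLS 1.3 suites use ephemeral key exchange."""
    return cipher.upper().startswith(("ECDHE-", "DHE-", "TLS_AES", "TLS_CHACHA20"))


def chain_findings(chain: List[Tuple[str, str]], roots: Set[str]) -> List[str]:
    """Walk the served chain leaf-first; each issuer must be the next subject,
    and the last cert must be (or be issued by) a trusted root."""
    findings = []
    for (subject, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            findings.append(f"chain break: {subject} issued by {issuer}, "
                            f"but next cert is {next_subject}")
    last_subject, last_issuer = chain[-1]
    if last_subject not in roots and last_issuer not in roots:
        findings.append(f"incomplete chain: {last_subject} (issuer {last_issuer}) "
                        "does not reach a trusted root; serve the intermediate")
    return findings


def audit(obs: Observation) -> List[str]:
    findings = chain_findings(obs.chain, obs.trusted_roots)
    if obs.tls_version in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol {obs.tls_version}; enable TLS 1.2 or later")
    if not has_forward_secrecy(obs.cipher):
        findings.append(f"cipher {obs.cipher} has no forward secrecy; prefer ECDHE suites")
    redirected = (obs.http_status in (301, 302, 307, 308)
                  and bool(obs.http_location)
                  and obs.http_location.lower().startswith("https://"))
    if not redirected:
        findings.append("plain HTTP is not redirected to HTTPS")
    headers = {k.lower(): v for k, v in obs.https_headers.items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header: the HTTP->HTTPS redirect alone can be "
                        "stripped on a user's first visit")
    else:
        max_age, _ = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too small or unparsable: {hsts!r}")
    return findings


# Constructed observations: a weak deployment and the corrected one.
WEAK_SITE = Observation(
    http_status=301, http_location="https://example.test/",
    https_headers={},
    tls_version="TLSv1", cipher="AES128-SHA",
    chain=[("example.test", "Example Intermediate CA")],   # intermediate not served
    trusted_roots={"Example Root CA"},
)
FIXED_SITE = Observation(
    http_status=301, http_location="https://example.test/",
    https_headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    tls_version="TLSv1.2", cipher="ECDHE-RSA-AES128-GCM-SHA256",
    chain=[("example.test", "Example Intermediate CA"),
           ("Example Intermediate CA", "Example Root CA")],
    trusted_roots={"Example Root CA"},
)

if __name__ == "__main__":
    for name, site in (("weak", WEAK_SITE), ("fixed", FIXED_SITE)):
        print(name, audit(site) or ["no findings"])
```

The weak observation reproduces all three complaints from the comment (a leaf sent without its intermediate, TLS 1.0 with a static-RSA cipher, and a redirect with no HSTS), while the corrected one passes cleanly. In a real audit the `Observation` would be filled from a TLS client's view of the live server rather than constructed by hand.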

Thank you very much for the feedback! We won't be using the same server/cert for the API (though it does make calls to the API for registration), but have had to move the website server around a couple of times already since setting up the cert and it's likely that I cocked something up. I'll look into it ASAP.

We are going to simplify the pricing, at least for the time being. Our beta is going to be more of a pre-beta, and completely free. Supporters will be able to pre-purchase a professional plan at less than half price, but otherwise we still have a lot of kinks to iron out before we feel comfortable charging for Parley (details will all be announced Thursday).

If you want in on the pre-beta, you can either sign up for the mailing list or check back at https://parley.co on Thursday :)

I don't see the point of changing to a more permissive license just to get on the iOS and WP8 app stores. Those devices are all compromised to begin with.

When trying to create a secure network, you're constantly going to be dealing with tradeoffs between enabling communication, and ensuring you can actually talk with people.

You're right that iOS isn't a completely secure OS, but using a secure app on iOS is better than using regular SMS going through AT&T.

Perfect is very difficult to achieve here: most PCs have a nonfree BIOS, and even then, many CPUs can be updated by encrypted updates from the manufacturer.

It very well might be possible to ensure that your machine isn't vulnerable... But you're not going to have many people to talk to.

I think the tradeoff for having an iOS app is worth it. It puts the users of the iOS app (and those talking to them) a bit more at risk, but doesn't compromise the whole network.

Let them make that tradeoff. It's better than talking to an empty room.

False sense of security can be even more dangerous.

Network effects. Even if my friends' iPhones are "compromised", if I can get them using the same messaging protocol, then that messaging protocol is more useful on my "non-compromised" device.

If we went with your way of thinking, most of my friends would never use Tox, thus making it useless to me, thus meaning I'd have to use a non-end-to-end-encrypted messaging protocol such as SMS or Facebook Chat.

Source?

I use a mac, and if it's compromised, I'd like to stop using it.

>We are considering changing the license to something more permissive, so it would be possible to put it on the App & Win8 Stores.

I'd consider changing the license for other reasons. What is the GPL getting you? If your desire is to have the most people using this software to increase security, you should follow openssh's lead and use an actually free license, or even public domain.