Security Software

R.I.P. Tox Messenger

Tox Messenger was or still is another popular Messenger alternative to Telegram & Co. The project was more known for it’s members rather than the messenger itself.


Tox Messenger
The official Homepage with a ‘new’ Logo.


What exactly went wrong with Tox?

I’ll make it quick and try to summarize the facts.

  1. One of the leader members (now ex) stole 3000 dollars donated money from the Tox Foundation™  in order to pay for his college tuition. See also Wikipedia.
  2. The Tox Logo was stolen.
  3. Some developers seems to not understand their own source code, as proven here.
  4. The Tox Messenger had previously an IP leakage problem (already fixed).
  5. An official statement can be found here. See also here.

Overall spoken the project had more member/leader “problems” than project issue, the protocol itself however is still not bad and I only can hope that a reboot might help to win some trust back, the entire story is really a bad pill when you think about that a lot of people used their real money in order to hope that it helps and because of actions from one or two members the entire reputation is almost destroyed.

Can you still trust Tox?

I wouldn’t say that because of the action of one member/leader the entire project is going to shit but the fact that this isn’t only about the money it’s also how they tried to hide the story and that it took months until something changed is suspicious. Some people never got their money back and the damage to their reputation is permantly. I monitored the story from 2015 and 2016 closely and I think the idea itself isn’t dead but you might consider to ask yourself if you’re not like to donate to some specific members instead which are still trustworthy.

I think there always trolls on the internet trying to spread their FUD but in this case, money was involved which brings the entire story to a more serious level.

Messenger Alternatives

The Matrix protocol seems promising but it’s far from being finished and there some problems with it, for example, it doesn’t protect metadata on the server in his current form but it should be clearly mentioned at this point that this could be fixed in further versions. The Riot client for Matrix seems quite popular. All other clients and the source code are aswell hosted on GitHub.

Don’t switch to other clients because of their promises

A good advice is to not switch to another Client or protocol when there is no audit or some reputation or explanation how the organization exactly works. Just because there is a source code doesn’t mean the developers know what they’re talking about, as sadly yet again shown in the Tox case – which reminded me of the Telegram crypto challenge.

I think if you consider making a switch you should check the following points:

  • Are all messages encrypted
  • Can the messages deleted manually or automatically
  • Can you verify the contact identity
  • Is there a final protocol or is it beta
  • Is there a code audit
  • Is the code open source (keep in mind that open source is not a ‘killer’ argument)
  • Is the messenger and it’s messages still secure if the keys are stolen
  • Is the project and the code properly documented
  • Is it end-to-end encrypted so that the provider can’t read it
  • Who are the people behind the organization
  • How is the overall support
  • Can you pay anonymously in case the program/service isn’t free
  • Is the used protocol weak against known and documented attacks
  • Is there a refund mechanism or a trial period in case you like to test or get your money back
  • Can the government force the organization or developer to give away the keys
  • Does the organization sell your data or make money or in other works are they in the ads business
  • How fast do the developers react in case a security problem is discovered

I guess if you check all the mentioned points on a serious ground there only a handful messenger which deserve a mention

  1. Threema
  2. Matrix (Riot to name one Client of many) even if it’s all more or less beta it looks and smells good
  3. Signal (you also could bridge to Matrix)

… and that’s already it.

Closing Words

I think the whole Tox story is really a shame for those who trusted the leaders, it took too long until they responded. That they at some point even don’t understand their own source code is shocking and shows that promises are alone not enough.

Thankfully there good alternatives available and there having a great support and a good privacy policy. popeanim