Slashdot Mirror


Tox, a Skype Replacement Built On 'Privacy First'

An anonymous reader writes: Rumors of back door access to Skype have plagued the communication software for the better part of a decade. Even if it's not true, Skype is owned by Microsoft, which is beholden to data requests from law enforcement. Because of these issues, a group of developers started work on Tox, which aims to rebuild the functionality of Skype with an emphasis on privacy. "The main thing the Tox team is trying to do, besides provide encryption, is create a tool that requires no central servers whatsoever—not even ones that you would host yourself. It relies on the same technology that BitTorrent uses to provide direct connections between users, so there's no central hub to snoop on or take down."


  1. Re:Key exchange by Anonymous Coward · · Score: 3, Interesting

    I discussed it with one of the admins on their IRC.
    "it's up to the users to give their public key to their friends in a way that it won't be intercepted in transit and replaced"

  2. Re:Back door by AHuxley · · Score: 4, Interesting

    AC the backdoor aspect is both national and international
    "FBI Wants Backdoors in Facebook, Skype and Instant Messaging"
    http://www.wired.com/2012/05/f...
    ".... drafted by the FBI, that would require social-networking sites and VoIP, instant messaging and e-mail providers to alter their code to make their products wiretap-friendly."
    Then the world was given more details "Encrypted or not, Skype communications prove “vital” to NSA surveillance" May 14 2014
    http://arstechnica.com/securit...
    As for the "nobody on the inside has ever leaked out." aspect try http://cryptome.org/2013-info/...
    The "inside" can now be understood by aspects like "Drug Agents Use Vast Phone Trove, Eclipsing N.S.A.’s"
    http://www.nytimes.com/2013/09...
    ..."employees sit alongside Drug Enforcement Administration agents and local detectives and supply them with the phone data from as far back as 1987."
    How past "parallel construction" and telco support will respond to any new "peer-to-peer and voice calling" will be interesting.
    How did the US and UK get to past bespoke crypto telco hardware in the 1950's and beyond? Plain text always seemed to emerge just in time.

    --
    Domestic spying is now "Benign Information Gathering"
  3. Re:Key exchange by BitterOak · · Score: 4, Interesting

    And how do you exchange keys? Do they plan a web of trust à la GPG?

    A better approach would be to generate a random session key and each user's client would display some sort of hash (it doesn't need to be really long: 6 or 8 digits would suffice) of that key. Assuming the two parties know each other and recognize each other's voice and/or face, one of them can read the hash to the other. If there's a MITM attack, they won't match. As I said, the hash doesn't need to be long, since one mismatch would indicate trouble.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
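
The short-hash comparison proposed in the last comment above, as an added example (not part of the thread and not Tox's code). It assumes each client already holds a session key as bytes; the label, function names and sample keys are constructed for illustration.

```python
import hashlib
import hmac

SAS_LABEL = b"example-sas-v1"  # assumed domain-separation label, not from Tox


def short_auth_string(session_key: bytes, digits: int = 6) -> str:
    """Derive the short decimal string a client would display for this key."""
    if len(session_key) < 16:
        raise ValueError("session key too short")
    if not 6 <= digits <= 8:
        raise ValueError("expected 6 to 8 digits")
    mac = hmac.new(session_key, SAS_LABEL, hashlib.sha256).digest()
    # Reduce the 256-bit value to N decimal digits; the modulo bias is negligible.
    value = int.from_bytes(mac, "big") % (10 ** digits)
    return f"{value:0{digits}d}"


def compare_readouts(key_at_alice: bytes, key_at_bob: bytes, digits: int = 6):
    """Return (alice_string, bob_string, match) as the two users would read them."""
    a = short_auth_string(key_at_alice, digits)
    b = short_auth_string(key_at_bob, digits)
    return a, b, hmac.compare_digest(a, b)


# Constructed sample keys (not real traffic).
DIRECT_KEY = hashlib.sha256(b"constructed: alice<->bob").digest()
KEY_ALICE_SIDE = hashlib.sha256(b"constructed: alice<->relay").digest()
KEY_BOB_SIDE = hashlib.sha256(b"constructed: relay<->bob").digest()


def demo():
    """Direct session: one shared key. Intercepted session: a different key per leg."""
    return {
        "direct": compare_readouts(DIRECT_KEY, DIRECT_KEY),
        "intercepted": compare_readouts(KEY_ALICE_SIDE, KEY_BOB_SIDE),
    }


if __name__ == "__main__":
    for name, (a, b, match) in demo().items():
        print(f"{name:12s} alice reads {a}  bob reads {b}  match={match}")
```

Protocols that rely on this kind of spoken check, such as ZRTP, also have each side commit to its key material before the exchange, which is what lets a string this short remain sufficient.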