
Reasons why people should NOT use this app for anything important #357

Closed
lewisl9029 opened this issue Sep 19, 2015 · 1 comment

Comments

@lewisl9029
Owner

Usability Issues:

  • There has been no effort to maintain backward or forward compatibility, so you might need to reset your data when we release new versions.
  • Cordova builds could get randomly paused by the OS when not running in the foreground, which means the app will not be able to receive messages until you go back to it.
  • The app sometimes has trouble recovering from a temporary loss of connection, and a reload is needed to have it reconnect.
  • Text selection is not supported in the message list due to issues with Ionic. A possible workaround is to use the click-to-copy message feature.
  • Expect to see higher network usage than messaging apps that you're used to. The messaging protocol design is very naive, and is probably also horribly inefficient in many ways. This is compounded by the fact that, as a distributed app, we have no access to push messaging, and need to resort to polling for everything network related.

Security Issues:

  • Toc uses the Forge library for all its client-side crypto for data at rest, and Telehash's built-in crypto for data in transit, but our specific usage of the libraries hasn't been reviewed at all, and may have vulnerabilities.
  • We use a hand-rolled deterministic encryption algorithm for securing storage keys in our key-value store. We did this because we couldn't find any implementations of deterministic encryption schemes for JavaScript. There's a good chance that it's insecure in some way.
  • We use an ancient build of Telehash v2, instead of the latest v3, due to the lack of a built-in DHT in v3, and because we can't afford the additional development and testing effort that would be needed to replace v2 with v3 + an external DHT.
  • Telehash v2 uses a public DHT that is susceptible to Sybil attacks and can be trivially crawled in theory. We find the privacy-preserving properties of any messaging solution that uses a public DHT somewhat questionable, but we haven't been able to find a better alternative yet.
  • HTTPS has not been implemented in the web app due to the need to also set up certificates in the seed server for the Telehash DHT, and the process of using HTTPS with Telehash v2 also happens to be poorly documented. This means there's no guarantee that the instance of Toc you're running hasn't been compromised if you're accessing it over the internet. Locally hosted versions and Cordova versions are not affected.

All of the above issues, and any new issues that come up, probably won't get resolved in the foreseeable future since I need to focus on finding a job first, and probably won't have nearly as much time to work on this afterwards.

If you're interested in taking over maintaining and improving the project, feel free to contact me through the email in my GitHub profile.

@lewisl9029 lewisl9029 added this to the v0.10.0 milestone Sep 19, 2015
@lewisl9029 lewisl9029 removed this from the v0.10.0 milestone Oct 6, 2015
@lewisl9029 lewisl9029 changed the title Warn people to NOT use this app for anything important Reasons why people should NOT use this app for anything important Oct 6, 2015
@lewisl9029 lewisl9029 added the ux label Oct 12, 2015
@lewisl9029
Owner Author

Add this as a readme section instead
