
Skype vs. Tox: Which is better for secure communications?

Securing enterprise communications has become a top concern lately. However, finding the application that best suits your enterprise security needs can be challenging. Michael Cobb advises.

My company uses Skype for long-distance calling and video chat, but I have heard that it is not secure enough for an enterprise setting. Someone told me about a more secure alternative called Tox. What is it, and is it more secure than Skype? Is it something I should consider using in my business?

The security and privacy of Skype calls have been a matter of debate ever since Skype first appeared in 2003. The main reason for the uncertainty surrounding the security of Skype's instant messaging and video chat services is that it uses a proprietary Internet telephony network called the Skype protocol. This has never been made available for public scrutiny, and applications using the protocol are closed-source. So, although Skype reportedly uses the publicly documented encryption algorithms RSA (key negotiation) and AES (call encryption), security experts cannot verify that these algorithms are used correctly and at all times.


Edward Snowden's disclosures about the PRISM surveillance program have also heightened concerns that the NSA and the FBI have the ability to eavesdrop on Skype IM messages and video calls. Law enforcement authorities have been able to wiretap Skype calls to traditional phones for a long time, and a push by Skype a few years ago for a more robust system may have made it easier for authorities to gain access to users' calls, messages and transferred files. Instead of calls being solely peer-to-peer, some data is now routed through supernodes located in Microsoft's data center. The U.K. newspaper The Guardian reported that the NSA claimed to have direct access through the PRISM program to the systems of many major Internet companies, including Microsoft, Skype, Apple, Google, Facebook and Yahoo. Microsoft has also confirmed that it scans messages to filter out spam and phishing websites.

Snowden's revelations have kick-started various privacy initiatives -- including Briar, Cryptocat, Invisible.im and BitTorrent Bleep, to name just a few -- that are looking to create more secure online communication tools that are not controlled by a company, but rather by the Internet community as a whole.

One new project called Tox wants to create an open source, security-focused Skype replacement -- the stated goal of the project is to provide secure, yet easily accessible communication for everyone. Tox relies on encrypted peer-to-peer networking to provide direct connections between users, eliminating the need for messages to travel through a central server. All Tox chats are encrypted using the NaCl encryption library, and perfect forward secrecy is used to maintain privacy.

It's too early to recommend Tox as a viable alternative means of secure communication, as the code is still under active development and needs public scrutiny by the security community. There are, however, usable prototype Tox clients that can be tested, and the source code is on GitHub. There is no need to create an account, as the client automatically creates a public/private encryption key pair, with the public key being used as the user's Tox ID. Sharing this ID with others allows you to start chatting.

It is certainly worth monitoring the development of Tox, but in the meantime, enterprises concerned about the lack of privacy when using Skype should look at using alternatives, such as secure voice calling apps from the likes of Whisper Systems and Silent Circle, both of which encrypt calls made through the traditional telecoms infrastructure.


This was last published in February 2015


Join the conversation

5 comments


What application does your enterprise use for long-distance messaging and conferencing?

Security and privacy matters have been trending on Skype calls since 2003 because it uses a proprietary internet telephony network dubbed “Skype protocol”. This messaging application has limited the coding to closed sources only and features documented encryption algorithms in line with RSA and AES regulations. However, Skype is facing a new challenge with Tox that seeks to provide open source security which means it will have more coders working for it without costs.

We use Cisco products - Webex and Jabber. They're ok, for the most part. They don't integrate as well with Microsoft Outlook, though.

Interesting, open sourced initially made me think of the loopholes. But can reverse psychology really work here? I hope so, phone tapping is shocking!

Face-to-face. Then the phone. Then a fax. Next is probably email that's properly secured. Then you get into messaging apps and webinar software that has far less protection as that might hinder the speed with which it has to work. I would trust - within reason - Skype. But I don't know enough about Tox to make a firm decision.
