Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Skype vs. Tox: Which is better for secure communications?

Securing enterprise communications has become a top concern lately. However, finding the application that best suits your enterprise security needs can be challenging. Michael Cobb advises.

My company uses Skype for long-distance calling and video chat, but I have heard that it is not secure enough for an enterprise setting. Someone told me about a more secure alternative called Tox. What is it, and is it more secure than Skype? Is it something I should consider using in my business?

The security and privacy of Skype calls have been a matter of debate ever since Skype first appeared in 2003. The main reason for the uncertainty surrounding the security of Skype's instant messaging and video chat services is that it uses a proprietary Internet telephony network called the Skype protocol. This has never been made available for public scrutiny, and applications using the protocol are closed-source. So, although Skype reportedly uses the publicly documented encryption algorithms RSA (key negotiation) and AES (call encryption), security experts cannot verify that these algorithms are used correctly and at all times.

Law enforcement authorities have been able to wiretap Skype calls to traditional phones for a long time.

Edward Snowden's disclosures about the PRISM surveillance program have also heightened concerns that the NSA and the FBI have the ability to eavesdrop on Skype IM messages and video calls. Law enforcement authorities have been able to wiretap Skype calls to traditional phones for a long time, and a push by Skype a few years ago for a more robust system may have made it easier for authorities to gain access to users' calls, messages and transferred files. Instead of calls being solely peer-to-peer, some data is now routed through supernodes located in Microsoft's data center. The U.K. newspaper The Guardian reported that the NSA claimed to have direct access through the PRISM program to the systems of many major Internet companies, including Microsoft, Skype, Apple, Google, Facebook and Yahoo. Microsoft has also confirmed that it scans messages to filter out spam and phishing websites.

Snowden's revelations have kick-started various privacy initiatives -- including Briar, Cryptocat, and BitTorrent Bleep, to name just a few -- that are looking to create more secure online communication tools that are not controlled by a company, but rather by the Internet community as a whole.

One new project called Tox wants to create an open source, security-focused Skype replacement -- the stated goal of the project is to provide secure, yet easily accessible communication for everyone. Tox relies on encrypted peer-to-peer networking to provide direct connections between users, eliminating the need for messages to travel through a central server. All Tox chats are encrypted using the NaCl encryption library, and perfect forward secrecy is used to maintain privacy.

It's too early to recommend Tox as a viable alternative means of secure communication, as the code is still under active development and needs public scrutiny by the security community. There are, however, usable prototype Tox clients that can be tested, and the source code is on GitHub. There is no need to create an account, as it automatically creates public/private encryption keys, with the public key being used as the user's Tox ID. Sharing this ID with others allows you to start chatting.

It is certainly worth monitoring the development of Tox, but in the meantime, enterprises concerned about the lack of privacy when using Skype should look at using alternatives, such as secure voice calling apps from the likes of Whisper Systems and Silent Circle, both of which encrypt calls made through the traditional telecoms infrastructure.

Ask the Expert!
Want to ask Michael Cobb a question about application security? Submit your questions now via email! (All questions are anonymous.)

Next Steps

Learn more about securing instant messaging and video conferencing in the enterprise.

This was last published in February 2015

Dig Deeper on Social media security risks