It is not insecure. It uses a proven method, the Double Ratchet Algorithm, which is used with many types of instant messaging programs.
Tox & Riot seem ok for those CLOSE TO YOU interpersonally, or for the Riot chat rooms, as adding contacts or video calling could reveal your IP.
In fact I think that’s quite the opposite. Tox and Riot excel at being used with strangers. You can use them with a VPN or with Tor, unlike Signal which is still bound to a phone number.
Any kind of instant messaging that has VOIP will establish a peer-to-peer connection, including XMPP. This will reveal your IP address unless you’re using Tor or a VPN. For text communications it won’t. The reason for this is that most instant messengers try to establish a direct route for VOIP so as to keep latency down and provide a clear picture without choppy sound.
I wouldn’t be too worried about revealing your IP address in these circumstances, as there isn’t a whole lot they can do with it. Unless you’ve opened ports on your modem’s firewall and are also running some service from your internet connection that is vulnerable, you shouldn’t have any issues. (If you were doing this you’d know).
Something to keep in mind about OMEMO though is it won’t secure alternate channels of communication, i.e. VOIP. Additionally, not all XMPP clients even support VOIP.
Do not use XMPP with PGP. This lacks forward secrecy, unlike OMEMO. The same rules apply: your VOIP communications won’t be end-to-end encrypted (E2EE).
Also, make sure to see our instant messaging page.
Riot isn’t going anywhere; it is the reference client for the network Matrix. Not too long ago they got $8.5M for further development. There are many governments around the world, i.e. the French government, which are funding it to use as a platform for their communications.
Very soon we’re going to prioritize the federated section; see: instant-messenger: list federated above centralized #1701. We’re waiting for Matrix to turn E2EE on by default for private communications.
Like XMPP it is federated, meaning there are literally thousands of servers which all interconnect to each other. This means if one server went offline you could simply pick up your conversation on another server. There is a list of some unofficial but reliable servers at Hello Matrix.
Matrix (i.e. Riot) is perfectly ideal for this. At least your voice and video communications will also be end-to-end encrypted (E2EE).
I don’t think any service provides E2EE for 1-to-many VOIP communications as the server needs to mix video feeds and send them out to the clients.
Very soon Matrix is going to be the primary messenger we recommend. We’re basically waiting for E2EE to be on by default (which it is in the development version).