by waynenilsen 2995 days ago
I find Tox[1] to be a reasonable messenger.

[1] https://tox.chat/

3 comments

I tried it a while back but never really liked it. Clunky UI and the project in general seemed to have a lot of problems. The Kickstarter project was basically a ripoff, the project management is (or at least was) scattered and basically non-existent.

I have much better experience with Matrix[1]/Riot[2].

Matrix is an open protocol with end-to-end encryption (still beta IIRC) and is federated (like IRC) rather than fully distributed.

Matrix is now a stable project with funding and Riot has a future business plan to also continue development.

[1] https://matrix.org
[2] https://riot.im

There's a lot of shady stuff surrounding Tox though, see:

https://github.com/irungentoo/toxcore/issues/1379

Also:

https://blog.tox.im/2016/04/01/litigation/

I'd rather support Keybase or Wire (Open Source back-end exists and I think the clients are open source too!) as an alternative. I'm leaning cleanly toward Wire, though everyone I've suggested Keybase to enjoys it. I like the free storage of Keybase... sue me.

Edit:

Wire GitHub: https://github.com/wireapp

Keybase is awesome from day one. Their Android client is just horribly slow and unresponsive.

I'm hoping for a fix soon.

Read that: https://github.com/TokTok/c-toxcore/issues/426

Note: The interesting part is not the vulnerability itself; that is relatively minor. The interesting part is where the Tox developers explain that they don't really understand their code.

I think the most interesting part is irungentoo's (only) response in that thread:

"You are fucked if you get your key stolen. There are so many more fun things you can do if you steal someone's key that I simply didn't bother trying to handle that case because it would not provide any actual security."

This seems like a pretty flippant attitude in a thread where other collaborators have already built anticipation for your response. I suppose it's possible irungentoo noticed this flaw and explicitly thought "this is outside of the scope of our security model, so I'll just leave that in there by design," but it seems much more likely that they hadn't considered it at all and are simply rationalizing after the fact. After all, if you recognize the negative security implications of a specific design decision and choose not to address it, you are not really writing "secure" software. I think "I didn't consider what might happen if a secret becomes compromised" is obviously a bad look for security software.