I have an idea for a really secure chat client. It would support all the things Skype does that don't cost money (including voice chat, video chat and file transfers). How I envisage it working is this:
1. When a user installs the program and registers for the service on a given host (there could be multiple separate instances of the server which may or may not communicate for the purposes of allowing users on one to talk to users on another), a public and private key-pair is generated on the local device. The public half is submitted alongside the registration details and the private half never leaves the user's device (unless the user e.g. copies it to another device so they can use the program there).
2. When the user logs onto the service, they use their private key to digitally sign a login packet which is verified by the central host (to verify that the user is who they claim to be and making phishing and password-theft much harder).
3. To talk to someone (voice, video, text, file transfer, whatever) the client that wants to initiate the conversation asks the central server for the public key of the other guy. Then that public key is used as part of some sort of key exchange to share an encrypted session key in a way that even someone with a complete packet dump of the network traffic AND the private keys of both people couldn't recover the session key (something like Diffie-Hellman would probably work here).
4. All communications between users would be peer-to-peer direct conversations. In cases where direct links are not feasible (such as mobile devices where direct p2p links are not an option) all any relay servers ever see is encrypted data packets.
5. Unless specifically asked by the user to do so, none of the communications are ever stored on any persistent storage medium by the client.
6. At the end of the conversation, the session key is destroyed. (How you define "end of the conversation" in an IM client I don't know, but certainly ending a video or voice session would count, as would closing the client.)
7. The client would cache public keys from users and warn if the cached key and the one the server has are different (thus helping detect if the central server has been compromised by someone).
Assuming the client is implemented properly and the crypto is good (and hasn't been cracked) then this should be highly resistant to eavesdropping.
The protocol would be 100% documented and open.
The client (and there would ideally be multiple implementations to ensure against someone inserting a back-door) would be open source.
If the session keys and key exchange are done properly (and there are no weaknesses in the key exchange or crypto) then even with the private keys of both parties in the conversation AND a full packet dump of the entire conversation, it would be impossible to recover what was transmitted.
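As an added example, not part of the original post and not an implementation of any existing client, here is a stdlib-only Python sketch of the key exchange in step 3, the key destruction in step 6 and the key cache in step 7. The choices it makes are assumptions of this example rather than something the post specifies: finite-field Diffie-Hellman over the 2048-bit MODP group of RFC 3526, HKDF-SHA256 for key derivation, and, instead of signing the exchange, a "triple DH" combination of long-term and ephemeral keys in the manner of the X3DH/Noise handshakes, so the long-term keys authenticate both parties while the ephemeral-ephemeral DH supplies the forward secrecy the post asks for. The function and class names (`session_key`, `run_exchange`, `KeyCache`) are invented for the example.

```python
# Added example (not the original post's code). Assumptions: DH over RFC 3526
# group 14, HKDF-SHA256, and triple-DH authentication instead of signatures.
import hashlib
import hmac
import secrets

# RFC 3526 section 3, 2048-bit MODP group 14 (a safe prime; generator 2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2  # prime order of the subgroup generated by G


def is_probable_prime(n, rounds=4):
    """Miller-Rabin; used to sanity-check the hard-coded group before use."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keypair():
    """Long-term or ephemeral DH key: (private exponent, public g^x mod p)."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)


def valid_public(y):
    """Reject out-of-range and small-subgroup values before exponentiating."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


def dh(priv, pub):
    if not valid_public(pub):
        raise ValueError("invalid peer public value")
    return pow(pub, priv, P).to_bytes(256, "big")


def hkdf_sha256(ikm, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with an all-zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]


def transcript(init_lt_pub, init_eph_pub, resp_lt_pub, resp_eph_pub):
    """Bind the key to exactly the four public values both sides saw."""
    return b"".join(v.to_bytes(256, "big")
                    for v in (init_lt_pub, init_eph_pub, resp_lt_pub, resp_eph_pub))


def session_key(role, lt_priv, eph_priv, peer_lt_pub, peer_eph_pub, wire):
    """Triple-DH session key, same secret order on both sides:
    s1 = DH(initiator ephemeral, responder long-term)   } only the long-term
    s2 = DH(initiator long-term, responder ephemeral)   } key holders get these
    s3 = DH(initiator ephemeral, responder ephemeral)   forward secrecy"""
    if role == "initiator":
        s1, s2 = dh(eph_priv, peer_lt_pub), dh(lt_priv, peer_eph_pub)
    else:
        s1, s2 = dh(lt_priv, peer_eph_pub), dh(eph_priv, peer_lt_pub)
    s3 = dh(eph_priv, peer_eph_pub)
    return hkdf_sha256(s1 + s2 + s3, b"chat-session-v1|" + wire)


def run_exchange():
    """Alice initiates, Bob responds; then check the post's threat model."""
    alice_lt, bob_lt = keypair(), keypair()      # registered with the server
    alice_eph, bob_eph = keypair(), keypair()    # fresh for this conversation
    wire = transcript(alice_lt[1], alice_eph[1], bob_lt[1], bob_eph[1])
    k_alice = session_key("initiator", alice_lt[0], alice_eph[0], bob_lt[1], bob_eph[1], wire)
    k_bob = session_key("responder", bob_lt[0], bob_eph[0], alice_lt[1], alice_eph[1], wire)
    # Attacker holding BOTH long-term private keys plus a packet dump (all four
    # public values): s1 and s2 fall, but s3 needs an ephemeral private key.
    attacker_s1_s2 = (dh(bob_lt[0], alice_eph[1]), dh(alice_lt[0], bob_eph[1]))
    real_s1_s2 = (dh(alice_eph[0], bob_lt[1]), dh(bob_eph[0], alice_lt[1]))
    # If step 6 were skipped and Alice's ephemeral key survived, the same
    # attacker finishes the job; this is why the ephemeral keys must be erased.
    k_leaked = session_key("initiator", alice_lt[0], alice_eph[0], bob_lt[1], bob_eph[1], wire)
    del alice_eph, bob_eph  # step 6: ephemeral material is dropped at session end
    return {"keys_match": k_alice == k_bob, "attacker_gets_s1_s2": attacker_s1_s2 == real_s1_s2,
            "leaked_ephemeral_recovers_key": k_leaked == k_alice, "session_key": k_alice}


class KeyCache:
    """Step 7: trust-on-first-use pinning of peer long-term public keys."""
    def __init__(self):
        self.pins = {}

    def check(self, user, server_pub):
        if user not in self.pins:
            self.pins[user] = server_pub
            return "first-use"
        return "match" if self.pins[user] == server_pub else "MISMATCH"
```

Two details matter beyond the post's outline: `valid_public` rejects values outside the prime-order subgroup so a malicious peer or relay cannot force the shared secret into a tiny set, and the HKDF `info` carries the whole transcript so a key agreed under tampered public values differs from the one the honest peer derives. `run_exchange` also shows the flip side of step 6: the forward-secrecy argument only holds once the ephemeral private keys are actually gone.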