Tor Messenger 0.1.0b4 is released

We are pleased to announce another public beta release of Tor Messenger. This release addresses a number of stability and usability issues, and includes the default bridge configurations for pluggable transports.

The initial public release was a success in that it garnered a lot of useful feedback. We tried to respond to all your concerns in the comments of the blog post but also collected and aggregated a FAQ of the most common questions.

Before Upgrading

Before upgrading to the new release, you will need to back up your OTR keys or simply generate new ones. Please see the following steps to back them up.

In our eagerness to build on work done by Tor Browser, we made the decision to store your profile directory inside the application bundle. This complicates matters when you want to use the same accounts and keys across updates, especially while we don't have an automatic updater. Please see #13861.

Also, as was vociferously pointed out by some of our early adopters, this probably isn't a very intuitive user experience. Copying the extracted application to someone else's computer would unknowingly transfer your accounts and OTR keys. It's unclear if this is commonly done and we'd love feedback on this point to understand the urgency of the issue.

In future releases, we plan on revisiting this decision. The number one item on our roadmap is porting Tor Browser's updater patches (#14388) so that keeping Tor Messenger up-to-date is seamless and automatic. We also plan to add a UI to make importing OTR keys and accounts from Pidgin, and other clients, as easy as possible (#16526).

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

OS X (Mac)

sha256sums.txt
sha256sums.txt.asc

The sha256sums.txt file containing hashes of the bundles is signed with the key 0x6887935AB297B391 (fingerprint: 3A0B 3D84 3708 9613 6B84 5E82 6887 935A B297 B391).
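One way to carry out that check, as an added example (not a script from the Tor Project): it confirms that sha256sums.txt.asc is a valid signature by the fingerprint published above, then compares a bundle's SHA-256 with its entry in the signed list. It assumes the signing key is already in your gpg keyring and that sha256sums.txt uses the usual `sha256sum` line format; the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: check a downloaded bundle against the signed sha256sums.txt.
# EXPECTED_FPR is the fingerprint published in this post, spaces removed.
EXPECTED_FPR="3A0B3D84370896136B845E826887935AB297B391"

# Read gpg --status-fd lines on stdin; succeed only if a VALIDSIG line names
# the wanted fingerprint (signing key in field 3, primary key in last field)
# and gpg reported no bad or revoked-key signature.
signer_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "REVKEYSIG") { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# usage: verify_signature sha256sums.txt.asc sha256sums.txt
verify_signature() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | signer_matches "$EXPECTED_FPR"
}

# usage: verify_bundle sha256sums.txt <bundle>
# Returns 0 on a hash match, 1 on a mismatch, 2 if the bundle is not listed.
verify_bundle() {
    local name want got
    name=$(basename "$2")
    want=$(awk -v n="$name" '{ f = $2; sub(/^[*]/, "", f) } f == n { print $1; exit }' "$1")
    [ -n "$want" ] || return 2
    got=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# Run as: ./verify.sh sha256sums.txt.asc sha256sums.txt <bundle>
if [ "$#" -eq 3 ]; then
    if verify_signature "$1" "$2" && verify_bundle "$2" "$3"; then
        echo "OK: $3"
    else
        echo "FAILED: $3" >&2; exit 1
    fi
fi
```

Matching on the full fingerprint rather than the short key ID matters here: a signature that gpg reports as good but made by any other key in the keyring is rejected.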

Changelog

Here is the complete changelog since v0.1.0b2:

Tor Messenger 0.1.0b4 -- November 22 2015

  • All Platforms
    • Bug 17492: Include default bridges configuration
    • Use tor and the pluggable transports from tor-browser 5.0.4
    • Bug 17552: Instantbird should handle XMPP message stanzas with subjects
    • ctypes-otr
      • Bug 17539: Pass username when interpolating resent string
      • Bug 15179: Add an OTR Preferences item to the Tools menu
    • Use the FIREFOX_42_0_RELEASE tag on mozilla-release
    • Use the THUNDERBIRD_42_0b2_RELEASE tag on comm-release
    • Bug 16489: Prevent automatic logins at startup
    • Update Tor Messenger logo in Tor Launcher
  • Mac
    • Bug 16476: Themes preference is positioned incorrectly
    • Bug 17456: Application hang when navigating the preferences menu

Tor Messenger 0.1.0b3 -- October 30 2015

  • Windows
    • Bug 17453: Fix Tor Messenger crash when starting up in Windows


There's no way to check the version number in the GUI?

Filed as https://trac.torproject.org/projects/tor/ticket/17749, thanks!

Can tor-messenger be used as an irc client? Most of the time I get the following
*** Looking up your hostname...
*** Checking Ident
*** No Ident response
The current conversation is not private.
*** Found your hostname
Your account is disconnected.

Yes, it can be and is used as an IRC client. Are you connecting to OFTC? Because OFTC occasionally blocks Tor and there is nothing much we can do about it. Try with another IRC network and let us know if it works for you?

Yes, it's OFTC I've been trying to connect to. Which IRC networks are Tor friendly?

When trying to connect to OFTC some of the time it accepts me, other times not. Is there a way in tor-messenger to create a new circuit and try again?

The Tails people have reportedly experimented with creating a new circuit and that is a poor solution at best. So I am not sure if that actually helps since the bans seem arbitrary. They (Tails) also got in touch with the OFTC admins but nothing much progressed there. (As far as creating a new circuit from Tor Messenger, there is no way currently but we have plans for adding ControlPort support: https://trac.torproject.org/projects/tor/ticket/10950).

The IRC networks that work with Tor Messenger: we have heard complaints mostly related to OFTC and Freenode but that may also be because they are among the popular ones. You have to try with the IRC network you use and see if it works for you.

I get banned from irc.freenode.net :(
How do I get around this?

Sorry you have to check with Freenode. Try registering your account?

Hi sukhbir

If you are serious about helping Tor users achieve anonymity, please develop a Tor Messenger that is completely free of Javascript and the like.

Javascript is easily exploitable by hackers and the NSA.

Hi. The JS in Tor Messenger is not the same as the attacker controlled arbitrary JS that a page serves you in a browser.

I confess that I too am afraid of JS by default (e.g. for browser), but I can see you have thought about your design decisions, and I think I somewhat understand your point here.

Will Tor Messenger be available as a Debian package? Maybe not now but when a first stable version will be released? (Tor is available in the repos unlike TBB)

Yes, that's our goal as well. It's just that we haven't decided a timeline for that yet but it's certainly on our priority list (something related is the updater.)

Debian is my off-line OS, so this could be useful for me too although integrating TM with Tails is more important for me right now.

But I am concerned that downloading software using Debian package management may not be as secure, and probably won't be as anonymous, as downloading and verifying GPG signature of tarballs from torproject.org

Can you ask other Tor Project members to post a better explanation for security-minded ordinary Tor users interested in trying Debian's apt-tor-transport? What are the optimal lines for the sources.list file?

(For those who don't know, one rationale for using apt-tor-transport would be to counter the known USG tactic of abusing non-anonymous software updates to figure out which zero-days to send to your IP, if you happen to be a telecom engineer, US nuclear reactor technician, US high school student, climate scientist, journalist, blogger, Black Lives Matter organizer, Wikileaks volunteer, Greenpeace volunteer, anti-nuclear-weapons activist, Syrian exile,... or nephew or grandma of same.)

A bit OT, but I have long pestered Debian to improve the security/anonymity of updates. I have never had any luck finding a clear explanation anywhere of exactly what apt currently does to ensure software packages have not been altered "in transit" between the repository and the user's computer. My understanding-- which I hope is wrong (details please if anyone knows!)-- is that Debian provides a GPG signed statement of a list of MD-5 hashes (shudder!) instead of individually signing packages with strong crypto. Since even SHA-1 would be too weak, it would be concerning if this were true.

Can't find out anything from Debian, but hope you might know more. Even though Debian Project is not same as Tor Project, clearly to a considerable extent security of Tor users is closely tied to security of modern Debian systems. TIA.

I happily switched to Debian's experimental onion address yesterday.

I did "apt-get install apt-transport-tor", and then I put this address in my /etc/apt/sources.list file instead of the main jessie line:

deb tor+http://vwakviie2ienjx6t.onion/debian jessie main contrib non-free

And that was that. There isn't one for security.debian.org yet though. It's early days in their experiment.

Yes, mirroring security.debian.org will be essential for this idea to really work (since security updates are the ones everyone really needs to fetch), but this could be tricky.

The apt-transport-tor package seems not to have a man page, which is a problem. Worse, the only usage suggestion I found predates jessie becoming stable, so I don't seem to have the right lines in my /etc/apt/sources.list.

Since beta 4 I cannot log in to Facebook (error: Not authorized). App password does not work, and instant passwords usually sent by phone stopped coming. Maybe FB has at last completely banned XMPP service?

Can you please try https://trac.torproject.org/projects/tor/wiki/doc/TorMessenger/FAQ#Facebook and let us know if it works or doesn't for you?

It does not work for me. At the beginning of December I logged in normally via normal username and normal password, but a short time ago FB changed something and nothing (App Passwords I tried) works for me. Tor Messenger says: "Error: Not authorized (Did you enter the wrong password?)". :-(

I've done it as written - step by step. Alas, no luck.

Why would someone use this over, say, ricochet? Secondly, can anyone recommend a free and safe XMPP server suitable for use with this program? Thank you.

I use both!

See the original blog post:
https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily
where it talks about Pond and Ricochet too.

(In short, Ricochet is great if all your friends use Ricochet too. For those who don't, you need something like Tor Messenger.)

They're virtually all free. As for "safe", that can mean a lot of things. Some servers like Calyx Institute force OTR, so you or your peer can't accidentally send something in the clear. Others like DuckDuckGo have a .onion address (some even server-to-server Federation over .onion addresses). They all have varying degrees of TLS security (not xmpp specific). See TLS data at xmpp.net. I think the Beem Project maintains a fairly comprehensive list of servers.

Best part about xmpp is that all servers are interoperable (except for a few specific XEP extensions), so everyone can choose the server that suits his or her needs best, and still talk to each other.

> backup your OTR keys or simply generate new ones.

Wouldn't that introduce an opportunity for a MITM every time you generate a new one? I get that OTR doesn't support end-to-end authentication (like PGP does) other than out-of-band key exchange, but once you exchange that key you're either MITMed or not until you generate a new key. Fewer times it can possibly happen, better chances of having an authentic key.

The suggested backup procedure is a bit cumbersome, but I think it worked for me (not yet sure).

any plan to release it on android and iPhone?

I want to run a TOR relay on Windows, and did for some time using Vidalia, then there was some change where I apparently had to update some certificate related things to be accepted as a relay, but I couldn't figure out what to do. I asked and got a snippy brief answer that translated for me at least to "you should know how to figure this out idiot, so stop pestering us". I tried a bit more, but gave up and figured it would all get fixed somehow if I merely waited.

Vidalia disappeared. So what is one to do now?

Years ago I had access to free bandwidth in the same data center the FSF had a rack in where they ran a TOR relay, and I intentionally used IP space in a different /16 than they were in when I ran a relay there.

Though we all were really getting to the bigger internet on the same ASN, FSF did have their own ASN and used it to announce in BGP the IP block they had been allocated back to the data center. I was simply trying to keep as much apparent "distance" as I could due to the strictures against having relays too near each other.

If there is some way the TOR folks could have an easy to use Windows all-in-one Vidalia like (or why can't Vidalia be fixed?, or whatever is needed) package that almost anyone could easily just run that would let them be contributing more relays and bandwidth, and just maybe give them a reasonably usable "help" mechanism where useful help could be obtained without snippy holier-than-thou retorts from wise-ass little pricks ? I suspect there is a HUGE amount of relay network growth by simply targeting that one market.

Back then a company provided T1 to home was great, home end cisco 2501s were being upgraded to 2621s or better, and you could easily create tunnels that appeared to be in some other part of the US, but you still didn't really have real anonymity.

Now one gets > a T3 of bandwidth delivered on an ethernet jack on the carrier's equipment in the cellar, and even with many torrents running, there is easily 10 or 20 megabits or more that TOR is welcome to, but Vidalia where are you?

My understanding is that Vidalia has not been supported upstream for some time.

I don't understand how you want to use Vidalia, but if you just want to check which nodes you are using in your current circuit in Tor Browser, press the down arrow to the right of the green onion icon. You should see the same information about the circuit which Vidalia would give.

For monitoring your own relay, arm might be better?

<8 <8 <8 b4 seems to be working for me!

Following up to clarify: b3 didn't crash and let me create an account anonymously at a Tor friendly Jabber site, but I wasn't able to chat. Preliminary tests suggest that b4 enables me to do encrypted chat using my account. That's awesome! Still hoping to check OTR's verification mechanisms.

Thanks, sukhbir, and keep up the good work!

Noticed in Tor log when using TM v b4 (after Tor sets up with no problems):

Timestamp: ***
Warning: Error: __noSuchMethod__ is deprecated
Source File: resource:///modules/xmpp.jsm
Line: 1679
Timestamp: ***
Error: uncaught exception: 2147500033
Source File: resource://gre/components/ibConvStatsService.js
Line: 378

Able to back up key from account, connect to account, do encrypted chat, verify fingerprint.

Could the b3 post be updated to include a mention of b4 (and future betas)? I just downloaded b3 in error thinking it was the latest. Perhaps the links to download b3 should actually be replaced by links to b4.

Tor Messenger b4 didn't work for me in Tails. One of the messages was about what looks like a tor-related environment variable. Sorry not to be more specific - but anyway, I imagine this is as expected.

It would of course be great if it did work in Tails (or better yet, was shipped with Tails).

I have found I really have to shop around to find an xmpp server that will allow me to sign up using Tor browser (as would be good security in real use), and then also connect using Tor messenger. That's quite a high bar for inexperienced users. It would be really useful to have some pointers on this, even to the extent of letting people know to expect it and not to give up on that account.

> It would of course be great if it did work in Tails (or better yet, was shipped with Tails).

Plus one, but only after we are more confident that TM doesn't contain exploitable holes. Keep on plugging, Sukhbir!

Attempting to use arm, I edited torrc-defaults, adding the line:

DisableDebuggerAttachment 0

as suggested by arm, to both Tor Messenger's torrc-defaults, and TBB's.

Then whenever I started Tor Messenger, it attempted to start Tor Browser!

top showed multiple tor browser and instantbird processes.

Killing them and commenting the line made things return to normal.

Would it help to set Tor Messenger's Control Port to 9151, the same as the browser's? Otherwise, I don't see how arm can monitor both: arm -i $control_port_value commits you to just one.

Windows XP, instantbird.exe - entry point not found:
"the procedure entry point _vsnprintf_s could not be located in the dynamic library msvcrt.dll"

Will it be fixed?

Any timeline yet for when TM may "graduate" from Beta to TM 1.0?

Not working on win XP sp3

A question to addOns:
Is there a whitelist for AddOn in the Tor Messenger? Since many Addons of instantbird are "not compatible with Tor Msger 1.5".
