Tor Messenger 0.4.0b1 is released

We are pleased to announce another public beta release of Tor Messenger. This release features important improvements to the stability and security of Tor Messenger. All users are encouraged to upgrade.

Tor Messenger 0.3.0b2 users will be automatically prompted to install the update (similar to Tor Browser). On installing and restarting, the update will be applied; your account settings and OTR keys will be preserved.

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

macOS

sha256sums-signed-build.txt
sha256sums-signed-build.txt.asc

The sha256sums-signed-build.txt file containing hashes of the bundles is signed with the key 0xB01C8B006DA77FAA (fingerprint: E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint from the signing keys page on Tor Project's website.
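The check described above can be scripted. This is an added example, not part of the original announcement or the project's own tooling. It assumes gpg, awk and sha256sum are installed, that the signing key is already imported, and that the bundle, sha256sums-signed-build.txt and its .asc file are in the current directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes gpg, awk and sha256sum are installed and that the
# signing key was imported after checking its fingerprint on the signing keys page.
PINNED_FPR="E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA"  # from the announcement
SUMS="sha256sums-signed-build.txt"

# Read `gpg --status-fd 1` output on stdin. Succeed only if a VALIDSIG line
# names the pinned key as the signing key ($3) or as its primary key (last field).
sig_is_from_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# bundle_matches_list FILE LIST: succeed only if LIST has an entry for FILE's
# base name and that entry equals the SHA-256 of FILE as it is on disk.
bundle_matches_list() {
    name=$(basename "$1")
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); sub(/^.*\//, "", f) }
        f == n { print $1; exit }' "$2")
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# verify_bundle FILE: check the signature on the hash list first, and trust
# the hashes in it only after that check has passed.
verify_bundle() {
    status=$(gpg --status-fd 1 --verify "$SUMS.asc" "$SUMS" 2>/dev/null) || {
        echo "gpg did not accept the signature on $SUMS" >&2; return 1; }
    printf '%s\n' "$status" | sig_is_from_pinned_key || {
        echo "signature is valid but not from the pinned key" >&2; return 1; }
    bundle_matches_list "$1" "$SUMS" || {
        echo "$1 does not match its entry in $SUMS" >&2; return 1; }
    echo "OK: $1"
}

# Run only when a bundle file name is given on the command line.
if [ $# -gt 0 ]; then verify_bundle "$1"; fi
```

Pinning the full fingerprint in the script means a valid signature from any other key in the local keyring is rejected rather than accepted.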

Changelog

Tor Messenger 0.4.0b1 -- March 06, 2017

  • All Platforms
    • Use the tor-browser-45.7.0esr-6.5-1-build1 tag on tor-browser
    • Use the THUNDERBIRD_45_7_0_RELEASE tag on comm-esr45
    • Update tor-browser to 6.5
    • Update tor-launcher to 0.2.10.3
  • Windows
    • Fix automatic generation of complete MAR files
    • Trac 21231: Enable intl-api


What is the reason to release this out based on outdated/vulnerable versions of underlying software?

Tor Browser 6.5 is the latest TB version, why do you think that it's "outdated/vulnerable"?

Beta versions are for testing, reporting bugs:vulnerabilities; = unstable.

I'm going to assume you mean because there's a 45.8.0 tagged.

This release got delayed several weeks due to some difficulties producing the incremental updates. Unfortunately, during that debugging period, the current bins were left on dist.tp.o and presumably some users installed them. See https://trac.torproject.org/projects/tor/ticket/21633

We felt it prudent to go through with the release so that those users weren't running unannounced software and to ease the transition to the next version.

There should be another update following shortly.

That's a good answer. What about making rbm builds?

You mean w/ https://gitweb.torproject.org/builders/rbm.git/

Tor Messenger is already built w/ rbm, and has been since the beginning,
https://gitweb.torproject.org/tor-messenger-build.git/

However, only Linux builds are currently reproducible. See,
https://trac.torproject.org/projects/tor/ticket/10942

That will be fixed once Tor Browser starts using rbm as well, and we benefit from their efforts. This is tracked in,
https://trac.torproject.org/projects/tor/ticket/17379

I mean
> The tor-messenger-build repository only contains the components that are specific to Tor Messenger, and has tor-browser-build as a git submodule

Also what about replacing Thunderbird with something TorBirdy-based (tor-mail)?

We have discussed doing this before, but personally (and in my opinion), I am not sure if it's worth the effort unless there is a specific use case. All the TorBirdy settings (for now at least) are applicable to Thunderbird using an extension so for us to invest time in a mail bundle is not completely justifiable, other than the fact that it will make configuration and setup easier. To be clear, this is an open discussion so feedback is welcome. Is there a specific use for a mail bundle you have in mind?

The situation is simple from the user perspective, but may not be obvious from the developer one. Users want something (solution=complete product) ready to use out-of-the-box (not bundle, extension, etc - that's why we have Tor Browser (not bundle, not torbutton) and from the trusted vendor (TTP, not Mozilla).
That's why I asked you whether you started to make rbm builds based on tor-browser-build, because that should significantly reduce the effort needed to make tor-messenger-build and tor-mail-build.

We have tried the "Tor mail bundle" once and it's still part of the build process for Tor Messenger. (See https://gitweb.torproject.org/tor-messenger-build.git/tree/Makefile#n10). It would still work; probably just have to update the version numbers. Perhaps we should give that a beta run and see the feedback we get...

Of course, as you use the THUNDERBIRD_45_7_0_RELEASE tag on comm-esr45. So, you could even decide to make tor-messenger-build based on tor-mail-build based on tor-browser-build.
About the feedback: users asked why you hadn't placed a link on the front page (Pluggable Transports and Stem are good candidates for replacement). If you call the apps Tor Messenger Beta and Tor Mail Beta and put them on the main page, then users would be able to see that a broad feedback is needed.

> that's why we have Tor Browser (not bundle, not torbutton)

Actually, I would argue that that's because at one time there were limitations in what a browser extension could do which didn't meet Torbutton's needs, and changes were taking too long waiting on upstream (Mozilla). That's why Firefox was forked to Tor Browser initially, not for convenience.

Wouldn't it be a lot easier to ship vanilla Thunderbird with TorBirdy than to fork it all together?

That's what we were doing (and still are, at least in the code): vanilla Thunderbird with TorBirdy and Tor Launcher, packed into a Tor Messenger-like bundle.

Wouldn't. Not all changes are accepted upstream.

Why don't you put a link of the Tor Messenger website in the front page of torproject.org (instead of Tor2web for example)? https://thetorproject.github.io/tor-messenger-website/

It's harder for me to sift through the blog posts to find it and I think more people would like to try it out since it would be easier to find it from the front page.

It is listed on the projects page,
https://www.torproject.org/projects/projects.html.en

However, there's some hesitation on how highly to promote this application while it's still in beta. We've been trying to find a balance between getting feedback and not putting users at risk.

Although, there's always the argument that users don't heed warnings and that you shouldn't put anything out there that has the potential to be unsafe, which I sympathize with ...

Thanks for your answer! :)

I downloaded 0.4.0b1 a while back. Now I'm confused.

That's fine; it's the same thing but we were fixing an issue with the updater so didn't announce the release on the blog. See https://trac.torproject.org/projects/tor/ticket/21633 for more information.

Thanks, I had same confusion as the OP.

Please keep up all your good work! I think TM is very promising, and needed with such desperate urgency by journos, lawyers, doctors, climate researchers, etc. that some are starting to use TM for real applications. So I guess I am a very high stakes beta tester now :-/ No pressure, hey? :-/

Thanks

Does it still only accept valid XMPP and IRC certs? With no option to accept them manually or allow those in the settings.

That's the only reason I can't use it. Please fix it.

According to the changelog, that was fixed in 0.3.0b2,
https://gitweb.torproject.org/tor-messenger-build.git/tree/ChangeLog

"Permit storing cert. exceptions in private browsing mode"

Fixed perhaps. But I haven't managed to make it work.

When you ask it to connect, you get the error of invalid domain, no option to accept the cert and verify it manually or information on "alternatives"

They are atm

1: Add a crt file to messenger's cert center.

Problem. How do you get a file like that from oftc.net or random-xmpp.com? When you do get it or create it, it's still invalid because the server is xxx.onion, but the SSL cert is from the server's public XMPP server with xxxx.com.

2: Private browsing ? Well browsing... for a fix to my problem, I have not seen such a function or read about it. Generally browsing with a messenger seems a bit strange.

What's normally done in other messenger programs:

1: Allow invalid certs setting when the server is setup.
2: Similar option when you connect the first time. (No,Once,always)
3: Saving invalid certs until restart, with the option to verify them in a settings panel.
4: Add fingerprints in the messenger's cert settings panel.

3,4 are similar to the "permit storing cert" function mentioned in the change log. But Tor Messenger still requires valid domains cert at connection.

None of these are provided with tor messenger.

You should be presented with the same "Add Exception" options as in Firefox.

Maybe you're running into this bug where the font is hard to read,
https://trac.torproject.org/projects/tor/ticket/17517

A screenshot demonstrating it,
https://trac.torproject.org/projects/tor/attachment/ticket/17517/tor-messenger-add-exception.png

Any hints on when we can expect these?

(i) a security audit of Tor Messenger, maybe by Ioactive?

(ii) out of beta?

(iii) Tor Messenger in Tails?

Keep up the good work!

Sorry, no dates we can commit to at present.

(ii) will follow (i), assuming good results. We've discussed engaging an independent auditor, but no firm plans as of yet.

For (iii), see https://tails.boum.org/blueprint/replace_Pidgin/

Thanks, arlo, that is helpful.

Totally agree that a favorable audit should precede passing out of beta.

Strictly speaking the following is OT but very important since (as of midnight+1 13 Mar 2017 UTC) it seems the Tails Project has not yet announced Tails 2.1l (the last 32-bit Tails) using their account in this blog:

Everyone who uses Tails on a 32-bit machine needs to purchase a new computer before Jun 2017 in order to continue using Tails! See:

https://tails.boum.org/news/Tails_3.0_will_require_a_64-bit_processor/index.en.html
Tails 3.0 will require a 64-bit processor

> Tails 3.0 will require a 64-bit x86-64 compatible processor. As opposed to older versions of Tails, it will not work on 32-bit processors. We have waited for years until we felt it was the right time to do this switch. Still, this was a hard decision for us to make. Today, we want to explain why we eventually made this decision, how it will affect users, and when.

I don't disagree with their decision but obviously a "heads up" is critical for anyone who will need to purchase a new computer in order to continue using Tails.

Also, any information about how Debian 9.0 (stretch) becoming the new stable, presumably before Jun 2013, will affect Debian users who use the onion mirrors to update their system would be much appreciated!

Thanks for your patience.

Gajim sounds unacceptable owing to inviting easy MITM. I hope TM will be ready for Tails soon. Wish I could help arrange an audit but I can't.

More reason to choose an open source messaging app which has passed a security audit:

Two independent analyses of a commercial messaging app, Confide, are not flattering. The most incendiary implication is that several crippling weaknesses appear to result from willful design decisions. See

https://arstechnica.com/security/2017/03/unfixed-weaknesses-in-confide-stoke-doubts-about-end-to-end-crypto-claims/
Dear Confide: “We would never” isn’t the same as “we can’t”
Confidential messenger service provides no authentication or integrity assurances.
Dan Goodin
9 Mar 2017

> A pair of damning advisories independently published Wednesday raise serious questions about the security assurances of Confide, a messaging app that's billed as providing "battle tested, military grade" end-to-end encryption and is reportedly being used by individuals inside the US government.

Omemo implemented?

https://trac.torproject.org/projects/tor/ticket/17457

omemo support coming?

https://trac.torproject.org/projects/tor/ticket/17457
