Tor Messenger 0.4.0b1 is released

by sukhbir | March 6, 2017

We are pleased to announce another public beta release of Tor Messenger. This release features important improvements to the stability and security of Tor Messenger. All users are encouraged to upgrade.

Tor Messenger 0.3.0b2 users will be automatically prompted to install the update (similar to Tor Browser). On installing and restarting, the update will be applied; your account settings and OTR keys will be preserved.

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

macOS

sha256sums-signed-build.txt
sha256sums-signed-build.txt.asc

The sha256sums-signed-build.txt file containing hashes of the bundles is signed with the key 0xB01C8B006DA77FAA (fingerprint: E4AC D397 5427 A5BA 8450  A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint from the signing keys page on Tor Project's website.

Changelog

Tor Messenger 0.4.0b1 -- March 06, 2017

  • All Platforms
    • Use the tor-browser-45.7.0esr-6.5-1-build1 tag on tor-browser
    • Use the THUNDERBIRD_45_7_0_RELEASE tag on comm-esr45
    • Update tor-browser to 6.5
    • Update tor-launcher to 0.2.10.3
  • Windows
    • Fix automatic generation of complete MAR files
    • Trac 21231: Enable intl-api

Comments

Please note that the comment area below has been archived.

March 06, 2017

Permalink

What is the reason to release this out based on outdated/vulnerable versions of underlying software?

I'm going to assume you mean because there's a 45.8.0 tagged.

This release got delayed several weeks due to some difficulties producing the incremental updates. Unfortunately, during that debugging period, the current bins were left on dist.tp.o and presumably some users installed them. See https://trac.torproject.org/projects/tor/ticket/21633

We felt it prudent to go through with the release so that those users weren't running unannounced software and to ease the transition to the next version.

There should be another update following shortly.

You mean w/ https://gitweb.torproject.org/builders/rbm.git/

Tor Messenger is already built w/ rbm, and has been since the beginning,
https://gitweb.torproject.org/tor-messenger-build.git/

However, only Linux builds are currently reproducible. See,
https://trac.torproject.org/projects/tor/ticket/10942

That will be fixed once Tor Browser starts using rbm as well, and we benefit from their efforts. This is tracked in,
https://trac.torproject.org/projects/tor/ticket/17379

March 08, 2017

In reply to arlo

Permalink

I mean
> The tor-messenger-build repository only contains the components that are specific to Tor Messenger, and has tor-browser-build as a git submodule

Also what about replacing Thunderbird with something TorBirdy-based (tor-mail)?

We have discussed doing this before, but personally (and in my opinion), I am not sure if it's worth the effort unless there is a specific use case. All the TorBirdy settings (for now at least) are applicable to Thunderbird using an extension so for us to invest time in a mail bundle is not completely justifiable, other than the fact that it will make configuration and setup easier. To be clear, this is an open discussion so feedback is welcome. Is there a specific use for a mail bundle you have in mind?

March 08, 2017

In reply to sukhbir

Permalink

The situation is simple from the user perspective, but may not be obvious from the developer one. Users want something (solution=complete product) ready to use out-of-the-box (not bundle, extension, etc - that's why we have Tor Browser (not bundle, not torbutton) and from the trusted vendor (TTP, not Mozilla).
That's why I asked you whether you started to make rbm builds based on tor-browser-build, because that should significantly reduce the effort needed to make tor-messenger-build and tor-mail-build.

March 08, 2017

In reply to sukhbir

Permalink

Of course, as you use the THUNDERBIRD_45_7_0_RELEASE tag on comm-esr45. So, you could even decide to make tor-messenger-build based on tor-mail-build based on tor-browser-build.
About the feedback: users asked why you hadn't placed a link on the front page (Pluggable Transports and Stem are good candidates for replacement). If you call the apps Tor Messenger Beta and Tor Mail Beta and put them on the main page, then users would be able to see that a broad feedback is needed.

> that's why we have Tor Browser (not bundle, not torbutton)

Actually, I would argue that that's because at one time there were limitations in what a browser extension could do which didn't meet Torbutton's needs, and changes were taking too long waiting on upstream (Mozilla). That's why Firefox was forked to Tor Browser initially, not for convenience.

Wouldn't it be a lot easier to ship vanilla Thunderbird with TorBirdy than to fork it all together?

That's what we were doing (and still are, at least in the code): vanilla Thunderbird with TorBirdy and Tor Launcher, packed into a Tor Messenger-like bundle.

It is listed on the projects page,
https://www.torproject.org/projects/projects.html.en

However, there's some hesitation on how highly to promote this application while it's still in beta. We've been trying to find a balance between getting feedback and not putting users at risk.

Although, there's always the argument that users don't heed warnings and that you shouldn't put anything out there that has the potential to be unsafe, which I sympathize with ...

March 07, 2017

In reply to sukhbir

Permalink

Thanks, I had same confusion as the OP.

Please keep up all your good work! I think TM is very promising, and needed with such desperate urgency by journos, lawyers, doctors, climate researchers, etc. that some are starting to use TM for real applications. So I guess I am a very high stakes beta tester now :-/ No pressure, hey? :-/

March 07, 2017

Permalink

Does it still only accept valid XMPP and IRC certs ? with no option to accept them manually or allow those in the settings.

Thats the only reason I can`t use it. Please fix it.

March 07, 2017

Permalink

Fixed perhaps. But I havn`t managed to make it work.

When you ask it to connect, you get the error of invalid domain, no option to accept the cert and verify it manually or information on "alternatives"

They are atm

1: Add a crt file to messengers cert center.

Problem. How do you get a file like that from oftc.net or random-xmpp.com ? When you do get it or creates it. Its still unvalid because the server is xxx.onion, but the ssl cert is from the servers public xmpp server with xxxx.com.

2: Private browsing ? Well browsing... for a fix to my problem, I have not seen such a function or read about it. Generally browsing with a messenger seems a bit strange.

Whats normally done in other messenger programs.

1: Allow invalid certs setting when the server is setup.
2: Similar option when you connect the first time. (No,Once,always)
3: Saving invalid certs until restart, with the option to verify them in a settings panel.
4: Add fingerprints in the messengers cert settings panel.

3,4 are similar to the "permit storing cert" function mentioned in the change log. But tor messenger still requires valid domains cert at connection,

None of these are provided with tor messenger.

March 09, 2017

Permalink

Any hints on when we can expect these?

(i) a security audit of Tor Messenger, maybe by Ioactive?

(ii) out of beta?

(iii) Tor Messenger in Tails?

Keep up the good work!

March 12, 2017

In reply to arlo

Permalink

Thanks, arlo, that is helpful.

Totally agree that a favorable audit should precede passing out of beta.

Strictly speaking the following is OT but very important since (as of midnight+1 13 Mar 2017 UTC) it seems the Tails Project has not yet announced Tails 2.1l (the last 32-bit Tails) using their account in this blog:

Everyone who uses Tails on a 32-bit machine needs to purchase a new computer before Jun 2017 in order to continue using Tails! See:

https://tails.boum.org/news/Tails_3.0_will_require_a_64-bit_processor/i…
Tails 3.0 will require a 64-bit processor

> Tails 3.0 will require a 64-bit x86-64 compatible processor. As opposed to older versions of Tails, it will not work on 32-bit processors. We have waited for years until we felt it was the right time to do this switch. Still, this was a hard decision for us to make. Today, we want to explain why we eventually made this decision, how it will affect users, and when.

I don't disagree with their decision but obviously a "heads up" is critical for anyone who will need to purchase a new computer in order to continue using Tails.

Also, any information about how Debian 9.0 (stretch) becoming the new stable, presumably before Jun 2013, will affect Debian users who use the onion mirrors to update their system would be much appreciated!

Thanks for your patience.

March 12, 2017

In reply to arlo

Permalink

Gajim sounds unacceptable owing to inviting easy MITM. I hope TM will be ready for Tails soon. Wish I could help arrange an audit but I can't.

March 10, 2017

Permalink

More reason to choose an open source messaging app which has passed a security audit:

Two independent analyses of a commercial messenging app, Confide, are not flattering, The most incendiary implication is that several crippling weaknesses appear to result from willful design decisions. See

https://arstechnica.com/security/2017/03/unfixed-weaknesses-in-confide-…
Dear Confide: “We would never” isn’t the same as “we can’t”
Confidential messenger service provides no authentication or integrity assurances.
Dan Goodin
9 Mar 2017

> A pair of damning advisories independently published Wednesday raise serious questions about the security assurances of Confide, a messaging app that's billed as providing "battle tested, military grade" end-to-end encryption and is reportedly being used by individuals inside the US government.

April 10, 2017

Permalink

Hello, I am trying to connect to freenode onion server with Tor Messenger,
so I am following the steps of this entry:
https://trac.torproject.org/projects/tor/wiki/doc/TorMessenger/SASL
But the last step:
"copy the private key (middle line) to the preference
messenger.account.accountN.ecdsa in the config editor in Tor Messenger"
I can not do it because there is not that entry in my config editor.
Can anyone help me?

April 10, 2017

Permalink

I could resolve the problem about .edsa, a nice person help me in
irc,oftc.net #tor-messenger. I had to create the entry myself, in
about:config → new →string → messenger.account.accountN.ecdsa →
an then my key → ########, and it is ready for connecting.