Tor Messenger Beta: Chat over Tor, Easily

Today we are releasing a new, beta version of Tor Messenger, based on Instantbird, an instant messaging client developed in the Mozilla community.

What is it?

Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

What it isn't...

Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server. However, your route to the server will be hidden because you are communicating over Tor.

We are also excited about systems like Pond and Ricochet, which try to solve this problem, and would encourage you to look at their designs and use them too.

Why Instantbird?

We considered a number of messaging clients: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice -- its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

Current Status

Today we are releasing a beta version with which we hope to gain both usability and security-related feedback. There have been three previous alpha releases to the mailing lists that have already helped smooth out some of the rougher edges.

Downloads (Updated)

Get the latest version

Instructions

  • On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
  • On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.
  • On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.

  • Note that as a policy, unencrypted one-to-one conversations are not allowed and your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication but doing so is not recommended.

Source Code

We are doing automated builds of Tor Messenger for all platforms.

The Linux builds are reproducible: anyone who builds Tor Messenger for Linux should have byte-for-byte identical binaries compared with other builds from a given source. You can build it yourself and let us know if you encounter any problems or cannot match our build. The Windows and OS X builds are not completely reproducible yet but we are working on it.

What's to Come

Our current focus is security, robustness and user experience. We will be fixing bugs and releasing updates as appropriate, and in the future, we plan on pairing releases with Mozilla's Extended Support Release (ESR) cycle. We have some ideas on where to take Tor Messenger but we would like to hear what you have to say. Some possibilities include:

How To Help

Give it a try, send us feedback and requests, and file bugs (choose the "Tor Messenger" component). If you are a developer, help us close all our tickets or help us review our design doc. As always, we are idling on IRC in #tor-dev (OFTC) (nicks: arlolra; boklm; sukhe) and subscribed to the tor-talk/dev mailing lists.

Please note that this release is for users who would like to help us test the product and who also understand the risks involved in using beta software.

Thanks and we hope you enjoy Tor Messenger!


Update: For Windows 10 (and some Windows 7, 8) users who were experiencing an issue in Tor Messenger where it wouldn't start, we have updated the download links above with a newer version that fixes the problem described in bug 17453.


Any way for links pasted in chat to be formatted as clickable hyperlinks?

Yes, this is on purpose because we don't want users clicking their links and opening a browser that is not Tor Browser. We will fix this in future releases by being smart about it -- by detecting Tor Browser and opening the link there, or by giving you an option of choosing what to do with the link. For now, we decided that we don't want users clicking on links by mistake so that is why they are disabled. (#13618 on Trac.)

That makes sense and what I assumed. Sounds like you've identified the plan forward with this as well. Thanks and great job!

I need help. I have just installed the Tor messenger but 'Add contact', 'New conversation', 'Join chat' are not active. Please advise

Add an account first. You could for example use XMPP or an IRC network. All 1-on-1 chats will be automatically OTR-encrypted. If you want to use an XMPP server that has a hidden service, there are several to choose from, but one I tested to work well in Tor Messenger is rows.io (just check their website for information and use in-band registration to create a new account). Of course if you want to actually have a person to talk to, they also need to have an XMPP account somewhere or should be logged into the same IRC network, depending on what you end up using. There are also less privacy-friendly options like Facebook Messenger available, you can also use these depending on what your needs/wishes are into a chat service.

I am trying to get this chat working also...when you go to add a account irc or the other it ask what server you want to use....pick user then server ??????? I have no idea....I am running into the same problem as everyone else trying to log in to my google or facebook account......any help anybody ????

Don't use your Google or Facebook accounts, use a Jabber/XMPP account or connect to an IRC network that is Tor-friendly. For example OFTC or Darenet. If you don't have a Jabber account yet, just search the web for a server that sounds good to you and create an account, preferably they offer in-band registration so you can do it right from the Messenger without having to fill in any forms. There are many suitable services, dukgo.com, rows.io, and many more, you also get a free Jabber account if you're member of FSF or FSFE for example. It's really nothing particularly new, these communication protocols have been around for decades now.

I am unable to run it on my Windows Machine (Win 8.1 Pro 64 bit). I have tried using the compatibility mode for win7 and 8 but nothing worked. Tried running as administrator but it does not change anything. There's no error, when I click on the exe it waits for sometime and then nothing happens.

Other users are reporting this issue. It may be related to https://trac.torproject.org/projects/tor/ticket/17453. We are checking and will post an update.

There is now a workaround for this issue:
https://trac.torproject.org/projects/tor/ticket/17453#comment:7

Works for me on Win 7 64bit

See the update above, there's a new release. This issue should now be fixed.

Why wasn't it checked before it was released? If you make such a major mistake on one OS, what other faults are there that you haven't checked?

It was checked. It's just that this issue affects some Windows users, not all. The entire purpose of a beta release is to get feedback from users because we cannot check builds on all platforms. (We have updated the builds with the bug fixed.)

Same here on windows 10, nothing happens after install and run.

Can you try the workaround in the above ticket and let us know if it works for you?

See the update above, there's a new release. This issue should now be fixed.

Can this be safely used on Tails or will this negatively affect security?

We can't say yet. We will work with the Tails team; they are tracking the progress at: https://labs.riseup.net/code/issues/8577. Until we have an update, don't use it on Tails, or use it at your own discretion. If it works, tell us!

I had posted earlier about tor messenger not working on Win 8.1. Although it works on my Win server 2012 R2 VM.

Most likely related to https://trac.torproject.org/projects/tor/ticket/17453

See the update above, there's a new release. This issue should now be fixed.

love this!

Does this run on Tails? If not, is there a way to set it up?

We don't know yet but you can follow the progress here: https://labs.riseup.net/code/issues/8577. We will work with the Tails team.

It won't work within the Tor network. When starting the application terminal gave me this error: There seems to have been a quoting problem with your TOR_CONTROL_PASSWD environment variable. When clicking on OK, the program will start but is NOT connected through the Tor network. If you want to use the program in Tails, use it at own risk!!! No guarantees!

It looks like it works if you disable the tor launcher addon and change the proxy port to be that of the default tor proxy of the tails system. I still see the error but I am able to connect to servers on the onion network. There still could be some security issues, so I would be rather cautious about using it with servers on the clearnet.

How To Help:
a) i would like an audit for RICOCHET.
b) POND is not yet ready and no one can try it !
c) i would like false address -robot are ok- for testing Tor Messenger Beta.
d) i love ricochet ; will tor messenger be better or different ?
pls, add a comparison !

thx.

c). You can register accounts from within Tor Messenger for XMPP. If the server supports in-band registration, Tor Messenger will create an account for you. No email address or information required.

d). We love Ricochet! We use both products interchangeably. What Tor Messenger aims to provide is a secure way to connect with your friends over existing social networks like XMPP, IRC, Google Talk, while Ricochet is excellent if you don't want to have any metadata about whom you talk with. It depends on your use but we recommend both products.

your comment "d)" I think clears up the "What it isn't..." section in your main posting. the big difference between tor messenger and ricochet is:
tor sends metadata, but through tor onion routing.
ricochet sends no metadata, but doesn't send messages through onion routing.
correct?

It's not that Tor sends metadata. It's that because in a client-server model, the server knows your contacts (your metadata). This is not a Tor problem or Tor Messenger problem. And Ricochet sends messages over Tor (that's how it works).

> It's that because in a client-server model, the server knows your contacts (your metadata). This is not a Tor problem or Tor Messenger problem.

Hi sukhbir

Thanks for your effort in trying to create a product for us, Tor users.

Could you or someone else design a Tor-compatible product that is NOT based on the client-server model but instead based on a decentralized model such as, for example, Bitmessage? I understand that in Bitmessage no metadata is being transmitted across the network.

Ricochet peers (users) each have their own Tor onion service running, thereby keeping their communication private within the Tor network and without a central server to collect metadata. It uses onion routing to keep users anonymous.

Using services like Facebook Chat lets you use onion routing to connect, but then Facebook is in a position to gather metadata about who you're communicating with and when, even when concealing the content with OTR.

> a) i would like an audit for RICOCHET

What exactly do you mean by "audit"?

Security audits
i suppose it is yet done of course.

could eff , ocap or tor devs publish one ?)
i suppose that a special computer with a special program can search and research every fault (hidden or not) or error ( some aggressive tests can improve this 'app').

it is an experimental app and not recommended in hostile environment ; an audit will bring a reputation label and maybe sponsor,donation,support ...

It is possible for computer security experts and cryptographers to independently assess the robustness of privacy enhancing technology through careful examination.

i meant using the term _audit_ to go far ; a step further.

i was not speaking about development for tablet or cellphone (i have not confidence in these gadget made for social network _ ask to a lawyer what is thinking about that or look at the peoples who are taxed - or in jail - for a call or a message made a month, a week before).

it is not done yet for an hostile environment or when you are in danger ( because it should be illegal ? does it need to be approved from police,, army, government, your partner ? is it a proof of concept and nothing more ? a rewrite from an old terminal command with a modern re-looking which tor ? ).

if it is an experimental tool , we are all the beta-testers : so why do the devs or the security experts not open/organize a ricochet day where the users will be guest to communicate each others ... if it can improve the app , why not !
i prefer that the app stay in the hands of the devs than to be integrated in a tor project. i let them decide what will be the future of their creation ; i hope that they will choose to go a step further for you, for us, for our privacy, for finding maybe a free way when you are under survey ... before it was too late.

Make donations to ricochet and tor project , pls.

Thx.

Windows build not working for me on Windoze 10

Please see https://trac.torproject.org/projects/tor/ticket/17453. Short story: it seems to be an issue that is affecting some users on Windows. We are checking.

See the update above, there's a new release. This issue should now be fixed.

What about implementing OMEMO encryption?
http://conversations.im/omemo/

Definitely worth considering.

I've opened https://trac.torproject.org/projects/tor/ticket/17457

Is this something one can use without have previously registered a chat account somewhere?

Yes, you can register XMPP accounts from Tor Messenger (in-band) if the server supports it. You don't need an existing account. (This is not true for Facebook, Google Talk or Twitter, where you do need existing accounts for Tor Messenger to work.)

any chance explaining what "in-band" is ? an example or list of them please

thank champs

It doesn't open on my machine. It gives an error: 0x0000000070C19BD5 made reference to the memory on 0x0000000000000000. The memory can't be written.

If i launch it as admin it just loads but nothing happens, won't open and won't display any error.

Does this require something else in order to work?

Same here.

Windows 10? If yes, please see https://trac.torproject.org/projects/tor/ticket/17453.

Thanks for letting me know and yes, happening in Windows 10. Will wait for some update then.

Update: we have a workaround on https://trac.torproject.org/projects/tor/ticket/17453#comment:7

See the update above, there's a new release. This issue should now be fixed.

Heyhey, my Windows 8 /64-bit says "Insufficient system resources exist to complete the requested service."

Are you able to run/install other software?

Yep, me too.

Crash
Сигнатура проблемы:
Имя события проблемы: APPCRASH
Имя приложения: instantbird.exe
Версия приложения: 41.0.0.5729
Отметка времени приложения: 000232e8
Имя модуля с ошибкой: d2d1.dll
Версия модуля с ошибкой: 6.1.7601.17514
Отметка времени модуля с ошибкой: 4ce7b7aa
Код исключения: c0000005
Смещение исключения: 0001f3ba
Версия ОС: 6.1.7601.2.1.0.256.1
Код языка: 1049
Дополнительные сведения 1: 0a9e
Дополнительные сведения 2: 0a9e372d3b4ad19135b953a78882e789
Дополнительные сведения 3: 0a9e
Дополнительные сведения 4: 0a9e372d3b4ad19135b953a78882e789

Is this Windows 10? If yes, please report this to https://trac.torproject.org/projects/tor/ticket/17453.

See the update above, there's a new release. This issue should now be fixed.

No. It is win 7sp1 x64

I'm excited about Tor Messenger and really want to try it but downloaded .dmg twice and got the wrong sha256sum. Same number both of time different than original one.

5c0396f876101bd624d500322d7c588d85c844d1

That looks like sha1. Run sha256sum on the DMG. It should match.
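The mix-up in this exchange (a 40-character SHA-1 value compared against a published SHA-256) can be caught before anyone concludes the download is bad. The following is an added example, not part of the original post or of Tor Messenger; the function names are hypothetical and the sample file is constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm name.
HEX_LEN_TO_ALGO = {40: "sha1", 64: "sha256", 128: "sha512"}


def guess_algorithm(hex_digest):
    """Return the algorithm a hex digest most likely came from, or None."""
    d = hex_digest.strip().lower()
    if not d or any(c not in "0123456789abcdef" for c in d):
        return None
    return HEX_LEN_TO_ALGO.get(len(d))


def file_digest(path, algo):
    """Hash a file in chunks so a large disk image is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_sha256, observed=None):
    """Check a downloaded file against the published SHA-256 value.

    `observed` is an optional digest the user computed with some tool; if it
    is not SHA-256 length, say so instead of reporting a misleading mismatch.
    """
    if guess_algorithm(published_sha256) != "sha256":
        return "published value is not a SHA-256 digest"
    if observed is not None:
        algo = guess_algorithm(observed)
        if algo != "sha256":
            return "observed value looks like %s, not sha256" % (algo or "an unknown format")
    actual = file_digest(path, "sha256")
    # Constant-time comparison; both sides are lowercase ASCII hex.
    if hmac.compare_digest(actual, published_sha256.strip().lower()):
        return "match"
    return "MISMATCH: do not run this file"


if __name__ == "__main__":
    # The value pasted in the comment above is 40 hex characters long.
    print(guess_algorithm("5c0396f876101bd624d500322d7c588d85c844d1"))
    # Constructed sample file standing in for the downloaded DMG.
    fd, sample = tempfile.mkstemp()
    os.write(fd, b"abc")
    os.close(fd)
    published = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    print(verify_download(sample, published))
    os.remove(sample)
```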

installed on windows 8.1 x64 without errors, running doesn't show anything, process explorer shows tor.exe for a few secs. Tor browser runs fine on the same machine.

We are checking. If you have any more information you can provide, please file a ticket with the "Tor Messenger" component.

See the update above, there's a new release. This issue should now be fixed.

Any idea how to get this to jive with Google Talk? Obviously Google raises alerts when trying to connect to their services via Tor. Makes it tough to use my existing account

Thanks!

This will likely be a common problem. We have plans to allow controlling the Tor process from Tor Messenger so you can refresh your circuit and get a new exit node, but that may also not solve the problem. We had (rather, have) a similar issue with TorBirdy and Mike Hearn from Google replied on how to solve this: https://lists.torproject.org/pipermail/tor-talk/2012-October/025923.html. You can try this and it may involve giving your phone number, so be careful with that.

That requires you to disable tor, log into gmail to set a cookie, then reenable tor in the same browser for them to see your activity and whitelist you. How do you get the tor browser to stop using tor in order to do this?

I know it's not a proper solution by any shot. But this entire blocking behaviour by Google seems to be random and this is the only solution. In future release, you can refresh your circuit and get a new exit and that might help. But it's not a definitive solution. We know this is a huge problem and we will come up with better ways to handle this in the next release.

It is not a solution. You cannot solve this issue. Google raises an alert every time somebody tries to log into an account from an "unusual place". Google keeps track of where the account owner normally resides and throws a hissy fit every time s/he tries to log in from somewhere else, as determined by geoip location.

The issue is not limited to Tor. It happens when you use a VPN, too. Heck, it happens when you travel abroad, too!

In fact, the issue isn't limited to Google, either. Yahoo does the same. I don't use Facebook, but I suspect that they do the same, too.

There is not much point in supporting these chat protocols in a Tor-dependent messenger. I suggest that you remove them at least until Google, Yahoo, and all the other snoopers decide to become more Tor-friendly.

Not working on windows 7 - 64 bit.
It starts and shutdowns in half a second.
Is there a fix ?

Does it start at all or it doesn't even start? We have tested it in Windows 7 and 8 so will need a bit more information here to proceed.

You can try this: https://trac.torproject.org/projects/tor/ticket/17453#comment:7

See the update above, there's a new release. This issue should now be fixed.

Cannot malicious exit nodes eavesdrop facebook or google credentials?

No, because TLS is enabled for all protocols by default.

> No, because TLS is enabled for all protocols by default.

The NSA has found some weak links in the algorithms used to encrypt internet traffic. It means that whatever products or enhancements Tor developers are doing are vulnerable to US government snoops.

Matthew Green, one of the people who audited Truecrypt, postulated the NSA has solved some of the issues surrounding ECDLP (Elliptic Curve Discrete Logarithm Problem). "A riddle wrapped in a curve" (http://blog.cryptographyengineering.com/)

If you're still interested read the following post by Bruce Schneier as well: "Why Is the NSA Moving Away from Elliptic Curve Cryptography?" (https://www.schneier.com/blog/archives/2015/10/why_is_the_nsa_.html)

Cannot they do a man-in-the-middle attack?

> Cannot they do a man-in-the-middle attack?

No need to do man-in-the-middle attack no more. Direct attack is quicker and saves on resources and manpower.

If I want to uninstall Tor Messenger, is it enough to delete the program's folder? I can't find the program on Control Panel (Windows). Thanks

Deleting the folder should be enough since we do not write outside the folder. (Even the profile is in the folder.) If you find Tor Messenger is creating files outside its installation directory that are leaking information, please file a bug.

hello, when i run malwbites shows me riskwaretor mallware. is this ok? thanks

That's odd. Can you file a bug with more information on https://trac.torproject.org/projects/tor/newticket. Choose "Tor Messenger" as the component.

Tor Messenger is safe. Check the code :)

maybe malwarebytes did not know about tm, since tm is new beta.
maybe proxy port action of tm looks "suspicious" to malwarebytes

Using Telegram for now, but hopefully this will scale up in utility in a couple of years.

Telegram is not secure, you can bet NSA/GCHQ are watching everything on there. Details here: https://web.archive.org/web/20150927213317/http://www.alexrad.me/discourse/a-264-attack-on-telegram-and-why-a-super-villain-doesnt-need-it-to-read-your-telegram-chats.html

Use an OTR client like Pidgin/Jitsi/Adium/etc. for secure chatting until Tor Messenger development advances further.

That site does not include the latest or previously existing features in Telegram, such as encryption of cloud chats, the password layer on top of 2FA, etc.

And essentially that boils down to hacking into one secret chat with one trillion dollars, which is pretty much not worth it. And supposedly you'd notice, as it could take over a day for the keys to exchange. In which you would know that the chat has been compromised. I can post more info.

Here is Telegram's response. https://core.telegram.org/articles/DH_Hash_Collision

Other stuff from customer support: http://i.imgur.com/gTEbbAx.png

Throws the error "Your Instantbird profile cannot be loaded. It may be missing or inaccessible." after running .dmg on Mac !!

"On OS X, copy the Tor Messenger application from the disk image to your local disk before running it."

Problem signature:
Problem Event Name: APPCRASH
Application Name: instantbird.exe
Application Version: 41.0.0.5729
Application Timestamp: 000232e8
Fault Module Name: d2d1.dll
Fault Module Version: 6.1.7601.17514
Fault Module Timestamp: 4ce7b7aa
Exception Code: c0000005
Exception Offset: 0001f3ba
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 2057
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

Windows 10? Please see https://trac.torproject.org/projects/tor/ticket/17453. Sorry, this seems to be known bug that we will fix in the next release.

See the update above, there's a new release. This issue should now be fixed.

I download Tor Messenger and install it but it's not opening. I am using Windows 7 on my PC

Most likely related to https://trac.torproject.org/projects/tor/ticket/17453

See the update above, there's a new release. This issue should now be fixed.

Hi sukhbir:

> its transport protocols are written in a memory-safe language (JavaScript)

I'm shocked and puzzled as to why Tor developers would consider JavaScript to be safe.

Since its conception and rollout by Netscape till today, hundreds of security holes have been discovered in JavaScript.

Tor developers are a diverse group and I'm sure among them are many who hold the same beliefs as you.

The point was that JavaScript is a memory managed language, which theoretically eliminates a certain class of exploits. Further, as you said, Mozilla's JS VM has been in production for quite some time and seen some battle hardening.

I'm curious why you're not interested in integrating Ricochet's concept of secure, anonymous, server-less communications entirely inside the Tor network into Tor Messenger. It seems to align perfectly with the Tor Project's aims, especially as Tor Browser's functioning (accessing both the outside web and hidden services) is so analogous to Tor Messenger (accessing both outside third party IM servers and a Ricochet-style system of hidden service IM nodes).

Is it just a lack of resources (since you're so busy getting the baseline messaging client up and running)? Do you not like the Ricochet concept enough to integrate it? Do you think there aren't enough people who'd use it to be worth the development effort? Are there other important reasons?

I'm sure the Ricochet developers do good work, but the Tor Project would provide a better implementation, better support, and better auditing simply due to having more funding, better familiarity with Tor, and the sheer number of people focused on your products both inside and outside of the organization.

Are you planning on integrating the Ricochet concept into Tor Messenger in the future (near, medium, or distant/wishlist), or will that never occur?

Thanks for all your hard work.

We love Ricochet. That's why we made sure to point to it in the blog post. Many of us use both Ricochet and Tor Messenger.

The goal for Tor Messenger is to meet people where they are -- so you can have more safety on your side, while still interacting with your friends who e.g. use XMPP and OTR but haven't seen the light yet. While the goal of Ricochet (ok, one of the goals) is to give people a chat approach where there's no "middle", and thus no central point for the adversary to break in and snoop on things.

(In fact, we spent a while over the past few weeks trying to sort out whether the name 'Tor Messenger' would confuse people into thinking that we think this is the one true way, and we think approaches like Pond and Ricochet are not the one true way. We don't think that. We like both approaches.)

Whether one day the Tor Messenger client adds support for the Ricochet protocol is still a matter under discussion by the Tor Messenger folks and the Ricochet developer. One reason against is actually because the Ricochet person wants Ricochet to be an experience (i.e. including a client with good usability), not just a standardized protocol that all sorts of apps can implement and present to the user however they want. One argument on the other side though is that Ricochet is going to have a tough time being its own self-contained network, while also still using Qt (and thus not working well on mobile). More thinking to be done there for sure.

As for the "doing it inside Tor Messenger would provide better familiarity with Tor" angle, we've actually brought the main Ricochet person under our umbrella and we're happy to call him a Tor person now. So we help him, and he helps us, just as much as in the Tor Messenger case.

And lastly, on the funding angle, actually neither project has any funding currently. We're working on helping both of them to fix that.

Thanks for your response.

Please keep in mind that you're not necessarily restricted to only using Ricochet's protocol for hidden service IM nodes, so if you are interested in the concept but can't come to an agreement with the Ricochet devs or for whatever reason can't integrate it into Tor Messenger, you could always develop your own standardized protocol (e.g. based on TorChat; though the benefits of not having to reinvent the wheel are obvious).

I hope it's possible to integrate Ricochet (or something similar) into Tor Messenger in the future, as they seem like a perfect fit, and I tend to favor single programs that do everything instead of multiple programs that do one thing each (more dev eyes/interest in a larger project, and it's harder to get non-tech users interested in using multiple programs for the same function). It's understandable, though, that the Ricochet developer may not want to lose control of his project (which might occur if it gets submerged into Tor Messenger).

Keep up the good work.

Agreed on all points.

> your friends who e.g. use XMPP and OTR but haven't seen the light yet.

By seeing the light, do you mean using Tor or that there is something wrong with using XMPP with OTR?

I use XMPP and OTR (and Tor). But when I do, because of the XMPP design, there is a central server somewhere out there (probably more than one), which gets to know all my contacts. A bad person could break into that server, and learn the contact lists of all the users. Designs like Ricochet don't have that central server, so they don't have that particular risk.

If we could move everybody in the world over to a Ricochet-like protocol, that would be great. We should totally work towards that. But since it requires a Tor install, many people -- especially those on mobile platforms -- aren't in a position yet to do that easily.

Thanks for the informative reply, arma. I'm very excited about Ricochet too. I hope Ricochet makes it to the mobile phone platform one day also.

An even more secure solution for mobile phones would be having IM software like Ricochet run on a separate (offline) hardware device, similar to JackPair (https://www.jackpair.com). That way the mobile phone could be completely compromised and under targeted surveillance and it would not affect the user's security.

The genius of JackPair is the use of 3.5mm audio jacks as a data transmission channel between the offline hardware device and the cellphone. Virtually eliminating the possibility of a compromised cellphone infecting the offline hardware encryption device through a 3.5mm audio cable.

One step at a time I suppose ;). I believe future secure communications will rely on separate hardware devices treating cellphones as compromised dumb modems. Moving the "endpoint" off the cellphone's hardware and onto the hardware of a secure offline hardware device plugged into the cellphone via a hard to exploit data channel (3.5mm audio jack, Bluetooth maybe, but definitely not Bad USB).

I agree that using "compromised" hardware is an industry business/politic bug and speaking about cellphone or laptop/tablet is useless as long as you will buy a product without any warranty of privacy.

Encrypting the voice is a big & serious challenge.

i do not know if ricochet can be installed on data memory card.

The real challenge could be to convince the industry the necessity of a real product protecting our privacy.
In fact, it is about the contract : the contract is done from, with, for a government (20 peoples ?) nothing involving the consumer and the contract done between a client and a service do include a third unknown person.

*a compromised original product still stay it.

"And lastly, on the funding angle, actually neither project has any funding currently. We're working on helping both of them to fix that."

Can you give any more details on this? Who, where, when,...

Does it launch its own tor service or does it require to have Tor Browser opened first and will use its service?
If it starts an independent tor service, can we use it for other apps (curl, torsocks etc)?? You know as we do with tor browser for example (redirecting apps to 127.0.0.1:9150).

Thanks.

It launches its own Tor service. This is a feature, in that it simplifies everything from your perspective, but it's also sort of sad in that it would be nice for you to be able to run many applications at once, and they all use a single Tor client, and also they do it safely. We're not there yet though:
https://trac.torproject.org/projects/tor/wiki/org/meetings/2015SummerDevMeeting/TorProcessShare

And yes, if you want to attach some other program to the Tor that Tor Messenger launches, feel free.

The socks address for tor messenger is 127.0.0.1:9152

I managed to run the messenger part individually (debian:jessie) while my regular tor was on and configured the socks5 proxy as above. It worked fine but a way to check whether it is actually trafficking through tor or not would be nice. In the same manner it should work under tails as well.

The only account I had to try it on was twitter and it looked like an old messenger (no pics or video, just links you would have to manually transfer to a browser)

I couldn't figure out how to check a #hash channel but somehow it knew who of my followed identities were on at the time.

You can tweet just fine and you can RT but there was no way to FV something.

I can't say much about a messenger since I haven't used one for ages (!Y maybe 12-13 years ago) ..

So what's the deal with 9152 instead of 9150?
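One way to do the check asked for above, added here as an example (it is not Tor Messenger's code or any commenter's): speak SOCKS5 to the listener at 127.0.0.1:9152, ask it to reach check.torproject.org by name so the lookup also goes through the proxy, and read back whether the request arrived from a Tor exit. The `/api/ip` path of the check service and every function name below are assumptions of this example, not something the page mentions.

```python
import json
import socket
import ssl
import struct

TOR_MESSENGER_SOCKS = ("127.0.0.1", 9152)  # SOCKS address quoted in the thread
CHECK_HOST = "check.torproject.org"        # assumption: Tor Project check service

REPLY_ERRORS = {1: "general failure", 2: "not allowed by ruleset",
                3: "network unreachable", 4: "host unreachable",
                5: "connection refused", 6: "TTL expired",
                7: "command not supported", 8: "address type not supported"}


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def build_connect_request(host, port):
    """SOCKS5 CONNECT with ATYP 0x03 (domain name): the proxy resolves the
    name, so no DNS query for it leaves this machine outside Tor."""
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname length out of range for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def socks5_handshake(sock, host, port):
    """Run the RFC 1928 no-auth handshake on an already connected socket."""
    sock.sendall(b"\x05\x01\x00")            # version 5, one method: no auth
    ver, method = recv_exact(sock, 2)
    if ver != 5 or method != 0:
        raise ConnectionError("peer is not a SOCKS5 proxy offering no-auth")
    sock.sendall(build_connect_request(host, port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != 5 or rep != 0:
        raise ConnectionError("SOCKS5 CONNECT refused: "
                              + REPLY_ERRORS.get(rep, "code %d" % rep))
    # Drain the bound address so the stream starts at application data.
    if atyp == 3:
        addr_len = recv_exact(sock, 1)[0]
    elif atyp in (1, 4):
        addr_len = 4 if atyp == 1 else 16
    else:
        raise ConnectionError("unknown address type in SOCKS5 reply")
    recv_exact(sock, addr_len + 2)


def parse_check_response(raw):
    """Split a raw HTTP response and return (is_tor, ip) from its JSON body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or status[1] != b"200":
        raise ValueError("unexpected HTTP response: %r" % head[:60])
    data = json.loads(body.decode("utf-8"))
    return bool(data.get("IsTor")), data.get("IP")


def check_via_proxy(proxy=TOR_MESSENGER_SOCKS, timeout=60):
    """Return (is_tor, exit_ip) as the check service sees a request sent via proxy."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        socks5_handshake(sock, CHECK_HOST, 443)
        ctx = ssl.create_default_context()   # verifies certificate and hostname
        with ctx.wrap_socket(sock, server_hostname=CHECK_HOST) as tls:
            request = "GET /api/ip HTTP/1.0\r\nHost: %s\r\n\r\n" % CHECK_HOST
            tls.sendall(request.encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return parse_check_response(b"".join(chunks))
    finally:
        sock.close()


if __name__ == "__main__":
    is_tor, ip = check_via_proxy()
    print("exit address %s, via Tor: %s" % (ip, is_tor))
```

This confirms only that the SOCKS listener itself exits through Tor; whether the messenger process sends all of its traffic to that listener is a separate question, answered by watching its connections or blocking direct outbound traffic at the firewall.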

It doesn't work at all, Windows 7 64bit, Windows 8.1 32bit, and Windows 10 64bit.

Faulting application name: instantbird.exe, version: 41.0.0.5729, time stamp: 0x000232e8
Faulting module name: d2d1.dll, version: 6.2.9200.16765, time stamp: 0x528bf6b2
Exception code: 0xc0000005
Fault offset: 0x002284f6
Faulting process id: 0x1728
Faulting application start time: 0x01d112c2de7b0b89
Faulting application path: Tor Messenger\Messenger\instantbird.exe
Faulting module path: C:\Windows\system32\d2d1.dll
Report Id: 26f0368d-7eb6-11e5-8e12-005056c00008

Faulting application name: tormessenger-install-0.1.0b2_en-US.exe, version: 0.0.0.0, time stamp: 0x53c50d97
Faulting module name: SyncShellExtension86_70.dll, version: 0.0.0.0, time stamp: 0x560252bd
Exception code: 0xc0000005
Fault offset: 0x0000ce6e
Faulting process id: 0x1938
Faulting application start time: 0x01d112c2bdcd2844
Faulting application path: tormessenger-install-0.1.0b2_en-US.exe
Faulting module path: BitTorrent Sync\SyncShellExtension86_70.dll
Report Id: 0c5a1308-7eb6-11e5-8e12-005056c00008

Yep, see the above comments and also
https://trac.torproject.org/projects/tor/ticket/17453
Stay tuned for an update that fixes it!

Will there be skype support in the future?

Gosh. I don't want to speak for the Tor Messenger developers here, but I wouldn't be optimistic. Skype is notoriously closed, proprietary, incompatible, etc.

(I was going to say "I hope not", but actually, I do hope there's Skype support in the future -- it would mean that Microsoft came to its senses and embraced the open source world, the world of peer-reviewable protocols, and so on. Let's not hold our breath though.)

Most likely, no, for the reasons arma said.

Will Tor Messenger support TextSecure protocol?

This! I want to know this as well! (Protocol v2, axolotl.)

Yes! That would be really great.

If you'd go with Javascript, here are some libraries to consider using:
https://github.com/joebandenburg/libaxolotl-javascript
https://github.com/macropodhq/axolotl
https://github.com/alax/forward-secrecy
https://github.com/alexeykudinkin/axolotl.js

But it'd be possible to use ctypes as well, like with the OTR extension added to Tor Messenger.

Something that's definitely worth considering. We will open a ticket about this shortly.

That's great to hear!

Good to hear. I'm really surprised there isn't a concerted effort to marry up against TextSecure. They are the only people doing it right as far as I can tell. Axolotl makes OTR actually usable for the practical user. It has to work seamlessly across a user's devices, which is the critical nut that OWS have finally cracked.

I feel like interoperation with 'all the services' is a distraction, and perhaps a misguided goal. How are you layering security over these proprietary protocols? Surely just routing traffic through Tor doesn't do anything to help the fact these are mostly plaintext protocols?

I've installed Tor Messenger, but it doesn't start... Appcrash. Something with d2d1.dll. Windows 8.1 x64

Yep, see the above comments and also
https://trac.torproject.org/projects/tor/ticket/17453
Stay tuned for an update that fixes it!

Avira wants to move instantbird to quarantine and I guess this is why the program doesn't work for me :(

You might enjoy
https://www.torproject.org/docs/faq#VirusFalsePositives
and
https://trac.torproject.org/projects/tor/ticket/17454

(Ok, you probably won't enjoy them, but they might give you some hope for the future.)

Any plans for an android client?

Not at present. You might enjoy Chatsecure, which used to be Gibberbot, on Android.

But an Android/iOS/WP mobile client would probably be more useful than a desktop client; I now do 90% of my chats on my mobile, and I think that I am not the only one like that.

crashhhhhhhhhhhhhh

If you are on Windows, you can try this workaround: https://trac.torproject.org/projects/tor/ticket/17453#comment:7

Windows XP, instantbird.exe - entry point not found:
"the procedure entry point _vsnprintf_s could not be located in the dynamic library msvcrt.dll"

We are tracking this here: https://trac.torproject.org/projects/tor/ticket/17469.

Avira and McAfee say it's a virus... :-o http://i.imgur.com/DtNDAYE.jpg

See https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily#comment-113488 (arma's comment earlier).

This is magic... effectively got Adium back for Facebook Messenger.... brilliant job... Thanks

Any suggestion to fix the problem when i click to open tor messenger but nothing appear..

Are you Windows 10? If yes, we know this is a bug. We have a workaround here: https://trac.torproject.org/projects/tor/ticket/17453 ... or you can just wait for the next release, which should be next week.

any plans to add gpg encryption support?

We use OTR (https://otr.cypherpunks.ca/). I am not sure how GPG fits into this?

Is Instantbird being funded directly or indirectly by the Department of State? Is Department of State funding for Instantbird tied to Congressional legislation on sanctions against Iran? Will Tor Project release its contract (or subcontract) with Department of State for Instantbird? Why does Sponsor O's Trac page not say Department of State? Where is the transparency?????

"Department of state" is not the owner of internet, tor messenger is open source, Iran has its own censure policy ... for a real transparency make donations at this project, thx.

I appreciate what you are doing, I wish I can run the app to try it out at least. Windows 7 64-bit. It's not starting because of this:

Problem Event Name: APPCRASH
Application Name: instantbird.exe
Application Version: 41.0.0.5729
Application Timestamp: 000232e8
Fault Module Name: d2d1.dll
Fault Module Version: 6.2.9200.16765
Fault Module Timestamp: 528bf6b2
Exception Code: c0000005
Exception Offset: 002284f6
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1033
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

You can try the following workaround: https://trac.torproject.org/projects/tor/ticket/17453#comment:7

I am unable to connect to OFTC or any other IRC network. Maybe it's because tor-messenger connects to IPs (servers) that forward traffic and resulting in failed connects. Can we use tor-messenger for hidden services?

Yes, you can use Tor Messenger with hidden services. Just provide an onion address instead wherever applicable.

OFTC seems to throttle Tor connections on and off, and we are aware of this. One possible solution would be try this with a new exit and checking if that works or not. You can't currently do this from Tor Messenger but it's in our to-do list. (https://trac.torproject.org/projects/tor/ticket/10950).

Avira finds TR/ATRAPS.gen in the Windows installer and instantbird.exe...

See arma's comment above: https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily#comment-113488

Audit! Audit! Audit!

What's the difference between Tor Messenger and TorChat?

Tor Messenger is based on the client-server model and builds on existing networks like IRC, XMPP, etc. TorChat was a decentralized service that is no longer active? (Also Tor Project does not develop TorChat.)

I tried running it in Windows 10, to no avail, but Windows 7, it's running okay.

You can try the following workaround: https://trac.torproject.org/projects/tor/ticket/17453#comment:7

Downloaded the client, installed it and when I try to run it says:
Instantbird has stopped working

Unfortunately :(
I'm on Windows 7 Ultimate 64 bit

Try the workaround in https://trac.torproject.org/projects/tor/ticket/17453 or wait for the next release.

Tried with 2 Gmail accounts.. on 1, no problems. The other failed, and I got a gmail message saying "someone has your password" - access was blocked due to "unsafe app"

This is a problem with Gmail/Google. See https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily#comment-113404 for a workaround.

Win 7 64bit here. Tor Messenger is not working for me. It is just not starting after executing the exe. Compatibility mode (e.g. Win Vista) is not helping either.
In the taskmanager I can see that the Instantbird process is starting (even with ~78MB of RAM usage) and closing after around three seconds. There is no error whatsoever, it is just closing the process and never opening any window.

Try the workaround in https://trac.torproject.org/projects/tor/ticket/17453 or wait for the next release.

Signature du problème :
Nom d’événement de problème: APPCRASH
Nom de l’application: instantbird.exe
Version de l’application: 41.0.0.5729
Horodatage de l’application: 000232e8
Nom du module par défaut: d2d1.dll
Version du module par défaut: 6.2.9200.16765
Horodateur du module par défaut: 528bf6b2
Code de l’exception: c0000005
Décalage de l’exception: 002284f6
Version du système: 6.1.7601.2.1.0.256.48
Identificateur de paramètres régionaux: 1036
Information supplémentaire n° 1: 0a9e
Information supplémentaire n° 2: 0a9e372d3b4ad19135b953a78882e789
Information supplémentaire n° 3: 0a9e
Information supplémentaire n° 4: 0a9e372d3b4ad19135b953a78882e789

Try the workaround in https://trac.torproject.org/projects/tor/ticket/17453 or wait for the next release.

I was able to connect to my Google Apps (for Work) gTalk account, but when I try to connect to a regular gmail gChat account it says Not Authorized and won't connect.

I'm guessing this has to do with 2-step verification. Same issue I'm having, despite correct password.

Likely has to do with 2-step verification. I'm having the same issue, despite entering the correct password.

Two things: check that you create an authorized app for use with 2-step. And secondly, see the comments above related to Google. (Ctrl+F "TorBirdy")

Hi, thanks for the nice work! I will test it soon.

Are you sure this really supports Facebook chat? I think Facebook dropped its XMPP support sometime earlier this year (see https://developers.facebook.com/docs/chat ) and as far as I can see Instantbird uses XMPP for the Facebook chat.

You mention in the release notes that it works with gtalk and facebook, but does this assume that they have their XMPP endpoints open? Facebook closed theirs a couple of months ago and gtalk only works if the user has not migrated to hangout. Is it still valid in those cases?

Does not start on Windows 8.1.

Maybe test a little before releasing?

We did test but there was an issue with hardware acceleration on some computers. We have a workaround here that will be fixed in the next release: https://trac.torproject.org/projects/tor/ticket/17453.

My Facebook account doesn't allow me to log in because it is from an unknown location. But this is going to happen all the time, right? What can I do about it?

LOL, does not accept any username for facebook.

Seriously, why are you pushing out a broken product? Are you developing pc games in your free time?

Jesus.

Works for me but is timing out on "Downloading Contact List..."
Make sure you use your "User Name". NOT the same as what you use to log in. You can find it by going to your profile and grabbing the text after facebook.com/

The reason why I switched from pidgin to gain as XMPP-Client was that their openpgp plugin allows to send offline-messages to your contacts -- something that doesn't work with OTR. Another tool that allows to send encrypted offline messages is retroshare and at least I think that a messenger that's not capable to send offline messages is quite useless. Personally, I prefer OpenPGP solutions over OTR, mostly because I have to share my public just once and not at every single contact (on the down-side there is no deniability).

I doubt this is a good idea. With this you basically send the message that it is OK to log via Tor to your personal gmail or facebook account - which obviously defeats the purpose of connecting via Tor in the first place.

The identity of most people is linked to their "normal" accounts, especially on Facebook which enforces a strict "real names" policy.

Furthermore, both gmail or facebook will kick you out if you try to connect via Tor, and that is going to be confusing and frustrating for the vast majority of uninformed users.

Summing up:

- not user friendly
- it encourages super bad OPSEC.

This is not just for Google Talk or Facebook. This is for IRC and Jabber as well, both of which work fine without associating any real identity. Not to mention, like we said in the blog post, a lot of people use Google Talk or Facebook because they have their existing networks there -- we are just providing a secure way for them to use it without revealing their location or the content of their chats, which Tor and OTR take care of quite nicely.

"Not user friendly". We know we can do better. It will help to know the specific concerns.

Why doesn't Tor work with Jitsi.org? I think it's the best encrypted chat platform because it also handles end to end encrypted VOIP and video calls, and is open source.

Thoughts?

Is SILC still relevant? At one time there were some SILC servers operating as hidden services. I didn't see an Instantbird add-on for the SILC protocol. Pidgin works and is recommended on the main SILC website.

SILC - Secure Internet Live Conferencing
http://silcnet.org/

Feedback/Bugreport
The error message you get when running it right from the .dmg on OS X 10.11.1 is not correct: "Profile Missing Your Instantbird profile cannot be loaded. It may be missing or inaccessible."

Expected behaviour: Dialog:"Tor Messenger can not run from the disk image, pls copy to applications folder"

Also, the window for the "Tor Network Settings" stays on top of all other windows.

Try this: "On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.".

Current version of todays date when connecting to irc networks that have ssl v2/v3 disabled and allow only TLSv1 to v1.2 and high ciphers such as aes256-gcm-sha384
please fix it.

The messenger tor works, but when you get using the Facebook "message", he warns that the password may be wrong, but is not! everything is right, the other features are OK, but when using the facebook does not work ... I'm on windows 8 64bit ... help!

I had this and it was because I was using Authentication on Facebook. I used the Code Generator on the Facebook App on my iPhone and got a 6 digit code to use as the password.... could it be that causing it for you?

When attempting to connect via Google Talk, it fails during authentication even though the correct password is presented. I figure this has to do with 2-step verification. Any way around this?

Please see https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily#comment-113404 for more information.

These recommendations did not work. Any other ideas?

When logged into gmail through Tor browser, I am getting the following warning. Logging in again does not solve it:
"Gmail is having authentication problems. Some features will not work. Try logging in to fix the problem"

The 2 options provided here don't resolve both that error nor the ability to login to Tor Messenger.

If you change your security settings, by turning "access to less secure apps" to on and allow access from new devices/locations, it might connect. This worked for me, hopefully it will for you too.

This is a big issue for usability! Most people do not notice this option exists because they only ever use gtalk through the web interface, but if you try to use pidgin it's a big problem. Tor Messenger already special-cases gmail accounts; it should handle gtalk auth errors with a link to a page with current screenshots of exactly how to do it.

Another usability issue is that Gmail and Facebook use geolocation to detect suspicious activity, and might lock you out if you start coming in through tor; Tor Messenger should at least give a warning about this.

The press has taken notice of the debut of TM:

http://www.theregister.co.uk/2015/10/30/tor_messenger_a_death_knell_for_leaky_chats_headache_for_cops/
Tor Messenger beta debuts, promises unlogged Jabber for all
Instant messages with onion breath to scare away the spooks
30 Oct 2015
Darren Pauli

For US persons who dare to attend political events, or to reside in cities where Things Happen, ACLU has obtained further evidence that FBI's spy planes do indeed collect electronic evidence:

http://arstechnica.com/tech-policy/2015/10/fbi-planes-gathered-days-of-video-electronic-surveillance-over-baltimore/
FBI planes gathered days of video, electronic surveillance over Baltimore
Sean Gallagher
30 Oct 2015

Occupy organizers have previously reported interference with their cell phones when a particular police vehicle equipped with a directional roof aerial similar in appearance to military versions of IMSI catchers passed near their locations.

This is a good illustration of why ordinary people need TM.

Anti-war activists, environmentalists, Occupy people: watch out for electronic surveillance of personal communication devices from drones designed for military/police use, such as ScanEagle (made by Insitu), NOVA (made by Altavian), and Qube (made by AeroVironment), which according to FAA are all now operating domestically in "anti-poaching" and "environmental surveillance" [telecom environment?] roles for various US police agencies. Recall that emails leaked from the Italian malware-as-a-service company Hacking Team show that Insitu was interested in serving malware from its drones. NSA has for many years served malware from military drones, apparently including Scan Eagles operating in Africa. See

https://theintercept.com/drone-papers

According to FAA, Dow Chemical and BNSF are among the mega-corporations operating Chinese manufactured "patrol drones", and these could conceivably be re-purposed to attack demonstrators. There are preliminary indications that dozens of US drone start ups are marketing activist-surveillance-as-a-service to companies associated with the big banks.

Oppression everywhere, and it is very quickly getting much worse. The appropriate response: redouble our determination to oppose oppression of dissidents and to expose state-sponsored human rights violations and other criminality. In particular, we must bring to justice the baby-killing hospital bombing drone assassins and those who enable CIA-sponsored kidnapping/torture.

> Does this run on Tails? If not, is there a way to set it up?

Plus one.

Could one disable javascript in Tor Browser but still use TM? (It seems that Javascript can be exploited by bad guys attacking the browser. And can't TBB people fix that bug where latest FireFox ignores the default image loading setting?).

> you can register XMPP accounts from Tor Messenger (in-band) if the server supports it. You don't need an existing account. (This is not true for Facebook, Google Talk or Twitter, where you do need existing accounts for Tor Messenger to work.)

Can one do that safely? Can you work with riseup.net to provide a TM-friendly chat server? Note that leaked emails from Hacking Team show that Czech police targeted the riseup mail server, so the threat model must at a minimum include companies like Gamma and Hacking Team. For this reason, please seek an outside audit of TM.

> Matthew Green, one of the people who audited Truecrypt, postulated the NSA has solved some of the issues surrounding ECDLP (Elliptic Curve Discrete Logarithm Problem). "A riddle wrapped in a curve" (http://blog.cryptographyengineering.com/)

Second that. This is a very important issue for Tor people to track.

> Since its conception and rollout by Netscape till today, hundreds of security holes have been discovered in JavaScript.

That was my first thought too.

> The point was that JavaScript is a memory managed language, which theoretically eliminates a certain class of exploits. Further, as you said, Mozilla's JS VM has been in production for quite some time and seen some battle hardening.

More details might help encourage the doubters. And obtaining an independent security audit of TM, especially as part of a future edition of Tails, should be an important goal.

Look, it isn't that Javascript is particularly bad as a language. Other than that it has some issues from being designed in an era where security wasn't at the forefront as much, it isn't really any worse than any other language with a similar sized library. For example, it isn't particularly worse than Java. The problem isn't the language itself, it's that the primary (original) use of the language was to allow code on a foreign computer to execute on yours, and it has a larger attack surface than HTML and CSS (possibly by orders of magnitude.)

That means that Javascript has gotten a bad reputation in some parts of the security community, but that reputation is only really relevant for Javascript on a webpage that isn't fully trusted by the user. Javascript potentially allows websites to run harmful code on your computer, but if you're running a program on your computer it doesn't matter that it uses Javascript because it's already running on your computer.

> Yes, this is on purpose because we don't want users clicking their links and opening a browser that is not Tor Browser. We will fix this in future releases by being smart about it -- by detecting Tor Browser and opening the link there, or by giving you an option of choosing what to do with the link. For now, we decided that we don't want users clicking on links by mistake so that is why they are disabled. (#13618 on Trac.)

I think that is a good design decision, sukhbir. Glad to see you are thinking about things like potential user Epic Fail, because our enemies certainly are.

I'm having the same problem! While trying to connect to Facebook and Gmail like 3 or 4 times I get the not correct password message. Both are on 2-step verification and I'm on Ubuntu 15.10! I'll check out the site you posted above!

Crashes on Windows 10 x64.

Try the new version!

Tried to log to my Facebook account and Tor Messenger wouldn't let me, asking me if I did any mistakes on my password. As I switched back to my regular Facebook page, it read it was blocked as "Someone intended to log in from an "unusual" place, showing me a Map with a pin somewhere between Myanmar and India. I don't know how this might help you guys, but this is definitely not working smoothly on FB.

Hi, what about client for mobile platforms, namely android?

You might enjoy ChatSecure for Android.

AVG says it is a virus.

See https://www.torproject.org/docs/faq#VirusFalsePositives and
https://trac.torproject.org/projects/tor/ticket/17454

Hi, this post sounds interesting, but I don't own a PC.
Is it possible to get an Android version of it?

Many greetings
Basti

You might enjoy ChatSecure for Android.

Chatsecure has tor support. But only with the "orbot" app installed beside it: https://guardianproject.info/apps/orbot/

(You have to tick the "Connect via Tor" option in the account settings or at account setup.)

Just remember. If you're creating new accounts. You must ALWAYS connect with the "use tor" option. Connect just once without tor, and that connection will be logged and your anonymity likely compromised.

Is there going to be a PortableApps version?

The Tor Messenger packages are all self-contained. So they're nearly there!

Do you intend to develop an app IOS etc.

You might enjoy ChatSecure for iOS.

Google blocked my sign-on because of it coming from a non-standard country (in this case it was Paris, France). I think it will likely be difficult to use Google Talk through this without dealing with these issues. The other downside is that even if you do train Google to allow logins globally, you've now weakened the protection Google provides regarding account security.

I don't know what the issue is but I cannot log into Facebook. Correct username and password. Could it be the Facebook login verification?

Can you please try the solution in https://trac.torproject.org/projects/tor/ticket/17464 and tell us if it works for you? We would like to fix this in the next release.

How on earth does Facebook chat get encrypted? I don't understand?

I also try to configure it, put in my username and password, but it continually tells me my password is incorrect ..... and it's not incorrect. I've changed it to a new one, same result.

Facebook chat will get encrypted if the person you are talking with is using Tor Messenger, or another OTR-enabled client. When you start a conversation, it will be encrypted. Facebook can't see the content of the conversation. It will just see that you are talking with the person, but not what you are talking about.

If you are having problem using FB, please see https://trac.torproject.org/projects/tor/ticket/17464. Let us know if it works for you.

Ugh every time I open up preferences, the whole application locks up and freezes and I have to force quit it. Quality.

Are you on OS X? See https://trac.torproject.org/projects/tor/ticket/17456. (It's a beta, we are fixing the problems as they come, that's the entire purpose :)

tor messenger is not working for me with my google account, it says I entered in the wrong password, but all the info, both email and password are correct for logging in with "google talk"

Please see https://trac.torproject.org/projects/tor/ticket/17477 for now. We will try to fix this in the future but this is Google blocking logins from Tor exits, something we have tried to fix in the past but couldn't.

I'd love to see mobile apps, which for many of the people I communicate with, are critical to have a hope of achieving a network effect. Signal/TextSecure/RedPhone somehow interoperating with much of this codebase would be my dream. It's kind of a bummer that you have many of the same goals as OWS but don't appear to be working together. For many users, secure messaging choices will be an even tougher call once the Signal chrome extension (hopefully FF too) becomes available.

Great work!

My feedback & experience:

How to use it with system Tor, if clearnet connections are forbidden by iptables? To do that for Tor Browser Bundle I just remove tor-launcher xpi file (64 bit version). Otherwise, I even would not get firefox started. Here, in Tor Messenger, we have no such file, but directory Messenger/extensions/tor-launcher@torproject.org instead. I deleted it. After that my Tor Messenger got started. I also changed port in network preferences to proper one.

I wanted to test it with XMPP server which has a mirror in onion. I specified onion address as host and finally got it working (account was registered in advance). And now many troubles started...

I added Tor Messenger XMPP account to the roster of my another XMPP IM client (mcabber). Then, Tor Messenger asked me to "allow" that contact, and I allowed it. However, after this authorization "allowed" account did not get listed in Tor Messenger's contact list (roster), which is strange. It means I cannot see contacts I authorized to see my status. Only when I manually added this contact in Tor Messenger too, it appeared in my roster. Now both XMPP contacts authorized each other.

When I connected from my IM (mcabber) to Tor Messenger, the latter complained that OTR plugin is not supported. I was very surprised. Why it is not enabled by default? I found it in preferences and enabled. However, OTR does not work. Neither my Tor Messenger contact nor IM contact can start OTR session. I run Tor Messenger with command: ./start-tor-messenger --verbose (it allows me to see warnings). I noticed that each time I click on "start private conversation" I see in log "TypeError: muc is undefined". I opened error console in Tor Messenger, and see an error "Error: __NoSuchMethod__ is depricated; resource:///modules/xmpp.jsm" and then many error messages "muc is undefined; resource:///modules/xmpp.jsm".

If I disable OTR, then messages are passed successfully to both sides. But I failed to get it working with OTR despite (according to preferences) everything is OK (key was generated, fingerprint was seen).

Another problem are preferences of ctypes-otr extension: sometimes to get button "preferences" working I need to click on "disable", and then on "enable". Otherwise, the window with preferences is not opened.

> Only when I manually added this contact in Tor Messenger too, it appeared in my roster. Now both XMPP contacts authorized each other.

This is how XMPP works: both of you have to authorize each other before you can see the status. You can still start chatting, you can only see the availability of the other person if they have accepted your invitation.

> When I connected from my IM (mcabber) to Tor Messenger, the latter complained that OTR plugin is not supported.

This does not make sense. What are you trying to do here? Just use Tor Messenger -- it supports IRC and OTR is automatically enabled for one-to-one conversations.

Try using Tor Messenger without Mcabber (I am not sure why you are doing this) and you will see most of your problems fixed.

> This is how XMPP works: both of you have to authorize each other before you can see the status. You can still start chatting, you can only see the availability of the other person if they have accepted your invitation.

You didn't understand what I say. I don't complain about that I cannot see the status. I complain about that I cannot see this contact in my contact list! In normal XMPP clients when I authorize somebody, I can see him in my list despite I cannot see his status(!). In tor messenger I see absolutely nothing. It means if I forgot which contact I authorized, there is no any simple way to find it.

> This does not make sense. What are you trying to do here? Just use Tor Messenger -- it supports IRC and OTR is automatically enabled for one-to-one conversations. Try using Tor Messenger without Mcabber (I am not sure why you are doing this) and you will see most of your problems fixed.

OMG, somebody of us does not understand the idea of tor messenger. Is it multiprotocol client? If yes, it must be in compliance with XMPP protocol. Does tor messenger support standard OTR protocol for XMPP? If yes, it must be compatible with all XMPP clients and their OTR implementation. The idea of tor messenger is to be compatible with standard IM protocols, so I can chat with anybody who is not yet using tor messenger, isn't it? So if somebody is using standard XMPP client such as mcabber, which supports OTR, why I cannot use OTR from tor messenger? Is its OTR implementation incompatible with the standard?

Experienced people use convenient IM clients (such as mcabber), which are properly customized to work with Tor and end2end encryption. Then, ordinary people could use tor messenger (XMPP+OTR) to anonymously chat with that IM client. It is only possible, when OTR is compatible on both sides, which, as I see, is not the case.

I think I am pretty clear...

P.S. If we don't bother about compatibility with standard protocols and the standard implementation of OTR, why use tor messenger? It is better to use ricochet.

OK sorry, I misread this comment. Let's address the issues one by one.

1. You have to enable "show offline contacts". Is this what you meant? If yes, right-click on the empty space in the contacts window and enable this option.

2. I actually misread this part badly but anyways, this was an error that we just fixed. Mcabber should now work (tested). See https://trac.torproject.org/projects/tor/ticket/17552. This was due to an XMPP issue, not the OTR code.

(And yes, our OTR implementation is compatible with other clients, that's the point.)

Thanks a lot for your comment! Indeed, in the newer version everything works fine.

1. Yes, thanks, it works.
2. Yes, in 0.1.0b4 it is fixed.

I have just a minor comment on the script start-tor-messenger, which I run in my terminal as "./start-tor-messenger --debug". It works, but it writes:

./start-tor-messenger: line 268: [: 64: unary operator expected

Probably, you may want to fix this minor warning.

This is more of a suggestion: I don't know much about how Tor works, but amongst the list of messengers, I notice there's no "Wickr". I suggest you take a look at Wickr if you haven't and look at how it works, as it's a pretty amazing system. Maybe some of the ideas from that may translate well over to TorMessenger or future Tor products?

You can't use a Facebook account if you have account security on full lock down with two factor authentication.

..or Google with 2FA.

Is there a version for Android?

Check out ChatSecure by the Guardian Project. It's on Android. Currently, we don't have plans with Tor Messenger for mobile.

So, first of all : great work and thanks!

Unfortunately I can't get it to run with Facebook 'cause the buffoons at Facebook don't want me to use it :)

Any updates on this issue, is there anything I can do to make it work?

Please see https://trac.torproject.org/projects/tor/ticket/17464 and let us know if it works for you?

Sorry, but the instructions are unclear. What to put as "app-name"? "Tor messenger" or something else?

What to use as login name, my "facebook username" or the newly created appname?

I have the same problem. I tried by putting "Tor Messenger" and "TorMessenger" in the app name field, with no results.

I have used my username (the one after facebook.com when you go in your Facebook profile) and not my email. I have also followed the instructions for generating an app password.

Is Facebook blocking Tor Messenger somehow?

Why run Tor on any commercially closed operating system possibly acting like a trojan horse?

Is it safe against trojan horses? How?

Is it safe against spy-chips installed on commercial hardware? How?

Is it using iRL kryptokeys or is it sending kryptokeys over the internet? Why is that considered safe?

Is Tor downloading javascript when it is being run? Why?

The imagination of safety on the internet might be the very thing that makes it unsafe. I suggest awareness and openness in all communication until people themselves create "dedicated trusted computer communication and voting devices".

Swing your thing on the youtube and they will not be able to pull down your pants! ;-)

/Martin Gustavsson
Scientific party of Sweden

How to run in Kali Linux?

No idea. Try running it how you usually do and see if it works?

Torchat is not opening after successful installation. Can someone tell me what to do?

I am running it on a Windows 10 host.

Please try the updated download links. There was a bug which we have fixed. If it still doesn't work for you, let us know.

Why is there no usual uninstall tool? And does it make keys in the registry?

Everything is contained in a single folder. To uninstall, just remove the folder and Tor Messenger will be uninstalled. And no, we don't touch the registry.

What if the other person is not using tor-messenger, do we still have an encrypted conversation? If not, why do we use tor-messenger?
-----------------------------------
And when I want to start a conversation using Facebook, it shows that it's not a private conversation: "2:24:56 PM - Attempting to start a private conversation with […]"

If the other person is not using Tor Messenger or another OTR-enabled client, you cannot talk with them as Tor Messenger does not allow sending of unencrypted communication. This is by design. Also, if the other person is using OTR, it will still say "Attempting to start..." but if the conversation actually starts, it will tell you that the conversation is private. If all it says is "Attempting to start..." and nothing after it, then that conversation is not secure.

Password not working on gtalk. Fails to connect with any account I try.

Please see https://trac.torproject.org/projects/tor/ticket/17477

How come you list Google Talk as working, when Google denies login because Instantbird/Tor Messenger don't use OAuth 2.0?

http://googleonlinesecurity.blogspot.ca/2014/04/new-security-measures-will-affect-older.html

When will this be updated? It is very aggravating.

Google Talk will work with third-party XMPP clients, like Tor Messenger. We don't use OAuth for Google Talk.

How can you say this when I have spent the past 12 hours trying to get Google Talk to work and it denies it every time?

Except it does not work at all.

Why do you list Google Talk when it isn't OAuth 2.0:
Google will deny login unless you update it.

...

http://googleonlinesecurity.blogspot.ca/2014/04/new-security-measures-will-affect-older.html

Wow what a simply brilliant project.

It would be nice to see Android & iOS versions of this, as many current apps do not support key encryption/decryption.


You may enjoy ChatSecure on Android.


sukhbir:

Could you do a feature-by-feature comparison of ChatSecure and this creation of yours? We would like to see a list of pros and cons in using your product over ChatSecure. Thanks in advance.

The sha256 matches, but verification with the .asc file raises an error!

I successfully imported the key with the command:
$ gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x6887935AB297B391

but then got an error "BAD sign" with
$ gpg --keyid-format long --verify sha256sums.txt.asc tor-messenger-linux64-0.1.0b3_en-US.tar.xz
>gpg: Signature faite le ven. 30 oct. 2015 20:52:30 CET
>gpg: avec la clef RSA 6887935AB297B391
>gpg: MAUVAISE signature de « Sukhbir Singh  »

the sig is for the hashes text file, not the tar, I think!

My apologies, verification of sha256sum.txt with the .asc file is OK after all.
It was an error in my command ;)
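
The verification order this exchange arrives at, as an added shell example that is not part of the original comments or the project's own tooling: the detached signature is checked against sha256sums.txt, and the archive is then checked against that signed list. The function names are hypothetical; the file names in the usage comment are the ones quoted above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of Tor Messenger.

# Step 1: verify the detached signature over the hash list.
# gpg --verify takes <signature> <signed-file>; the signed file here is
# sha256sums.txt, NOT the tarball. Passing the tarball yields "BAD signature"
# even when the download is intact.
verify_hash_list() {
    sig=$1
    list=$2
    gpg --keyid-format long --verify "$sig" "$list"
}

# Step 2: compare the archive's SHA-256 with its entry in the (now trusted) list.
# Returns 0 on match, 1 on mismatch, 2 if the archive has no entry in the list.
check_archive() {
    archive=$1
    list=$2
    name=$(basename "$archive")
    # sha256sum lines look like "<hash>  <name>" or "<hash> *<name>".
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$list")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Both steps in order; the hash is only meaningful once the list is verified.
verify_release() {
    sig=$1
    list=$2
    archive=$3
    verify_hash_list "$sig" "$list" || {
        echo "signature on $list did not verify" >&2
        return 1
    }
    check_archive "$archive" "$list" || {
        echo "$archive does not match its entry in $list" >&2
        return 1
    }
    echo "$archive: signature on hash list good, hash matches"
}

# Usage:
#   ./verify.sh sha256sums.txt.asc sha256sums.txt \
#       tor-messenger-linux64-0.1.0b3_en-US.tar.xz
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```

A good signature only shows that the list was signed by whichever key gpg used, so the long key ID in gpg's output still has to be compared with the one published by the project.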

Is there a trustworthy test server where a clueless newbie to chat can try out Tor Messenger without needing to create an account?

If this question seems odd, that is because I have hardly ever used any chat program.

You can create an XMPP account on any of the servers out there which support in-band account registration (meaning you can create an account without leaving Tor Messenger). You can choose from: jabber.ccc.de, jabber.otr.im, jabber.calyxinstitute.org. You do not need to give a name or email address.

> jabber.ccc.de, jabber.otr.im, jabber.calyxinstitute.org

All of these servers have some problems.

  • jabber.calyxinstitute.org and jabber.otr.im do not send unencrypted messages.

  • jabber.ccc.de does not allow registering an account. The error:
    There was an error registering the account. Reason: Forbidden. The requesting entity does not possess the required permissions to perform the action.


I would recommend other servers, which are well tested and work nicely as both clearnet and onion servers:

  • securejabber.me with HS giyvshdnojeivkom.onion. Web: https://securejabber.me.

  • jabber.systemli.org with HS x5tno6mwkncu5m3h.onion. Web: https://www.systemli.org/service/xmpp.html
  • rows.io with HS yz6yiv2hxyagvwy6.onion (however, it does not allow unregistering a jabber account). Web: https://rows.io


If somebody doesn't care about connections with other XMPP servers, this onion XMPP server is also good: http://cyjabr4pfzupo7pg.onion

That's odd. jabber.ccc.de registration should work -- we have done it all the time and so have other users (just verified again). Perhaps try again as it may have been a temporary issue?

The other issue is that right now we don't recommend any servers. We will have a list for the users and that is one of the improvements we have to make.

Yes, you are right. Now jabber.ccc.de (okj7xc6j2szr2y75.onion) works fine (I tested it again). Thanks for this notice!

However, sadly the jabber web page web.jabber.ccc.de no longer works. It would be good if they also provided an onion web page and a web page for registering/unregistering jabber accounts (not all jabber clients can do this work).

More enthusiastic press coverage:

http://arstechnica.com/security/2015/10/how-to-use-tor-messenger-the-most-secure-chat-program-around/
Take 5 minutes and up your opsec game with Tor Messenger
Sending chat traffic via Tor and requiring OTR is a big win for privacy.
Cyrus Farivar
31 Oct 2015

> On Thursday, the Tor Project released its first public beta of Tor Messenger, an easy-to-use, unified chat app that has security and cryptography baked in. If you care about digital security, you should ditch whatever chat program you're using and switch to it right now.

CF answers an important question not covered in the announcement:

> If you want to sign up for a new XMPP account, you can quickly register one with the Calyx Institute. All you have to do within Tor Messenger, is make up a user name and password, and use the server: jabber.calyxinstitute.org and you’re all set.

Maybe I'm not aware of something, but can you please explain to me why there are trojans detected in the archive?

https://www.virustotal.com/en/file/d135610c54766cdbad8bbad1915349b41030241eae47925b68ff7e8c437a7fc7/analysis/1446328564/

There are no trojans. Please have a look at https://www.torproject.org/docs/faq#VirusFalsePositives and
https://trac.torproject.org/projects/tor/ticket/17454. We will work with VirusTotal in future in fixing these problems.

VirusTotal can't do squat about it. You should be working with the producers of the two anti-virus products that are causing the false positives. Good luck with that - you're gonna need it, given who these two producers are.

After downloading, verifying, un-xz-tar, the 32 bit Linux version of the TM application opens in Tails 1.6, but apparently is unable to connect to the Calyx Institute server to create an account as per the instructions in

http://arstechnica.com/security/2015/10/how-to-use-tor-messenger-the-most-secure-chat-program-around/
Take 5 minutes and up your opsec game with Tor Messenger
Sending chat traffic via Tor and requiring OTR is a big win for privacy.
Cyrus Farivar
31 Oct 2015

I guess the problem may be the Tails firewall blocks the default port?

Thanks to CF for volunteering to help chat n00bs test TM!

You should follow the great work the Tails people are doing to get Tor Messenger working: https://labs.riseup.net/code/issues/8577

App refused to start with the message 'You cannot use this version of the application Tor Messenger with this version of Mac OS X'. Running 10.5.8 on a dual-core G5. Could you compile a version that isn't restricted to rich people please?

While we would love to support all versions on all platforms, building, testing and debugging is difficult as it's a time- and resource-intensive task. Unfortunately we have to stick with the most commonly used platforms. You can open a ticket about this and if a lot of people request it, we can look at it.

Again... Why not Jitsi messenger???????? You don't want audio calls over TOR, is that why?

Maybe we will find a way to support WebRTC in the future. But no, no Jitsi.

Please don't support Webrtc. That defeats the entire purpose of chatting anonymously.

If they would find a way to make use of WebRTC in an anonymous manner, why would that be bad? P2P in general is good. Leaking real IP addresses of course is not.

Can Jitsi be configured to not use start-tls? We have more trust in 'obsolete' TLS, which can't be invariantly connected to IM activity. Right now we prefer Psi, as it has 'obsolete' TLS and socks4a and is not overloaded with multiprotocol support and unverified add-ons.

Google Talk refuses the connection calling this "not a modern messaging client"

Same here

Unable to open the DMG image on OSX 10.11. The sha256 on the downloaded image checks out, as does the signature on the checksum file. However, I get an "Operation timed out" error when trying to open/mount the DMG. No other DMGs have this problem. Is it corrupt?

This be good for mobile

any plans for android?

No, not yet. But we recommend ChatSecure or Signal on Android.

When we use the twitter protocol, will it show whatever Tor node we're using or the IP from Instantbird?

Will this be like group accounts where the admin of a twitter account can see all IPs of others in the Instantbird twitter dm group? Because twitter's user data shows IPs of contributors.

Did you mean a Twitter list? And also, the IP should be of the Tor exit node but I am not sure what you mean by group here so don't take my word for it.

This does not seem to work for services with Two Factor authentication, like Facebook or Yahoo!

If we have our Jabber accounts, facebook and twitter all included in Tor messenger, can anyone we chat with ever see all our accounts we have connected to Tor messenger?

The Jabber server you use can see who you are talking with but not what you are talking about. This is also true for Facebook and Google Talk for conversations with a single person (one-to-one conversations) since everything is encrypted with OTR.

I think he/she asked you about another thing. Let me phrase it more clearly. Suppose, I attached two different XMPP contacts to my tor messenger: user1@server1 and user2@server2. Can people in my contact list from user1@server1 learn that I also have contact user2@server2 in tor messenger?

(To my knowledge, the answer is 'no'. It should not be possible.)

The workaround works on win 10 x64 (assuming everything else functions as it was supposed to).

Instantbird is like Firefox, Thunderbird and SeaMonkey, and I have used it for a long time. You could make an add-on for using Tor, and I think this is the better way! If I use your bundle I must configure all the connections that I have in Instantbird, that's very bad!

You can chat through other chat messengers, such as CryptoCat and various others. I do not know how Tor Messenger competes or outperforms any other ones. What is the unique feature of Tor Messenger versus others?

We send everything over Tor and force encryption of conversations using OTR by default.

Can't any instant messenger which supports a socks4a proxy & otp work across the Tor network? Btw, are there any specific recommendations for an XMPP server with a small footprint to be used in a hidden service installation for a small group of people? Thanks.

Windows Vista pc

Tools > Addons > Extensions > ctypes-otr > Options

Next to where it says 'Key For Account', I have one Jabber account and one Twitter account listed. The Jabber has its keys and shows the fingerprint. For my twitter, it didn't show anything and asked me to generate them. I generated keys for my Twitter and it shows the fingerprint now. Would it make any difference if keys/fingerprint for my Twitter are made or not since they were not automatically generated when I added the Instantbird app to my Twitter account? Would generating keys/fingerprint uniquely identify me on Twitter if I had more than one Twitter account?

Twitter OTR keys are somewhat irrelevant as we don't support direct messages yet (Instantbird doesn't), so we can't do OTR. We have plans to implement direct messaging support and that will be an awesome thing to have. Thanks for the feedback though, since you can't use Twitter for OTR, we shouldn't ask you to generate keys or allow that.

Not able to run on my Windows XP system, showing error " The procedure entry point _vsnprintf_s could not be located in the dynamic link library msvcrt.dll "

Please see https://trac.torproject.org/projects/tor/ticket/17469.

On current stable Ubuntu:

$ ./start-tor-messenger.desktop
Launching '/Messenger/start-tor-messenger --detach'...
$

But nothing else happens and no processes spawned related to tor-messenger?
Are there dependencies to run?

Can you try running the above command with '--verbose' to see what is wrong? There should have been no issues as such.

A small question: How am I able to choose an account picture?

- Linux 64-bit
- created XMPP account successfully
- when clicking on the placeholder avatar in the TM main window nothing happens

Thank you!

Choosing an account picture is disabled. Access to the webcam is also disabled. Maybe in future we will allow that but right now you can't set the picture (this was on purpose).

You don't need to approve this comment because it's essentially worthless, but kudos to whoever from the Tor Project writes responses to these comments. About 80% of them are completely bullshit, and you still manage to write level-headed responses.

Thank you; we try. User feedback is valuable so even if the comments get mundane, it's something we have to do.

XP-SP-2 has error:
Windows XP, instantbird.exe - entry point not found:
"the procedure entry point _vsnprintf_s could not be located in the dynamic library msvcrt.dll"

Here is a how-to for installing Tor Messenger, with an explanation of bridge lines also. Let me know if there is anything I could have added. Thank you.

http://www.techlick.com/index.php/21-techlick/10043-how-to-operate-the-new-tor-messenger

Would love it if you fixed Google Talk support. Google denies the login no matter what I do; logging in with Tor Browser multiple ways does absolutely nothing to fix it.

> You should follow the great work the Tails people are doing to get Tor Messenger working: https://labs.riseup.net/code/issues/8577

Where one anonym wrote:

> Please don't report issues to the Tor Messenger developers unless you can reproduce it outside of Tails too!

Ugh, usual complaints about lack of encrypted/anonymous bug reports (except at this blog, sort of). And the issue is labeled "low priority".

If I understand, my guess was wrong and TM won't yet work in Tails, the Tails people need to make (minor) changes to the code. ("Work" is not the same thing as "work securely", of course.)

Thanks to Tor Messenger team for your work so far. TM appears promising but in future I strongly encourage you to try to bring TM into Tails. I'd like to see a credible security audit of TM as part of Tails specifically. Some of the desiderata listed in replies above also appeal.

Someone criticized Tor Messenger (over at Ars Technica):

> Given how every other week there's news of a latest TOR weakness that's been exploited, it's not THAT secure. Nor it's that anonymous given how flaws have been exploited so people got raided after such flaws and weaknesses were used by Big Gov,,, You've got a messenger on TOR (a network that's regularly in the news for the latest successful takedown)

I believe this comment refers to several highly publicized raids in the past few years conducted by EU and US police agencies on people who were suspected of visiting specific Tor hidden services, not on Tor users generally. From my understanding, the techniques the LEAs are thought to have exploited to obtain the true IP addresses of those people do not directly affect intended TM use cases (someone correct me if I am wrong!).

The poster added that the Tor network

> is attracting more than its fair share of snoopers (and where your traffic will be a bigger chunk of total traffic than a commercial network)

That may be the weirdest argument against using Tor to improve your anonymity against at least some actors that I've seen yet.

Security and anonymity are valid concerns when Beta testing any application intended to enhance anonymity, but it's important to try to have a correct understanding of the most likely hazards.
