sukhbir's blog

Tor Messenger 0.3.0b2 is released

We are pleased to announce another public beta release of Tor Messenger. This release features important improvements to the stability and security of Instantbird. All users are encouraged to upgrade.

Tor Messenger 0.3.0b1 users will be automatically prompted to install the update (similar to Tor Browser). On installing and restarting, the update will be applied; your account settings and OTR keys will be preserved.

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

macOS

sha256sums-signed-build.txt
sha256sums-signed-build.txt.asc

The sha256sums-signed-build.txt file containing hashes of the bundles is signed with the key 0xB01C8B006DA77FAA (fingerprint: E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint from the signing keys page on Tor Project's website.

Changelog

Tor Messenger 0.3.0b2 -- 29 December, 2016

  • All Platforms
    • Use the tor-browser-45.6.0esr-6.0-1-build1 tag on tor-browser
    • Use the THUNDERBIRD_45_6_0_RELEASE tag on comm-esr45
    • Update ctypes-otr to 0.0.4
    • Update tor-browser to 6.0.8
    • Don't allow javascript: links in themes
    • Permit storing cert. exceptions in private browsing mode
    • Bugzilla 1321420: Add a pref to disable JavaScript in browser requests
    • Bugzilla 1321641: Disable svg and mathml in content

TorBirdy 0.2.1 is released

We are pleased to announce the seventh beta release of TorBirdy: TorBirdy 0.2.1.

This release fixes an annoying usability issue where TorBirdy sets the calendar timezone to UTC thus overriding the local timezone and breaking the calendar functionality; see commit 3ea8e5d and Bug 20157 for more information.

If you are using TorBirdy for the first time, visit the wiki to get started.

There are currently no known leaks in TorBirdy but please note that we are still in beta, so the usual caveats apply.

Here is the complete changelog since v0.2.0 (released on 23 June 2016):

0.2.1, 30 Nov 2016
* Bug 20157: Do not set calendar timezone to UTC
* Bug 20750, 20644: Ensure RSS feeds are displayed in plain text
* Revert setting no_proxies_on to an empty string (see commit b2f6a45b)
* Added support for automatic configuration of systemli.org email accounts

We offer two ways of installing TorBirdy: by visiting our website (GPG signature; signed by 0xB01C8B006DA77FAA) or by visiting the Mozilla Add-ons page for TorBirdy. Please note that there may be a delay -- which can range from a few hours to days -- before the extension is reviewed by Mozilla and updated on the Add-ons page.

(Packages for Debian GNU/Linux will be created and uploaded shortly by Ulrike Uhlig.)

Tor Messenger 0.3.0b1 is released

We are pleased to announce another public beta release of Tor Messenger. This release features important improvements to the stability and security of Instantbird. All users are highly encouraged to upgrade.

Tor Browser Build

Starting with this release, Tor Messenger will be built on top of Tor Browser instead of Mozilla ESR. This will help us in improving the security of Tor Messenger by making use of Tor Browser's patches. We will also try to keep in sync with the Tor Browser stable release cycle.

Secure Updates

Tor Messenger 0.2.0b2 users will be automatically prompted to install the update (similar to Tor Browser). On installing and restarting, the update will be applied; your account settings and OTR keys will be preserved.

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

macOS

sha256sums-unsigned-build.txt
sha256sums-unsigned-build.txt.asc

The sha256sums-unsigned-build.txt file containing hashes of the bundles is signed with the key 0xB01C8B006DA77FAA (fingerprint: E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint from the signing keys page on Tor Project's website.

Changelog

Tor Messenger 0.3.0b1 -- 22 November 2016

  • All Platforms
    • Use the tor-browser-45.5.0esr-6.0-1 branch (e5dafab8) on tor-browser
    • Use the THUNDERBIRD_45_4_0_RELEASE tag on comm-esr45
    • Update ctypes-otr to 0.0.3
    • Trac 16489: Only show "close" button on Windows
    • Trac 16491: Contact list entries don't adapt to the actual font size
    • Trac 16536: Investigate Tor Browser patches relevant to Tor Messenger
    • Trac 17471: Investigate Tor Browser preferences relevant to Tor Messenger
    • Trac 17480: Make url linkification toggleable
    • Trac 19816: Build process should generate mar files
    • Trac 20205: Support SASL ECDSA-NIST256P-CHALLENGE
    • Trac 20208: Put conversations on hold by default
    • Trac 20231: Remove incomplete translations
    • Trac 20276: Fix toggling sounds
    • Trac 20608: Use Instantbird app version
    • Bugzilla 1246431: Properly handle incoming xmpp server messages
    • Bugzilla 1313137: Fix irc "msg is not defined" error
    • Bugzilla 1316000: Remove old Yahoo! Messenger support
  • Mac
    • Trac 20204: Windows don't drag on macOS Sierra
    • Trac 20206: Avoid prompting to download font "Osaka" on macOS Sierra
    • Trac 20207: IB and Tor Messenger still share a notification key
  • Windows
    • Trac 20062: Make stripping signatures reproducible on TM .exe files

Tor Messenger 0.2.0b2 is released

We are pleased to announce another public beta release of Tor Messenger. This release features a secure automatic updater and important security fixes to Instantbird. All users are highly encouraged to upgrade.

Secure Updater

This is the first release that contains ported patches from Tor Browser to securely update the application (#14388). Moving forward, Tor Messenger will prompt you when a new release is available, automatically download the update over Tor, and apply it upon restart. Keeping Tor Messenger up-to-date should now be seamless, painless, and secure.

OS X Profile Directory

In previous releases, Tor Messenger stored its profile directory inside the application bundle. This was a result of the Tor Messenger team building on the work done for Tor Browser. While normally straightforward, this caused some trouble with Mac users who said that there's a common expectation to be able to copy extracted applications to someone else's computer. This could lead to them unknowingly transferring accounts and OTR keys.

Tor Browser has since switched courses and, in the 6.0 series, it now stores its profile in ~/Library/Application\ Support/TorBrowser-Data (#13252). With that change, we can now follow suit and store the Tor Messenger profile in ~/Library/Application\ Support/TorMessenger-Data (#13861). However, this should only be case when the application is placed in /Applications. Otherwise, the profile is stored beside the application bundle.

Windows and OS X bundles are now signed

In past releases, users may have seen cumbersome and scary warnings that the Tor Messenger application is not signed by a known developer (#17452), and may not be trustworthy. We are now signing the Windows and OS X bundles with the Tor Browser developer keys.

Google Summer of Code (GSoC)

This summer, the Tor Messenger team participated in Google's Summer of Code program, mentoring a project by Vu Quoc Huy, titled "CONIKS for Tor Messenger" (#17961). CONIKS is a key management and verification system for end-to-end secure communication services, using a model called key transparency. In this model, our users' keys are managed in a publicly (and cryptographically) auditable yet privacy preserving key directory in order to provide stronger security and better usability.

Although we hope to have a prototype deployed for testing in the near future, much work remains before we can consider turning it on in production. So far, we've produced an implementation of a CONIKS keyserver and several patches to Tor Messenger to support the additional logic and interface. This has been a collaboration between researchers Marcela Melara (CONIKS' project lead) from Princeton, Ismail Khoffi from EPFL, our student Huy, and the Tor Messenger team. We'd like to thank all who participated.

Before upgrading, back up your OTR keys

You will need to back up your OTR keys to preserve them across this upgrade. Please see the steps to back them up, or consider simply generating new ones after upgrading.

Note that with the advent of the secure updater, this step will no longer be necessary in future releases. All profile data will be preserved upon automatic update, including accounts and OTR keys (#13861).

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

OS X (Mac)

sha256sums.txt
sha256sums.txt.asc

The sha256sums.txt file containing hashes of the bundles is signed with the key 0xB01C8B006DA77FAA (fingerprint: E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint from the signing keys page on Tor Project's website.

Changelog

Here is the complete changelog since v0.1.0b6:

Tor Messenger 0.2.0b2 -- September 06, 2016

  • Mac
    • Bug 19269: Fix OS X file permissions
    • Fix OS X profile when application is not placed in /Applications

Tor Messenger 0.2.0b1 -- September 02, 2016

  • All Platforms
    • Use the THUNDERBIRD_45_3_0_RELEASE tag on mozilla-esr45
    • Use the THUNDERBIRD_45_3_0_RELEASE tag on comm-esr45
    • Bug 19053: Display plaintext in notifications
    • Bug 17363: Remove redundant Tor Messenger folders
    • Bug 14388: Secure automatic updates for Tor Messenger
    • Bug 13861: Preserve user profiles after updates
    • Update libgcrypt to 1.6.6 for CVE-2016-6316
    • Update ctypes-otr to 0.0.2
  • Linux
    • Bug 18634: Switch to building Tor Messenger on Debian Wheezy
  • Mac
    • Bug 13861: Profile directory stored in ~/Library/Application\ Support/TorMessenger-Data
    • Bug 17460: Add graphics for OS X drag and drop to Applications
    • Bug 17648: Fix update service error in error console

TorBirdy 0.2.0: Sixth Beta Release

We are pleased to announce the sixth beta release of TorBirdy and the first in the 0.2 series: TorBirdy 0.2.0. All users are encouraged to upgrade as this release fixes numerous security and privacy issues.

Notable changes include fixing local timestamp disclosure in the date and the message-ID headers, as detailed in tickets #6314 and #6315. The patch for sanitizing the date header is shipped with TorBirdy. The patch for the message-ID header was submitted upstream to Mozilla and merged in Thunderbird 45, and it is therefore recommended that you upgrade to Thunderbird 45 if possible.

There are currently no known leaks in TorBirdy but please note that we are still in beta, so the usual caveats apply.

If you are using TorBirdy for the first time, visit the wiki to get started.

Other changes in this release include:

0.2.0, 27 Jun 2016

* Bug #6314: Prevent local timestamp disclosure via Date header
* Bug #6315: Prevent local timestamp disclosure via Message-ID header
* Bug #13721: Fix usage of wrong locale
* Bug #17426: Allow configuration of default email protocol
* Bug #15459: Add support for deterministic XPI generation
* Bug #11387, #13006: Fix non-standard EHLO argument
* Bug #17118: Allow manual account configuration for Gmail with OAuth2
* Bug #19031: Add and audit support for RSS reader
* Bug #7847: Audit and update support for NNTP
* Bug #10683: Update Thunderbird UI to reflect TorBirdy's state
* Bug #19330: Set secure defaults for outgoing mail servers
* Removed compatibility for older versions of Thunderbird and added support for Thunderbird 37+
* Added support for automatic configuration of Riseup email accounts
* Updated various privacy and security settings (see commit 2bdeffbb for a list of the changes)
* Update translations for current languages

Many thanks to Arthur Edelstein and the Tails Developers for this release!

We offer two ways of installing TorBirdy -- either by visiting our website (GPG signature; signed by 0xB01C8B006DA77FAA) or by visiting the Mozilla Add-ons page for TorBirdy. Please note that there may be a delay -- which can range from a few hours to days -- before the extension is reviewed by Mozilla and updated on the Add-ons page.

(Packages for Debian GNU/Linux will be created and uploaded shortly.)

Tor Messenger 0.1.0b6 is released

We are pleased to announce another public beta release of Tor Messenger. This release features important security updates to Instantbird. All users are highly encouraged to upgrade.

Mozilla's ESR cycle

This release of Tor Messenger is the first release based on Mozilla's ESR cycle. As with Tor Browser, all future releases will continue to pair with this cycle.

Secure Updater

We are well aware of the current pain in upgrading Tor Messenger and are actively working towards porting Tor Browser's updater patches (#14388) so that keeping Tor Messenger up to date is as seamless and easy as possible. We continue to apologize for the inconvenience.

Before upgrading, back up your OTR keys

Before upgrading to the new release, you will need to back up your OTR keys or simply generate new ones. Please see the following steps to back them up.

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

OS X (Mac)

sha256sums.txt
sha256sums.txt.asc

The sha256sums.txt file containing hashes of the bundles is signed with the key 0x6887935AB297B391 (fingerprint: 3A0B 3D84 3708 9613 6B84 5E82 6887 935A B297 B391).

Changelog

Here is the complete changelog since v0.1.0b5:

Tor Messenger 0.1.0b6 -- April 06, 2016

  • All Platforms
    • Use the THUNDERBIRD_45_0b3_RELEASE tag on mozilla-esr45
    • Use the THUNDERBIRD_45_0b3_RELEASE tag on comm-esr45
    • Bug 18533: Disable sending fonts or colors as part of messages
    • ctypes-otr
      • GH 68: Don't close notification bar until verification succeeds (patch by Elias Rohrer)
      • GH 71: Improve verifying from the fingerprint manager (patch by Vu Quoc Huy)
      • GH 72: Generate keys automatically after account creation (patch by Vu Quoc Huy)

Tor Messenger 0.1.0b5 is released

We are pleased to announce another public beta release of Tor Messenger. This release features important security updates to libotr, and addresses a number of stability and usability issues. All users are highly encouraged to upgrade.

The initial public release was a success in that it garnered a lot of useful feedback. We tried to respond to all your concerns in the comments of the blog post but also collected and aggregated a FAQ of the most common questions.

OTR over Twitter DMs

Tor Messenger now supports OTR conversations over Twitter DMs (direct messages). Simply configure your Twitter account with Tor Messenger and add the Twitter account you want as a contact. Any (direct) message you send to another Twitter contact will be sent over OTR provided that both contacts are running Tor Messenger (or another client that supports Twitter DMs and OTR).

Facebook support dropped

Facebook has long officially deprecated their XMPP gateway, and it doesn't appear to work anymore. We had multiple reports from users about this issue and decided that it was best to remove support for Facebook from Tor Messenger.

We hear that an implementation of the new mqtt based protocol is in the works, so we hope to restore this functionality in the future.

Before upgrading, back up your OTR keys

Before upgrading to the new release, you will need to back up your OTR keys or simply generate new ones. Please see the following steps to back them up.

In the future, we plan to port Tor Browser's updater patches (#14388) so that keeping Tor Messenger up to date is seamless and automatic. We also plan to add a UI to make importing OTR keys and accounts from Pidgin, and other clients, as easy as possible (#16526).

The secure updater will likely be a part of the next release of Tor Messenger.

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

OS X (Mac)

sha256sums.txt
sha256sums.txt.asc

The sha256sums.txt file containing hashes of the bundles is signed with the key 0x6887935AB297B391 (fingerprint: 3A0B 3D84 3708 9613 6B84 5E82 6887 935A B297 B391).

Changelog

Here is the complete changelog since v0.1.0b4:

Tor Messenger 0.1.0b5 -- March 09, 2016

  • All Platforms
    • Bug 13795: Remove SPI root certificate because Debian no longer ships it
    • Bug 18094: Remove references to torbutton from start-tor-messenger script
    • Bug 18235: Disable Facebook as they no longer support XMPP
    • Bug 17494: Better error reporting for failed outgoing messages
    • Bug 17749: Show version information in the "About" window
    • Bug 13312: Add support for OTR over Twitter DMs
    • Bump libotr to 4.1.1
  • Mac
    • Bug 17896: Add Edit menu to the conversation window on OS X
  • Windows
    • ctypes-otr
      • GH 65: Support Unicode paths on Windows

Tor Messenger 0.1.0b4 is released

We are pleased to announce another public beta release of Tor Messenger. This release addresses a number of stability and usability issues, and includes the default bridge configurations for pluggable transports.

The initial public release was a success in that it garnered a lot of useful feedback. We tried to respond to all your concerns in the comments of the blog post but also collected and aggregated a FAQ of the most common questions.

Before Upgrading

Before upgrading to the new release, you will need to backup your OTR keys or simply generate new ones. Please see the following steps to back them up.

In our eagerness to build on work done by Tor Browser, we made the decision to store your profile directory inside the application bundle. This complicates matters when you want to use the same accounts and keys across updates, especially while we don't have an automatic updater. Please see #13861.

Also, as was vociferously pointed out by some of our early adopters, this probably isn't a very intuitive user experience. Copying the extracted application to someone else's computer would unknowingly transfer your accounts and OTR keys. It's unclear if this is commonly done and we'd love feedback on this point to understand the urgency of the issue.

In future releases, we plan on revisiting this decision. The number one item on our roadmap is porting Tor Browser's updater patches (#14388) so that keeping Tor Messenger up-to-date is seamless and automatic. We also plan to add a UI to make importing OTR keys and accounts from Pidgin, and other clients, as easy as possible (#16526).

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

OS X (Mac)

sha256sums.txt
sha256sums.txt.asc

The sha256sums.txt file containing hashes of the bundles is signed with the key 0x6887935AB297B391 (fingerprint: 3A0B 3D84 3708 9613 6B84 5E82 6887 935A B297 B391).

Changelog

Here is the complete changelog since v0.1.0b2:

Tor Messenger 0.1.0b4 -- November 22 2015

  • All Platforms
    • Bug 17492: Include default bridges configuration
    • Use tor and the pluggable transports from tor-browser 5.0.4
    • Bug 17552: Instantbird should handle XMPP message stanzas with subjects
    • ctypes-otr
      • Bug 17539: Pass username when interpolating resent string
      • Bug 15179: Add an OTR Preferences item to the Tools menu
    • Use the FIREFOX_42_0_RELEASE tag on mozilla-release
    • Use the THUNDERBIRD_42_0b2_RELEASE tag on comm-release
    • Bug 16489: Prevent automatic logins at startup
    • Update Tor Messenger logo in Tor Launcher
  • Mac
    • Bug 16476: Themes preference is positioned incorrectly
    • Bug 17456: Application hang when navigating the preferences menu

Tor Messenger 0.1.0b3 -- October 30 2015

  • Windows
    • Bug 17453: Fix Tor Messenger crash when starting up in Windows
Syndicate content Syndicate content