Tor Messenger Beta: Chat over Tor, Easily

WARNING STARTS

As of March 2018, Tor Messenger is no longer maintained and you should NOT use it. Please see the announcement for more information.

WARNING ENDS

Today we are releasing a new, beta version of Tor Messenger, based on Instantbird, an instant messaging client developed in the Mozilla community.

What is it?

Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

What it isn't...

Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server. However, your route to the server will be hidden because you are communicating over Tor.

We are also excited about systems like Pond and Ricochet, which try to solve this problem, and would encourage you to look at their designs and use them too.

Why Instantbird?

We considered a number of messaging clients: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice -- its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

Current Status

Today we are releasing a beta version with which we hope to gain both usability and security related feedback. There have been three previous alpha releases to the mailing lists that have already helped smooth out some of the rougher edges.

Downloads (Updated)

Get the latest version

Instructions

  • On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
  • On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.
  • On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.

  • Note that as a policy, unencrypted one-to-one conversations are not allowed and your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication but doing so is not recommended.

Source Code

We are doing automated builds of Tor Messenger for all platforms.

The Linux builds are reproducible: anyone who builds Tor Messenger for Linux should have byte-for-byte identical binaries compared with other builds from a given source. You can build it yourself and let us know if you encounter any problems or cannot match our build. The Windows and OS X builds are not completely reproducible yet but we are working on it.

What's to Come

Our current focus is security, robustness and user experience. We will be fixing bugs and releasing updates as appropriate, and in the future, we plan on pairing releases with Mozilla's Extended Support Release (ESR) cycle. We have some ideas on where to take Tor Messenger but we would like to hear what you have to say. Some possibilities include:

How To Help

Give it a try and provide feedback, requests, and file bugs (choose the "Tor Messenger" component). If you are a developer, help us close all our tickets or help us review our design doc. As always, we are idling on IRC in #tor-dev (OFTC) (nicks: arlolra; boklm; sukhe) and subscribed to the tor-talk/dev mailing lists.

Please note that this release is for users who would like to help us with testing the product but at the same time who also understand the risks involved in using beta software.

Thanks and we hope you enjoy Tor Messenger!

Update: For Windows 10 (and some Windows 7, 8) users who were experiencing an issue in Tor Messenger where it wouldn't start, we have updated the download links above with a newer version that fixes the problem described in bug 17453.

Anonymous

October 30, 2015

Google blocked my sign-on because of it coming from a non-standard country (in this case it was Paris, France). I think it will likely be difficult to use Google Talk through this without dealing with these issues. The other downside is that even if you do train Google to allow logins globally, you've now weakened the protection Google provides regarding account security.

Anonymous

October 30, 2015

I don't know what the issue is but I cannot log into Facebook. Correct username and password. Could it be the Facebook login verification?

Anonymous

October 30, 2015

How on earth does Facebook chat get encrypted? I don't understand?

I also try to configure it, put in my username and password, but it continually tells me my password is incorrect ..... and it's not incorrect. I've changed it to a new one, same result.

Facebook chat will get encrypted if the person you are talking with is using Tor Messenger, or another OTR-enabled client. When you start a conversation, it will be encrypted. Facebook can't see the content of the conversation. It will just see that you are talking with the person, but not what you are talking about.

If you are having problem using FB, please see https://trac.torproject.org/projects/tor/ticket/17464. Let us know if it works for you.

Anonymous

October 30, 2015

Ugh every time I open up preferences, the whole application locks up and freezes and I have to force quit it. Quality.

Anonymous

October 30, 2015

Tor Messenger is not working for me with my Google account. It says I entered the wrong password, but all the info, both email and password, is correct for logging in with "Google Talk".

Anonymous

October 30, 2015

I'd love to see mobile apps, which for many of the people I communicate with, are critical to have a hope of achieving a network effect. Signal/TextSecure/RedPhone somehow interoperating with much of this codebase would be my dream. It's kind of a bummer that you have many of the same goals as OWS but don't appear to be working together. For many users, secure messaging choices will be an even tougher call once the Signal chrome extension (hopefully FF too) becomes available.

Great work!

Anonymous

October 30, 2015

My feedback & experience:

How to use it with system Tor, if clearnet connections are forbidden by iptables? To do that for Tor Browser Bundle I just remove tor-launcher xpi file (64 bit version). Otherwise, I even would not get firefox started. Here, in Tor Messenger, we have no such file, but directory Messenger/extensions/tor-launcher@torproject.org instead. I deleted it. After that my Tor Messenger got started. I also changed port in network preferences to proper one.

I wanted to test it with XMPP server which has a mirror in onion. I specified onion address as host and finally got it working (account was registered in advance). And now many troubles started...

I added Tor Messenger XMPP account to the roster of my another XMPP IM client (mcabber). Then, Tor Messenger asked me to "allow" that contact, and I allowed it. However, after this authorization "allowed" account did not get listed in Tor Messenger's contact list (roster), which is strange. It means I cannot see contacts I authorized to see my status. Only when I manually added this contact in Tor Messenger too, it appeared in my roster. Now both XMPP contacts authorized each other.

When I connected from my IM (mcabber) to Tor Messenger, the latter complained that OTR plugin is not supported. I was very surprised. Why it is not enabled by default? I found it in preferences and enabled. However, OTR does not work. Neither my Tor Messenger contact nor IM contact can start OTR session. I run Tor Messenger with command: ./start-tor-messenger --verbose (it allows me to see warnings). I noticed that each time I click on "start private conversation" I see in log "TypeError: muc is undefined". I opened error console in Tor Messenger, and see an error "Error: __NoSuchMethod__ is depricated; resource:///modules/xmpp.jsm" and then many error messages "muc is undefined; resource:///modules/xmpp.jsm".

If I disable OTR, then messages are passed successfully to both sides. But I failed to get it working with OTR despite (according to preferences) everything is OK (key was generated, fingerprint was seen).

Another problem are preferences of ctypes-otr extension: sometimes to get button "preferences" working I need to click on "disable", and then on "enable". Otherwise, the window with preferences is not opened.

> Only when I manually added this contact in Tor Messenger too, it appeared in my roster. Now both XMPP contacts authorized each other.

This is how XMPP works: both of you have to authorize each other before you can see the status. You can still start chatting, you can only see the availability of the other person if they have accepted your invitation.

> When I connected from my IM (mcabber) to Tor Messenger, the latter complained that OTR plugin is not supported.

This does not make sense. What are you trying to do here? Just use Tor Messenger -- it supports IRC and OTR is automatically enabled for one-to-one conversations.

Try using Tor Messenger without Mcabber (I am not sure why you are doing this) and you will see most of your problems fixed.

> This is how XMPP works: both of you have to authorize each other before you can see the status. You can still start chatting, you can only see the availability of the other person if they have accepted your invitation.

You didn't understand what I say. I don't complain about that I cannot see the status. I complain about that I cannot see this contact in my contact list! In normal XMPP clients when I authorize somebody, I can see him in my list despite I cannot see his status(!). In tor messenger I see absolutely nothing. It means if I forgot which contact I authorized, there is no any simple way to find it.

> This does not make sense. What are you trying to do here? Just use Tor Messenger -- it supports IRC and OTR is automatically enabled for one-to-one conversations. Try using Tor Messenger without Mcabber (I am not sure why you are doing this) and you will see most of your problems fixed.

OMG, somebody of us does not understand the idea of Tor Messenger. Is it multiprotocol client? If yes, it must be in compliance with XMPP protocol. Does Tor Messenger support standard OTR protocol for XMPP? If yes, it must be compatible with all XMPP clients and their OTR implementation. The idea of Tor Messenger is to be compatible with standard IM protocols, so I can chat with anybody who is not yet using Tor Messenger, isn't it? So if somebody is using standard XMPP client such as mcabber, which supports OTR, why I cannot use OTR from Tor Messenger? Is its OTR implementation incompatible with the standard?

Experienced people use convenient IM clients (such as mcabber), which are properly customized to work with Tor and end2end encryption. Then, ordinary people could use Tor Messenger (XMPP+OTR) to anonymously chat with that IM client. It is only possible, when OTR is compatible on both sides, which, as I see, is not the case.

I think I am pretty clear...

P.S. If we don't bother about compatibility with standard protocols and standard implementation of OTR, why to use Tor Messenger? It is better to use ricochet.

OK sorry, I misread this comment. Let's address the issues one by one.

1. You have to enable "show offline contacts". Is this what you meant? If yes, right-click on the empty space in the contacts window and enable this option.

2. I actually misread this part badly but anyways, this was an error that we just fixed. Mcabber should now work (tested). See https://trac.torproject.org/projects/tor/ticket/17552. This was due to an XMPP issue, not the OTR code.

(And yes, our OTR implementation is compatible with other clients, that's the point.)

Thanks a lot for your comment! Indeed, in newer version everything works fine.

1. Yes, thanks, it works.
2. Yes, in 0.1.0b4 it is fixed.

I have just minor comment on script start-tor-messenger, which I run in my terminal as "./start-tor-messenger --debug". It works, but it writes:

  ./start-tor-messenger: line 268: [: 64: unary operator expected

Probably, you may want to fix this minor warning.

Anonymous

October 30, 2015

This is more of a suggestion: I don't know much about how Tor works but amongst the list of messengers, I notice there's no "Wickr". I suggest you take a look at Wickr if you haven't and look at how it works as it's a pretty amazing system. Maybe some of the ideas from that may translate well over to TorMessenger or future Tor products?

Anonymous

October 30, 2015

You can't use a Facebook account if you have account security on full lock down with two factor authentication.

Anonymous

October 31, 2015

So, first of all : great work and thanks!

unfortunately I can't get it to run with facebook cause the buffoons at facebook don't want me to use it :)

Any updates on this issue, is there anything I can do to make it work?

Sorry, but the instructions are unclear. What to put as "app-name"? "Tor messenger" or something else?

What to use as login name, my "facebook username" or the newly created appname?

I have the same problem. I tried by putting "Tor Messenger" and "TorMessenger" in the app name field, with no results.

I have used my username (the one after facebook.com when you go in your Facebook profile) and not my email. I have also followed the instructions for generating an app password.

Is Facebook blocking Tor Messenger somehow?

Anonymous

October 31, 2015

Why run Tor on any commercially closed operating system possibly acting like a trojan horse?

Is it safe against trojan horses? How?

Is it safe against spy-chips installed on commercial hardware? How?

Is it using iRL kryptokeys or is it sending kryptokeys over the internet? Why is that considered safe?

Is Tor downloading javascript when it is being run? Why?

The imagination of safety on the internet might be the very thing that makes it unsafe. I suggest awareness and openness in all communication until people themselves create "dedicated trusted computer communication and voting devices".

Swing your thing on the youtube and they will not be able to pull down your pants! ;-)

/Martin Gustavsson
Scientific party of Sweden

Anonymous

October 31, 2015

Torchat is not opening after successful installation. Can someone tell me what to do?

I am running it on host Windows 10.

Anonymous

October 31, 2015

Why is there no usual uninstall tool? And does it make keys in the registry?

Anonymous

October 31, 2015

What if the other person is not using tor-messenger, do we still have an encrypted conversation? If not, why do we use tor-messenger?
-----------------------------------
And when I want to start a conversation using Facebook, it's shown that it's not a private conversation: "2:24:56 PM - Attempting to start a private conversation with […]"

If the other person is not using Tor Messenger or another OTR-enabled client, you cannot talk with them as Tor Messenger does not allow sending of unencrypted communication. This is by design. Also, if the other person is using OTR, it will still say "Attempting to start..." but if the conversation actually starts, it will tell you that the conversation is private. If all it says is "Attempting to start..." and nothing after it, then that conversation is not secure.

Anonymous

October 31, 2015

Password not working on gtalk. Fails to connect with any account I try.

Anonymous

October 31, 2015

Wow what a simply brilliant project.

it would be nice to see android & ios versions of this as many current apps do not support key encryption/decryption.

You may enjoy ChatSecure on Android.

sukhbir:

Could you do a feature-by-feature comparison of ChatSecure and this creation of yours? We would like to see a list of pros and cons in using your product over ChatSecure. Thanks in advance.

Anonymous

October 31, 2015

sha256 matches but verification with the .asc file raises an error!

I successfully imported key with command:
$ gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x6887935AB297B391

but then got an error "BAD sign" with
$ gpg --keyid-format long --verify sha256sums.txt.asc tor-messenger-linux64-0.1.0b3_en-US.tar.xz
>gpg: Signature faite le ven. 30 oct. 2015 20:52:30 CET
>gpg: avec la clef RSA 6887935AB297B391
>gpg: MAUVAISE signature de « Sukhbir Singh  »

Anonymous

October 31, 2015

My apologies, verification of sha256sum.txt with the .asc file is OK finally.
It was an error of my command ;)
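
The two-step check the last two comments arrive at, as an added example that is not part of the original post or its comments: the detached signature sha256sums.txt.asc covers sha256sums.txt, so GnuPG verifies that file first, and only then is the tarball's hash compared with the signed list. The function names are hypothetical; the sketch assumes GNU coreutils `sha256sum`, a `gpg` keyring that already holds the signing key, and file names without spaces.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not Tor Project code.
# Usage once sourced:
#   verify_release sha256sums.txt sha256sums.txt.asc \
#       tor-messenger-linux64-0.1.0b3_en-US.tar.xz

# sha256_of FILE: print the hex SHA-256 of FILE.
sha256_of() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# check_listed_sha256 SUMS ARTIFACT
# Returns 0 if ARTIFACT's basename is listed in SUMS with a matching hash,
# 1 on a hash mismatch, 2 if a file is unreadable or ARTIFACT is not listed.
check_listed_sha256() {
    sums=$1 artifact=$2
    [ -r "$sums" ] && [ -r "$artifact" ] || return 2
    name=$(basename -- "$artifact")
    # sha256sum lines look like "<hex>  <name>" or "<hex> *<name>".
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$artifact")
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# verify_release SUMS SIG ARTIFACT
# Returns 3 if the signature over SUMS does not verify; otherwise the result
# of check_listed_sha256.
verify_release() {
    # Step 1: the signed data is the checksum list. Passing the tarball here
    # makes gpg report a bad signature even when the download is intact.
    # A good signature only proves that some key in the keyring signed the
    # list; compare the key ID gpg prints with the one you expect.
    gpg --keyid-format long --verify "$2" "$1" || return 3
    # Step 2: the list is now trusted, so compare the tarball against it.
    check_listed_sha256 "$1" "$3"
}
```

A matching hash on its own says nothing about authenticity, since whoever can replace the tarball can usually replace an unsigned checksum list as well.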