Tor Messenger 0.2.0b2 is released
We are pleased to announce another public beta release of Tor Messenger. This release features a secure automatic updater and important security fixes to Instantbird. All users are highly encouraged to upgrade.
This is the first release that contains ported patches from Tor Browser to securely update the application (#14388). Moving forward, Tor Messenger will prompt you when a new release is available, automatically download the update over Tor, and apply it upon restart. Keeping Tor Messenger up-to-date should now be seamless, painless, and secure.
OS X Profile Directory
In previous releases, Tor Messenger stored its profile directory inside the application bundle. This was a result of the Tor Messenger team building on the work done for Tor Browser. While normally straightforward, this caused some trouble with Mac users who said that there's a common expectation to be able to copy extracted applications to someone else's computer. This could lead to them unknowingly transferring accounts and OTR keys.
Tor Browser has since switched courses and, in the 6.0 series, it now stores its profile in ~/Library/Application\ Support/TorBrowser-Data (#13252). With that change, we can now follow suit and store the Tor Messenger profile in ~/Library/Application\ Support/TorMessenger-Data (#13861). However, this should only be the case when the application is placed in /Applications. Otherwise, the profile is stored beside the application bundle.
Windows and OS X bundles are now signed
In past releases, users may have seen cumbersome and scary warnings that the Tor Messenger application is not signed by a known developer (#17452), and may not be trustworthy. We are now signing the Windows and OS X bundles with the Tor Browser developer keys.
Google Summer of Code (GSoC)
This summer, the Tor Messenger team participated in Google's Summer of Code program, mentoring a project by Vu Quoc Huy, titled "CONIKS for Tor Messenger" (#17961). CONIKS is a key management and verification system for end-to-end secure communication services, using a model called key transparency. In this model, our users' keys are managed in a publicly (and cryptographically) auditable yet privacy preserving key directory in order to provide stronger security and better usability.
Although we hope to have a prototype deployed for testing in the near future, much work remains before we can consider turning it on in production. So far, we've produced an implementation of a CONIKS keyserver and several patches to Tor Messenger to support the additional logic and interface. This has been a collaboration between researchers Marcela Melara (CONIKS' project lead) from Princeton, Ismail Khoffi from EPFL, our student Huy, and the Tor Messenger team. We'd like to thank all who participated.
Before upgrading, back up your OTR keys
You will need to back up your OTR keys to preserve them across this upgrade. Please see the steps to back them up, or consider simply generating new ones after upgrading.
Note that with the advent of the secure updater, this step will no longer be necessary in future releases. All profile data will be preserved upon automatic update, including accounts and OTR keys (#13861).
Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.
The sha256sums.txt file containing hashes of the bundles is signed with the key (fingerprint: E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint from the signing keys page on Tor Project's website.
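The check described above, as an added shell example that is not part of the original announcement or of Tor Project's tooling: it accepts the sums file only if its signature is valid and made by the full fingerprint quoted above, then compares the bundle's SHA-256 with the signed entry. The function names and the signature file name sha256sums.txt.asc are assumptions; it needs gpg (with the key already imported) and sha256sum.

```shell
#!/bin/sh
# Added example, not Tor Project code. Fingerprint copied from the announcement;
# confirm it against the signing keys page before trusting it.
EXPECTED_FPR="E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA"

# Strip spaces/colons and upper-case so differently formatted fingerprints compare.
normalize_fpr() { printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'; }

# fpr_matches <fingerprint>: true only for the full expected fingerprint.
# Short key IDs are rejected because they can be made to collide.
fpr_matches() {
  got=$(normalize_fpr "$1")
  [ "${#got}" -eq 40 ] && [ "$got" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# signer_fpr <sigfile> <signed-file>: print the primary-key fingerprint of a
# cryptographically valid signature, or nothing if verification fails.
signer_fpr() {
  gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF }'
}

# bundle_hash_ok <sums-file> <bundle>: compare the bundle's SHA-256 with the
# entry for the same file name in the sums file.
bundle_hash_ok() {
  name=$(basename "$2")
  want=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$1")
  [ -n "$want" ] || return 1
  have=$(sha256sum "$2" | awk '{ print $1 }')
  [ "$want" = "$have" ]
}

# verify_bundle <sums-file> <sigfile> <bundle>: signature first, then hash.
verify_bundle() {
  fpr_matches "$(signer_fpr "$2" "$1")" ||
    { echo "sha256sums signature invalid or from an unexpected key" >&2; return 1; }
  bundle_hash_ok "$1" "$3" ||
    { echo "bundle hash does not match signed sums file" >&2; return 1; }
  echo "OK: $3"
}

# Usage (file names other than sha256sums.txt are placeholders):
#   verify_bundle sha256sums.txt sha256sums.txt.asc <bundle-file>
```

On OS X, where sha256sum is usually absent, `shasum -a 256` produces the same output format.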
Here is the complete changelog since v0.1.0b6:
Tor Messenger 0.2.0b2 -- September 06, 2016
- Bug 19269: Fix OS X file permissions
- Fix OS X profile when application is not placed in /Applications
Tor Messenger 0.2.0b1 -- September 02, 2016
- All Platforms
- Use the THUNDERBIRD_45_3_0_RELEASE tag on mozilla-esr45
- Use the THUNDERBIRD_45_3_0_RELEASE tag on comm-esr45
- Bug 19053: Display plaintext in notifications
- Bug 17363: Remove redundant Tor Messenger folders
- Bug 14388: Secure automatic updates for Tor Messenger
- Bug 13861: Preserve user profiles after updates
- Update libgcrypt to 1.6.6 for CVE-2016-6316
- Update ctypes-otr to 0.0.2
- Bug 18634: Switch to building Tor Messenger on Debian Wheezy
1. How secure is Tor Messenger?
2. What's the difference between Tox (tox.chat) and Tor Messenger?
3. Why is there no dedicated webpage on www.torproject.org?
4. Screenshot please.
5. Is this software portable?
6. Can I use another Tor proxy on the network, rather than install Tor on this localhost PC?
The official story is that when the server was rebooted, a mysterious bug accidentally deleted all the comments to recent posts.
However, the deleted posts included quite a few which were embarrassing to the USG (governments hate to see verifiable truth being openly discussed by their citizens), so I don't think very many people are fooled.
1. USG pressure on TP leadership became so fearsome that someone deleted them because they were threatened with extremely dire consequences for failure to comply with a deletion demand. (Ruinous lawsuit? Mass arrests of TP employees and volunteers? Sinkholing the TP website? Drone strike on Cambridge, MA?)
2. Current or former NSA/TAO or GCHQ/JTRIG operatives intruded into the server and deleted the posts, making sure to time the deletion to encourage attribution to a "mystery bug" rather than to enemy action.
The third possibility is that there really was a mystery bug which popped up during the reboot, but I find that hard to believe. The deleted posts were just too embarrassing to USG, and the same thing happened previously at the Tails blog (even before the Snowden leaks!).
The good news is that we know we're getting to the Bad Guys, when they start breaking into servers and deleting posts. Even better, they handed TP an opportunity to investigate how state-sponsored hackers attack blogs they dislike. I hope CitizenLab is doing some forensics on the server in question.
1. Tor Messenger is still in beta. At-risk users should not depend on it for their privacy and safety. An audit is in planning.
2. Tox seems to be its own protocol / network (I don't know anything about it). Tor Messenger is for the transports you're already familiar with, like XMPP and IRC.
5. I believe so, but see above about the profile directory on OS X.
6. Tor Messenger reuses the tor-launcher code from Tor Browser. If you're familiar with configuring Tor Browser for your network conditions, the procedure should be identical.