Tor Messenger 0.4.0b2 is released

by sukhbir | March 31, 2017

We are pleased to announce another public beta release of Tor Messenger. This release features important improvements to the stability and security of Tor Messenger. All users are encouraged to upgrade.

Tor Messenger 0.4.0b1 users will be automatically prompted to install the update (similar to Tor Browser). On installing and restarting, the update will be applied; your account settings and OTR keys will be preserved.

Incremental Updates

Incremental updates are disabled for this version and Tor Messenger will perform a complete update. There was a bug in the update MAR generation process that was fixed in d3834a99 but persisted across recent versions. To fix this and to ensure a smooth automatic update for future releases, we are pushing only complete updates for updating from version 0.4.0b1 to 0.4.0b2. What does this mean for you? Automatic updates will still be performed but will take a little longer.

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

macOS

sha256sums-signed-build.txt
sha256sums-signed-build.txt.asc

The sha256sums-signed-build.txt file containing hashes of the bundles is signed with the key 0xB01C8B006DA77FAA (fingerprint: E4AC D397 5427 A5BA 8450  A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint from the signing keys page on Tor Project's website.
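
The verification described above, written out as a script. This is an added example, not part of the original post: the fingerprint and the two sha256sums file names come from the post, while the function names, the bundle path you pass in, and the assumptions that the signing key is already imported and that the hash list uses bare file names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the post): verify a downloaded bundle against the
# signed hash list. Fingerprint and sha256sums file names are from the post.
# Assumes the signing key is already in your keyring and GNU sha256sum exists.

EXPECTED_FPR="E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA"

# Reads gpg --status-fd output on stdin. Succeeds only on a VALIDSIG line whose
# signing-key or primary-key fingerprint equals the pinned one. A short key ID
# in a GOODSIG line is deliberately not accepted as proof.
status_has_pinned_validsig() {
    awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit !ok }'
}

# Succeeds only if the bundle's SHA-256 equals the entry listed for its base
# name in the sums file ("<hex>  <name>" lines; assumes names without spaces).
bundle_matches_sums() {
    local sums="$1" bundle="$2" name want got
    name=$(basename "$bundle")
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             f == n { print $1; exit }' "$sums")
    [ -n "$want" ] || return 1          # bundle not listed: treat as failure
    got=$(sha256sum "$bundle" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# Signature first, hashes second: the hash list is only trusted once signed.
verify_download() {
    local sums="$1" sig="$2" bundle="$3"
    gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | status_has_pinned_validsig \
        || { echo "hash list not signed by the pinned key" >&2; return 1; }
    bundle_matches_sums "$sums" "$bundle" \
        || { echo "hash mismatch or bundle not listed" >&2; return 2; }
    echo "OK: $(basename "$bundle")"
}

# Usage: ./verify.sh sha256sums-signed-build.txt sha256sums-signed-build.txt.asc <bundle>
if [ "$#" -eq 3 ]; then
    verify_download "$@"
fi
```
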

Changelog

Tor Messenger 0.4.0b2 -- 31 March 2017

  • All Platforms
    • Use the tor-browser-45.8.0esr-6.5-2-build1 tag on tor-browser
    • Use the THUNDERBIRD_45_8_0_RELEASE tag on comm-esr45
    • Update tor-browser to 6.5.1
    • Trac 21634: Restore the ability to auto login, but default to off
    • Trac 17517: Consider using different color for "Add Exception"

Comments

Please note that the comment area below has been archived.

March 31, 2017

The latest financial reports on the website only cover the period through the end of 2014. In terms of financial transparency, this is not normal timing for US nonprofits.

Do you know when the organization's 2015 and/or 2016 IRS 990 forms or audited financial statements will be made available?

If only people read more than the title they'd notice that the Form 990 is missing for 2016 and all statements are missing for 2015.

April 01, 2017

Will you ever implement OMEMO?
Has Tor Messenger ever been audited? Since Instantbird doesn't have OTR support, you had to implement OTR from scratch which concerns me since you may have made a mistake somewhere.
How likely are HTML/JS attacks since Instantbird uses those languages?

Yes, there's a ticket, but that's all you ever get as an answer when asking about OMEMO. Is it actually planned? Has the work started? Any rough estimation when it might be implemented? In few weeks / months? A year? Five years?

Currently there simply isn't any desktop client that does OMEMO in a user friendly way (Gajim is a bad example), but there are really good options on mobile side (Conversations).

Yes, it's something we're considering doing, along with or as an alternative to OTRv4, but no, no work has started.

The only thing on the immediate roadmap is to get an audit, and hopefully be able to take the application out of beta.

Given that, I wouldn't expect it in the next weeks or months. Sorry that I can't be more precise.

We understand it's a desirable feature though, since so many are asking for it.

I looked at the ticket briefly a few days ago. There was some political discussion about the protocol license, and about various forks of the protocol. That might put a damper on things. As for whether it's officially planned, I haven't seen that stated anywhere. The best way to know is to look at the git repo, or better yet submit a patch :-) As you said, very few desktop clients support it yet, and it's a pretty new XEP. Tor Project is a nonprofit funded by donations, so I don't really expect them to be on the cutting edge of this kind of stuff. Actually, if I were them I might say "F it that's upstream's job, go bug the Instantbird developers" right off the bat.

I really think Ricochet is the way to go moving forward. If I had to guess, I would say quite a large percentage of the XMPP userbase is already using Tor anyway. XMPP lost a lot of credibility when Google Talk was discontinued. I think it's back to being a niche now. Case in point, you'd have just as hard a time introducing someone to XMPP as Ricochet, and the latter goes way above and beyond in protecting metadata. I'd rather see TP put all that effort into writing a Ricochet protocol plugin for Tor Messenger, and/or implement the Signal protocol on top of Ricochet. If you're careful you might be able to make Ricochet and XMPP with OMEMO interoperable using an XMPP transport/gateway.

Tor Messenger has yet to be independently audited, and that's why it's still considered beta software.

With some caveats, it does not run arbitrary JavaScript, like when visiting a website. It only runs what has shipped with the application. So, those attacks are much less likely.

April 02, 2017

I don't quite understand what is included in the featured download and why. From reading the description, it seems it would include a Tor BROWSER, but if so, WHY ? Assuming I already have Tor installed, how can I get and install the Tor messenger only ? (for MS Windows)

Goal is to exchange private, end to end, one to one instant messages (text only) among known friends

Is Tor browser about stated goal, or some quite different thing ?

TIA

Tor Messenger is built from the same platform (XULRunner) as Tor Browser and, as such, they share a common codebase. However, they're two different applications.

Tor Messenger comes packaged with a copy of the tor daemon and launches it at startup. More advanced usage is available, same as in Tor Browser. Please see the documentation about "Using a system-installed Tor process with Tor Messenger",
https://gitweb.torproject.org/tor-messenger-build.git/tree/projects/tor…

More information about Tor Messenger can be found at,
https://trac.torproject.org/projects/tor/wiki/doc/TorMessenger

April 04, 2017

In reply to arlo

Same poster as above. OK I think I understand now, "Tor Messenger" /is/ a Firefox extension, hence it requires running a FF (Tor browser) instance, right ? Can I easily install the extension in a non-Tor-browser Firefox ? And, /why/ that choice of a browser-hosted extension rather than a standalone instant messaging app, please ?

April 05, 2017

In reply to arlo

You're right, I am NOT understanding a thing :=) Sorry!

It being standalone, then, why would "Tor browser" (Firefox) be included at all ?

Tor Browser is not included.

The two applications are built from a common source tree, meaning they share some files. That's the reason why we reference it above.

Sorry if I'm not being clear.

April 05, 2017

In reply to arlo

"Tor Browser is not included.
Sorry if I'm not being clear."

Or me being dense... It's cleared now, thanks ! I'll be trying Tor Messenger soon...

April 02, 2017

It's a pity I didn't read this 2 years ago :O(

April 12, 2017

I sense an important opportunity for Tor Messenger to win some friends in the US Congress (one place where Tor needs to find new friends, and fast, because Comey is coming for us):

http://healthitsecurity.com/news/provider-secure-messaging-may-encourag…
Provider Secure Messaging May Encourage Patient Communication
A recent study found that providers utilizing healthcare secure messaging may affect how their patients use the same communication tools.
Secure messaging usage may improve if providers utilize it more often, study finds.
10 Apr 2017

> Healthcare providers may have a positive impact in how patients utilize secure messaging, according to a recent study published in the Journal of Medical Internet Research (JMIR). Provider secure messaging levels can predict their patients’ communicative behavior, researchers explained.

> The research team reviewed healthcare and secure messaging records of more than 81,000 US Army soldiers and approximately 3,000 clinicians with access to a patient portal system. “In this study, we demonstrated that among US Army soldiers, increased provider-initiated and provider-response messaging were associated with statistically-significant increases in the adjusted probability of patient-initiated secure messaging,” researchers wrote. “We also demonstrated that provider-response messaging had a much larger impact on patient messaging than provider-initiated messaging.” Specifically, patients who had providers that were highly responsive to other patients’ messages initiated 334 percent more secure messages than patients with providers who did not personally respond to other patients’ messages.

("334 percent more" is a classically bad way to state a statistical result. The researchers probably meant to say soldiers whose providers supported secure messaging used messaging to communicate with providers 4.3 times more often than soldiers whose providers do not support secure messaging.)

The crucial point to make to lawmakers is that TM is trivially easy to install and use.

April 12, 2017

I hope Tor Project will keep a lookout for opportunities like this to tout Tor Messenger, OnionShare, etc, as solutions to many healthcare IT security issues:

https://www.propublica.org/atpropublica/item/propublica-is-hosting-a-ch…
Cynthia Gordy
ProPublica, April 11, 2017, 4:12 p.m.

> ProPublica is holding its first ever hackathon to celebrate the recent launch of our Vital Signs API, inviting participants to Chicago to create solutions for helping patients receive better, more affordable health care.

April 12, 2017

I hope an independent security audit of TM happens very soon. I would very much like to see TM be included in Tails 3.0 (coming perhaps as early as June).

Tails 3.0 and later will support only 64 bit architectures.