Sunsetting Tor Messenger
In 2015, we introduced Tor Messenger, a cross-platform chat program that aimed to be secure by default by sending all of its traffic over Tor and enforcing encrypted one-to-one conversations by bundling and using OTR (Off-the-Record) messaging. The aim was to provide a chat client that supported a wide variety of transport networks like Jabber (XMPP), IRC, Google Talk, Facebook, Twitter; had an easy-to-use graphical interface; and configured most of the security and privacy settings automatically with minimal user intervention.
When we released the first version, we tried to clearly identify the limitations of such a product: Tor Messenger was meant for communicating over existing social networks. In that client-server model the server can still log your metadata (who you talk to, when, and how much), but your route to the server would not be disclosed, because it would be over Tor, and the content of your conversations would be encrypted end-to-end with Off-the-Record messaging. We still thought this was a better alternative than other products on the market, such as Pidgin, because it shipped with safer default configurations.
Eleven beta releases later, we have, sadly, decided to discontinue supporting Tor Messenger. Here's why:
1. Instantbird Development Has Halted
Tor Messenger is based on Instantbird (see the original blog post on why we picked Instantbird), a product that is no longer maintained by its developers. While the chat features will be ported over to Thunderbird as they share the same codebase, the UI itself is no longer developed. The necessity of porting to Thunderbird also gave us the opportunity to step back and assess progress -- the adoption of Tor Messenger was low and the real need is for metadata-free alternatives.
2. The Metadata Problem
As described above, a centralized client-server architecture suffers from metadata leaks, and Tor Messenger inherits those problems while being unable to mitigate them: Tor hides your network location from the server and OTR hides the content, but the server still sees every message pass through it. Metadata leaks information about participants and their social graphs; while it does not reveal what was said, it reveals patterns about your communication: who your friends are, when you talk to them, how much you talk to them, etc.
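To make the metadata problem concrete, here is an added example (not code from the original post or from the Tor Messenger project) that replays the server's view. The log format, the example.org accounts, and the 198.51.100.x source addresses standing in for Tor exit relays are all constructed for illustration. Every message body is opaque OTR ciphertext and every source address is a Tor exit rather than a user's real IP, yet the server-side log alone still yields the social graph, message volumes, and hour-of-day activity for each pair of users.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of what an XMPP server's message log might retain.
# Fields: timestamp, source IP (a Tor exit stand-in, not the user's real
# address), sender JID, recipient JID, payload size, and the message body,
# which is OTR ciphertext the server cannot read. Addresses are from the
# TEST-NET-2 documentation range and are not real relays.
SAMPLE_LOG = """\
2017-09-01T22:14:03Z 198.51.100.11 alice@example.org bob@example.org 812 ?OTR:AAMD...
2017-09-01T22:14:41Z 198.51.100.27 bob@example.org alice@example.org 233 ?OTR:AAMD...
2017-09-01T22:17:02Z 198.51.100.11 alice@example.org bob@example.org 1490 ?OTR:AAMD...
2017-09-02T23:05:12Z 198.51.100.43 alice@example.org bob@example.org 640 ?OTR:AAMD...
2017-09-02T23:06:50Z 198.51.100.27 bob@example.org alice@example.org 702 ?OTR:AAMD...
2017-09-03T09:30:00Z 198.51.100.99 alice@example.org carol@example.org 120 ?OTR:AAMD...
2017-09-03T09:31:10Z 198.51.100.99 carol@example.org alice@example.org 98 ?OTR:AAMD...
"""


def parse_log(text):
    """Parse log lines into records; the ciphertext body is discarded because
    the server learns nothing from it anyway."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, sender, recipient, size, _body = line.split(maxsplit=5)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src_ip": src_ip,
            "sender": sender,
            "recipient": recipient,
            "size": int(size),
        })
    return records


def social_graph(records):
    """Undirected edge -> (message count, total bytes): who talks to whom,
    and how much, recovered purely from routing metadata."""
    edges = defaultdict(lambda: [0, 0])
    for r in records:
        key = tuple(sorted((r["sender"], r["recipient"])))
        edges[key][0] += 1
        edges[key][1] += r["size"]
    return {k: tuple(v) for k, v in edges.items()}


def contacts_of(records, user):
    """The set of accounts a given user has exchanged messages with."""
    out = set()
    for r in records:
        if r["sender"] == user:
            out.add(r["recipient"])
        elif r["recipient"] == user:
            out.add(r["sender"])
    return out


def activity_by_hour(records, a, b):
    """Hour-of-day histogram for one pair: when they talk to each other."""
    pair = {a, b}
    return Counter(r["time"].hour for r in records
                   if {r["sender"], r["recipient"]} == pair)


def source_addresses(records, user):
    """What the server learns about a user's network location: only the
    exit addresses, which say nothing about where the user really is."""
    return sorted({r["src_ip"] for r in records if r["sender"] == user})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (a, b), (count, nbytes) in social_graph(recs).items():
        print(f"{a} <-> {b}: {count} messages, {nbytes} bytes, "
              f"active hours {dict(activity_by_hour(recs, a, b))}")
    print("alice's contacts:", sorted(contacts_of(recs, "alice@example.org")))
    print("alice's visible addresses:", source_addresses(recs, "alice@example.org"))
```

The point of the exercise is what the server does not need: it never decrypts a body and never learns a real IP, and it can still tell that alice talks to bob far more than to carol, late in the evening, in a pattern that would be just as visible with a different Tor circuit every session. That is the leak Tor Messenger could not close, and it is why the post points to metadata-free designs rather than a better-configured XMPP client.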
3. Limited Resources
Even after all the releases, Tor Messenger was still in beta and we had never completed an external audit (there were two internal audits by Tor developers). We were also ignoring user requests for features and bug reports due to the limited resources we could allocate to the project. Given these circumstances, we decided it's best to discontinue rather than ship an incomplete product.
Existing Users and Recommendations
We recognize, alas, that this step doesn't leave users with many good options. Check out EFF's series about secure messaging to get up to speed on what to consider in a messenger. If you still really need XMPP, despite its centralized metadata problems, check out CoyIM.
We realize this announcement may raise some questions, so please feel free to use the comment section below and we will try to address them. We apologize for any inconvenience this may have caused.
We still believe in Tor's ability to be used in a messaging app, but sadly, we don't have the resources to make it happen right now. Maybe you do?
Telegram and Signal are not too bad for secure communication. Would be nice to have something similar but not built on phone numbers.