Sunsetting Tor Messenger

In 2015, we introduced Tor Messenger, a cross-platform chat program that aimed to be secure by default by sending all of its traffic over Tor and enforcing encrypted one-to-one conversations by bundling and using OTR (Off-the-Record) messaging. The aim was to provide a chat client that supported a wide variety of transport networks like Jabber (XMPP), IRC, Google Talk, Facebook, Twitter; had an easy-to-use graphical interface; and configured most of the security and privacy settings automatically with minimal user intervention.

When we released the first version, we tried to clearly identify the limitations of such a product: Tor Messenger was meant for communicating over existing social networks. In such a client-server model, your metadata could be logged by the server, but your route to the server would not be disclosed because it would be over Tor, and your communications would be encrypted with Off-the-Record messaging. We still thought this was a better alternative than the other products on the market, such as Pidgin, because it had safer and more secure default configurations.

Eleven beta releases later, we have, sadly, decided to discontinue supporting Tor Messenger. Here's why:

1. Instantbird Development Has Halted

Tor Messenger is based on Instantbird (see the original blog post on why we picked Instantbird), a product that is no longer maintained by its developers. While the chat features will be ported over to Thunderbird as they share the same codebase, the UI itself is no longer developed. The necessity of porting to Thunderbird also gave us the opportunity to step back and assess progress -- the adoption of Tor Messenger was low and the real need is for metadata-free alternatives.

2. The Metadata Problem

As described above, a centralized client-server architecture suffers from metadata leaks and Tor Messenger inherits those problems while being unable to mitigate them. Metadata leaks information about participants and their social graphs, and while it does not reveal the actual data, it can reveal patterns about your communication: who your friends are, when you talk to them, how much you talk to them, etc.
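The following Python script makes the metadata problem described above concrete. It is an added example, not code from the Tor Project or from Tor Messenger: it assumes a hypothetical server-side log with one line per relayed message (timestamp, sender, recipient, ciphertext length), where every body is OTR-encrypted and every client connects over Tor, so no IP addresses appear at all. From those fields alone it reconstructs a user's contact list, how much each pair of users talks, and at what hours the user is active, which is exactly what a server operator (or anyone who obtains the server's logs) can learn without breaking any encryption.

```python
"""Added example (not part of the Tor Project post): what a chat server can
learn from metadata alone, even when every message body is OTR-encrypted
and every client reaches the server over Tor.

The log lines below are constructed. The field layout
(timestamp sender recipient ciphertext_length) is a hypothetical server
log, not the format of any real XMPP server.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: the server sees who talks to whom and when; the
# body is an opaque OTR ciphertext, represented here only by its length.
SAMPLE_LOG = """\
2018-03-30T08:02:11Z alice@example.org bob@example.org 612
2018-03-30T08:02:40Z bob@example.org alice@example.org 588
2018-03-30T08:03:05Z alice@example.org bob@example.org 1204
2018-03-30T13:15:00Z alice@example.org carol@example.org 640
2018-03-30T22:47:19Z alice@example.org bob@example.org 596
2018-03-31T08:01:52Z alice@example.org bob@example.org 601
2018-03-31T08:02:30Z bob@example.org alice@example.org 590
2018-03-31T23:10:05Z alice@example.org bob@example.org 1310
2018-04-01T08:05:44Z alice@example.org bob@example.org 599
"""


def parse_log(text):
    """Parse 'timestamp sender recipient ciphertext_len' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, size = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       sender, recipient, int(size)))
    return events


def contact_graph(events):
    """Undirected social graph: for each account, the set of peers it talks to."""
    graph = defaultdict(set)
    for _, sender, recipient, _ in events:
        graph[sender].add(recipient)
        graph[recipient].add(sender)
    return graph


def conversation_volume(events):
    """Message count per pair of accounts, independent of direction."""
    counts = Counter()
    for _, sender, recipient, _ in events:
        counts[tuple(sorted((sender, recipient)))] += 1
    return counts


def active_hours(events, user):
    """UTC hours in which `user` sends messages: a timing fingerprint."""
    return Counter(ts.hour for ts, sender, _, _ in events if sender == user)


def metadata_profile(text, user):
    """Everything the server learns about `user` without decrypting anything."""
    events = parse_log(text)
    return {
        "contacts": sorted(contact_graph(events)[user]),
        "volume": dict(conversation_volume(events)),
        "hours": dict(active_hours(events, user)),
    }


if __name__ == "__main__":
    profile = metadata_profile(SAMPLE_LOG, "alice@example.org")
    print("contacts:", profile["contacts"])
    print("messages per pair:", profile["volume"])
    print("sending hours (UTC):", profile["hours"])
```

Run as a script, it shows that alice's two contacts, her much heavier traffic with bob than with carol, and her habit of chatting around 08:00 UTC are all visible to the server. Tor hides where alice connects from and OTR hides what she says; neither hides the social graph or the timing, which is why the post calls centralized architectures a metadata problem that a client cannot fix on its own.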

3. Limited Resources

Even after all the releases, Tor Messenger was still in beta and we had never completed an external audit (there were two internal audits by Tor developers). We were also ignoring user requests for features and bug reports due to the limited resources we could allocate to the project. Given these circumstances, we decided it's best to discontinue rather than ship an incomplete product.

Existing Users and Recommendations

Alas, we recognize that this step doesn't leave users with many good options. Check out EFF's series about secure messaging to get up to speed on what to consider in a messenger. If you still really need XMPP, despite its centralized metadata problems, check out CoyIM.

Questions?

We realize this announcement may raise some questions, so please feel free to use the comment section below and we will try to address them. We apologize for any inconvenience this may have caused.

We still believe in Tor's ability to be used in a messaging app, but sadly, we don't have the resources to make it happen right now. Maybe you do?

Anonymous, April 02, 2018

Telegram and Signal are not too bad for secure communication. It would be nice to have something similar but not built on phone numbers.

Matrix/Riot is good, but mostly for people who are not too paranoid. At the moment encrypted chat history is stored forever on Matrix servers, which is not good, but necessary to make multi-client support with synchronized chat histories.

The Matrix protocol is now in competition with XMPP+e2e+OMEMO+lot_of_XEPs, but is more mobile-based with more integration and support out of the box. The main advantage of Matrix for Tor people is the support of offline encrypted messages with forward secrecy and encrypted multi-user chats (e2e VoIP and file/image transfer is also supported).

Telegram is shit. No end-to-end encryption by default. There are so-called secret chats, which do provide end-to-end encryption, but almost nobody uses them. Telegram's protocol is of questionable quality. The company offers a security bounty for breaking it, but under a very constrained and unrealistic attack scenario. In the past, there have been several security vulnerabilities discovered in the Telegram app. If you are concerned about security, I do not recommend using Telegram. Telegram's security relies mostly on you trusting Pavel Durov, which makes it not very much different from any other messenger.

Signal is better, but has certain drawbacks too. Namely: It requires a phone number. You can't host your own server. The interface is not very good and feature-rich at the moment. The first two apply to Telegram as well. I don't know about the third one, YMMV.

Tor + XMPP + OTR is the way to go. That's what drug dealers, hackers and other shady entities use.

If you trust the mobile platform in principle, you can use Signal (advertised by Snowden, AFAIR). But it is not as popular as other messengers. When it becomes popular, state entities will start blocking it too, I think.

> Tor + XMPP + OTR is the way to go. That's what drug dealers, hackers and other shady entities use.

In the current political climate, I think it is very dangerous to the continued existence of Tor Project to promote the demonstrably false claim that "only criminals use Tor" [sic].

I use Tor every day, and I've never bought or used illegal drugs or illegal anything, and have no interest in doing so. I use Tor to try to protect my privacy on-line and to try to safely engage in political activism, something which is becoming increasingly dangerous everywhere in the world, including "Western democracies". Many people involved in human rights work use Tor to try to survive while doing this essential but dangerous work.

Chill. Like Tor doesn't already have a rep. The reference is for people that really depend on anonymity tools and know more than the norm of avoiding the campus firewall. So yes, even you and the activists are lumped in with the rest of us "shady entities".

Anonymous, April 02, 2018

@hoek:
Tungsten messenger uses Tor. You don't need a phone number or email.
XMPP: on most servers you can register anonymously.
Threema: unfortunately closed source, but it has good reviews. No phone number or mail address needed.

From site:

Is Tungsten’s code open source?

We are currently evaluating going down the open source route, until then our code will be open for third party audits by interested parties and auditors.

Can I export my chat history or data from Tungsten?

The paid version of Tungsten supports flexible export options such as encrypted file dumps, encrypted dumps to cloud services and backups to iCloud. The free version of Tungsten only supports iCloud backup.

Very interesting. Natively supports Tor. Basic features are free for users. However, it is not yet open-sourced, and desktop clients are not yet provided. Many nice features like magic pins. The bad thing is that it is centralized (while Matrix/Riot isn't). The good thing is it doesn't store history on servers forever (Matrix does).

Anonymous, April 02, 2018

Please do not recommend Coy.im as an XMPP messenger.

They do not want to support OMEMO, the encryption protocol based on the modern Signal protocol, which many XMPP messengers have implemented or aim to implement[2] and which supports modern stuff such as multi-device messaging and offline messages.
Coy.im instead develops a new version of the OTR protocol (which I assume no other XMPP messenger supports), which does not support multi-device messaging or offline messages.

And IMHO, their reasons to decline OMEMO support are kinda shady. They basically say "we do not use OMEMO personally, so we don't care".

Well, I've read the discussion on GitHub, and the CoyIM author's motivation is clear to me. He thinks that OTRv4 is simpler to add than adding a completely new protocol.

OMEMO, as I understand it, was not developed with anonymity in mind, where multi-device support is mostly a nightmare and not an advantage. Well, we are very far from having any reliable mobile platform for anonymous use! It is both a software and a hardware problem: much proprietary and closed-source firmware, etc. If we still have troubles with desktop PCs' Intel ME and proprietary BIOS, what do we have to say about the much worse situation with mobile platforms?

The last point is compatibility. XMPP is now supported by a lot of clients; it is de facto a geek standard for communication. With CoyIM you can keep messaging those geeks who are still not using specialized tools and continue to use XMPP+OTR/PGP.

If OMEMO really becomes the next widespread standard, I feel CoyIM will implement it. So, the CoyIM author is right saying it is not the near future. However, if you really need it now, as the author said, just fork the project and implement it.

Anonymous, April 02, 2018

Very sad, I was waiting for a stable release. Hope for a solution in the near future.
(TIP) Also an online (sort of) messenger version would be nice for someone. Maybe managed by torproject.onion??

What about Retroshare? They offer now a Tor-only version that configures Tor automatically (like Ricochet) and provides the same level of anonymity with much more features (forums, channels, chat, email, etc)

Anonymous, April 02, 2018

What about Ricochet? https://ricochet.im/

I wish The Tor Project would endorse it, contribute heavily to it or even better hire the main devs.

Ricochet uses Tor core functionality, i.e. a unique onion service to connect two people together, without any metadata. It's also completely open source (on GitHub).

I don't know any other messaging app that uses Tor as much as this one, as it's entirely based on it. I've always seen Ricochet as the only real Tor messaging app, but never understood why it doesn't have more PR or official endorsement from the community. I wish people knew more about it.

I did.
You can only add contacts by scanning the QR code on your devices, which is a bit difficult since my contacts do not live in my neighbourhood.
Besides that, scanning with a tablet does not work.

As I see it there is no desktop client for Briar; it can be used only from a mobile platform. I would still suggest Matrix/Riot in these cases, with some Matrix server on an onion service (at the moment, no one has made one, but anybody can make it).

> at the moment, no one, but anybody can make it

Adding an onion mirror for matrix.org is now in the GitHub tickets. However, it can take forever to launch, because the priority is very low. Matrix.org and other Matrix servers do not allow registering an account over Tor because it requires Google reCAPTCHA, which blocks Tor now. But if you are already registered you can use it freely with Tor; it works nicely (though without VoIP at the moment).

Ricochet, like any other p2p-over-Tor messenger, creates an onion service in your Tor client. You become a server! If your contact is your adversary, it will be simpler for him to attack you, to DDoS you, to do a lot of network-based attacks against you. The second problem is the absence of offline messages. In my opinion, Ricochet can only be used with a highly trusted person.

Anonymous, April 02, 2018

This makes me sad :( I hope someone with the means & funding helps make this a possibility again. Tor is a GREAT CAUSE. The future, true democracy & freedom depends on organizations/technology like Tor.

If you need a pure p2p protocol over Tor, Ricochet and unMessage are much better. If you also need a connection to the outside of Tor, the total amount of modern features of Riot (Matrix) beats Tox. Tox is a very old project which most probably will not survive in this battle. The amount of features of the Matrix protocol is awesome in comparison with any old-style protocol, including Tox. It also includes modern crypto with transparent end-to-end encryption of not only messages, but also of offline messages, of group chats, of group file transfer, of group audio and of group conference VoIP. It is already close to the state of a future social network. Outstanding. Matrix is under very active development now, and it will kill most other messengers. If you need pure p2p, make your own Matrix server behind an onion with an onion-to-onion protocol, then you will get p2p.

Anonymous, April 02, 2018

A communication stack composed of Tox and Tor solves both the metadata and centralization problem, yet receives no mention at all in this post. So does Ricochet, which embeds a Tor client in itself (also never mentioned).

"Torification" of common XMPP clients plus decent E2E encryption solves the metadata problem as well. There is still plenty of hope for secure IM over the internet.

Anonymous, April 02, 2018

Sad, but not unexpected (the handwriting has been visible on the wall for some time...)

Will sukhbir still be working for TP but on other projects?

Can TP share some information on the financial state of TP? If lots of people are being laid off, that's bad. Any feedback on how the US political situation might impact TP and Tor users in the next few months?

Anonymous, April 02, 2018

> Check out EFF's series about secure messaging to get up to speed on what to consider in a messenger.

I think the best thing now is something like Signal protocol, but nobody wants to implement it for some desktop secure app not requiring any phone number. Isn't it?

> If you still really need XMPP, despite its centralized metadata problems, check out CoyIM.

It is not only a problem, but also an advantage. Any decentralized service makes your Tor client host some HS, i.e. it lowers your anonymity and increases the attack surface. Also it is hard to make anything that supports offline messages and is decentralized at the same time (Pond tried to do that, but support for this messenger was discontinued, and it was not really a real-time messenger).

CoyIM was really improved in its last versions. I think it is a mostly safe alternative. When support for offline messages with OTRv4 is added to CoyIM, it will be really fine. Now end-to-end encrypted offline messages can be sent only with traditional XMPP clients that support PGP encryption.

> I think the best thing now is something like Signal protocol, but nobody wants to implement it for some desktop secure app not requiring any phone number. Isn't it?

Different desktop clients support OMEMO, the XMPP-based implementation of the Signal protocol. Most notably, Gajim and Pidgin are both multiplatform and support SOCKS proxies as well.

On Android, Conversations is I think the only client supporting both OMEMO and Tor hidden services.

Well, it is interesting. I checked OMEMO xep-0384 and its audit report.

There is a lot of criticism (though it may still be better than OTR) with 2 mainly worrying things:

  1. OMEMO relies on MAM. It stores encrypted messages at the XMPP server forever(?), which is not good for security. That is also messing with forward/future secrecy and key renewal (see report). Namely, the report says:

    The MAM was designed as a message archive, but instead it is used here as a message cache. The ciphertext messages will remain stored online after they have been downloaded, even though the keys will be discarded upon encryption. This does not affect security, but it wastes space on the server. A client should delete the message from the server after they decrypted it and deleted the message keys.

    I am not comfortable with the fact that all messages I ever received with XMPP will be stored forever at XMPP server, especially taking into account another remark from the same report:

    Users have no method for purging their own keys or otherwise marking them as compromised.

  2. Like in OTR, we still have AES-128, which cannot be changed to any better algorithm (e.g. AES-256). I do not fully understand how forward secrecy holds with quantum computers, but due to Grover's algorithm we need to keep in mind that AES-128 is something like AES-64 for a quantum computer. I believe AES-128 should be strongly discouraged everywhere already now!

I was mistaken by confusing two things: the Signal protocol and Signal as a particular implementation. Like all mobile messengers, Signal doesn't want me to use it from a desktop PC without revealing my phone number first. However, yes, there is an alternative implementation of the Signal protocol for XMPP (OMEMO) which can be used, but which is not compatible with the original Signal mobile app.
