Tor Messenger 0.2.0b2 is released

We are pleased to announce another public beta release of Tor Messenger. This release features a secure automatic updater and important security fixes to Instantbird. All users are highly encouraged to upgrade.

Secure Updater

This is the first release that contains ported patches from Tor Browser to securely update the application (#14388). Moving forward, Tor Messenger will prompt you when a new release is available, automatically download the update over Tor, and apply it upon restart. Keeping Tor Messenger up-to-date should now be seamless, painless, and secure.

OS X Profile Directory

In previous releases, Tor Messenger stored its profile directory inside the application bundle. This was a result of the Tor Messenger team building on the work done for Tor Browser. While normally straightforward, this caused some trouble for Mac users, who pointed out that there is a common expectation of being able to copy an extracted application to someone else's computer. With the profile inside the bundle, doing so would unknowingly transfer their accounts and OTR keys as well.

Tor Browser has since switched courses and, in the 6.0 series, it now stores its profile in ~/Library/Application\ Support/TorBrowser-Data (#13252). With that change, we can now follow suit and store the Tor Messenger profile in ~/Library/Application\ Support/TorMessenger-Data (#13861). However, this is only the case when the application is placed in /Applications. Otherwise, the profile is stored beside the application bundle.

Windows and OS X bundles are now signed

In past releases, users may have seen cumbersome and scary warnings that the Tor Messenger application is not signed by a known developer (#17452), and may not be trustworthy. We are now signing the Windows and OS X bundles with the Tor Browser developer keys.

Google Summer of Code (GSoC)

This summer, the Tor Messenger team participated in Google's Summer of Code program, mentoring a project by Vu Quoc Huy, titled "CONIKS for Tor Messenger" (#17961). CONIKS is a key management and verification system for end-to-end secure communication services, using a model called key transparency. In this model, our users' keys are managed in a publicly (and cryptographically) auditable yet privacy-preserving key directory in order to provide stronger security and better usability.

Although we hope to have a prototype deployed for testing in the near future, much work remains before we can consider turning it on in production. So far, we've produced an implementation of a CONIKS keyserver and several patches to Tor Messenger to support the additional logic and interface. This has been a collaboration between researchers Marcela Melara (CONIKS' project lead) from Princeton, Ismail Khoffi from EPFL, our student Huy, and the Tor Messenger team. We'd like to thank all who participated.
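To make the key-transparency model concrete, here is a small added illustration of the idea, not the CONIKS keyserver or the Tor Messenger patches produced in the GSoC project. The provider keeps name-to-key bindings as leaves of a Merkle tree, publishes only the root, and answers each lookup with an authentication path the client checks against the root it already trusts. The hashing layout, the `KeyDirectory` class and the sample names are this example's own; the real design derives the leaf position with a VRF, which is simplified here to a plain hash.

```python
# Added illustration, not the CONIKS implementation from the GSoC project.
# Simplification: the leaf index is a plain hash; CONIKS uses a VRF there.
import hashlib
import os


def H(*parts: bytes) -> bytes:
    """Length-prefixed, domain-separated SHA-256 so concatenated inputs can't be
    re-split to collide (e.g. leaf vs. inner-node hashes)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


EMPTY_LEAF = H(b"empty")


def leaf_index(username: str) -> bytes:
    """Where a user sits in the tree. CONIKS computes this with a VRF so an
    auditor holding the tree can't enumerate usernames; a hash stands in here."""
    return H(b"index", username.encode())


def commitment(username: str, pubkey: bytes, nonce: bytes) -> bytes:
    """What a leaf stores: a salted commitment, so auditors who see every leaf
    still learn no keys (the privacy-preserving part of the design)."""
    return H(b"leaf", username.encode(), pubkey, nonce)


class KeyDirectory:
    """The provider's directory. Only the Merkle root is published each epoch;
    clients that compare roots with each other catch a provider that shows
    different keys to different people."""

    def __init__(self):
        self.entries = {}  # username -> (pubkey, nonce)

    def register(self, username: str, pubkey: bytes) -> None:
        self.entries[username] = (pubkey, os.urandom(16))

    def _leaves(self):
        """Commitments ordered by leaf index, padded to a power of two."""
        order = sorted(self.entries, key=leaf_index)
        leaves = [commitment(u, *self.entries[u]) for u in order]
        size = 1
        while size < len(leaves):
            size *= 2
        return order, leaves + [EMPTY_LEAF] * (size - len(leaves))

    @staticmethod
    def _parent_level(level):
        return [H(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]

    def root(self) -> bytes:
        _, level = self._leaves()
        while len(level) > 1:
            level = self._parent_level(level)
        return level[0]

    def lookup(self, username: str):
        """Answer a client: (pubkey, nonce, proof), where proof is the list of
        (sibling_hash, sibling_is_on_right) from the leaf up to the root."""
        pubkey, nonce = self.entries[username]
        order, level = self._leaves()
        pos = order.index(username)
        proof = []
        while len(level) > 1:
            sib = pos ^ 1
            proof.append((level[sib], sib > pos))
            level = self._parent_level(level)
            pos //= 2
        return pubkey, nonce, proof


def verify_lookup(root: bytes, username: str, pubkey: bytes, nonce: bytes, proof) -> bool:
    """Client side: rebuild the leaf and hash up the path; accept the binding only
    if it lands exactly on the root the client already trusts."""
    node = commitment(username, pubkey, nonce)
    for sibling, sibling_on_right in proof:
        node = H(b"node", node, sibling) if sibling_on_right else H(b"node", sibling, node)
    return node == root


if __name__ == "__main__":
    directory = KeyDirectory()
    for name in ("alice", "bob", "carol"):  # constructed sample users
        directory.register(name, name.encode() + b"-pubkey")
    published_root = directory.root()
    key, nonce, proof = directory.lookup("alice")
    print("alice's key verifies:", verify_lookup(published_root, "alice", key, nonce, proof))
    print("swapped key verifies:", verify_lookup(published_root, "alice", b"other", nonce, proof))
```

The point a client gains from this is the last two lines: a substituted key, or a key the provider shows to one client but not to others, cannot be made to hash to the root everyone else saw, so the substitution is detectable rather than silent.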

Before upgrading, back up your OTR keys

You will need to back up your OTR keys to preserve them across this upgrade. Please see the steps to back them up, or consider simply generating new ones after upgrading.

Note that with the advent of the secure updater, this step will no longer be necessary in future releases. All profile data will be preserved upon automatic update, including accounts and OTR keys (#13861).

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

OS X (Mac)

sha256sums.txt
sha256sums.txt.asc

The sha256sums.txt file containing hashes of the bundles is signed with the key 0xB01C8B006DA77FAA (fingerprint: E4AC D397 5427 A5BA 8450  A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint against the signing keys page on the Tor Project's website.
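The verification the paragraph asks for has two steps in a fixed order: first check the signature on sha256sums.txt and confirm the signing key's full fingerprint, and only then compare the bundle's hash with the signed list. The following is an added example of that procedure, not code from the release post or from Tor Messenger. It assumes gpg is on PATH with the signing key already imported (that step is only exercised when the real files are present); the key id and fingerprint are the ones quoted above, and the sample bundle it builds is constructed locally so the hash-checking part runs offline.

```python
# Added example, not code from the release post or from Tor Messenger itself.
# Assumes gpg is on PATH and the signing key is already imported (signature step
# only); the key id and fingerprint are the ones quoted in the post.
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Fingerprint exactly as printed in the release post.
EXPECTED_FINGERPRINT = "E4AC D397 5427 A5BA 8450  A1BE B01C 8B00 6DA7 7FAA"


def normalize_fingerprint(fpr: str) -> str:
    """Drop whitespace, an optional 0x prefix and case, so the page's rendering,
    gpg's output and a bare key id all compare byte-for-byte."""
    fpr = fpr.strip()
    if fpr[:2].lower() == "0x":
        fpr = fpr[2:]
    return re.sub(r"\s+", "", fpr).upper()


def fingerprint_matches(candidate: str, expected: str = EXPECTED_FINGERPRINT) -> bool:
    """Accept a key only on its full 40-hex-digit fingerprint. A 16-digit key id
    like 0xB01C8B006DA77FAA is just the tail of the fingerprint and is far cheaper
    to collide, so it is never enough on its own."""
    cand = normalize_fingerprint(candidate)
    return len(cand) == 40 and cand == normalize_fingerprint(expected)


def verify_sums_signature(sums_path: Path, sig_path: Path) -> bool:
    """Check the detached signature with gpg, then confirm which key signed.
    --status-fd 1 yields machine-readable lines; on VALIDSIG the third field is
    the signing (sub)key fingerprint and the last field the primary key's."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(sums_path)],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return False
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return fingerprint_matches(parts[2]) or fingerprint_matches(parts[-1])
    return False


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum(1) lines: '<64 hex>  <name>' or '<64 hex> *<name>' (binary mode)."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_of_file(path: Path) -> str:
    """Stream the file so a large bundle never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bundle(sums_text: str, bundle: Path) -> bool:
    """True only if the bundle is listed in the signature-checked sums file and
    matches. An unlisted file is a failure, not a pass."""
    expected = parse_sha256sums(sums_text).get(bundle.name)
    return expected is not None and sha256_of_file(bundle) == expected


def make_sample_download() -> tuple:
    """Constructed offline sample (not a real release): a fake bundle in a temp
    directory plus matching sha256sums.txt text; returns (sums_text, bundle_path)."""
    d = Path(tempfile.mkdtemp(prefix="tm-verify-"))
    bundle = d / "tor-messenger-sample-bundle.tar.xz"  # constructed name
    bundle.write_bytes(b"constructed bundle bytes, not a real release")
    sums_text = f"{sha256_of_file(bundle)}  {bundle.name}\n{'0' * 64} *other-platform.exe\n"
    return sums_text, bundle


if __name__ == "__main__":
    sums_text, bundle = make_sample_download()
    print("sample bundle verifies:", verify_bundle(sums_text, bundle))
    bundle.write_bytes(b"tampered")
    print("tampered bundle verifies:", verify_bundle(sums_text, bundle))
    # Real use, with the downloaded files in the current directory:
    #   sums = Path("sha256sums.txt")
    #   ok = (verify_sums_signature(sums, Path("sha256sums.txt.asc"))
    #         and verify_bundle(sums.read_text(), Path("<downloaded bundle>")))
```

Two details matter in practice: the fingerprint check refuses to accept the short key id on its own, because key ids are only the last 16 hex digits of the fingerprint and can be collided cheaply, and a bundle that is simply absent from sha256sums.txt fails verification rather than passing by default.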

Changelog

Here is the complete changelog since v0.1.0b6:

Tor Messenger 0.2.0b2 -- September 06, 2016

  • Mac
    • Bug 19269: Fix OS X file permissions
    • Fix OS X profile when application is not placed in /Applications

Tor Messenger 0.2.0b1 -- September 02, 2016

  • All Platforms
    • Use the THUNDERBIRD_45_3_0_RELEASE tag on mozilla-esr45
    • Use the THUNDERBIRD_45_3_0_RELEASE tag on comm-esr45
    • Bug 19053: Display plaintext in notifications
    • Bug 17363: Remove redundant Tor Messenger folders
    • Bug 14388: Secure automatic updates for Tor Messenger
    • Bug 13861: Preserve user profiles after updates
    • Update libgcrypt to 1.6.6 for CVE-2016-6316
    • Update ctypes-otr to 0.0.2
  • Linux
    • Bug 18634: Switch to building Tor Messenger on Debian Wheezy
  • Mac
    • Bug 13861: Profile directory stored in ~/Library/Application\ Support/TorMessenger-Data
    • Bug 17460: Add graphics for OS X drag and drop to Applications
    • Bug 17648: Fix update service error in error console

Anonymous

September 07, 2016

1. How secure is Tor Messenger?
2. What's the difference between Tox(tox.chat) and Tor Messenger?
3. Why is there no dedicated webpage on www.torproject.org?
4. Screenshot please.
5. Is this software portable?
6. Can I use another Tor proxy on the network, rather than installing Tor on this local PC?

The official story is that when the server was rebooted, a mysterious bug accidentally deleted all the comments to recent posts.

However, the deleted posts included quite a few which were embarrassing to the USG (governments hate to see verifiable truth being openly discussed by their citizens), so I don't think very many people are fooled.

Two possibilities:

1. USG pressure on TP leadership became so fearsome that someone deleted them because they were threatened with extremely dire consequences for failure to comply with a deletion demand. (Ruinous lawsuit? Mass arrests of TP employees and volunteers? Sinkholing the TP website? Drone strike on Cambridge, MA?)

2. Current or former NSA/TAO or GCHQ/JTRIG operatives intruded into the server and deleted the posts, making sure to time the deletion to encourage attribution to a "mystery bug" rather than to enemy action.

The third possibility is that there really was a mystery bug which popped up during the reboot, but I find that hard to believe. The deleted posts were just too embarrassing to USG, and the same thing happened previously at the Tails blog (even before the Snowden leaks!).

The good news is that we know we're getting to the Bad Guys, when they start breaking into servers and deleting posts. Even better, they handed TP an opportunity to investigate how state-sponsored hackers attack blogs they dislike. I hope CitizenLab is doing some forensics on the server in question.

1. Tor Messenger is still in beta. At-risk users should not depend on it for their privacy and safety. An audit is in planning.

2. Tox seems to be its own protocol / network (I don't know anything about it). Tor Messenger is for the transports you're already familiar with, like XMPP and IRC.

3. https://trac.torproject.org/projects/tor/wiki/doc/TorMessenger

4. https://www.wired.com/wp-content/uploads/2015/10/Screen-Shot-2015-10-29…

5. I believe so, but see above about the profile directory on OS X.

6. Tor Messenger reuses the tor-launcher code from Tor Browser. If you're familiar with configuring Tor Browser for your network conditions, the procedure should be identical.

What the HELL are you PLAYING AT, NSA!? How in TARNATION did you let the above post get THROUGH!!1!?

More seriously, I don't think the above post is stupid or unreasonable, but its subject matter will only linger like a conspiracy theory without hard evidence to counter it. The bug tracked by https://trac.torproject.org/projects/tor/ticket/20158 says:

We can still see them in the admin interface, under the list of published comments, so they are not completely lost, but they don't appear anymore under the blog posts.

So, if the missing posts re-appear, then we have the hard evidence that counters the conspiracy theory.

This is work for someone, though, on top of the regular manual spam filtering.

Fair enough, but I again urge TP to ask CitizenLab (yes, they are also overworked) to take a look at the situation.

Possibly the "deletion" resulted from a bungled state-sponsored intrusion, eh?

You would presumably agree that NSA/TAO operatives are not infallible. They can be defeated, if we have enough courage and resolve, and get enough help from our friends.

Well, the comments that disappeared from many blogs are back, unchanged, except several are now in the wrong order.

   https://blog.torproject.org/blog/tor-messenger-020b2-released#comment-2…

should come in reply to the comment at:

   https://blog.torproject.org/blog/tor-messenger-020b2-released#comment-2….

Instead, it stands as an original post with a reply at

   https://blog.torproject.org/blog/tor-messenger-020b2-released#comment-2…

that precedes it by 8 days,* which suggests the above is off-topic (which maybe it is, but then which other comment is actually being considered off-topic)?

Yup, it's work to fix it, and is it going to be done when there's so much else to do?

Meantime, will those who immediately denounced TP for censoring pipe up with their apologies now?

* Precognition, yet another sooperpower displayed by Tor Project coders ...

Anonymous

September 07, 2016

1. I suggest making all TP signing public keys available via an onion address owned by TP, and permaposting instructions for verifying them. Note that an onion page is not authenticated by the badly broken CA system, so we hope it would be much harder for a hostile government to misdirect your Tor Browser to a fake page with fake keys.

2. I suggest that the Tor Media team consider creating accounts at

jabber.calyxinstitute.org

and publishing their TM contact information with "office hours" (times when people can try to reach them at their Calyx accounts for a brief chat). I do not know whether they would be over or underwhelmed by either spam or genuine user contacts, but it seems worth trying.

For example, I'd like to contact them to privately nominate a number of reporters who do good work and who I think should have Riseup and Calyx accounts and use GPG and TM, and I am hoping people like Alison M can try to convince them to be available via TM. The general idea could be to meet up via TM to authenticate GPG keys and to get in email contact at Riseup (emails should not even leave the Riseup mail server if both parties have Riseup accounts, which obviously should make things much harder for the Prismatics.)

Despite the warning about not trusting your life to TM, there is nothing else which is anywhere near as usable for people who need to contact a reporter as safely as currently possible. In any case, there is still much ground between a tip based upon open source intelligence (OSI), a tip to something like the FSB sponsored doping of Russian athletes or the Panama Papers, which could result in murder, and a tip to something like harassment of BLM activists by "garbage police", which (so far) seems more likely to result "only" in your home being raided by local criminal police.

Or maybe not; a leading BLM activist was just found shot to death:

http://myinforms.com/en-us/a/40655536-ferguson-activist-darren-seals-fo…

In the event the Saint Louis County Police improbably rule that this death was a suicide, I suggest that fearless reporters direct some tough questions to Dana La Fon (adjunct professor of Psychology at the University of Maryland who teaches courses on using psychology in USG "effects" operations, but actually an NSA employee with a suggestive academic specialty in how to make murder look like suicide). But of course that is the kind of suggestion which quite possibly can get you killed by USG. Zowie! What a world.

Anonymous

September 08, 2016

In reply to by arlo

Excellent, thank you!

@ Shari:

Did you axe the Media Team? I hope not, we desperately need full time attention to ensuring that conscientious reporters can get assistance in order to write balanced stories on Tor, for example by correcting common misconceptions about vulnerabilities and emphasizing how Tor is used by vulnerable people living under oppressive governments around the world (a rapidly broadening category, unfortunately) in order to obtain information they need and to communicate safely.

Anonymous

September 08, 2016

In reply to by arlo

Out of date, contradicts what you said above about TM signing keys and also says

> Other developers include Peter Palfrader (0xC82E0039, or its subkey 0xE1DEC577) and Jacob Appelbaum (0xFA7F0E44D487F03F).

My mistake (multi-tasking). The files with the SHA-256 hashes for the current release of TM are indeed signed with key 0xB01C8B006DA77FAA. I was confused because that is not one of the keys in a TP public key stash I had at hand.

But listing JA as a current Tor developer is an obvious mistake, yes?

Anonymous

September 20, 2016

This is work for someone, though, on top of the regular manual spam filtering.

Personally, I think these blogs also creak under the weight of posts by Windows users and their complaints about Tor being reported as a virus or Tor not working because Flash doesn't work or, or, or a million other irrelevancies that would be solved if only Windows users would realise using TBB on Windows is like putting a steel five-lever front door on a house built of straw.

The two problems with Windows OSs are:
1. They are proprietary software, a "trade secret" and so not peer reviewable. They could use 'security by obscurity' without you ever knowing.
2. Windows OSs are distributed with backdoors as standard: have any Windows users ever wondered what and where the Administrator password is? It's with and set by Microsoft itself. There was also that analysis of symbolic debugging data in 1999 (https://en.wikipedia.org/wiki/NSAKEY), which showed three backdoor keys, one for Microsoft, one for the NSA, and a third, unattributed.

I must admit that I noted GRSec's Brad Spengler thinks Windows kernels are very secure (e.g., https://slo-tech.com/clanki/10001en, when Brad Spengler rather used Windows 7, not Linux). My issue here is what is meant by 'secure'. You can have the most 'secure' house in the world, and still forget to lock the door on the way out. Yet, even if you totally secure the OS, or at least use QubesOS (https://qubes-os.org), then you might worry about what Joanna Rutkowska herself says about the need for stateless hardware (as opposed to e.g., Intel's Management Engine, AMD's Secure Processor, or Trusted Platform Modules).

This is all very important, but I think before getting to that stage, we need to worry about the general pattern of most people consuming pre-installed proprietary OSs like Microsoft Windows, Google Android or Apple iOS without the slightest technical ability to question whether these OSs respect their privacy, that is whether the OS is already pwned by its producer or on behalf of some other organisation. These OSs and the corporations that produce them want consumers not to think about privacy and security issues, because they worry it'll put consumers off their products. Yet, letting people carry on believing that they don't have to think about this at all because the OS will take care of anything and everything maintains this hopeless status quo.

If we can't make progress on that front, then as Quinn Norton once tweeted "we might as well all go home!" (https://medium.com/message/everything-is-broken-81e5f33a24e1 for a fuller argument).

Tor and the Tor project are a good part of the antidote - if used wisely. When Tor makes people start to wonder what privacy really entails, that's good. When Tor just gets plugged into a standard proprietary OS like Windows 10 in the expectation that it'll magically bullet-proof all your secrets, that's bad.

So, Windows users reporting about Flash missing, Tor being a virus, or whatever, when are you going to wake up and start thinking about what you are really doing with your MS Windows OS? Or what your Windows is really doing with you?

I use TAILS. It includes Tor via TBB. Please give it a try, just to show yourself there is an alternative: https://tails.boum.org/. Tails 2.6 will be due out from Wed 21 Sep.*

* You will need to budget 1.2GB of download every six weeks or so for the regular update cycle. By the way, Tails' Tor Browser does not have automatic update checks enabled for TBB or add-ons, so it was not vulnerable to the recently discovered certificate pinning attack.

Anonymous

September 07, 2016

Hello! The Iranian government claims the internet has been nationalized and all the users are being supervised. In other words, all internet communications would go through nationalized channels.
How do you think we need to react? Is using Tor still safe?

I also would like to hear expert advice on this issue.

A related issue: now that the Obama admin has decided to bribe the current regime in Iran, and has restored relations with Cuba, rather than trying to destabilize those nations by providing a connection the outside world via Tor, the USG is likely to see no further use for funding TP. Just one more reason for the extreme urgency to find new funding sources.

I'm not an expert. However, I would say that it is not whether Tor is safe in terms of encryption - likely it continues to be the case - but the fact that using Tor in the usual way is not 'stealthy'. I think the issue in Iran is that Tor users will be easily noticed by this 'nationalised' Iranian internet.

You need to learn about bridges and pluggable transports. Read the recent post by Nima Fatemi (@mrphs, he speaks Farsi) to get started: https://blog.torproject.org/blog/breaking-through-censorship-barriers-e….

Just a crazy experiment here:

بزنيد تا @get_tor به اكانت DM براى دريافت آخرين بسته مرورگر تور، كافيه يه
لينكهاى دانلود براتون ارسال شهه. #فيلترنت

This message is copied from the retweet of Nima Fatemi on @torproject today. I can't read/write Farsi myself, but I think it says something like "Is TorProject website blocked for you? Send a DM to @get_tor to download Tor Browser! Try it!"

... which makes the message a bit pointless here, but if someone can post one in Farsi about how to get bridges and pluggable transports, maybe it'll help the n00b Iranians asking here before they drop themselves in it.

Sorry, I've got no justification tag for Farsi!

Given the current situation it is more urgent than ever to bring Tor to people in Iran. So clearly, TP needs more people who speak Farsi!

Just don't hire anyone whose language experience was obtained while working (under cover or not) for USIC-tied entities or US military (or other spooks/govts).

Anonymous

September 08, 2016

Which files need to be moved to backup accounts from the old version to the new version? All the other stuff in profile.default? (using linux)

If you want to preserve everything, then yes, copy the profile.default from the old version to the new one. (This step won't be necessary in the future as the automatic update will preserve all profile information.)

Anonymous

September 21, 2016

I think the way to make Tor Messenger really explode with its stable release would be to integrate OMEMO with it from the get-go.

It would be the perfect time too, since you could get some collaborative help from the ChatSecure people who are right now working on implementing OMEMO for their secure mobile platform. Tor Messenger would then rationally fill the role of providing this protocol for a secure desktop platform.

Anonymous

September 08, 2016

Hi,
thanks for the great work on an XMPP messenger that provides 'privacy by default' (unfortunately most XMPP/Jabber messengers that support SOCKS5 leak DNS requests, save the history etc.).
Either way, is there any chance that Tor Messenger could support the OMEMO encryption protocol? (I guess we all agree that OTR has some downsides, like that it's impossible to receive offline messages (which is one reason for using a server-based XMPP messenger in comparison to 'fully' decentralised messengers like Ricochet).)

Anonymous

September 08, 2016

What was the reason to use highly outdated Instantbird instead of Thunderbird as a base for TM?

Thunderbird and Instantbird share the same codebase. Both use the core chat files in https://hg.mozilla.org/releases/comm-esr45/file/f4a50139b69d/chat

You'll notice above, it says that we use the tag THUNDERBIRD_45_3_0_RELEASE from comm-esr45, which is the latest Thunderbird release.

Although Instantbird hasn't put out an official release in quite some time, the UI is still actively developed and trunk is quite up-to-date.

The benefit of the Instantbird UI is the focus on instant messaging.

From your link:
+ Thunderbird can be used as combined secure Chat+Email communications software.
+ One piece of software for all secure communications is a usability win
Thunderbird does support these locales and can also be used as a chat client
---
Please, think about it in addition to Instantbird-based releases.

Anonymous

September 08, 2016

I am using Ricochet and I am waiting for the first release of Tor Messenger: could you compare it quickly with serenity?

Can you clarify what you mean by "with serenity"?

Please see the section "What it isn't..." from our initial blog post,
https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily

We also have this open ticket to summarize the protocol from a metadata point of view, which would be nice to resolve sometime soon,
https://trac.torproject.org/projects/tor/ticket/17528

as long as pgp & encryption will not be a real right (it is an e.u opinion from u.s.a point of view and a terrorist tool from e.u point of view and a spy / activist tool for a lot of countries) it will be difficult and even impossible to make a step further for defending privacy or security. stallman asked it (that pgp so encryption too (the usage of) ) to the e.u parliament officially but ; in the real life ; it is not even tolerated , accepted or used ... (bestvpn -such dishonest they are- should have not write the opposite). tor messenger & similar app help us to circumvent these false arguments.
behind these app (tor messenger & others); there are a lot of struggles , i am using ricochet with serenity , without any fear or worrying thought.

If I may interject ...

OK, so "serenity" is not some new unheard of encrypted messenger tool. When you wrote "could you compare it quickly with serenity?" I think it almost caused a confusion above.

Instead, you meant "without any fear or worrying thought." In British English (at least), the phrase we use is "peace of mind." (I 'detect' English might not be your first language.)

he (she) means using the term serenity (not peace in mind _ it will mean using the software/program ), explaining slowly the difference with calm i suppose _ the links explain yet perfectly it) [ If I may interject ... i "detect" your native language is not English ... and so what ? lol ]
Ricochet vs Tor Messenger = both are running over Tor.
Tor Messenger supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; it enables Off-the-Record (OTR) Messaging automatically.
Ricochet allows 2 users a private room_chat (you give your id to your correspondent).
Tor Messenger sounds better for social networks (unknown contacts/everybody) & Ricochet for a discreet contact between friends.
Tor Messenger is in alpha stage & Ricochet is not yet audited.
Try both and choose the one that suits you.
https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily

[ ... and so what ? lol ]

And so confusion, to wit, arlo: "Can you clarify what you mean by "with serenity"?" So what is this software called 'Serenity'? Neither of the links given by arlo mention anything called 'Serenity'. In fact, there is no 'Serenity' (a search for Ricochet with serenity finds no related software).

One who asks for clarification best not ask confusedly.

And perhaps read properly too:

peace in mind

Peace of mind.

Anonymous

September 10, 2016

Why do you provide hashes of the installer and not a digital signature (like for TorBrowser installers)???