Tor Messenger 0.2.0b2 is released

We are pleased to announce another public beta release of Tor Messenger. This release features a secure automatic updater and important security fixes to Instantbird. All users are highly encouraged to upgrade.

Secure Updater

This is the first release that contains ported patches from Tor Browser to securely update the application (#14388). Moving forward, Tor Messenger will prompt you when a new release is available, automatically download the update over Tor, and apply it upon restart. Keeping Tor Messenger up-to-date should now be seamless, painless, and secure.

OS X Profile Directory

In previous releases, Tor Messenger stored its profile directory inside the application bundle. This was a result of the Tor Messenger team building on the work done for Tor Browser. While normally straightforward, this caused trouble for Mac users, who commonly expect to be able to copy an extracted application to someone else's computer. Doing so could lead to them unknowingly transferring their accounts and OTR keys.

Tor Browser has since changed course and, in the 6.0 series, it now stores its profile in ~/Library/Application\ Support/TorBrowser-Data (#13252). With that change, we can now follow suit and store the Tor Messenger profile in ~/Library/Application\ Support/TorMessenger-Data (#13861). However, this is only the case when the application is placed in /Applications. Otherwise, the profile is stored beside the application bundle.

Windows and OS X bundles are now signed

In past releases, users may have seen cumbersome and scary warnings that the Tor Messenger application is not signed by a known developer (#17452), and may not be trustworthy. We are now signing the Windows and OS X bundles with the Tor Browser developer keys.

Google Summer of Code (GSoC)

This summer, the Tor Messenger team participated in Google's Summer of Code program, mentoring a project by Vu Quoc Huy, titled "CONIKS for Tor Messenger" (#17961). CONIKS is a key management and verification system for end-to-end secure communication services, using a model called key transparency. In this model, our users' keys are managed in a publicly (and cryptographically) auditable yet privacy preserving key directory in order to provide stronger security and better usability.

Although we hope to have a prototype deployed for testing in the near future, much work remains before we can consider turning it on in production. So far, we've produced an implementation of a CONIKS keyserver and several patches to Tor Messenger to support the additional logic and interface. This has been a collaboration between researchers Marcela Melara (CONIKS' project lead) from Princeton, Ismail Khoffi from EPFL, our student Huy, and the Tor Messenger team. We'd like to thank all who participated.

Before upgrading, back up your OTR keys

You will need to back up your OTR keys to preserve them across this upgrade. Please see the steps to back them up, or consider simply generating new ones after upgrading.

Note that with the advent of the secure updater, this step will no longer be necessary in future releases. All profile data will be preserved upon automatic update, including accounts and OTR keys (#13861).

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

OS X (Mac)

sha256sums.txt
sha256sums.txt.asc

The sha256sums.txt file containing hashes of the bundles is signed with the key 0xB01C8B006DA77FAA (fingerprint: E4AC D397 5427 A5BA 8450  A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint from the signing keys page on Tor Project's website.
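
The verification described above, as an added example (not part of the original announcement or of Tor Project tooling): it accepts the signature only when gpg reports the fingerprint quoted above, then compares one downloaded bundle against its entry in sha256sums.txt. It assumes the signing key is already imported, that sha256sums.txt uses the output format of `sha256sum`, and that `sha256sum` is installed; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not Tor Project code. Fingerprint from the announcement,
# with the spaces removed.
EXPECTED_FPR="E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA"

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names the expected key as signing key (field 3) or primary key (last
# field) and gpg reported no bad, expired or revoked signature.
status_names_expected_key() {
    awk -v fpr="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_signature SUMS SIG
# A "Good signature" from any other key in the keyring is not accepted.
verify_signature() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_names_expected_key
}

# check_bundle SUMS FILE
# Compares FILE's SHA-256 with its entry in SUMS. Assumes lines of the form
# "<hex digest>  <name>" (or "<hex digest> *<name>"), as sha256sum(1) writes.
# Returns 0 on match, 1 on mismatch, 2 if FILE has no entry.
check_bundle() {
    sums=$1
    file=$2
    name=$(basename "$file")
    want=$(awk -v n="$name" '
        { d = $1; sub(/^[0-9a-fA-F]+ +\*?/, "") }
        $0 == n { print d; exit }' "$sums")
    [ -n "$want" ] || { echo "no entry for $name" >&2; return 2; }
    have=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$want" = "$have" ] || { echo "hash mismatch for $name" >&2; return 1; }
}

# Order matters: trust the hash list only after its signature checks out.
#   verify_signature sha256sums.txt sha256sums.txt.asc &&
#       check_bundle sha256sums.txt <downloaded bundle>
```

On OS X, where `sha256sum` is usually absent, `shasum -a 256` produces the same output format.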

Changelog

Here is the complete changelog since v0.1.0b6:

Tor Messenger 0.2.0b2 -- September 06, 2016

  • Mac
    • Bug 19269: Fix OS X file permissions
    • Fix OS X profile when application is not placed in /Applications

Tor Messenger 0.2.0b1 -- September 02, 2016

  • All Platforms
    • Use the THUNDERBIRD_45_3_0_RELEASE tag on mozilla-esr45
    • Use the THUNDERBIRD_45_3_0_RELEASE tag on comm-esr45
    • Bug 19053: Display plaintext in notifications
    • Bug 17363: Remove redundant Tor Messenger folders
    • Bug 14388: Secure automatic updates for Tor Messenger
    • Bug 13861: Preserve user profiles after updates
    • Update libgcrypt to 1.6.6 for CVE-2016-6316
    • Update ctypes-otr to 0.0.2
  • Linux
    • Bug 18634: Switch to building Tor Messenger on Debian Wheezy
  • Mac
    • Bug 13861: Profile directory stored in ~/Library/Application\ Support/TorMessenger-Data
    • Bug 17460: Add graphics for OS X drag and drop to Applications
    • Bug 17648: Fix update service error in error console

Given the fact that NSA has much expertise in finding and exploiting hash collisions, it is a bit worrying that instead of cryptographically signing the tarballs you cryptographically sign the file stating the (possibly exploitable) SHA-256 hashes.

The key, signature of the statement, and the hashes themselves all seem to check out in the versions I downloaded. The worry is that NSA might just be capable of substituting a maliciously modified version of the current TM without changing the hash.

Anonymous

September 11, 2016

Re : Ricochet. Dnloaded & tried the (portable) on Windows XP. It does NOT start, even as administrator (bombs out immediately, stop c0000145 iirc) :=(

Is this expected ? Hint : CPU was an Athlon XP - does the Windows build of ricochet require SSE2 ? I'm mentioning it because too many programs now seem to (often pointlessly) /require/ SSE2 /without even testing/ its availability. Yes, including the official tor.exe !

If it's not SSE2 related, nor something previously known or expected, please s/o report problem to the Ricochet team.

TIA

lol : windows xp anyway privacy&security&anonymity are not the goal of windows (even on linux you need to tweak & cheat a bit).
I am waiting for the next version -2.00 I suppose- where all the recommended "update" will be applied ... audit : January 2016 ...

Anonymous

September 14, 2016

I'm using the latest version of Ubuntu, would "sudo apt-get install tor-messenger" automatically install for me this version? Thanks

No, that will not work as Tor Messenger is not packaged for Debian/Ubuntu. You have to download it from the Tor Project website; see the "Download" section in the blog post above. Tor Messenger will also automatically update starting with the current version.

Anonymous

September 14, 2016

1. Can tormesserschmit communicate with old versions of it?
2. Can it communicate with other clients like Pidgin OTR? And Tox?
3. Does it send noise? If not they can analyze when message is sent and how big it is.
4. Does it show when you are online?
5. Does it use different account / node / ID with each different "friend"?
6. Is it bloatware like torbrowser? How much MB is executable and in RAM?
7. Does it use native GUI or use shit QT that look like shit on Microsoft Windows?
8. Why TorProject boycotts Microsoft Windows XP and not support it in tormesserschmit?
9. Does it have message history or is it broken like torbrowser?

Anonymous

September 17, 2016

why not contribute to existing projects like pidgin and pidgin-otr? there is no need to reinvent the wheel.

Anonymous

September 27, 2016

You're doing great work and I am very grateful for it. As a lay person, could you please keep the https://trac.torproject.org/projects/tor/wiki/doc/TorMessenger page updated? It helps me know at what level of completion this currently beta software is. As it stands now (with 0.2.0b2) you've clearly finished the updater patch, yet it's not crossed off the list. This makes it hard for me to know if the two "Severity: Very High" tickets (#17833, #18973) or even the other couple of simply 'High' risk tickets have been patched as well, or if they're still open and the software still has established vulnerabilities.

I'd really like to start using Tor Messenger as soon as possible, as it's the best IM development (for IRC/XMPP) around, but I'm also taking your "At-risk users should not depend on it for their privacy and safety"-warning into account. For you to simply keep the wiki up-to-date would help people like me to track the beta-developments and weigh them with the urgency of need for the software.

Again, thank you.

Thanks for prodding me to update the project page!

Any ticket that's still open has yet to be resolved (tautologically), so please consider those high severity issues when deciding whether to use beta software.

I archived the roadmap since it was only ever drafted as an exercise and doesn't necessarily reflect our current thinking. At present, we're focussing on fixing bugs and making security releases. We're still gathering our thoughts for future features.

Anonymous

October 12, 2016

What about localization in Tor Messenger? Can I add a new language to this messenger? I don't want English, I want my own language!