Tor Messenger 0.2.0b2 is released
We are pleased to announce another public beta release of Tor Messenger. This release features a secure automatic updater and important security fixes to Instantbird. All users are highly encouraged to upgrade.
This is the first release that contains ported patches from Tor Browser to securely update the application (#14388). Moving forward, Tor Messenger will prompt you when a new release is available, automatically download the update over Tor, and apply it upon restart. Keeping Tor Messenger up-to-date should now be seamless, painless, and secure.
OS X Profile Directory
In previous releases, Tor Messenger stored its profile directory inside the application bundle. This was a result of the Tor Messenger team building on the work done for Tor Browser. While normally straightforward, this caused some trouble with Mac users who said that there's a common expectation to be able to copy extracted applications to someone else's computer. This could lead to them unknowingly transferring accounts and OTR keys.
Tor Browser has since changed course and, in the 6.0 series, now stores its profile in ~/Library/Application\ Support/TorBrowser-Data (#13252). With that change, we can now follow suit and store the Tor Messenger profile in ~/Library/Application\ Support/TorMessenger-Data (#13861). However, this is only the case when the application is placed in /Applications. Otherwise, the profile is stored beside the application bundle.
Windows and OS X bundles are now signed
In past releases, users may have seen cumbersome and scary warnings that the Tor Messenger application is not signed by a known developer (#17452), and may not be trustworthy. We are now signing the Windows and OS X bundles with the Tor Browser developer keys.
Google Summer of Code (GSoC)
This summer, the Tor Messenger team participated in Google's Summer of Code program, mentoring a project by Vu Quoc Huy, titled "CONIKS for Tor Messenger" (#17961). CONIKS is a key management and verification system for end-to-end secure communication services, using a model called key transparency. In this model, our users' keys are managed in a publicly (and cryptographically) auditable yet privacy preserving key directory in order to provide stronger security and better usability.
Although we hope to have a prototype deployed for testing in the near future, much work remains before we can consider turning it on in production. So far, we've produced an implementation of a CONIKS keyserver and several patches to Tor Messenger to support the additional logic and interface. This has been a collaboration between researchers Marcela Melara (CONIKS' project lead) from Princeton, Ismail Khoffi from EPFL, our student Huy, and the Tor Messenger team. We'd like to thank all who participated.
Before upgrading, back up your OTR keys
You will need to back up your OTR keys to preserve them across this upgrade. Please see the steps to back them up, or consider simply generating new ones after upgrading.
Note that with the advent of the secure updater, this step will no longer be necessary in future releases. All profile data will be preserved upon automatic update, including accounts and OTR keys (#13861).
Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.
The sha256sums.txt file containing hashes of the bundles is signed with the key (E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint from the signing keys page on Tor Project's website.
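One way to script that check, as an added example that is not from the Tor Messenger team: it pins the fingerprint above instead of accepting a good signature from any key in the keyring, and only then compares the bundle hash. It assumes the signing key is already imported into the local GnuPG keyring; the function names and the detached signature's file name are hypothetical.

```bash
#!/usr/bin/env bash
# Fingerprint as printed in this post; confirm it on the signing keys page.
EXPECTED_FPR="E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA"

# Strip whitespace and upper-case so fingerprints compare exactly.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Succeeds only if gpg reports a valid signature made by the pinned key;
# a good signature from any other key in the keyring is rejected.
# Arguments: sums file, detached signature (its file name is an assumption).
verify_sums_signature() {
  local want status
  want="$(normalize_fpr "$EXPECTED_FPR")"
  status="$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)" || return 1
  # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last field
  # is the primary key fingerprint; accept a match on either.
  printf '%s\n' "$status" | awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
    END { exit !ok }'
}

# Succeeds only if the bundle's SHA-256 matches its entry in the sums file.
# Returns 2 when the bundle is not listed. On OS X, use "shasum -a 256".
check_bundle_hash() {
  local name listed actual
  name="$(basename "$2")"
  # Lines look like "<hex digest>  <file name>"; "*" marks binary mode.
  listed="$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
    f == n { print tolower($1); exit }' "$1")"
  [ -n "$listed" ] || return 2
  actual="$(sha256sum "$2" | awk '{ print $1 }')"
  [ "$listed" = "$actual" ]
}

# Signature first, hashes second: unsigned hashes prove nothing.
verify_bundle() {
  verify_sums_signature "$1" "$2" && check_bundle_hash "$1" "$3"
}
```

Call verify_bundle with the sums file, its signature and the downloaded bundle, and treat any non-zero exit status as a failed verification.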
Here is the complete changelog since v0.1.0b6:
Tor Messenger 0.2.0b2 -- September 06, 2016
- Bug 19269: Fix OS X file permissions
- Fix OS X profile when application is not placed in /Applications
Tor Messenger 0.2.0b1 -- September 02, 2016
- All Platforms
- Use the THUNDERBIRD_45_3_0_RELEASE tag on mozilla-esr45
- Use the THUNDERBIRD_45_3_0_RELEASE tag on comm-esr45
- Bug 19053: Display plaintext in notifications
- Bug 17363: Remove redundant Tor Messenger folders
- Bug 14388: Secure automatic updates for Tor Messenger
- Bug 13861: Preserve user profiles after updates
- Update libgcrypt to 1.6.6 for CVE-2016-6316
- Update ctypes-otr to 0.0.2
- Bug 18634: Switch to building Tor Messenger on Debian Wheezy
I know that. And that's a ridiculous practice. Why not just SIGN the distro???