Tor Messenger 0.3.0b1 is released

We are pleased to announce another public beta release of Tor Messenger. This release features important improvements to the stability and security of Instantbird. All users are highly encouraged to upgrade.

Tor Browser Build

Starting with this release, Tor Messenger will be built on top of Tor Browser instead of Mozilla ESR. This will help us in improving the security of Tor Messenger by making use of Tor Browser's patches. We will also try to keep in sync with the Tor Browser stable release cycle.

Secure Updates

Tor Messenger 0.2.0b2 users will be automatically prompted to install the update (similar to Tor Browser). On installing and restarting, the update will be applied; your account settings and OTR keys will be preserved.

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

macOS

sha256sums-unsigned-build.txt
sha256sums-unsigned-build.txt.asc

The sha256sums-unsigned-build.txt file containing hashes of the bundles is signed with the key 0xB01C8B006DA77FAA (fingerprint: E4AC D397 5427 A5BA 8450  A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint from the signing keys page on Tor Project's website.
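The verification step described above, written out as an added example (this is not Tor Project release tooling): it parses a sha256sum-style checksum file, compares a downloaded bundle's digest with the listed one, and pins the detached signature's signer to the fingerprint quoted above using gpg's machine-readable status output. The coreutils line layout of the checksum file, gpg being on PATH with the signing key already imported, and the sample bundle bytes and checksum text are all assumptions made for the example.

```python
"""Check a downloaded bundle against the signed sha256sums-unsigned-build.txt.

Added example; it is not part of the Tor Project's release tooling.
Assumptions: the checksum file uses the coreutils sha256sum layout
("<64 hex digits>  <filename>", one bundle per line), gpg is on PATH and the
signing key has already been imported. The sample checksum text and bundle
bytes below are constructed for illustration.
"""
import hashlib
import re
import subprocess

# Fingerprint quoted in the announcement, with the display spaces removed.
SIGNING_KEY_FPR = "E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA"

_ENTRY_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_sha256sums(text):
    """Return {filename: hex digest}; malformed or duplicate lines are errors."""
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in sums:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        sums[name] = digest
    return sums


def verify_bundle(bundle_bytes, bundle_name, sums):
    """Compare the bundle's SHA-256 with the signed list; return (ok, reason)."""
    expected = sums.get(bundle_name)
    if expected is None:
        return False, f"{bundle_name} is not listed in the checksum file"
    actual = hashlib.sha256(bundle_bytes).hexdigest()
    if actual != expected:
        return False, f"digest mismatch: got {actual}, expected {expected}"
    return True, "digest matches"


def signature_ok(sums_path, asc_path):
    """Verify the detached OpenPGP signature with gpg and pin the signer.

    gpg's status output contains a line
    "[GNUPG:] VALIDSIG <signing key fpr> ... <primary key fpr>"; the file is
    accepted only if one of those fingerprints equals SIGNING_KEY_FPR.
    """
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", asc_path, sums_path],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return False
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            fields = line.split()
            return SIGNING_KEY_FPR in (fields[2].upper(), fields[-1].upper())
    return False


# Constructed sample data (not real release artefacts; names are placeholders).
SAMPLE_BUNDLE = b"constructed stand-in for a Tor Messenger bundle\n"
SAMPLE_NAME = "tor-messenger-PLACEHOLDER.tar.xz"
SAMPLE_SUMS_TEXT = (
    f"{hashlib.sha256(SAMPLE_BUNDLE).hexdigest()}  {SAMPLE_NAME}\n"
    "0000000000000000000000000000000000000000000000000000000000000000"
    "  other-bundle-PLACEHOLDER.dmg\n"
)

if __name__ == "__main__":
    sums = parse_sha256sums(SAMPLE_SUMS_TEXT)
    print(verify_bundle(SAMPLE_BUNDLE, SAMPLE_NAME, sums))
    print(verify_bundle(SAMPLE_BUNDLE + b"x", SAMPLE_NAME, sums))
```

In real use the order matters: run signature_ok on the checksum file and its .asc first, and only then trust the digests it lists; a matching digest from an unsigned or wrongly signed list proves nothing.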

Changelog

Tor Messenger 0.3.0b1 -- 22 November 2016

  • All Platforms
    • Use the tor-browser-45.5.0esr-6.0-1 branch (e5dafab8) on tor-browser
    • Use the THUNDERBIRD_45_4_0_RELEASE tag on comm-esr45
    • Update ctypes-otr to 0.0.3
    • Trac 16489: Only show "close" button on Windows
    • Trac 16491: Contact list entries don't adapt to the actual font size
    • Trac 16536: Investigate Tor Browser patches relevant to Tor Messenger
    • Trac 17471: Investigate Tor Browser preferences relevant to Tor Messenger
    • Trac 17480: Make url linkification toggleable
    • Trac 19816: Build process should generate mar files
    • Trac 20205: Support SASL ECDSA-NIST256P-CHALLENGE
    • Trac 20208: Put conversations on hold by default
    • Trac 20231: Remove incomplete translations
    • Trac 20276: Fix toggling sounds
    • Trac 20608: Use Instantbird app version
    • Bugzilla 1246431: Properly handle incoming xmpp server messages
    • Bugzilla 1313137: Fix irc "msg is not defined" error
    • Bugzilla 1316000: Remove old Yahoo! Messenger support
  • Mac
    • Trac 20204: Windows don't drag on macOS Sierra
    • Trac 20206: Avoid prompting to download font "Osaka" on macOS Sierra
    • Trac 20207: IB and Tor Messenger still share a notification key
  • Windows
    • Trac 20062: Make stripping signatures reproducible on TM .exe files
Anonymous

November 22, 2016

Would it make sense to enforce harder tls/ssl settings for TorMessenger by default?

like tls v 1.2, as suggested on https://privacy-handbuch.de/handbuch_24s2.htm
---
security.tls.version.min = 3

security.ssl3.ecdhe_rsa_aes_128_gcm_sha256 true
security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256 true
security.ssl3.* false

security.ssl.require_safe_negotiation true
security.ssl.treat_unsafe_negotiation_as_broken true

That page also says,

> Wenn mit diesen Einstellungen keine Verbindung zum Jabber-Server mehr möglich ist, dann sollte man sich einen Account auf einem anderen Server erstellen.

which Google is translating as,

> If you can not connect to the Jabber server with these settings, you should create an account on another server.

I like the idea, but it probably belongs in a Tor Browser-like security slider, since it'll impact some usability.

We plan on working on this in,
https://trac.torproject.org/projects/tor/ticket/16494

I'll make note of it there.

Plus one.

In Tor Browser, the lines

security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha

should be regarded as enabling a dangerous encryption downgrade attack, agreed?

You should change the config of the tbb otherwise you might get tracked but changing (and there are still a whole lot of sites using outdated crypto).

But it's a different matter for your xmpp or email account because your email/xmpp provider already "knows" you and gets all your metadata anyway (either way, if you use an onion service, ssl is less of an issue).

viz. security.ssl3.* false
//just guess what the asterisk might stand for ;), the last RFC regarding TLS/SSL clearly states which ciphers are recommended for use.

But at least for the web (tbb) it makes no sense to turn them off by default (at least not yet; it's like with javascript, there are good reasons to turn it off by default but unfortunately you would break too many sites).

But if you have a separate Firefox profile that you just use for, let's say, online banking, it's a different matter.

Anonymous

November 22, 2016

Since Tor Messenger is now built on Tor Browser, do you have any plans to merge the two products so that they come combined in one package (with separate shortcuts/.desktop files) once Tor Messenger is stable? I don't really have a preference either way at this point, but I'm curious about your thoughts.

A few quick notes:
- It would get more people aware of and using Tor Messenger.
- It would be nice to have a single package that we could give to non-techies for secure, anonymous internet access (since most of them don't do more than browsing websites, webmail, and instant messaging). However, having to download one package instead of two that are on the same download page isn't a huge benefit.
- For those who would use both Tor Browser and Tor Messenger, it would reduce the amount of your server bandwidth (and Tor network traffic) required to download and update both programs (it would have the opposite effect for those who would only use one of them). The savings (costs) may be negligible depending on how much code is shared.
- For those who would use both Tor Browser and Tor Messenger, there's some minor benefit in having to only update one program and using a bit less hard drive space for duplicated functionality.
- You should be able to force links in Tor Messenger chats to open in Tor Browser (instead of the computer's default browser) to prevent IP leakage.
- You'd have to come up with a separate name for the combined package to avoid confusion (e.g. "Tor Internet Bundle," or just the bland "Tor Browser and Messenger"), which would involve renaming the package on the website and in the download file names.

In case there's any misconception, by "built on" we mean they share a common source tree, not that it somehow uses the compiled Tor Browser. These are still two entirely separate executables.

In the past, Tor did distribute a combined Tor Instant Messaging Bundle (TIMB), which I believe contained a Pidgin along w/ the usual Tor Browser stuff. I'm not sure there're any plans to reinstate that, but it's probably worth considering.

We have been thinking about how these applications can work better together, like make use of a shared tor process. That's in https://trac.torproject.org/projects/tor/ticket/10950

As for forcing links to open in TB, the messaging window currently filters out anchors by default. If you manage to change that setting, it should prompt you to choose a browser to use, rather than the system default. We're still working on a safer way to handle links.

yeah, or even as a Firefox plugin, so we can have an option to have it or not... I am a non-programming tor user, so no idea if this Firefox plug-in/add-on has legs or is a good or bad idea.

either way super work by all involved.

Even more important: folding TM into Tails, with the cooperation of the Tails Project, of course.

I realize that one problem there is that TM regards the current version as still "beta", and Tails probably prefers something which has passed some kind of audit, but Tails has long included Pidgin support, which also has imperfect security I believe.

Whether it ends up in TAILS or not please let it have an official build in Debian.
This will let it benefit many more activists and regular netizens as well as making its traffic blend in more. It will also of course make it more likely for TAILS to include it.
With the quality of Tor project software, even a beta version might be good enough to be included in Debian, since there is a drastically higher standard for things like GPG and Tor than, say, for SuperTuxKart or Facebook Mobile.

Anonymous

November 22, 2016

Well, if you look at the RFC standard regarding TLS (RFC 7525) it says:


4.2. Recommended Cipher Suites

Given the foregoing considerations, implementation and deployment of
the following cipher suites is RECOMMENDED:

o TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
o TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
o TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
o TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

These cipher suites are supported only in TLS 1.2 because they are
authenticated encryption (AEAD) algorithms [RFC5116].

Ie to follow the recommendations of the RFCs and to use the recommended ciphers, tls version 1.2 has to be used, and most XMPP servers support it (i don't know of any exception) (tls v1.1 was published in 2006, maybe it's time to move on;)). IMHO tls v 1.2 should be enforced by any xmpp messenger and only if the user decides (for example cos this particular server doesn't support tls v 1.2) should it be downgraded (like it's possible to turn logging on, but at least it's disabled by default by Tor Messenger).

btw, the tls issue might be relevant for torbirdy, too. Torbirdy allows weaker ssl/tls settings than the RFC standard recommends, too (https://privacy-handbuch.de/handbuch_31k.htm - Thunderbird). If most email providers support tls v. 1.2, why not make it the standard in torbirdy and tormessenger (and if something doesn't work, the user at least knows that his email provider might not be the best choice)?

What I'm trying to say is, this option should be a standard setting and not something that a user has to set through a slider (it should be hidden and the user should be warned to change it, like the other options in torbirdy;) )

//It's not like with the tbb where one might visit dozens of pages an hour; most people just have one xmpp account anyway and therefore enforcing the recommended standards isn't really a blow to usage (IMHO)

Ok, I was going to say that current settings are based on what Mozilla has enabled in ESR 45, and what the Tor Browser team has further narrowed down.

You make a fair point though that perhaps this isn't a setting in the purview of a slider. We'll consider it for the next release.
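An added example (not code from Tor Messenger, Tor Browser or the Tor Project) that ties together the pref list in the first comment above and the RFC 7525 discussion in this thread: it reads Firefox/Instantbird `pref("...")` / `user_pref("...")` syntax from a prefs.js or user.js file, then audits it for the points the comments raise (a TLS 1.2 minimum, only the AEAD suites left enabled, safe renegotiation required). The allowlist is the two GCM suites the first comment keeps enabled; the shorthand line `security.ssl3.* false` from that comment is not prefs syntax and is ignored by the parser. The value encoding of security.tls.version.min (3 meaning TLS 1.2) is Firefox's; the weak and hardened sample profiles are constructed.

```python
"""Audit Firefox/Instantbird-style prefs for the TLS hardening discussed above.

Added example, not code from Tor Messenger or Tor Browser. It reads the
pref("...") / user_pref("...") syntax of prefs.js and user.js; the glob-style
line "security.ssl3.* false" from the first comment is shorthand, not prefs
syntax, and is ignored by the parser. The allowlist is the two AEAD suites
that comment keeps enabled; the sample prefs files are constructed.
"""
import re

PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

# Pref name -> IANA cipher suite, for the suites the proposed config keeps.
AEAD_ALLOWLIST = {
    "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}
TLS12 = 3  # security.tls.version.min encoding: 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2


def parse_prefs(text):
    """Return {pref name: bool | int | str} from prefs.js / user.js text."""
    prefs = {}
    for raw in text.splitlines():
        m = PREF_RE.match(raw)
        if not m:
            continue  # comments, blank lines, anything that is not a pref call
        name, val = m.group(1), m.group(2)
        if val in ("true", "false"):
            prefs[name] = val == "true"
        elif val.startswith('"'):
            prefs[name] = val[1:-1]
        else:
            prefs[name] = int(val)
    return prefs


def audit_prefs(prefs):
    """Return a list of findings; an empty list means the hardened profile holds."""
    findings = []
    vmin = prefs.get("security.tls.version.min")
    if vmin is None:
        findings.append("security.tls.version.min not set; the build default applies")
    elif not isinstance(vmin, int) or vmin < TLS12:
        findings.append(f"security.tls.version.min={vmin!r} allows TLS below 1.2")
    # Any cipher-suite pref switched on that is outside the AEAD allowlist.
    for name in sorted(prefs):
        if name.startswith("security.ssl3.") and prefs[name] is True and name not in AEAD_ALLOWLIST:
            findings.append(f"{name} enabled: not an allowlisted AEAD suite")
    # An allowlisted suite explicitly switched off leaves fewer safe options.
    for name, suite in AEAD_ALLOWLIST.items():
        if prefs.get(name) is False:
            findings.append(f"{name} disabled: drops {suite}")
    for name in ("security.ssl.require_safe_negotiation",
                 "security.ssl.treat_unsafe_negotiation_as_broken"):
        if prefs.get(name) is not True:
            findings.append(f"{name} is not true")
    return findings


# Constructed samples: a permissive profile and the hardened one from the comment.
WEAK_PREFS = """\
user_pref("security.tls.version.min", 1);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", true);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", true);
user_pref("security.ssl.require_safe_negotiation", false);
"""
HARDENED_PREFS = """\
// hardened profile (constructed sample)
user_pref("security.tls.version.min", 3);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PREFS), ("hardened", HARDENED_PREFS)):
        print(label, audit_prefs(parse_prefs(text)) or ["no findings"])
```

The audit only reasons about prefs present in the file: a suite that is enabled by the build default but never mentioned in user.js is invisible to it, which is why the first comment's "everything else false" shorthand has to be spelled out pref by pref before this check means anything.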

> Can you please provide some more details?

Yes, windows xp I get this error:

instantbird.exe - Entry Point Not Found --- [x]

____________________________________

(X) The procedure entry point_vsnprintf_s could not be located in the dynamic link library msvcrt.dll.

[OK]

_____________________________________

Note that instantbird works for me on the same machine

Please consider replacing your end-of-life'd Windows XP with the free, and legal, QubesOS(qubes-os.org/downloads/) rather than getting a pirated(and likely infected) copy of some newer version of Windows.
QubesOS doesn't have all the scary things you hear about Linux. For example, you don't have to do any wizardry in a "terminal" or "command line" for basic things like connecting to your WiFi, checking your email and so on. You can do everything with a simple, color coded, point and click GUI.
What makes it better is it was designed from day 1 to be safe from hackers and identity thieves.
Linux was not made with that in mind and it takes very complicated technical configuration to make it safe. Windows can't even be made safe.
If you aren't worried about your own computer, then worry about other people's computers being infected by some shady Windows infection on yours.

QubesOS is the only safe, responsible OS for every-day normal people.
God bless you.

You should check if you need some special feature like support for OTR, OMEMO or push notifications (e.g. XEP-0357, which might be important for mobile use) etc. (XMPP is a federated standard and not all servers support everything)

Additionally, check their tls/ssl encryption (by using https://xmpp.net or maybe https://tls.imirhil.fr/ (choose xmpp instead of https))

Furthermore, it's important to realise that if you don't have to pay, you should make a donation to them.

mailbox.org / kqiafglit242fygz.onion includes email and costs 1 Euro per month (https://support-en.mailbox.org/knowledge-base/article/the-tor-exit-node…) and they support DANE

or maybe jabber.calyxinstitute.org / ijeeynrc6x2uy5ob.onion, but their servers don't support OMEMO (but neither does tormessenger)

riseup.net might be interesting, too (at least think about a donation!)
---

For the tor people, there's already a database (ie a page in the tor wiki) of mail providers that work with tor -- maybe someone could start something similar for xmpp servers and then just put in some key points, like tls v 1.2 supported, otr enforced, OMEMO support, onion address

Regarding the database: CoyIM suggests the use of the tor hidden service if someone puts in an xmpp address that's also available via an onion address (I think that might be an interesting feature for a later release).

Anonymous

November 23, 2016

> Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

In some places, the situation is too desperate for citizens to heed such warnings.

Reporters: TM is the only thing some of us can use! Please get an account at jabber.calyxinstitute.org and familiarize yourselves with authentication methods. There are important stories which are not being told, and you need to tell them.

Calyxinstitute.org is US[1] based and could be forced by various US agencies to hand over metadata (ips, user-id, login times, possibly contact lists etc) or even to start saving those data if they don't exist, without the Calyx Institute being allowed to speak about it (as could Open Whisper Systems/Signal). Just because they say they don't, doesn't mean that they won't be forced to do so.

Ie if your threat model includes three-letter US agencies etc., a US-based central server (either xmpp, email etc) might not be the best choice in the first place. (It might be better to look for something less centralized -- and for just daily use the OMEMO protocol, which allows sending encrypted messages to contacts that are offline, seems the better way to go -- unfortunately, there are less than a handful of clients supporting it right now (it doesn't even have an official XEP yet), eg Gajim, Conversations and Chatsecure (beta) [2])

[1]
https://calyxinstitute.org/support-us/donate-via-mail
The Calyx Institute
Attn: Development
287 Spring Street
New York, NY 10013

[2]https://twitter.com/ChatSecure/status/800849050559856640

Calyx Institute with TM is the only thing I was ever able to get to work, one reason why I think TM is so promising. All the other things people suggest are unworkable for most people.

An analogy might help: think of observing a six year old who is constantly asking questions about everything, because they simply don't know how to do things adults take for granted: how to dress oneself, how to open various kinds of doors, how to clamber onto the school bus, the function of "walk signs" at crosswalks, etc. I think many people here mean well, but they have forgotten how complicated using these protocols really is. Try writing down a complete--- and I mean *complete*--- flow chart listing *every* step, not assuming anything such as that someone has a credit card or bitcoins or hundreds of US dollars handy.

TM is something you can download, unpack and start using if you have a jabber account anywhere, and Calyx has been helpful in making it easy to get one of those gratis.

Also, as a lifelong anti-fascist, I have no desire to live in a fascist country, but I can't leave, so... to some extent I am past caring.

Anonymous

November 23, 2016

> Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Good advice, except that really the same could be said about Linux itself, the OS underlying the "least unsafe" ways to use Tor Browser and Tor Messenger.

It is great that memory address randomization recently came to TB, but a recent development shows that this is not enough:

http://arstechnica.com/security/2016/11/elegant-0day-unicorn-underscore…
Elegant 0-day unicorn underscores “serious concerns” about Linux security
Scriptless exploit bypasses state-of-the-art protections baked into the OS.
Dan Goodin
22 Nov 2016

> Recently released exploit code makes people running fully patched versions of Fedora and other Linux distributions vulnerable to drive-by attacks that can install keyloggers, backdoors, and other types of malware, a security researcher says.
>
> One of the exploits—which targets a memory corruption vulnerability in the GStreamer framework that by default ships with many mainstream Linux distributions—is also noteworthy for its elegance. To wit: it uses a rarely seen approach to defeat address space layout randomization and data execution prevention, which are two of the security protections built in to Linux to make software exploits harder to carry out. ASLR randomizes the locations in computer memory where software loads specific chunks of code. As a result, code that exploits existing flaws often results in a simple computer crash rather than a catastrophic system compromise. Meanwhile, DEP, which is often referred to as NX or No-Execute, blocks the execution of code that such exploits load into memory.

We are in an arms race, for sure.

The promoted comments hint at the fact that while this appears very dangerous (the underlying flaw is in the Linux kernel, not the GStreamer application), attackers may have a hard time exploiting the bug against wary Linux users.

An arms race is USA and Russia trying to make more ICBMs than the other.
ASLR and NX/DEP are the equivalent of a race to make better helmets. They're not something that you can arm yourself with and cause damage with. The NSA does nothing but damage computers, mostly American ones.

QubesOS has good enough helmets to stop this attack even with an unpatched, vulnerable Linux running on it.
It has an easy to use GUI requiring no technical knowledge to run your browser in a "DispVM", which is like automatically making a new computer and disposing of it for you when you close the browser or when a hacker crashes your browser.
It's vaguely comparable to running TAILS from a read-only CD but a million million times easier.
It only takes a second to remake the "disposable VM" and NO COMPLICATED TERMINAL WIZARDRY NEEDED.

Anonymous

November 23, 2016

Mac mini, 16GB, macOS Sierra.

This beta did the tor connection ok, and connecting to Twitter works. But it seems to be unable to connect via GTalk. It fails with the message - "Error: Received unexpected data".

Anonymous

November 23, 2016

What advantages does TM have over Pidgin? Why not make advice for Pidgin and help libpurple? Reinventing the wheel, no?

Anonymous

November 24, 2016

Is there a future plan to add hidden services to reach your contacts without relying on messaging servers (like Ricochet)?