Tor Messenger Beta: Chat over Tor, Easily

WARNING STARTS

As of March 2018, Tor Messenger is no longer maintained and you should NOT use it. Please see the announcement for more information.

WARNING ENDS

Today we are releasing a new, beta version of Tor Messenger, based on Instantbird, an instant messaging client developed in the Mozilla community.

What is it?

Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

What it isn't...

Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server. However, your route to the server will be hidden because you are communicating over Tor.

We are also excited about systems like Pond and Ricochet, which try to solve this problem, and would encourage you to look at their designs and use them too.

Why Instantbird?

We considered a number of messaging clients: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice -- its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

Current Status

Today we are releasing a beta version with which we hope to gain both usability and security related feedback. There have been three previous alpha releases to the mailing lists that have already helped smooth out some of the rougher edges.

Downloads (Updated)

Get the latest version

Instructions

  • On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
  • On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.
  • On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.

  • Note that as a policy, unencrypted one-to-one conversations are not allowed and your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication but doing so is not recommended.

Source Code

We are doing automated builds of Tor Messenger for all platforms.

The Linux builds are reproducible: anyone who builds Tor Messenger for Linux should have byte-for-byte identical binaries compared with other builds from a given source. You can build it yourself and let us know if you encounter any problems or cannot match our build. The Windows and OS X builds are not completely reproducible yet but we are working on it.

What's to Come

Our current focus is security, robustness and user experience. We will be fixing bugs and releasing updates as appropriate, and in the future, we plan on pairing releases with Mozilla's Extended Support Release (ESR) cycle. We have some ideas on where to take Tor Messenger but we would like to hear what you have to say. Some possibilities include:

How To Help

Give it a try and provide feedback, requests, and file bugs (choose the "Tor Messenger" component). If you are a developer, help us close all our tickets or help us review our design doc. As always, we are idling on IRC in #tor-dev (OFTC) (nicks: arlolra; boklm; sukhe) and subscribed to the tor-talk/dev mailing lists.

Please note that this release is for users who would like to help us with testing the product but at the same time who also understand the risks involved in using beta software.

Thanks and we hope you enjoy Tor Messenger!

Update: For Windows 10 (and some Windows 7, 8) users who were experiencing an issue in Tor Messenger where it wouldn't start, we have updated the download links above with a newer version that fixes the problem described in bug 17453.

Yes, this is on purpose because we don't want users clicking their links and opening a browser that is not Tor Browser. We will fix this in future releases by being smart about it -- by detecting Tor Browser and opening the link there, or by giving you an option of choosing what to do with the link. For now, we decided that we don't want users clicking on links by mistake so that is why they are disabled. (#13618 on Trac.)

Add an account first. You could for example use XMPP or an IRC network. All 1-on-1 chats will be automatically OTR-encrypted. If you want to use an XMPP server that has a hidden service, there are several to choose from, but one I tested to work well in Tor Messenger is rows.io (just check their website for information and use in-band registration to create a new account). Of course if you want to actually have a person to talk to, they also need to have an XMPP account somewhere or should be logged into the same IRC network, depending on what you end up using. There are also less privacy-friendly options like Facebook Messenger available, you can also use these depending on what your needs/wishes are into a chat service.

I am trying to get this chat waorking also...when you go to add a account irc or the other it ask what server you want to use....pick user then server ??????? I have no idea....I am running into the same problem as everyone else trying to log in to my google or facebook account......anyhelp any body ????

Don't use your Google or Facebook accounts, use a Jabber/XMPP account or connect to an IRC network that is Tor-friendly. For example OFTC or Darenet. If you don't have a Jabber account yet, just search the web for a server that sounds good to you and create an account, preferably they offer in-band registration so you can do it right from the Messenger without having to fill in any forms. There are many suitable services, dukgo.com, rows.io, and many more, you also get a free Jabber account if you're member of FSF or FSFE for example. It's really nothing particularly new, these communication protocols have been around for decades now.

Anonymous

October 29, 2015

Permalink

I am unable to run it on my Windows Machine (Win 8.1 Pro 64 bit). I have tried using the compatibility mode for win7 and 8 but nothing worked. Tried running as administrator but it does not change anything. There's no error, when I click on the exe it waits for sometime and then nothing happens.

It was checked. It's just that this issue affects some Windows users, not all. The entire purpose of a beta release is to get feedback from users because we cannot check builds on all platforms. (We have updated the builds with the bug fixed.)

Anonymous

October 29, 2015

Permalink

I had posted earlier about tor messenger not working on Win 8.1. Although it works on my Win server 2012 R2 VM.

It won't work within the Tor network. When starting the application terminal gave me this error: There seems to have been a quoting problem with your TOR_CONTROL_PASSWD environment variable. When clicking on OK, the program will start but is NOT connected through the Tor network. If you want to use the program in Tails, use it at own risk!!! No guarentees!

It looks like it works if you disable the tor launcher addon and change the proxy port to be that of the default tor proxy of the tails system. I still see the error but I am able to connect to servers on the onion network. There still could be some security issues, so I would be rather cautious about using it with servers on the clearnet.

Anonymous

October 29, 2015

Permalink

How To Help:
a) i would like an audit for RICOCHET.
b) POND is not yet ready and no one can try it !
c) i would like false address -robot are ok- for testing Tor Messenger Beta.
d) i love ricochet ; will tor messenger be better or different ?
pls, add a comparison !

thx.

c). You can register accounts from within Tor Messenger for XMPP. If the server supports in-band registration, Tor Messenger will create an account for you. No email address or information required.

d). We love Ricochet! We use both products interchangeably. What Tor Messenger aims to provide is a secure way to connect with your friends over existing social networks like XMPP, IRC, Google Talk, while Ricochet is excellent if you don't want to have any metadata about whom you talk with. It depends on your use but we recommend both products.

your comment "d)" I think clears up the "What it isn't..." section in your main posting. the big difference between tor messenger and ricochet is:
tor sends metadata, but through tor onion routing.
ricochet sends no metadata, but doesn't send messages through onion routing.
correct?

It's not that Tor sends metadata. It's that because in a client-server model, the server knows your contacts (your metadata). This is not a Tor problem or Tor Messenger problem. And Ricochet sends messages over Tor (that's how it works).

It's that because in a client-server model, the server knows your contacts (your metadata). This is not a Tor problem or Tor Messenger problem.

Hi sukhbir

Thanks for your effort in trying to create a product for us, Tor users.

Could you or someone else design a Tor-compatible product that is NOT based on the client-server model but instead based on a decentralized model such as, for example, Bitmessage? I understand that in Bitmessage no metadata is being transmitted across the network.

Ricochet peers (users) each have their own Tor onion service running, thereby keeping their communication private within the Tor network and without a central server to collect metadata. It uses onion routing to keep users anonymous.

Using services like Facebook Chat lets you use onion routing to connect, but then Facebook is in a position to gather metadata about who you're communicating with and when, even when concealing the content with OTR.

Security audits
i suppose it is yet done of course.

could eff , ocap or tor devs publish one ?)
i suppose that a special computer with a special program can search and research every fault (hidden or not) or error ( some aggressive tests can improve this 'app').

it is an experimental app and not recommended in hostile environment ; an audit will bring a reputation label and maybe sponsor,donation,support ...

It is possible for computer security experts and cryptographers to independently assess the robustness of privacy enhancing technology through careful examination.

i meant using the term _audit_ to go far ; a step further.

i was not speaking about development for tablet or cellphone (i have not confidence in these gadget made for social network _ ask to a lawyer what is thinking about that or look at the peoples who are taxed - or in jail - for a call or a message made a month, a week before).

it is not done yet for an hostile environment or when you are in danger ( because it should be illegal ? does it need to be approved from police,, army, government, your partner ? is it a proof of concept and nothing more ? a rewrite from an old terminal command with a modern re-looking which tor ? ).

if it is an experimental tool , we are all the beta-testers : so why do the devs or the security experts not open/organize a ricochet day where the users will be guest to communicate each others ... if it can improve the app , why not !
i prefer that the app stay in the hands of the devs than to be integrated in a tor project. i let them decide what will be the future of their creation ; i hope that they will choose to go a step further for you, for us, for our privacy, for finding maybe a free way when you are under survey ... before it was too late.

Make donations to ricochet and tor project , pls.

Thx.

Anonymous

October 29, 2015

Permalink

Is this something one can use without have previously registered a chat account somewhere?

Yes, you can register XMPP accounts from Tor Messenger (in-band) if the server supports it. You don't need an existing account. (This is not true for Facebook, Google Talk or Twitter, where you do need existing accounts for Tor Messenger to work.)

Anonymous

October 29, 2015

Permalink

It doesn't open on my machine. It gives an error: 0x0000000070C19BD5 made reference to the memory on 0x0000000000000000. The memory can't be written.

If i launch it as admin it just loads but nothing happens, won't open and won't display any error.

Does this require something else in order to work?