Tor Messenger Beta: Chat over Tor, Easily

WARNING STARTS

As of March 2018, Tor Messenger is no longer maintained and you should NOT use it. Please see the announcement for more information.

WARNING ENDS

Today we are releasing a new, beta version of Tor Messenger, based on Instantbird, an instant messaging client developed in the Mozilla community.

What is it?

Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

What it isn't...

Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server. However, your route to the server will be hidden because you are communicating over Tor.

We are also excited about systems like Pond and Ricochet, which try to solve this problem, and would encourage you to look at their designs and use them too.

Why Instantbird?

We considered a number of messaging clients: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice -- its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

Current Status

Today we are releasing a beta version with which we hope to gain both usability and security-related feedback. There have been three previous alpha releases to the mailing lists that have already helped smooth out some of the rougher edges.

Downloads (Updated)

Get the latest version

Instructions

  • On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
  • On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.
  • On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.

  • Note that, as a policy, unencrypted one-to-one conversations are not allowed: your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication, but doing so is not recommended.

Source Code

We are doing automated builds of Tor Messenger for all platforms.

The Linux builds are reproducible: anyone who builds Tor Messenger for Linux should have byte-for-byte identical binaries compared with other builds from a given source. You can build it yourself and let us know if you encounter any problems or cannot match our build. The Windows and OS X builds are not completely reproducible yet but we are working on it.
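A byte-for-byte match is a yes/no answer; when a rebuild does not match, the useful next step is to see whether file contents or only archive metadata differ. The sketch below is an added example, not Tor Messenger's build tooling: it assumes the bundle is a tar archive and runs on constructed in-memory archives with made-up file names.

```python
import hashlib
import io
import tarfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_bundle(files: dict, mtime: int) -> bytes:
    """Constructed stand-in for a build output: a tar with sorted members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(files[name]), mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def index(bundle: bytes) -> dict:
    """Map member name -> (content hash, metadata tuple)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r") as tar:
        for m in tar.getmembers():
            f = tar.extractfile(m)
            data = f.read() if f is not None else b""
            out[m.name] = (sha256(data), (m.mode, m.uid, m.gid, m.mtime))
    return out

def compare_builds(ours: bytes, theirs: bytes) -> dict:
    """Whole-archive verdict plus a per-member breakdown of any mismatch."""
    report = {"identical": sha256(ours) == sha256(theirs),
              "missing": [], "content": [], "metadata": []}
    a, b = index(ours), index(theirs)
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            report["missing"].append(name)
        elif a[name][0] != b[name][0]:
            report["content"].append(name)
        elif a[name][1] != b[name][1]:
            report["metadata"].append(name)
    return report

# Constructed sample data (file names and contents are made up).
FILES = {"bundle/bin/app": b"constructed binary", "bundle/README": b"hello\n"}
published = make_bundle(FILES, mtime=0)
rebuilt_clock = make_bundle(FILES, mtime=1446076800)  # same files, build clock leaked
rebuilt_changed = make_bundle({**FILES, "bundle/bin/app": b"other binary"}, mtime=0)

if __name__ == "__main__":
    print(compare_builds(published, make_bundle(FILES, mtime=0)))
    print(compare_builds(published, rebuilt_clock))
    print(compare_builds(published, rebuilt_changed))
```

A metadata-only mismatch usually points at the build environment (timestamps, ownership), while a content mismatch means the compiled files themselves differ and deserves a closer look.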

What's to Come

Our current focus is security, robustness and user experience. We will be fixing bugs and releasing updates as appropriate, and in the future, we plan on pairing releases with Mozilla's Extended Support Release (ESR) cycle. We have some ideas on where to take Tor Messenger but we would like to hear what you have to say. Some possibilities include:

How To Help

Give it a try, provide feedback and requests, and file bugs (choose the "Tor Messenger" component). If you are a developer, help us close all our tickets or help us review our design doc. As always, we are idling on IRC in #tor-dev (OFTC) (nicks: arlolra; boklm; sukhe) and subscribed to the tor-talk/dev mailing lists.

Please note that this release is for users who would like to help us test the product and who also understand the risks involved in using beta software.

Thanks and we hope you enjoy Tor Messenger!

Update: For Windows 10 (and some Windows 7, 8) users who were experiencing an issue in Tor Messenger where it wouldn't start, we have updated the download links above with a newer version that fixes the problem described in bug 17453.

I use XMPP and OTR (and Tor). But when I do, because of the XMPP design, there is a central server somewhere out there (probably more than one), which gets to know all my contacts. A bad person could break into that server, and learn the contact lists of all the users. Designs like Ricochet don't have that central server, so they don't have that particular risk.

If we could move everybody in the world over to a Ricochet-like protocol, that would be great. We should totally work towards that. But since it requires a Tor install, many people -- especially those on mobile platforms -- aren't in a position yet to do that easily.

Thanks for the informative reply, arma. I'm very excited about Ricochet too. I hope Ricochet makes it to the mobile phone platform one day also.

An even more secure solution for mobile phones would be having IM software like Ricochet run on a separate (offline) hardware device, similar to JackPair (https://www.jackpair.com). That way the mobile phone could be completely compromised and under targeted surveillance and it would not affect the user's security.

The genius of JackPair is the use of 3.5mm audio jacks as a data transmission channel between the offline hardware device and the cellphone, virtually eliminating the possibility of a compromised cellphone infecting the offline hardware encryption device through a 3.5mm audio cable.

One step at a time I suppose ;). I believe future secure communications will rely on separate hardware devices treating cellphones as compromised dumb modems. Moving the "endpoint" off the cellphone's hardware and onto the hardware of a secure offline hardware device plugged into the cellphone via a hard to exploit data channel (3.5mm audio jack, Bluetooth maybe, but definitely not Bad USB).

I agree that using "compromised" hardware is an industry business/political bug, and speaking about cellphones or laptops/tablets is useless as long as you buy a product without any warranty of privacy.

Encrypting the voice is a big & serious challenge.

I do not know if Ricochet can be installed on a data memory card.

The real challenge could be to convince the industry of the necessity of a real product protecting our privacy.
In fact, it is about the contract: the contract is done from, with, for a government (20 people?), nothing involving the consumer, and the contract done between a client and a service does include a third unknown person.

*A compromised original product still stays so.

"And lastly, on the funding angle, actually neither project has any funding currently. We're working on helping both of them to fix that."

Can you give any more details on this? Who, where, when,...

Anonymous

October 29, 2015

Does it launch its own tor service or does it require Tor Browser to be opened first and use its service?
If it starts an independent tor service, can we use it for other apps (curl, torsocks, etc.)? You know, as we do with Tor Browser for example (redirecting apps to 127.0.0.1:9150).

Thanks.

It launches its own Tor service. This is a feature, in that it simplifies everything from your perspective, but it's also sort of sad in that it would be nice for you to be able to run many applications at once, and they all use a single Tor client, and also they do it safely. We're not there yet though:
https://trac.torproject.org/projects/tor/wiki/org/meetings/2015SummerDe…

And yes, if you want to attach some other program to the Tor that Tor Messenger launches, feel free.

I managed to run the messenger part individually (debian:jessie) while my regular tor was on and configured the socks5 proxy as above. It worked fine but a way to check whether it is actually trafficking through tor or not would be nice. In the same manner it should work under Tails as well.

The only account I had to try it on was Twitter and it looked like an old messenger (no pics or video, just links you would have to manually transfer to a browser).

I couldn't figure out how to check a #hash channel but somehow it knew who of my followed identities were on at the time.

You can tweet just fine and you can RT but there was no way to FV something.

I can't say much about a messenger since I haven't used one for ages (!Y maybe 12-13 years ago) ..

So what's the deal with 9152 instead of 9150?

Anonymous

October 29, 2015

It doesn't work at all, Windows 7 64bit, Windows 8.1 32bit, and Windows 10 64bit.

Faulting application name: instantbird.exe, version: 41.0.0.5729, time stamp: 0x000232e8
Faulting module name: d2d1.dll, version: 6.2.9200.16765, time stamp: 0x528bf6b2
Exception code: 0xc0000005
Fault offset: 0x002284f6
Faulting process id: 0x1728
Faulting application start time: 0x01d112c2de7b0b89
Faulting application path: Tor Messenger\Messenger\instantbird.exe
Faulting module path: C:\Windows\system32\d2d1.dll
Report Id: 26f0368d-7eb6-11e5-8e12-005056c00008

Faulting application name: tormessenger-install-0.1.0b2_en-US.exe, version: 0.0.0.0, time stamp: 0x53c50d97
Faulting module name: SyncShellExtension86_70.dll, version: 0.0.0.0, time stamp: 0x560252bd
Exception code: 0xc0000005
Fault offset: 0x0000ce6e
Faulting process id: 0x1938
Faulting application start time: 0x01d112c2bdcd2844
Faulting application path: tormessenger-install-0.1.0b2_en-US.exe
Faulting module path: BitTorrent Sync\SyncShellExtension86_70.dll
Report Id: 0c5a1308-7eb6-11e5-8e12-005056c00008

Gosh. I don't want to speak for the Tor Messenger developers here, but I wouldn't be optimistic. Skype is notoriously closed, proprietary, incompatible, etc.

(I was going to say "I hope not", but actually, I do hope there's Skype support in the future -- it would mean that Microsoft came to its senses and embraced the open source world, the world of peer-reviewable protocols, and so on. Let's not hold our breath though.)

Yes! That would be really great.

If you'd go with JavaScript, here are some libraries to consider using:
https://github.com/joebandenburg/libaxolotl-javascript
https://github.com/macropodhq/axolotl
https://github.com/alax/forward-secrecy
https://github.com/alexeykudinkin/axolotl.js

But it'd be possible to use ctypes as well, like with the OTR extension added to Tor Messenger.

Good to hear. I'm really surprised there isn't a concerted effort to marry up against TextSecure. They are the only people doing it right as far as I can tell. Axolotl makes OTR actually usable for the practical user. It has to work seamlessly across a user's devices, which is the critical nut that OWS have finally cracked.

I feel like interoperation with 'all the services' is a distraction, and perhaps a misguided goal. How are you layering security over these proprietary protocols? Surely just routing traffic through Tor doesn't do anything to help the fact these are mostly plaintext protocols?

Anonymous

October 30, 2015

I've installed Tor Messenger, but it doesn't start... Appcrash. Something with d2d1.dll. Windows 8.1 x64

Anonymous

October 30, 2015

Avira wants to move instantbird to quarantine and I guess this is why the program doesn't work for me :(

But an Android/iOS/WP mobile client would probably be more useful than a desktop client; I now do 90% of my chats on my mobile, and I think that I am not the only one like that.

Anonymous

October 30, 2015

Windows XP, instantbird.exe - entry point not found:
"the procedure entry point _vsnprintf_s could not be located in the dynamic library msvcrt.dll"

Anonymous

October 30, 2015

This is magic... effectively got Adium back for Facebook Messenger.... brilliant job... Thanks

Anonymous

October 30, 2015

Any suggestion to fix the problem when I click to open Tor Messenger but nothing appears?

Anonymous

October 30, 2015

Is Instantbird being funded directly or indirectly by the Department of State? Is Department of State funding for Instantbird tied to Congressional legislation on sanctions against Iran? Will Tor Project release its contract (or subcontract) with Department of State for Instantbird? Why does Sponsor O's Trac page not say Department of State? Where is the transparency?

"Department of State" is not the owner of the internet, Tor Messenger is open source, Iran has its own censure policy ... for real transparency make donations to this project, thx.

Anonymous

October 30, 2015

I appreciate what you are doing; I wish I could run the app to try it out at least. Windows 7 64-bit. It's not starting because of this:

Problem Event Name: APPCRASH
Application Name: instantbird.exe
Application Version: 41.0.0.5729
Application Timestamp: 000232e8
Fault Module Name: d2d1.dll
Fault Module Version: 6.2.9200.16765
Fault Module Timestamp: 528bf6b2
Exception Code: c0000005
Exception Offset: 002284f6
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1033
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

Anonymous

October 30, 2015

I am unable to connect to OFTC or any other IRC network. Maybe it's because tor-messenger connects to IPs (servers) that forward traffic, resulting in failed connects. Can we use tor-messenger for hidden services?

Yes, you can use Tor Messenger with hidden services. Just provide an onion address instead wherever applicable.

OFTC seems to throttle Tor connections on and off, and we are aware of this. One possible solution would be to try this with a new exit and check whether that works or not. You can't currently do this from Tor Messenger but it's on our to-do list (https://trac.torproject.org/projects/tor/ticket/10950).

Tor Messenger is based on the client-server model and builds on existing networks like IRC, XMPP, etc. TorChat was a decentralized service that is no longer active? (Also Tor Project does not develop TorChat.)

Anonymous

October 30, 2015

I tried running it in Windows 10, to no avail, but in Windows 7 it's running okay.