Tor Messenger Beta: Chat over Tor, Easily

Today we are releasing a new, beta version of Tor Messenger, based on Instantbird, an instant messaging client developed in the Mozilla community.

What is it?

Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

What it isn't...

Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server. However, your route to the server will be hidden because you are communicating over Tor.

We are also excited about systems like Pond and Ricochet, which try to solve this problem, and would encourage you to look at their designs and use them too.

Why Instantbird?

We considered a number of messaging clients: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice -- its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

Current Status

Today we are releasing a beta version with which we hope to gain both usability and security-related feedback. There have been three previous alpha releases to the mailing lists that have already helped smooth out some of the rougher edges.

Downloads (Updated)

Get the latest version

Instructions

  • On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
  • On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.
  • On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.

  • Note that as a policy, unencrypted one-to-one conversations are not allowed and your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication but doing so is not recommended.

Source Code

We are doing automated builds of Tor Messenger for all platforms.

The Linux builds are reproducible: anyone who builds Tor Messenger for Linux should have byte-for-byte identical binaries compared with other builds from a given source. You can build it yourself and let us know if you encounter any problems or cannot match our build. The Windows and OS X builds are not completely reproducible yet but we are working on it.
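One way to act on a build that does not match, as an added example (not Tor Project code): when two Linux bundles do not hash the same, compare them member by member to see whether file content or only archive metadata differs. The function names and the in-memory sample bundles are constructed for illustration.

```python
import hashlib
import io
import tarfile


def manifest(bundle: bytes) -> dict:
    """Map member name -> (content hash, mode, mtime, owner) for a tar bundle."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:*") as tar:
        for m in tar:
            data = tar.extractfile(m).read() if m.isfile() else b""
            out[m.name] = (hashlib.sha256(data).hexdigest(), m.mode, m.mtime,
                           (m.uid, m.gid, m.uname, m.gname))
    return out


def compare_builds(mine: bytes, theirs: bytes) -> list:
    """Return [] when byte-for-byte identical, else (member, reason) pairs."""
    if hashlib.sha256(mine).digest() == hashlib.sha256(theirs).digest():
        return []
    a, b = manifest(mine), manifest(theirs)
    diffs = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            diffs.append((name, "missing in one build"))
            continue
        for field, x, y in zip(("content", "mode", "mtime", "owner"), a[name], b[name]):
            if x != y:
                diffs.append((name, field))
    # Same members and metadata but different bytes: ordering or compression.
    return diffs or [("<archive>", "member order, padding or compression")]


def make_bundle(files: dict, mtime: int) -> bytes:
    """Constructed sample input: an in-memory tar with fixed metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    files = {"bundle/app.bin": b"\x00\x01", "bundle/start.sh": b"#!/bin/sh\n"}
    ours = make_bundle(files, mtime=0)
    rebuilt = make_bundle(files, mtime=1446336000)  # only timestamps differ
    for member, reason in compare_builds(ours, rebuilt):
        print(f"{member}: {reason} differs")
```

A report that lists only `mtime` or `owner` points at the build environment rather than the source; a `content` entry is the case worth reporting.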

What's to Come

Our current focus is security, robustness and user experience. We will be fixing bugs and releasing updates as appropriate, and in the future, we plan on pairing releases with Mozilla's Extended Support Release (ESR) cycle. We have some ideas on where to take Tor Messenger but we would like to hear what you have to say. Some possibilities include:

How To Help

Give it a try, send us feedback and requests, and file bugs (choose the "Tor Messenger" component). If you are a developer, help us close all our tickets or help us review our design doc. As always, we are idling on IRC in #tor-dev (OFTC) (nicks: arlolra; boklm; sukhe) and subscribed to the tor-talk/dev mailing lists.

Please note that this release is for users who would like to help us test the product and who also understand the risks involved in using beta software.

Thanks and we hope you enjoy Tor Messenger!

Update: For Windows 10 (and some Windows 7, 8) users who were experiencing an issue in Tor Messenger where it wouldn't start, we have updated the download links above with a newer version that fixes the problem described in bug 17453.

Anonymous

November 01, 2015

> Cannot malicious exit nodes eavesdrop facebook or google credentials?

>> No, because TLS is enabled for all protocols by default.

>>> The NSA has found some weak links in the algorithms used to encrypt internet traffic. It means that whatever products or enhancements Tor developers are doing are vulnerable to US government snoops.
>>>
>>> Matthew Green, one of the people who audited Truecrypt, postulated the NSA has solved some of the issues surrounding ECDLP (Elliptic Curve Discrete Logarithm Problem). "A riddle wrapped in a curve" (http://blog.cryptographyengineering.com/)
>>>
>>> If you're still interested read the following post by Bruce Schneier as well: "Why Is the NSA Moving Away from Elliptic Curve Cryptography?" (https://www.schneier.com/blog/archives/2015/10/why_is_the_nsa_.html)

The blog post by Matthew Green at

http://blog.cryptographyengineering.com/

was prompted by a readable paper by Koblitz and Menezes (see the link in MG's blog) which attempts to review the current status of public-key cryptosystems and the most popular candidates for PQC (post-quantum-cryptography). This topic has recently become much more urgent and contentious owing to the following developments:

o documents leaked by Snowden convinced everyone that (as some had long suspected), NSA deliberately weakened a specific part of NIST crypto standard describing a random number generator to be used as part of RSA (the algorithm), and NSA even appears to have bribed RSA (the company) to overlook the crippling of its primary product,

o on the other hand, the black budget leaked by Snowden shows NSA has only been putting tens of millions per annum into research on quantum computers, suggesting that they do not believe that a huge breakthrough is only a few years away, which suggests that PQC may not be urgently needed for some years (unless NSA is wrong about what will be possible in the near future),

o NIST had an (understandable and laudable) falling out with NSA after it learned it had been gulled by NSA operatives,

o NIST sponsored a high profile conference on PQC intended to mobilize civilian cryptographers to get cracking,

o after decades of urging adoption of ECC (elliptic-curve cryptography)--- Koblitz is one of the co-inventors of ECC--- NSA suddenly withdrew support and now advocates moving from RSA directly to some PQC scheme, causing everyone to wonder WTF?,

o researchers recently showed that the older DHE schemes are much more vulnerable than previously recognized; this issue directly affects Tor users because Tor client/server pairs use public key cryptography when setting up Tor circuits--- the packets themselves are encrypted using symmetric cryptography--- current Tor prefers to set up circuits using ECDHE, a Diffie-Hellman type scheme using elliptic curves, but still allows the now deprecated DHE.

This is all very technical, but the Koblitz-Menezes paper does a pretty good job of making the key issues somewhat comprehensible to Tor users. Not to be missed: the (humorous?) deduction that NSA considers information classified "Top Secret" to be 2^64 times more valuable than information classified "Secret".

I think the situation is so confusing (to non-experts) and so important for educated TBB and TM users to understand that a guest post in this blog by someone of the status of Bruce Schneier or Matthew Green or Jacob Appelbaum clarifying how these issues affect the work flow of typical endangered persons who use Tor (e.g. LUKS encrypted USB sticks as well as (a)symmetric encryption used to establish/maintain Tor circuits) would be useful.

Jacob Appelbaum, who I think has some association with the Tor Project, tweeted a response to Cyrus Farivar's story on TM in Ars Technica which I do not grok. I notice that he also provided pre-publication comments on the paper by Koblitz and Menezes.

Anonymous

November 01, 2015

Very gratifying to see how much interest there is in TM. If we can get TM in Tails it could be very helpful for whistleblowers, human rights workers, cybersecurity researchers, reporters, medical practitioners, telecom engineers, climate scientists, political dissidents, and other endangered people.

Could TM become the killer app that makes Tor usage mainstream?

Anonymous

November 01, 2015

Where or how do I uninstall Tor? I don't see it in the Control Panel or in the install dir folder.

Anonymous

November 01, 2015

Same here as the other guy:

"Google Talk refuses the connection calling this 'not a modern messaging client'"

I get an email stating sign in attempt prevented

Anonymous

November 01, 2015

I'm a bit confused by your statement "It also has an active and vibrant software developer community". The last release of Instantbird was back in 2013. That seems pretty long for an active project.

I was able to install and run Tor Messenger without issue, though.

IRC doesn't allow hidden services (high traffic) networks like Tor because of abuse.
It is usually "blocked by default" in IRC when they find out. Also some admins running servers on IRC block for the same reason. The problem with Tor is that they aren't blocking any specific IP, they are blocking the nodes where all IPs go through. Try using a bridge and see if that helps out.

Anonymous

November 02, 2015

Hi, Avira blocking install saying Instabirds.exe has virus "TR/ATRAPS.Gen"
Is Avira being a pussy? Is it meant to be there? Not installing until I find out, obvs.
Ta.

Anonymous

November 02, 2015

Can't get accounts to connect on Windows 7-64 bit. Put in the correct passwords, and it keeps coming up Not Authorized.

Anonymous

November 02, 2015

Few findings and open questions:

1. why no jitsi? I read the reply from 31st oct from sukhbir but that does not give the reasoning behind that decision. I'd love to hear more if possible.

2. IRC feedback is recommended both on the tor-project website and in this blogpost above. but attempting to join both #tor or #tor-dev results in telling me, I need to be registered (no steps provided how that is done) and for #tor-dev I'd require an invitation. All good but for new users this is very confusing. I was unable to get this solved and access the IRC channels in question.

3. adding IRC account: I was able to add several various XMPP accounts. great. but whenever I tried to add any IRC server I was unable to do so and ended up with various errors. what are the prerequisites for IRC to successfully connect?

Other than that, very excited about this! Hope this will get dev love for quite some time and will not stagnate in the future.

2) #tor is on OFTC, so you need to register with the OFTC network. Details on how to do that are probably available on their website. It's likely that they use the standard procedure with a bot named "NickServ" that most other IRC networks are also using.

3) If you're adding IRC account, make sure the network in question isn't blocking Tor usage. This is the case for most bigger networks. (Momentarily including Freenode and OFTC, it seems.) So this isn't an issue with the software, it's a policy decision by a specific network.

Only if you care about connecting to servers that explicitly ban Tor. If you care about your anonymity while using IRC servers you should probably tell the server operators of servers you'd like to use exactly that, and that they should change their policy.

Anonymous

November 02, 2015

I cannot get Google Talk to authenticate. It keeps asking if I entered the wrong password, but I have tried a dozen times and validated that it is correct. And isn't Google Talk long gone? I should be using the same creds I use for Google "Hangouts", right?

My guess would be that rather than connecting to any website, that it connects to a chat backend, which is probably a clearnet server, and not a hidden service. Shouldn't really be an issue for you, though, as you're still using Tor.

WhatsApp compatibility is very unlikely as WA doesn't use an open protocol, which makes it unfeasible to be used by third-party applications.

Anonymous

November 02, 2015

The contents of Tor Browser and Tor Messenger appear to be the same although they have different sizes; the Messenger compressed file is 40 MB in size, but whenever I extract it, it shows the same contents as when the Tor Browser contents were extracted. Can you please guide me as to why that is so?

The content isn't the same. They share some code, and both use XUL, but that's it. Tor Messenger is based on Instantbird, and Tor Browser is based on Firefox ESR, two different programs.

Anonymous

November 03, 2015

I was using TM on 2 x MBP for Facebook Messenger. It was working using Facebook Verification Codes as the password but has now stopped working on both machines. I think Facebook may have blocked it as it did with Adium... anyone else seen this or know whether this is the case?

Anonymous

November 03, 2015

What is the difference between Tor Messenger and any chat program (Telepathy for example) + ordinary Tor as SOCKS5 proxy (and yes, chat protocol over SSL)?

I think the point of the Tor Messenger is to be exactly that, a pre-configured Instantbird. It gives you the assurance that your use of Tor with a specific software is done correctly and that leaks are prevented by design. Of course that's theoretically also possible to do with any other open-source software, but could be hard for an average user, and would also take time.

We try to make sure that everything is sent over Tor, there are no leaks, and we ensure that safe defaults are turned on by default (like OTR, logging disabled and much more). Think of this as specially designed to work with Tor.

Anonymous

November 03, 2015

If Firefox drops support for XUL in the coming year, what will happen to the Tor Browser?

Anonymous

November 03, 2015

Any chance of a build for 32-bit OS X, for those who are still on the old MacBooks?

Anonymous

November 03, 2015

Hi sukhbir! This post was kinda hilarious.

I was about to dig for some answers about (TorBirdy) and (Thunderbird).
Then this post showed up like (use our chat instead) lol.

Anyway, I don't know where to ask this question so maybe someone
here could help? It is told not to install any add-ons in the Tor Browser Bundle
whatsoever for security reasons. Then I slipped across the TorBirdy add-on
in Mozilla created by you and Jacob.

Now my question is how to install TorBirdy in Linux? Since that add-on is
made for Windows users I got stuck. But I would really like to try it out in
Thunderbird. Some guidance would be really appreciated.

Will also give Instantbird a try and come back with some feedback!

Thanks in advance!

Anonymous

November 03, 2015

> Get ready to be spied by NSA.

Everyone in the world is already a target of NSA surveillance. The point of TM is that we can and must fight back with every tool at our disposal. TM only addresses certain threats, but every countervailing force helps us in the struggle against global oppression.

And it's no longer just the NSA which everyone needs to worry about. Other nations have been "inspired" by Alexander's loathsome injunction to "collect it all". The result is that more and more people all over the world are also being targeted by other well funded intelligence agencies (China, Russia, France, Germany...). All the governments appear to be racing each other in an attempt to reach the final endpoint of human evolution (at least in NSA's view): the technofascist state. See

https://theintercept.com/2015/11/03/europe-still-angry-at-u-s-spying-pr…
Europe, Still Angry at U.S. Spying, Prepares to Increase Its Own
Jenna McLaughlin
3 Nov 2015

It gets worse. Most people are now spied upon not only by more than one nation, but by more than one agency from some nations. There are literally dozens of US agencies which are deeply involved in dragnet surveillance operations inside the US.

Anonymous

November 03, 2015

Tor Messenger cannot connect to my account in Yahoo. Maybe this is the reason why 'Add contact', 'New conversation', and 'Join chat' are disabled?

You need to connect successfully to an account for these buttons to make sense, yes. Try out a different account or service type. Also make sure that the service you're using is not blocking Tor usage, as that could always be the case.