Tor Messenger Beta: Chat over Tor, Easily

Today we are releasing a new, beta version of Tor Messenger, based on Instantbird, an instant messaging client developed in the Mozilla community.

What is it?

Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

What it isn't...

Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server. However, your route to the server will be hidden because you are communicating over Tor.

We are also excited about systems like Pond and Ricochet, which try to solve this problem, and would encourage you to look at their designs and use them too.

Why Instantbird?

We considered a number of messaging clients: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice -- its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

Current Status

Today we are releasing a beta version with which we hope to gain both usability and security-related feedback. There have been three previous alpha releases to the mailing lists that have already helped smooth out some of the rougher edges.

Downloads (Updated)

Get the latest version

Instructions

  • On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
  • On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.
  • On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.

  • Note that as a policy, unencrypted one-to-one conversations are not allowed and your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication but doing so is not recommended.
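
To illustrate the OTR-only policy above, here is an added example (not code from Tor Messenger or Instantbird) that classifies message bodies as a server would see them, following the OTR version 3 wire format. The function names and the sample messages are constructed for illustration.

```javascript
// Added example: classify message bodies as they appear on the wire,
// following the OTR version 3 wire format. Not Tor Messenger code.

// 16-byte space/tab tag a client may append to plaintext to advertise OTR.
const WS_TAG = "\x20\x09\x20\x20\x09\x09\x09\x09\x20\x09\x20\x09\x20\x09\x20\x20";

// Message type byte that follows the 2-byte protocol version.
const TYPES = { 0x02: "dh-commit", 0x0a: "dh-key", 0x11: "reveal-signature",
                0x12: "signature", 0x03: "data" };

function classifyBody(body) {
  if (body.startsWith("?OTR:")) {
    // Encoded message: "?OTR:" + base64(payload) + "."
    const b64 = body.slice(5, -1);
    if (!body.endsWith(".") || !/^[A-Za-z0-9+\/]+={0,2}$/.test(b64)) {
      return { kind: "otr-malformed" };
    }
    const raw = Buffer.from(b64, "base64");
    const type = raw.length >= 3 ? TYPES[raw[2]] : undefined;
    if (!type) return { kind: "otr-malformed" };
    return { kind: "otr-encoded", version: raw.readUInt16BE(0), type };
  }
  if (body.startsWith("?OTR|") || body.startsWith("?OTR,")) return { kind: "otr-fragment" };
  if (body.startsWith("?OTR Error:")) return { kind: "otr-error" };
  if (/^\?OTR(\?|v[^?]*\?)/.test(body)) return { kind: "otr-query" };
  // The tag only advertises OTR support; the text itself is still readable.
  if (body.includes(WS_TAG)) return { kind: "plaintext-tagged" };
  return { kind: "plaintext" };
}

// Indexes of bodies whose user content was readable by the server.
function cleartextIndexes(bodies) {
  return bodies
    .map((b, i) => (classifyBody(b).kind.startsWith("plaintext") ? i : -1))
    .filter((i) => i >= 0);
}

// Constructed sample: payloads are filler bytes, not real ciphertext.
const encode = (bytes) => "?OTR:" + Buffer.from(bytes).toString("base64") + ".";
const SAMPLE = [
  "?OTRv23?",                                                     // query
  "are you there?" + WS_TAG + "\x20\x20\x09\x09\x20\x20\x09\x09", // tagged plaintext (v3)
  encode([0x00, 0x03, 0x02, 0xde, 0xad, 0xbe, 0xef]),             // key exchange
  encode([0x00, 0x03, 0x03, 0xde, 0xad, 0xbe, 0xef]),             // data message
  "see you at 5",                                                 // plaintext
];

console.log(SAMPLE.map((b) => classifyBody(b).kind), cleartextIndexes(SAMPLE));
```

A body classified as otr-encoded only shows OTR framing; it says nothing about key authenticity, which still requires verifying your contact's fingerprint.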

Source Code

We are doing automated builds of Tor Messenger for all platforms.

The Linux builds are reproducible: anyone who builds Tor Messenger for Linux should have byte-for-byte identical binaries compared with other builds from a given source. You can build it yourself and let us know if you encounter any problems or cannot match our build. The Windows and OS X builds are not completely reproducible yet but we are working on it.

What's to Come

Our current focus is security, robustness and user experience. We will be fixing bugs and releasing updates as appropriate, and in the future, we plan on pairing releases with Mozilla's Extended Support Release (ESR) cycle. We have some ideas on where to take Tor Messenger but we would like to hear what you have to say. Some possibilities include:

How To Help

Give it a try, provide feedback and requests, and file bugs (choose the "Tor Messenger" component). If you are a developer, help us close all our tickets or help us review our design doc. As always, we are idling on IRC in #tor-dev (OFTC) (nicks: arlolra; boklm; sukhe) and subscribed to the tor-talk/dev mailing lists.

Please note that this release is for users who would like to help us test the product and who also understand the risks involved in using beta software.

Thanks and we hope you enjoy Tor Messenger!

Update: For Windows 10 (and some Windows 7, 8) users who were experiencing an issue in Tor Messenger where it wouldn't start, we have updated the download links above with a newer version that fixes the problem described in bug 17453.

Anonymous

November 04, 2015

I use Torchat....it is flaky and unsupported but works. I like how it is self contained with no need for an external service. Please implement something like that.. cause going into another account like Gtalk or FB messenger doesn't really seem like it is solving anything big picture wise.

totally agree! torchat is user friendly, no complications. create a nickname, add someone into the chat and you're done. no personal info needed.

however torchat is NOT maintained by the torproject team. but would really like something similar like that from the tor developers!

We understand that and we address that in the post itself. There are many users who use IRC, XMPP or Facebook and that is unlikely to change. Tor Messenger is meant to provide security to those users. We recommend Pond and Ricochet for these issues (see post for links).

Anonymous

November 04, 2015

Can anyone help? When I go to add an account, IRC or the other, XMPP, what server are you supposed to use? I tried the Google thing and Facebook and it doesn't work.

You can use any IRC or XMPP server that allows the usage of Tor (that should be any that don't explicitly disallow it). I would recommend you search the web yourself to get a good overview, but for convenience here are some you could check out. IRC: Darenet, OFTC (the latter sometimes blocks specific exits) --- Jabber/XMPP: Rows.io, Dukgo.com, otr.im

Of course, as is the nature of the protocol, if you use IRC your chat partner needs to connect to the same network. With XMPP the servers normally federate between each other, so that this isn't required. If you're still unsure, I would recommend to look up tutorials and introductions to IRC and/or XMPP on the web. If you find a good one, it'll maybe be useful to teach your chat partner about these services, should they have the same questions as you have.

Anonymous

November 05, 2015

Is there somebody who speaks French? Or is there a French darknet? If yes, how to access it?

Anonymous

November 05, 2015

greetings all

any idea how one would set up a personal XMPP server/Tor hidden service on a Raspberry Pi?

I would imagine that most standard XMPP servers should run just fine on a Raspberry Pi device. I have no personal experience with them, but I heard that Prosody is supposed to be relatively lightweight, so maybe check that one out.

Anonymous

November 05, 2015

I am trying to download it on Mac but it is giving me that the file is not complete !

Anonymous

November 05, 2015

First time chat user reports following experience:

32-bit application opens on Laptop running Debian stable.
Could connect to Tor network using a bridge.
Apparently was able to create an account at calyxinstitute.org as per Cyrus Farivar article.

Lightly edited error messages:

Warning: Error: __noSuchMethod__ is deprecated
Source File: resource:///modules/xmpp.jsm
Line: 1645

Error: Could not create conversation as jid is broken: jabber.calyxinstitute.org
Source File: resource:///modules/xmpp.jsm
Line: 1685
Source Code:
prpl-jabber: XMPPAccountPrototype.createConversation

Warning: Unhandled IQ result stanza.
Source File: resource:///modules/xmpp.jsm
Line: 1225
Source Code:
prpl-jabber: XMPPAccountPrototype.onIQStanza

Error: uncaught exception: Some required fields are empty!
Source File: chrome://instantbird/content/menus.js
Line: 133

Error: uncaught exception: Some required fields are empty!
Source File: chrome://instantbird/content/menus.js
Line: 133

Error: uncaught exception: ***
Source File: resource://gre/components/ibConvStatsService.js
Line: 378

Anonymous

November 05, 2015

> I would recommend other servers, which are well tested and work nice as both clearnet and onion servers:

What is required to register an account? Email? A working chat account elsewhere? Credit card? What is the most secure/anonymous way to register an account with these servers?

Anonymous

November 05, 2015

Can Tor Project please post step by step instructions written for someone who has never used a chat client explaining step by step

1. how to use TM to register an account at a server such as jabber.calyxinstitute.org which does not require email or money to register

2. how to use TM to enter a chat room (how to find the available rooms at calyx?)

3. how to use TM to specify another party (what user name should one enter for Farivar?) and to attempt to start a private OTR protected chat

4. how to recognize that a non-response is due to your party (e.g. Farivar) not being logged into the same chat server

Anonymous

November 06, 2015

I'm looking for someone who understands this np1sec protocol to clear this up: For the duration of the chat at least (if not longer), the server is a trusted party, right? The server must know the room name, and the room name is all that's needed to join the chat. Once someone joins they are relayed the chat history. If the server is adversarial or compelled by some adversary to provide chat room names, that adversary could join the multi-party chat and get the whole history, yes? Those in the room would see this unknown party join, but the history has already been compromised. Is this correct?

Also is there any console/raw message feature that I could use to verify whether the messages are really encrypted?

Anonymous

November 07, 2015

Is it ok to run Tor Browser Bundle and Tor Messenger concurrently? Does this mean there will be two Tor processes, or a single shared one?

I may have missed the link if there is one, but some basic doc to get users up and running would be helpful, judging from the questions above as well.

I haven't tried it yet, but some basic points are unclear to me. For example, does your conversation partner need to be running Tor Messenger as well?

There are also stumbling-blocks to do with accessing Jabber servers or IRC while using Tor (or creating accounts on them), that I can imagine could cause a lot of frustration for people trying this for the first time. And security aspects: who can see the Jabber or IRC room you chat in? All this will be obvious to experienced users, but the rest of us could use a little help with the learning curve.

> Does this mean there will be two Tor processes, or a single shared one?

Two different Tor node processes (different programs, in fact, not just two instances).

> For example, does your conversation partner need to be running Tor Messenger as well?

No, not strictly.

> And security aspects: who can see the Jabber or IRC room you chat in?

I don't know about the details of the protocol, but I assume the server (apart from your interlocutors) has to know what room you are in. Your messages, though, should be OTR-encrypted.

Disclaimer: not a torproject developer.

That's true. Right now if you are running Tor Browser and Tor Messenger, you have two Tor processes. We have plans to fix this later by sharing the Tor process (if it is already running). And the server sees who you are talking to (metadata) but not what you are talking about (content). And the other side can have Pidgin or Adium, but we recommend Tor Messenger.

Anonymous

November 08, 2015

Before trying to open/install instantbird make sure that you save and open the download file in a home/desktop environment! this will NOT work if you try to install it from an external hard drive/flash drive or some other weird place.

however you could save a copy of the dl file somewhere else, but it has to run on a desktop environment. (C:) (x86) / program in windows and (file/home) in linux!

also keep in mind you will need a channel and/or account for the place that you are trying to connect to.

Anonymous

November 09, 2015

I attempted to connect TOR Messenger to both my Facebook and Google accounts. In both cases, it claimed that I was not authorized as I might have entered the wrong password; however, I know with absolute certainty that this is not the case. Is there a workaround for this particular issue or is it something regarding the settings on those accounts? Any help would be appreciated and keep up the good work...I greatly appreciate everything you guys do to help those of us less technical folks defend our privacy.

Start by noting that the username field in Tor Messenger is your Facebook username, not your email address. Your username is the text after facebook.com on your profile page. (If the link to your profile is facebook.com/johndoe, then your username is johndoe.) If you still can't find it, go to "Settings", under "General", see "Username". And then add the account from Tor Messenger.

Anonymous

November 09, 2015

Wanted to try Tor Messenger and tried to connect to Quakenet. But I do receive only:

[08.11.2015 23:01:00] ERROR (@ prpl-irc: ircSocket.prototype.onBadCertificate jar:file:///D:/Tools/Tor%20Messenger/Messenger/omni.ja!/components/irc.js:737)
Bad certificate or SSL connection for XXXXXXXX@irc.quakenet.org:
SSL received a record that exceeded the maximum permissible length.

Error

Is there a workaround for this?

Anonymous

November 09, 2015

Was the chat logging option from the base code just disabled, or removed entirely? I enabled what seems to be the right option (purple.logging.log_chats) but I can't find any files created.

I set all those things, and it created a json file deep inside the application's directory. So that much works (for admin users, which nearly everyone on osx is and an entirely different topic.)

Unfortunately the results are not usable, the ability to quickly search old chats is a major reason I'm still using Apple's client. I appreciate the reply, but it looks like I'm still stuck where I am because of this. Thanks.

Anonymous

November 11, 2015

For any future tutorial/documentation created, can you please add a created date so that users have an idea whether the information is current or older?

keep up the good work people.

Anonymous

November 11, 2015

Very great tool, intuitive, fast and simple, better than Pidgin for easy use with Tor, keep it up!!!

Anonymous

November 11, 2015

In reply to by Anonymous (not verified)

Same thoughts here. Never tried Instantbird before, only Pidgin, and am very pleased. Some IRC-related functionality is missing but only small stuff, not keeping me from using it at all.

Anonymous

November 15, 2015

The foes of encryption have been quick to exploit the mid-November attacks in Paris. NYPD Police Commissioner Bill Bratton, former FBI Deputy Director Timothy Murphy, former NCTC Director Michael Leiter, and former CIA Deputy Director Michael Morell have all claimed within the past 24 hours that "encrypted apps" explain why the French security services did not detect and break up pre-operational planning by the attackers. Morell has been particularly insistent in several interviews in his insistence that the US political leadership should "revisit" the recent decision by President Obama not to ban outright "unauthorized encryption".

We need to organize a robust response to this slander from the tech community. I hope such leaders as Bruce Schneier, Matthew Green, ACLU, EFF, EPIC, Tim Cook of Apple, will step up to try to explain in suitably simplified terms comprehensible to panicked legislators why mandating backdoors in civilian encryption, or banning all "encrypted apps", is the very last thing we want to do if we are concerned about computer security, or want to preserve traditional Western notions of political/religious freedom, civil liberties, property rights (who owns our personal electronic devices?), freedom of expression, and freedom of movement.

Anonymous

November 16, 2015

When I set up the Facebook account, it denies me with an error that I entered the wrong password. Please tell me which password it requires.

Anonymous

November 18, 2015

The enemies of privacy were quick to blame the Friday 13th Paris attacks on Snowden and "encrypted apps". Suspected war criminal and CIA Director John Brennan was particularly harsh:

http://thehill.com/policy/national-security/260573-cia-director-attacks…
CIA director assails Snowden
Julian Hattem
18 Nov 2015

http://www.nytimes.com/2015/11/17/us/after-paris-attacks-cia-director-r…
After Paris Attacks, C.I.A. Director Rekindles Debate Over Surveillance
Scott Shane
16 Nov 2015

Editorialists from Glenn Greenwald to the Editorial Board of the NYT responded by debunking his unsubstantiated claims:

http://www.nytimes.com/2015/11/18/opinion/mass-surveillance-isnt-the-an…
Mass Surveillance Isn’t the Answer to Fighting Terrorism
THE EDITORIAL BOARD
17 Nov 2015

https://theintercept.com/2015/11/15/exploiting-emotions-about-paris-to-…
Exploiting Emotions About Paris to Blame Snowden, Distract from Actual Culprits Who Empowered ISIS
Glenn Greenwald
15 Nov 2015

https://theintercept.com/2015/11/18/nyt-editorial-slams-disgraceful-cia…
NYT Editorial Slams “Disgraceful” CIA Exploitation of Paris Attacks, But Submissive Media Role Is Key
Glenn Greenwald
18 Nov 2015

Reporters pointed out that the credibility of CIA/NSA officials is crap, cast doubt upon the claims about encrypted terrorist communications, and highlighted the evidence that intelligence failures are due, not to encryption, but to agencies like CIA which time and time again have failed to use the information they already have:

https://theintercept.com/2015/11/17/u-s-mass-surveillance-has-no-record…
U.S. Mass Surveillance Has No Record of Thwarting Large Terror Attacks, Regardless of Snowden Leaks
Jenna McLaughlin
17 Nov 2015

Our enemies claimed, specifically, that the Paris attackers used encrypted chat features in Apple phones and/or Playstation gaming consoles:

http://arstechnica.com/gaming/2015/11/despite-what-the-papers-say-there…
There’s no evidence ISIS used PS4 to plan Paris attacks
Reporting is at best misinformed, at worst purposefully sensationalist.
Mark Walton (UK)
17 Nov 2015

The most recent reports from France describing a cell phone found at the scene and used by the alleged attackers, and the actual facts of the case appear to completely contradict John Brennan's claims, and to support what I just said about intelligence failures:

http://thehill.com/policy/cybersecurity/260596-report-paris-attackers-m…
Report: Paris attackers may have used unencrypted devices
Katie Bo Williams
18 Nov 2015

> Some unconfirmed reports indicate that one of the Paris terrorists’ mobile phone, recovered from a trash can near the site of the deadliest strike, appears to have been unencrypted. French media report that the phone contained a map of the concert hall where so many were victimized in the attacks and a chilling text message sent shortly after the first gunman entered the venue: “Let’s go, we’re starting.” According to Le Monde, the message was an SMS — a traditional text message sent over a wireless voice network.

Anonymous

November 18, 2015

When I try to connect to 'facebook chat' it says 'error not authorized' when I haven't even set a password? What should I do?

Anonymous

November 19, 2015

It wants me to pick from facebook messenger/gmail/yahoo etc.? I know that can't be right...

Anonymous

November 20, 2015

Is it safe to run Tor Browser & Tor Messenger at the same time?

Anonymous

November 22, 2015

Hey Sukhbir,

Checked Tor application over PC; the project has good potential but there is more to be worked on. Currently I am working with an app development company, I have delivered some good chat applications, and would recommend you to look after user experience.
Also, would love to see Tor app over mobile platform in coming time.

Jeffrey
Mobiloitte

Anonymous

November 23, 2015

Crashes on Linux 32bit when main window is clicked on.
How can I see a log or output to see an error message?