Tor Messenger Beta: Chat over Tor, Easily

WARNING STARTS

As of March 2018, Tor Messenger is no longer maintained and you should NOT use it. Please see the announcement for more information.

WARNING ENDS

Today we are releasing a new, beta version of Tor Messenger, based on Instantbird, an instant messaging client developed in the Mozilla community.

What is it?

Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

What it isn't...

Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server. However, your route to the server will be hidden because you are communicating over Tor.

We are also excited about systems like Pond and Ricochet, which try to solve this problem, and would encourage you to look at their designs and use them too.

Why Instantbird?

We considered a number of messaging clients: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice -- its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

Current Status

Today we are releasing a beta version with which we hope to gain both usability and security-related feedback. There have been three previous alpha releases to the mailing lists that have already helped smooth out some of the rougher edges.

Downloads (Updated)

Get the latest version

Instructions

  • On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
  • On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.
  • On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.

  • Note that as a policy, unencrypted one-to-one conversations are not allowed and your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication but doing so is not recommended.

Source Code

We are doing automated builds of Tor Messenger for all platforms.

The Linux builds are reproducible: anyone who builds Tor Messenger for Linux should have byte-for-byte identical binaries compared with other builds from a given source. You can build it yourself and let us know if you encounter any problems or cannot match our build. The Windows and OS X builds are not completely reproducible yet but we are working on it.
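One way to find where a Linux build fails to match a reference bundle, as an added example that is not Tor Messenger's own tooling: it compares two tar bundles by SHA-256 and, on a mismatch, reports which members differ in content or in metadata. The bundle contents, path names and timestamp are constructed sample input.

```python
import hashlib
import io
import tarfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def member_index(bundle: bytes) -> dict:
    """Map each archive member to (content digest, mode, uid, gid, mtime)."""
    index = {}
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:*") as tar:
        for m in tar:
            f = tar.extractfile(m) if m.isfile() else None
            digest = sha256(f.read()) if f else None
            index[m.name] = (digest, m.mode, m.uid, m.gid, m.mtime)
    return index

def compare_builds(ours: bytes, theirs: bytes) -> dict:
    """Return {} for a byte-for-byte match, else a per-member reason map."""
    if sha256(ours) == sha256(theirs):
        return {}
    a, b = member_index(ours), member_index(theirs)
    report = {}
    for name in sorted(a.keys() | b.keys()):
        if name not in a or name not in b:
            report[name] = "missing from one build"
        elif a[name][0] != b[name][0]:
            report[name] = "content differs"
        elif a[name][1:] != b[name][1:]:
            report[name] = "metadata differs (mode/uid/gid/mtime)"
    # Same members and metadata but different bytes: ordering or compression.
    return report or {"<archive>": "member order or compression differs"}

def make_bundle(files: dict, mtime: int) -> bytes:
    """Constructed sample input: build a small tar archive in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    # Hypothetical path name; same content, different build timestamp.
    ref = make_bundle({"tor-messenger/app.bin": b"v1"}, mtime=0)
    mine = make_bundle({"tor-messenger/app.bin": b"v1"}, mtime=1446076800)
    print(compare_builds(mine, ref))
```

To compare real bundles, pass `compare_builds` the bytes of each file read from disk.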

What's to Come

Our current focus is security, robustness and user experience. We will be fixing bugs and releasing updates as appropriate, and in the future, we plan on pairing releases with Mozilla's Extended Support Release (ESR) cycle. We have some ideas on where to take Tor Messenger but we would like to hear what you have to say. Some possibilities include:

How To Help

Give it a try, provide feedback and requests, and file bugs (choose the "Tor Messenger" component). If you are a developer, help us close all our tickets or help us review our design doc. As always, we are idling on IRC in #tor-dev (OFTC) (nicks: arlolra; boklm; sukhe) and subscribed to the tor-talk/dev mailing lists.

Please note that this release is for users who would like to help us with testing the product but at the same time who also understand the risks involved in using beta software.

Thanks and we hope you enjoy Tor Messenger!

Update: For Windows 10 (and some Windows 7, 8) users who were experiencing an issue in Tor Messenger where it wouldn't start, we have updated the download links above with a newer version that fixes the problem described in bug 17453.

Anonymous

November 24, 2015


> Thank you for the feedback. Most of these errors should be fixed in the upcoming release.

Thanks, sukhbir! I eagerly await the next release.

Don't let James Comey intimidate you into slowing your invaluable work on Messenger!

Anonymous

November 28, 2015


Would be awesome if you would invest the proper energy to make it work right with Google Talk!!!

Anonymous

November 30, 2015


> The foes of encryption have been quick to exploit the mid-November attacks in Paris.

The Tor community should prepare now for our response to the renewed slander on encryption in general and software like TM in particular which will surely follow the *next* terrorist incident. One thing we can stand ready to do is to try to educate reporters about how leading lights of the US Surveillance-Industrial state were quick to jump to incorrect conclusions just after the Friday 13th attacks (and the Charlie Hebdo attacks, and...):

> NYPD Police Commissioner Bill Bratton, former FBI Deputy Director Timothy Murphy, former NCTC Director Michael Leiter, and former CIA Deputy Director Michael Morrell have all claimed within the past 24 hours that "encrypted apps" explain why the French security services did not detect and break up pre-operational planning by the attackers. Morrell has been particularly insistent in several interviews in his insistence that the US political leadership should "revisit" the recent decision by President Obama not to ban outright "unauthorized encryption".

Further evidence that John Brennan, Bill Bratton, Michael Leiter, Michael Morrell and all the other "experts" were wrong as wrong can be has now emerged. WSJ reporters have published an account of how the attackers actually proceeded:

http://www.wsj.com/articles/paris-attacks-plot-was-hatched-in-plain-sig…
Paris Attacks Plot Was Hatched in Plain Sight
Stacy Meichtry and Joshua Robinson
27 Nov 2015

> The account emerging from French officials, witnesses and those who interacted with the suspected terrorists shows how the operation hinged on Mr. Abaaoud’s ability to use the tools of everyday modern life to lay the groundwork for the massacre....The array of car rentals, cellphones and online lodging reservations allowed Mr. Abaaoud to organize his militants as separate cells to ensure the plot wouldn’t unravel if one of the teams was compromised.

https://www.techdirt.com/articles/20151127/details-how-paris-attacks-we…
Details Of How The Paris Attacks Were Carried Out Show Little Effort By Attackers To Hide Themselves
Mike Masnick
30 Nov 2015

> On Friday, the Wall Street Journal's Stacy Meichtry and Joshua Robinson published an in-depth bit of reporting on the planning and operational setup of the Paris attackers, revealing a bunch of previously unknown details. The key thing, however, isn't just the total lack of anything that looks like sophisticated encryption, but the opposite. The attackers basically did nothing to hide themselves, communicating out in the open, booking houses and cars in their real names, despite some of them being on various terrorist watch lists. It discusses how Brahim Abdeslam booked a house using an online website (Homelidays -- a French service that is similar to Airbnb, though it predates Airbnb by a lot), using his own name. So did his brother, Salah Abdeslam, who booked a hotel for a bunch of the attackers (using his real name) on Booking.com.
> ...
> The piece mentions, as we noted earlier, that the attackers appeared to communicate via unencrypted SMS.... after Abaaoud shot up a restaurant, he went back to check out the aftermath of the attacks that he had helped put together -- and kept his mobile phone with him the whole time, making it easy to track his whereabouts...

So what the true narrative appears to suggest is that a concern for privacy and use of strong encryption indicates that one is -- for instance -- a climate change activist rather than a terrorist:

http://www.theguardian.com/environment/2015/nov/27/paris-climate-activi…
Paris climate activists put under house arrest using emergency laws
French police arrest activists for flouting ban on organising protests during climate talks next week
Arthur Neslen
27 Nov 2015

> At least 24 climate activists have been put under house arrest by French police, accused of flouting a ban on organising protests during next week’s Paris climate summit, the Guardian has learned. One legal adviser to the activists said many officers raided his Paris apartment and occupied three floors and a staircase in his block. French authorities did not respond to requests for comment but lawyers said that the warrants were issued under state of emergency laws, imposed after the terror attacks that killed 130 people earlier this month. The author and climate change campaigner, Naomi Klein, accused French authorities of “a gross abuse of power that risks turning the summit into a farce”.

Hello? M. Hollande? Protest is not terrorism. Get a grip, sir!

Anonymous

December 01, 2015


Is there any projected date for the next edition of TM yet?

It would be good if there were a HS protected site where anonymous users could paste in non-public bug reports.

We know from the Snowden leaks that NSA and GCHQ have a longstanding practice of exploiting unencrypted bug reports to

o target specific users with CNE (Computer Network Exploitation), i.e. malware attacking the unpatched flaw

o deduce information about the computer/LAN of specific users to target them with malware exploiting other unpatched flaws

Anonymous

December 13, 2015


Hi people, how does it differ from apps like Telegram, which is supposed to be encrypted? I think a comparison to other apps could be nice.

Please advise. Thanks

Anonymous

December 17, 2015


Hi. I have a problem. When I start the messenger, the following error appears: "The procedure entry point _vsnprintf_s could not be located in the dynamic link library msvcrt.dll". What should I do? Does anyone know? OS: Win XP

Anonymous

December 21, 2015


How can I receive a picture/file from another Jabber client?
I am trying to send a picture from ChatSecure on Android (Jabber/OTR/Orbot) to Tor Messenger on Linux. Thanks, keep doing this, you are awesome people.