Tor Messenger Beta: Chat over Tor, Easily

by sukhbir | October 29, 2015

WARNING STARTS

As of March 2018, Tor Messenger is no longer maintained and you should NOT use it. Please see the announcement for more information.

WARNING ENDS

Today we are releasing a new, beta version of Tor Messenger, based on Instantbird, an instant messaging client developed in the Mozilla community.

What is it?

Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

What it isn't...

Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server. However, your route to the server will be hidden because you are communicating over Tor.

We are also excited about systems like Pond and Ricochet, which try to solve this problem, and would encourage you to look at their designs and use them too.

Why Instantbird?

We considered a number of messaging clients: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice -- its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

Current Status

Today we are releasing a beta version with which we hope to gain both usability and security related feedback. There have been three previous alpha releases to the mailing lists that have already helped smooth out some of the rougher edges.

Downloads (Updated)

Get the latest version

Instructions

  • On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
  • On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.

    • On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.

  • Note that as a policy, unencrypted one-to-one conversations are not allowed and your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication but doing so is not recommended.

Source Code

We are doing automated builds of Tor Messenger for all platforms.

The Linux builds are reproducible: anyone who builds Tor Messenger for Linux should have byte-for-byte identical binaries compared with other builds from a given source. You can build it yourself and let us know if you encounter any problems or cannot match our build. The Windows and OS X builds are not completely reproducible yet but we are working on it.

What's to Come

Our current focus is security, robustness and user experience. We will be fixing bugs and releasing updates as appropriate, and in the future, we plan on pairing releases with Mozilla's Extended Support Release (ESR) cycle. We have some ideas on where to take Tor Messenger but we would like to hear what you have to say. Some possibilities include:

How To Help

Give it a try and provide feedback, requests, and file bugs (choose the "Tor Messenger" component). If you are a developer, help us close all our tickets or help us review our design doc. As always, we are idling on IRC in #tor-dev (OFTC) (nicks: arlolra; boklm; sukhe) and subscribed to the tor-talk/dev mailing lists.

Please note that this release is for users who would like to help us with testing the product but at the same time who also understand the risks involved in using beta software.

Thanks and we hope you enjoy Tor Messenger!

Update: For Windows 10 (and some Windows 7, 8) users who were experiencing an issue in Tor Messenger where it wouldn't start, we have updated the download links above with a newer version that fixes the problem described in bug 17453.

Comments

Please note that the comment area below has been archived.

Yes, this is on purpose because we don't want users clicking their links and opening a browser that is not Tor Browser. We will fix this in future releases by being smart about it -- by detecting Tor Browser and opening the link there, or by giving you an option of choosing what to do with the link. For now, we decided that we don't want users clicking on links by mistake so that is why they are disabled. (#13618 on Trac.)

Anonymous (not verified) said:

October 29, 2015

Permalink

That makes sense and what I assumed. Sounds like you've identified the plan forward with this as well. Thanks and great job!

Add an account first. You could for example use XMPP or an IRC network. All 1-on-1 chats will be automatically OTR-encrypted. If you want to use an XMPP server that has a hidden service, there are several to choose from, but one I tested to work well in Tor Messenger is rows.io (just check their website for information and use in-band registration to create a new account). Of course if you want to actually have a person to talk to, they also need to have an XMPP account somewhere or should be logged into the same IRC network, depending on what you end up using. There are also less privacy-friendly options like Facebook Messenger available, you can also use these depending on what your needs/wishes are into a chat service.

I am trying to get this chat waorking also...when you go to add a account irc or the other it ask what server you want to use....pick user then server ??????? I have no idea....I am running into the same problem as everyone else trying to log in to my google or facebook account......anyhelp any body ????

Don't use your Google or Facebook accounts, use a Jabber/XMPP account or connect to an IRC network that is Tor-friendly. For example OFTC or Darenet. If you don't have a Jabber account yet, just search the web for a server that sounds good to you and create an account, preferably they offer in-band registration so you can do it right from the Messenger without having to fill in any forms. There are many suitable services, dukgo.com, rows.io, and many more, you also get a free Jabber account if you're member of FSF or FSFE for example. It's really nothing particularly new, these communication protocols have been around for decades now.

Anonymous (not verified) said:

October 29, 2015

Permalink

I am unable to run it on my Windows Machine (Win 8.1 Pro 64 bit). I have tried using the compatibility mode for win7 and 8 but nothing worked. Tried running as administrator but it does not change anything. There's no error, when I click on the exe it waits for sometime and then nothing happens.

arlo

arlo said:

October 30, 2015

Permalink

See the update above, there's a new release. This issue should now be fixed.

Anonymous (not verified) said:

October 30, 2015

Permalink

Why wasn't it checked before it was released? if you make such a major misake on one OS, what other faults are there that you haven't checked?

It was checked. It's just that this issue affects some Windows users, not all. The entire purpose of a beta release is to get feedback from users because we cannot check builds on all platforms. (We have updated the builds with the bug fixed.)

Anonymous (not verified) said:

October 29, 2015

Permalink

I had posted earlier about tor messenger not working on Win 8.1. Although it works on my Win server 2012 R2 VM.

It won't work within the Tor network. When starting the application terminal gave me this error: There seems to have been a quoting problem with your TOR_CONTROL_PASSWD environment variable. When clicking on OK, the program will start but is NOT connected through the Tor network. If you want to use the program in Tails, use it at own risk!!! No guarentees!

It looks like it works if you disable the tor launcher addon and change the proxy port to be that of the default tor proxy of the tails system. I still see the error but I am able to connect to servers on the onion network. There still could be some security issues, so I would be rather cautious about using it with servers on the clearnet.

Anonymous (not verified) said:

October 29, 2015

Permalink

How To Help:
a) i would like an audit for RICOCHET.
b) POND is not yet ready and no one can try it !
c) i would like false address -robot are ok- for testing Tor Messenger Beta.
d) i love ricochet ; will tor messenger be better or different ?
pls, add a comparison !

thx.

c). You can register accounts from within Tor Messenger for XMPP. If the server supports in-band registration, Tor Messenger will create an account for you. No email address or information required.

d). We love Ricochet! We use both products interchangeably. What Tor Messenger aims to provide is a secure way to connect with your friends over existing social networks like XMPP, IRC, Google Talk, while Ricochet is excellent if you don't want to have any metadata about whom you talk with. It depends on your use but we recommend both products.

Anonymous (not verified) said:

October 31, 2015

Permalink

your comment "d)" I think clears up the "What it isn't..." section in your main posting. the big difference between tor messenger and ricochet is:
tor sends metadata, but through tor onion routing.
ricochet sends no metadata, but doesn't send messages through onion routing.
correct?

It's not that Tor sends metadata. It's that because in a client-server model, the server knows your contacts (your metadata). This is not a Tor problem or Tor Messenger problem. And Ricochet sends messages over Tor (that's how it works).

Anonymous (not verified) said:

October 31, 2015

Permalink

It's that because in a client-server model, the server knows your contacts (your metadata). This is not a Tor problem or Tor Messenger problem.

Hi sukhbir

Thanks for your effort in trying to create a product for us, Tor users.

Could you or someone else design a Tor-compatible product that is NOT based on the client-server model but instead based on a decentralized model such as, for example, Bitmessage? I understand that in Bitmessage no metadata is being transmitted across the network.

Ricochet peers (users) each have their own Tor onion service running, thereby keeping their communication private within the Tor network and without a central server to collect metadata. It uses onion routing to keep users anonymous.

Using services like Facebook Chat lets you use onion routing to connect, but then Facebook is in a position to gather metadata about who you're communicating with and when, even when concealing the content with OTR.

Security audits
i suppose it is yet done of course.

could eff , ocap or tor devs publish one ?)
i suppose that a special computer with a special program can search and research every fault (hidden or not) or error ( some aggressive tests can improve this 'app').

it is an experimental app and not recommended in hostile environment ; an audit will bring a reputation label and maybe sponsor,donation,support ...

It is possible for computer security experts and cryptographers to independently assess the robustness of privacy enhancing technology through careful examination.

i meant using the term _audit_ to go far ; a step further.

i was not speaking about development for tablet or cellphone (i have not confidence in these gadget made for social network _ ask to a lawyer what is thinking about that or look at the peoples who are taxed - or in jail - for a call or a message made a month, a week before).

it is not done yet for an hostile environment or when you are in danger ( because it should be illegal ? does it need to be approved from police,, army, government, your partner ? is it a proof of concept and nothing more ? a rewrite from an old terminal command with a modern re-looking which tor ? ).

if it is an experimental tool , we are all the beta-testers : so why do the devs or the security experts not open/organize a ricochet day where the users will be guest to communicate each others ... if it can improve the app , why not !
i prefer that the app stay in the hands of the devs than to be integrated in a tor project. i let them decide what will be the future of their creation ; i hope that they will choose to go a step further for you, for us, for our privacy, for finding maybe a free way when you are under survey ... before it was too late.

Make donations to ricochet and tor project , pls.

Thx.

Anonymous (not verified) said:

October 29, 2015

Permalink

Is this something one can use without have previously registered a chat account somewhere?

Yes, you can register XMPP accounts from Tor Messenger (in-band) if the server supports it. You don't need an existing account. (This is not true for Facebook, Google Talk or Twitter, where you do need existing accounts for Tor Messenger to work.)

Anonymous (not verified) said:

November 05, 2015

Permalink

any chance explaining what "in-band" is ? an example or list of them please

thank champs

Anonymous (not verified) said:

October 29, 2015

Permalink

It doesn't open on my machine. It gives an error: 0x0000000070C19BD5 made reference to the memory on 0x0000000000000000. The memory can't be written.

If i launch it as admin it just loads but nothing happens, won't open and won't display any error.

Does this require something else in order to work?

Anonymous (not verified) said:

October 29, 2015

Permalink

Thanks for letting me know and yes, happening in Windows 10. Will wait for some update then.

Anonymous (not verified) said:

October 30, 2015

Permalink

Heyhey, my Windows 8 /64-bit says "Insufficient system resources exist to complete the requested service."

Anonymous (not verified) said:

October 29, 2015

Permalink

Crash
Сигнатура проблемы:
Имя события проблемы: APPCRASH
Имя приложения: instantbird.exe
Версия приложения: 41.0.0.5729
Отметка времени приложения: 000232e8
Имя модуля с ошибкой: d2d1.dll
Версия модуля с ошибкой: 6.1.7601.17514
Отметка времени модуля с ошибкой: 4ce7b7aa
Код исключения: c0000005
Смещение исключения: 0001f3ba
Версия ОС: 6.1.7601.2.1.0.256.1
Код языка: 1049
Дополнительные сведения 1: 0a9e
Дополнительные сведения 2: 0a9e372d3b4ad19135b953a78882e789
Дополнительные сведения 3: 0a9e
Дополнительные сведения 4: 0a9e372d3b4ad19135b953a78882e789

arlo

arlo said:

October 30, 2015

Permalink

See the update above, there's a new release. This issue should now be fixed.

Anonymous (not verified) said:

October 29, 2015

Permalink

I'm excited about Tor Messenger and really want to try it but downloaded .dmg twice and got the wrong sha256sum. Same number both of time different than original one.

5c0396f876101bd624d500322d7c588d85c844d1

Anonymous (not verified) said:

October 29, 2015

Permalink

installed on windows 8.1 x64 without errors, running doesn't show anything, process explorer shows tor.exe for a few secs. Tor browser runs fine on the same machine.

arlo

arlo said:

October 30, 2015

Permalink

See the update above, there's a new release. This issue should now be fixed.

Anonymous (not verified) said:

October 29, 2015

Permalink

Any idea how to get this to jive with Google Talk? Obviously Google raises alerts when trying to connect to their services via Tor. Makes it tough to use my existing account

Thanks!

This will likely be a common problem. We have plans to allow controlling the Tor process from Tor Messenger so you can refresh your circuit and get a new exit node, but that may also not solve the problem. We had (rather, have) a similar issue with TorBirdy and Mike Hearn from Google replied on how to solve this: https://lists.torproject.org/pipermail/tor-talk/2012-October/025923.html. You can try this and it may involve giving your phone number, so be careful with that.

Anonymous (not verified) said:

October 30, 2015

Permalink

That requires you to disable tor, log into gmail to set a cookie, then reenable tor in the same browser for them to see your activity and whitelist you. How do you get the tor browser to stop using tor in order to do this?

I know it's not a proper solution by any shot. But this entire blocking behaviour by Google seems to be random and this is the only solution. In future release, you can refresh your circuit and get a new exit and that might help. But it's not a definitive solution. We know this is a huge problem and we will come up with better ways to handle this in the next release.

Anonymous (not verified) said:

November 03, 2015

Permalink

It is not a solution. You cannot solve this issue. Google raises an alert every time somebody tries to log into an account from an "unusual place". Google keeps track of where the account owner normally resides and throws a hissy fit every time s/he tries to log in from somewhere else, as determined by geoip location.

The issue is not limited to Tor. It happens when you use a VPN, too. Heck, it happens when you travel abroad, too!

In fact, the issue isn't limited to Google, either. Yahoo does the same. I don't use Facebook, but I suspect that they do the same, too.

There is not much point in supporting these chat protocols in a Tor-dependent messenger. I suggest that you remove them at least until Google, Yahoo, and all the other snoopers decide to become more Tor-friendly.

Anonymous (not verified) said:

October 29, 2015

Permalink

Not working on windows 7 - 64 bit.
It starts and shutdowns in half a second.
Is there a fix ?

arlo

arlo said:

October 30, 2015

Permalink

See the update above, there's a new release. This issue should now be fixed.

Anonymous (not verified) said:

October 29, 2015

Permalink

No, because TLS is enabled for all protocols by default.

The NSA has found some weak links in the algorithms used to encrypt internet traffic. It means that whatever products or enhancements Tor developers are doing are vulnerable to US government snoops.

Matthew Green, one of the people who audited Truecrypt, postulated the NSA has solved some of the issues surrounding ECDLP (Elliptic Curve Discreete Logarithm Problem). "A riddle wrapped in a curve" (http://blog.cryptographyengineering.com/)

If you're still interested read the following post by Bruce Schneier as well: "Why Is the NSA Moving Away from Elliptic Curve Cryptography?" (https://www.schneier.com/blog/archives/2015/10/why_is_the_nsa_.html)

Anonymous (not verified) said:

October 30, 2015

Permalink

Cannot they do a man-in-the-middle attack?

Cannot they do a man-in-the-middle attack?

No need to do man-in-the-middle attack no more. Direct attack is quicker and saves on resources and manpower.

Anonymous (not verified) said:

October 29, 2015

Permalink

If I want to uninstall Tor Messenger, is it enough to delete the program's folder? I can't find the program on Control Panel (Windows). Thanks

Deleting the folder should be enough since we do not write outside the folder. (Even the profile is in the folder.) If you find Tor Messenger is creating files outside its installation directory that are leaking information, please file a bug.

That site does not include the latest or previously existing features in Telegram, such as encryption of cloud chats, the password layer on top of 2FA, etc.

And essentially that boils down to hacking into one secret chat with one trillion dollars, which is pretty much not worth it. And supposedly you'd notice, as it could take over a day for the keys to exchange. In which you would know that the chat has been compromised. I can post more info.

Here is Telegram's response. https://core.telegram.org/articles/DH_Hash_Collision

Other stuff from customer support: http://i.imgur.com/gTEbbAx.png

Anonymous (not verified) said:

October 29, 2015

Permalink

Throws the error "Your Instantbird profile cannot be loaded. It may be missing or inaccessible." after runninf .dmg on Mac !!

Anonymous (not verified) said:

October 29, 2015

Permalink

Problem signature:
Problem Event Name: APPCRASH
Application Name: instantbird.exe
Application Version: 41.0.0.5729
Application Timestamp: 000232e8
Fault Module Name: d2d1.dll
Fault Module Version: 6.1.7601.17514
Fault Module Timestamp: 4ce7b7aa
Exception Code: c0000005
Exception Offset: 0001f3ba
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 2057
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

arlo

arlo said:

October 30, 2015

Permalink

See the update above, there's a new release. This issue should now be fixed.

arlo

arlo said:

October 30, 2015

Permalink

See the update above, there's a new release. This issue should now be fixed.

Anonymous (not verified) said:

October 29, 2015

Permalink

Hi sukhbir:

its transport protocols are written in a memory-safe language (JavaScript)

I'm shocked and puzzled as to why Tor developers would consider JavaScript to be safe.

Since its conception and rollout by Netscape till today, hundreds of security holes have been discovered in JavaScript.

Tor developers are a diverse group and I'm sure among them are many who hold the same beliefs as you.

The point was that JavaScript is a memory managed language, which theoretically eliminates a certain class of exploits. Further, as you said, Mozilla's JS VM has been in production for quite some time and seen some battle hardening.

Anonymous (not verified) said:

October 29, 2015

Permalink

I'm curious why you're not interested in integrating Ricochet's concept of secure, anonymous, server-less communications entirely inside the Tor network into Tor Messenger. It seems to align perfectly with the Tor Project's aims, especially as Tor Browser's functioning (accessing both the outside web and hidden services) is so analogous to Tor Messenger (accessing both outside third party IM servers and a Ricochet-style system of hidden service IM nodes).

Is it just a lack of resources (since you're so busy getting the baseline messaging client up and running)? Do you not like the Ricochet concept enough to integrate it? Do you think there aren't enough people who'd use it to be worth the development effort? Are there other important reasons?

I'm sure the Ricochet developers do good work, but the Tor Project would provide a better implementation, better support, and better auditing simply due to having more funding, better familiarity with Tor, and the sheer number of people focused on your products both inside and outside of the organization.

Are you planning on integrating the Ricochet concept into Tor Messenger in the future (near, medium, or distant/wishlist), or will that never occur?

Thanks for all your hard work.

We love Ricochet. That's why we made sure to point to it in the blog post. Many of us use both Ricochet and Tor Messenger.

The goal for Tor Messenger is to meet people where they are -- so you can have more safety on your side, while still interacting with your friends who e.g. use XMPP and OTR but haven't seen the light yet. While the goal of Ricochet (ok, one of the goals) is to give people a chat approach where there's no "middle", and thus no central point for the adversary to break in and snoop on things.

(In fact, we spent a while over the past few weeks trying to sort out whether the name 'Tor Messenger' would confuse people into thinking that we think this is the one true way, and we think approaches like Pond and Ricochet are not the one true way. We don't think that. We like both approaches.)

Whether one day the Tor Messenger client adds support for the Ricochet protocol is still a matter under discussion by the Tor Messenger folks and the Ricochet developer. One reason against is actually because the Ricochet person wants Ricochet to be an experience (i.e. including a client with good usability), not just a standardized protocol that all sorts of apps can implement and present to the user however they want. One argument on the other side though is that Ricochet is going to have a tough time being its own self-contained network, while also still using Qt (and thus not working well on mobile). More thinking to be done there for sure.

As for the "doing it inside Tor Messenger would provide better familiarity with Tor" angle, we've actually brought the main Ricochet person under our umbrella and we're happy to call him a Tor person now. So we help him, and he helps us, just as much as in the Tor Messenger case.

And lastly, on the funding angle, actually neither project has any funding currently. We're working on helping both of them to fix that.

Anonymous (not verified) said:

October 30, 2015

Permalink

Thanks for your response.

Please keep in mind that you're not necessarily restricted to only using Ricochet's protocol for hidden service IM nodes, so if you are interested in the concept but can't come to an agreement with the Ricochet devs or for whatever reason can't integrate it into Tor Messenger, you could always develop your own standardized protocol (e.g. based on TorChat; though the benefits of not having to reinvent the wheel are obvious).

I hope it's possible to integrate Ricochet (or something similar) into Tor Messenger in the future, as they seem like a perfect fit, and I tend to favor single programs that do everything instead of multiple programs that do one thing each (more dev eyes/interest in a larger project, and it's harder to get non-tech users interested in using multiple programs for the same function). It's understandable, though, that the Ricochet developer may not want to lose control of his project (which might occur if it gets submerged into Tor Messenger).

Keep up the good work.

Anonymous (not verified) said:

October 30, 2015

Permalink

> your friends who e.g. use XMPP and OTR but haven't seen the light yet.

By seeing the light, do you mean using Tor or that there is something wrong with using XMPP with OTR?

I use XMPP and OTR (and Tor). But when I do, because of the XMPP design, there is a central server somewhere out there (probably more than one), which gets to know all my contacts. A bad person could break into that server, and learn the contact lists of all the users. Designs like Ricochet don't have that central server, so they don't have that particular risk.

If we could move everybody in the world over to a Ricochet-like protocol, that would be great. We should totally work towards that. But since it requires a Tor install, many people -- especially those on mobile platforms -- aren't in a position yet to do that easily.

Anonymous (not verified) said:

October 31, 2015

Permalink

Thanks for the informative reply, arma. I'm very excited about Ricochet too. I hope Ricochet makes it to the mobile phone platform one day also.

An even more secure solution for mobile phones would be having IM software like Ricochet run on a separate (offline) hardware device, similar to JackPair (https://www.jackpair.com). That way the mobile phone could be completely compromised and under targeted surveillance and it would not affect the user's security.

The genius of JackPair is the use of 3.5mm audio jacks as a data transmission channel between the offline hardware device and the cellphone. Virtually eliminating the possibility of a compromised cellphone infecting the offline hardware encryption device through a 3.5mm audio cable.

One step at a time I suppose ;). I believe future secure communications will rely on separate hardware devices treating cellphones as compromised dumb modems. Moving the "endpoint" off the cellphone's hardware and onto the hardware of a secure offline hardware device plugged into the cellphone via a hard to exploit data channel (3.5mm audio jack, Bluetooth maybe, but definitely not Bad USB).

I agree that using "compromised" hardware is an industry business/politic bug and speaking about cellphone or laptop/tablet is useless as long as you will buy a product without any warranty of privacy.

Encrypting the voice is a big & serious challenge.

i do not know if ricochet can be installed on data memory card.

The real challenge could be to convince the industry the necessity of a real product protecting our privacy.
In fact, it is about the contract : the contract is done from, with, for a government (20 peoples ?) nothing involving the consumer and the contract done between a client and a service do include a third unknown person.

*a compromised original product still stay it.

Anonymous (not verified) said:

November 08, 2015

Permalink

"And lastly, on the funding angle, actually neither project has any funding currently. We're working on helping both of them to fix that."

Can you give any more details on this? Who, where, when,...

Anonymous (not verified) said:

October 29, 2015

Permalink

Does it launch it's own tor service or does it require to have Tor Browser opened first and will use its service?
If it starts an independent tor service, can we use it for other apps (curl, torsocks etc)?? You know as we do with tor browser for example (redirecting apps to 127.0.0.1:9150).

Thanks.

It launches its own Tor service. This is a feature, in that it simplifies everything from your perspective, but it's also sort of sad in that it would be nice for you to be able to run many applications at once, and they all use a single Tor client, and also they do it safely. We're not there yet though:
https://trac.torproject.org/projects/tor/wiki/org/meetings/2015SummerDe…

And yes, if you want to attach some other program to the Tor that Tor Messenger launches, feel free.

I managed to run the messenger part individually (debian:jessie) while my regular tor was on and configured the socks5 proxy as above. It worked fine but a way to check whether it is actually trafficking through tor or not would be nice. In the same manner it should work under tails as well.

The only account I had to try it on was twitter and it looked like an old messenger (no pics or video, just links you would have to manually transfer to a browser)

I couldn't figure out how to check a #hash channel but somehow it knew who of my followed identities were on at the time.

You can twitt just fine and you can RT but there was no way to FV something.

I can't say much about a messenger since I haven't used one for ages (!Y maybe 12-13 years ago) ..

So what's the deal with 9152 instead of 9150?

Anonymous (not verified) said:

October 29, 2015

Permalink

It doesn't work at all, Windows 7 64bit, Windows 8.1 32bit, and Windows 10 64bit.

Faulting application name: instantbird.exe, version: 41.0.0.5729, time stamp: 0x000232e8
Faulting module name: d2d1.dll, version: 6.2.9200.16765, time stamp: 0x528bf6b2
Exception code: 0xc0000005
Fault offset: 0x002284f6
Faulting process id: 0x1728
Faulting application start time: 0x01d112c2de7b0b89
Faulting application path: Tor Messenger\Messenger\instantbird.exe
Faulting module path: C:\Windows\system32\d2d1.dll
Report Id: 26f0368d-7eb6-11e5-8e12-005056c00008

Faulting application name: tormessenger-install-0.1.0b2_en-US.exe, version: 0.0.0.0, time stamp: 0x53c50d97
Faulting module name: SyncShellExtension86_70.dll, version: 0.0.0.0, time stamp: 0x560252bd
Exception code: 0xc0000005
Fault offset: 0x0000ce6e
Faulting process id: 0x1938
Faulting application start time: 0x01d112c2bdcd2844
Faulting application path: tormessenger-install-0.1.0b2_en-US.exe
Faulting module path: BitTorrent Sync\SyncShellExtension86_70.dll
Report Id: 0c5a1308-7eb6-11e5-8e12-005056c00008

Gosh. I don't want to speak for the Tor Messenger developers here, but I wouldn't be optimistic. Skype is notoriously closed, proprietary, incompatible, etc.

(I was going to say "I hope not", but actually, I do hope there's Skype support in the future -- it would mean that Microsoft came to its senses and embraced the open source world, the world of peer-reviewable protocols, and so on. Let's not hold our breath though.)

Yes! That would be really great.

If you'd go with Javascript, here are some libraries to consider using:
https://github.com/joebandenburg/libaxolotl-javascript
https://github.com/macropodhq/axolotl
https://github.com/alax/forward-secrecy
https://github.com/alexeykudinkin/axolotl.js

But it'd be possible to use ctypes as well, like with the OTR extension added tor Tor Messenger

Anonymous (not verified) said:

November 02, 2015

Permalink

Good to hear. I'm really surprised there isn't a concerted effort to marry up against TextSecure. They are the only people doing it right as far as I can tell. Axolotl makes OTR actually usable for the practical user. It has to work seamlessly across a users devices, which is the critical nut that OWS have finally cracked.

I feel like interoperation with 'all the services' is a distraction, and perhaps a misguided goal. How are you layering security over these proprietary protocols? Surely just routing traffic through Tor doesn't do anything to help the fact these are mostly plaintext protocols?

Anonymous (not verified) said:

October 30, 2015

Permalink

I've installed Tor messenger, but it dousn't start... Appcrash. Something with d2d1.dll. Windows 8.1 x64

Anonymous (not verified) said:

October 30, 2015

Permalink

Avira wants to move instantbird to quaratine and I guess this is why the program doesn't work for me :(

Anonymous (not verified) said:

November 01, 2015

Permalink

But een Android/iOS/WP mobile client would properly be more useful then a desktop client, i do now 90% of my chats on my mobile, and i think that i am not the only one like that.

Anonymous (not verified) said:

October 30, 2015

Permalink

Windows XP, instantbird.exe - entry point not found:
"the procedure entry point _vsnprintf_s could not be located in the dynamic library msvcrt.dll"

Anonymous (not verified) said:

October 30, 2015

Permalink

Any suggestion to fix the problem when i click to open tor messenger but nothing appear..

Anonymous (not verified) said:

October 30, 2015

Permalink

Is instabird being funded directly or indirectly by the Department of State? Is Department of State funding for instabird tied to Congressional legislation on sanctions against Iran? Will Tor Project release its contract (or subcontract) with Department of State for instabird? Why does Sponsor O's Trac page not say Department of State? Where is the transparency?????

"Department of state" is not the owner of internet , tor messenger is open source , Iran has its own censure policy ... for a real transparency make donations at this project, thx.

Anonymous (not verified) said:

October 30, 2015

Permalink

I appreciate what you are doing, I wish I can run the app to try it out at least. Windows 7 64-bit. It's not starting because of this:

Problem Event Name: APPCRASH
Application Name: instantbird.exe
Application Version: 41.0.0.5729
Application Timestamp: 000232e8
Fault Module Name: d2d1.dll
Fault Module Version: 6.2.9200.16765
Fault Module Timestamp: 528bf6b2
Exception Code: c0000005
Exception Offset: 002284f6
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1033
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

Anonymous (not verified) said:

October 30, 2015

Permalink

I am unable to connect to OFTC or any other IRC network. Maybe its because tor-messenger connects to ip's (servers) that forward traffic and resulting in failed connects. Can we use tor-messenger for hidden services?

Yes, you can use Tor Messenger with hidden services. Just provide an onion address instead wherever applicable.

OFTC seems to throttle Tor connections on and off, and we are aware of this. One possible solution would be try this with a new exit and checking if that works or not. You can't currently do this from Tor Messenger but it's in our to-do list. (https://trac.torproject.org/projects/tor/ticket/10950).

Tor Messenger is based on the client-server model and builds on existing networks like IRC, XMPP, etc. TorChat was a decentralized service that is no longer active? (Also Tor Project does not develop TorChat.)

Anonymous (not verified) said:

October 30, 2015

Permalink

i tried running it in windows 10, to no avail but windows 7, its running okay.

Anonymous (not verified) said:

October 30, 2015

Permalink

Downloaded the client, installed it and when I try to run it says:
Instandbird has stopped working

Unfortunately :(
I'm on Windows 7 Ultimate 64 bit

Anonymous (not verified) said:

October 30, 2015

Permalink

Tried with 2 Gmail accounts.. on 1, no problems. The other failed, and I got a gmail message saying "someone has your password" - access was blocked due to "unsafe app"

Anonymous (not verified) said:

October 30, 2015

Permalink

Win 7 64bit here. Tor Messenger is not working for me. It is just not starting after executing the exe. Compatibility mode (e.g. Win Vista) is not helping either.
In the taskmanager I can see that the Instantbird process is starting (even with ~78MB of RAM usage) and closing after around three seconds. There is no error whatsoever, it is just closing the process and never opening any window.

Anonymous (not verified) said:

October 30, 2015

Permalink

Signature du problème :
Nom d’événement de problème: APPCRASH
Nom de l’application: instantbird.exe
Version de l’application: 41.0.0.5729
Horodatage de l’application: 000232e8
Nom du module par défaut: d2d1.dll
Version du module par défaut: 6.2.9200.16765
Horodateur du module par défaut: 528bf6b2
Code de l’exception: c0000005
Décalage de l’exception: 002284f6
Version du système: 6.1.7601.2.1.0.256.48
Identificateur de paramètres régionaux: 1036
Information supplémentaire n° 1: 0a9e
Information supplémentaire n° 2: 0a9e372d3b4ad19135b953a78882e789
Information supplémentaire n° 3: 0a9e
Information supplémentaire n° 4: 0a9e372d3b4ad19135b953a78882e789

Anonymous (not verified) said:

October 30, 2015

Permalink

I was able to connect to my Google Apps (for Work) gTalk account, but when I try to connect to a regular gmail gChat account it says Not Authorized and won't connect.

Anonymous (not verified) said:

October 30, 2015

Permalink

Hi, thanks for the nice work! I will test it soon.

Are you sure this really supports Facebook chat? I think Facebook dropped its XMPP support sometime earlier this year (see https://developers.facebook.com/docs/chat ) and as far as I can see Instantbird uses XMPP for the Facebook chat.

Anonymous (not verified) said:

October 30, 2015

Permalink

You mention in the release notes that it works wit gtalk and facebook, but does this assume thay they have their XMMP endpoints open? Facebook closed theirs a couple of months ago and gtalk only works if the user has not migrated to hangout. Is it sitll valid in those cases?

Anonymous (not verified) said:

October 30, 2015

Permalink

My Facebook account doesn't allow me to log in because it is from an unknown location. But this is going to happen all the time, right? What can I do about it?

Anonymous (not verified) said:

October 30, 2015

Permalink

LOL, does not accept any username for facebook.

Seriously, why are you pushing out a broken product? Are you developing pc games in your free time?

Jesus.

Works for me but is timing out on "Downloading Contact List..."
Make sure you use your "User Name". NOT the same as what you use to log in. You can find it by going to your profile and grabbing the text after facebook.com/

Anonymous (not verified) said:

October 30, 2015

Permalink

The reason why I switched from pidgin to gain as XMPP-Client was that there openpgp plugin allows to send offline-messages to your contacts -- something that doesn't work with OTR. An other tool that allows to send encrypted offline messages is retroshare and at least I think that an messanger that's not capable to send offline messages is quite useless. Personally, I prefer OpenPGP solutions over OTR, mostly because I have to share my public just once and not at every single contact (on the down-side their is no deniability).

Anonymous (not verified) said:

October 30, 2015

Permalink

I doubt this is a good idea. With this you basically send the message that it is OK to log via Tor to your personal gmail or facebook account - which obviously defeats the purpose of connecting via Tor on the first place.

The identity of most people is linked to their "normal" accounts, especially on Facebook which enforces a strict "real names" policy.

Furthermore, both gmail or facebook will kick you out if you try to connect via Tor, and that is going to be confusing and furstrating for the vast majority of uninformed users.

Summing up:

- not user friendly
- it encourages super bad OPSEC.

This is not just for Google Talk or Facebook. This is for IRC and Jabber as well, both of which work fine without associating any real identity. Not to mention, like we said in the blog post, a lot of people use Google Talk or Facebook because they have their existing networks there -- we are just providing a secure way for them to use it without revealing their location or the content of their chats, which Tor and OTR take care of quite nicely.

"Not user friendly". We know we can do better. It will help to know the specific concerns.

Anonymous (not verified) said:

October 30, 2015

Permalink

Why doesnt TOR work with Jitsi.org I think its the best encrypted chat platform because it also handles end to end encrypted VOIP and video calls, and is open source

Thoughts?

Anonymous (not verified) said:

October 30, 2015

Permalink

Is SILC still relevant? At one time there were some SILC servers operating as hidden services. I didn't see an Instantbird add-on for the SILC protocol. Pidgin works and is recommended on the main SILC website.

SILC - Secure Internet Live Conferencing
http://silcnet.org/

Anonymous (not verified) said:

October 30, 2015

Permalink

Feedback/Bugreport
The error message you get when running it right from the .dmg on OS X 10.11.1 is not correct: "Profile Missing Your Instantbird profile cannot be loaded. It may be missing or inaccessible."

Expected behaviour: Dialog:"Tor Messenger can not run from the disk image, pls copy to applications folder"

also the window for the "Tor Network Settings" stays ontop of all other windows

Anonymous (not verified) said:

October 30, 2015

Permalink

Current version of todays date when connecting to irc networks that have ssl v2/v3 disabled and allow only TLSv1 to v1.2 and high ciphers such as aes256-gcm-sha384
please fix it.

Anonymous (not verified) said:

October 30, 2015

Permalink

The messenger tor works, but when you get using the Facebook "message", he warns that the password may be wrong, but is not! everything is right, the other features are OK, but when using the facebook does not work ... I'm on windows 8 64bit ... help!

I had this and it was because I was using Authentication on Facebook. I used the Code Generator on the Facebook App on my iPhone and got a 6 digit code to use as the password.... could it be that causing it for you?

Anonymous (not verified) said:

October 30, 2015

Permalink

When attempting to connect via Google Talk, it fails during authentication even though the correct password is presented. I figure this has to do with 2-step verification. Any way around this?

Anonymous (not verified) said:

October 30, 2015

Permalink

When logged into gmail through Tor browser, I am getting the following warning. Logging in again does not solve it:
"Gmail is having authentication problems. Some features will not work. Try logging in to fix the problem"

The 2 options provided here don't resolve both that error nor the ability to login to Tor Messenger.

If you change your security settings, by turning "access to less secure apps" to on and allow access from new devices/locations, it might connect. This worked for me, hopefully it will for you too.

This is a big issue for usability! Most people do not notice this option exists because they only ever use gtalk through the web interface, but if you try to use pidgin it's a big problem. Tor Messenger already special-cases gmail accounts; it should handle gtalk auth errors with a link to a page with current screenshots of exactly how to do it.

Another usability issue is that Gmail and Facebook use geolocation to detect suspicious activity, and might lock you out if you start coming in through tor; Tor Messenger should at least give a warning about this.

Anonymous (not verified) said:

October 30, 2015

Permalink

The press has taken notice of the debut of TM:

http://www.theregister.co.uk/2015/10/30/tor_messenger_a_death_knell_for…
Tor Messenger beta debuts, promises unlogged Jabber for all
Instant messages with onion breath to scare away the spooks
30 Oct 2015
Darren Pauli

For US persons who dare to attend political events, or to reside in cities where Things Happen, ACLU has obtained further evidence that FBI's spy planes do indeed collect electronic evidence:

http://arstechnica.com/tech-policy/2015/10/fbi-planes-gathered-days-of-…
FBI planes gathered days of video, electronic surveillance over Baltimore
Sean Gallagher
30 Oct 2015

Occupy organizers have previously reported interference with their cell phones when a particular police vehicle equipped with a directional roof aerial similar in appearance to military versions of IMSI catchers passed near their locations.

This is a good illustration of why ordinary people need TM.

Anti-war activists, environmentalists, Occupy people: watch out for electronic surveillance of personal communication devices from drones designed for military/police use, such as ScanEagle (made by Insitu), NOVA (made by Altavian), and Qube (made by AeroVironment), which according to FAA are all now operating domestically in "anti-poaching" and "environmental surveillance" [telecom environment?] roles for various US police agencies. Recall that emails leaked from the Italian malware-as-a-service company Hacking Team show that Insitu was interested in serving malware from its drones. NSA has for many years served malware from military drones, apparently including Scan Eagles operating in Africa. See

https://theintercept.com/drone-papers

According to FAA, Dow Chemical and BNSF are among the mega-corporations operating Chinese manufactured "patrol drones", and these could conceivably be re-purposed to attack demonstrators. There are preliminary indications that dozens of US drone start ups are marketing activist-surveillance-as-a-service to companies associated with the big banks.

Oppression everywhere, and it is very quickly getting much worse. The appropriate response: redouble our determination to oppose oppression of dissidents and to expose state-sponsored human rights violations and other criminality. In particular, we must bring to justice the baby-killing hospital bombing drone assassins and those who enable CIA-sponsored kidnapping/torture.

> Does this run on Tails? If not, is there a way to set it up?

Plus one.

Could one disable javascript in Tor Browser but still use TM? (It seems that Javascript can be exploited by bad guys attacking the browser. And can't TBB people fix that bug where latest FireFox ignores the default image loading setting?).

> you can register XMPP accounts from Tor Messenger (in-band) if the server supports it. You don't need an existing account. (This is not true for Facebook, Google Talk or Twitter, where you do need existing accounts for Tor Messenger to work.)

Can one do that safely? Can you work with riseup.net to provide a TM-friendly chat server? Note that leaked emails from Hacking Team show that Czech police targeted the riseup mail server, so the threat model must at a minimum include companies like Gamma and Hacking Team. For this reason, please seek an outside audit of TM.

Anonymous (not verified) said:

October 30, 2015

Permalink

> Matthew Green, one of the people who audited Truecrypt, postulated the NSA has solved some of the issues surrounding ECDLP (Elliptic Curve Discreete Logarithm Problem). "A riddle wrapped in a curve" (http://blog.cryptographyengineering.com/)

Second that. This is a very important issue for Tor people to track.

> Since its conception and rollout by Netscape till today, hundreds of security holes have been discovered in JavaScript.

That was my first thought too.

> The point was that JavaScript is a memory managed language, which theoretically eliminates a certain class of exploits. Further, as you said, Mozilla's JS VM has been in production for quite some time and seen some battle hardening.

More details might help encourage the doubters. And obtaining an independent security audit of TM, especially as part of a future edition of Tails, should be an important goal.

Look, it isn't that Javascript is particularly bad as a language. Other than that it has some issues from being designed in an era where security wasn't at the forefront as much, it isn't really any worse than any other language with a similar sized library. For example, it isn't particularly worse than Java. The problem isn't the language itself, it's that the primary (original) use of the language was to allow code on a foreign computer to execute on yours, and it has a larger attack surface than HTML and CSS (possibly by orders of magnitude.)
That means that Javascript has gotten a bad reputation in some parts of the security community, but that reputation is only really relevant for Javascript on a webpage that isn't fully trusted by the user. Javascript potentially allows websites to run harmful code on your computer, but if you're running a program on your computer it doesn't matter that it uses Javascript because it's already running on your computer.

Anonymous (not verified) said:

October 30, 2015

Permalink

> Yes, this is on purpose because we don't want users clicking their links and opening a browser that is not Tor Browser. We will fix this in future releases by being smart about it -- by detecting Tor Browser and opening the link there, or by giving you an option of choosing what to do with the link. For now, we decided that we don't want users clicking on links by mistake so that is why they are disabled. (#13618 on Trac.)

I think that is a good design decision, sukhbir. Glad to see you are thinking about things like potential user Epic Fail, because our enemies certainly are.

Anonymous (not verified) said:

October 30, 2015

Permalink

I'm having the same problem! While trying to connect to Facebook and Gmail like 3 or 4 times I get the not correct password message. Both are on 2-step verification and I'm on Ubuntu 15.10! I'll check out the site you posted above!

Anonymous (not verified) said:

October 30, 2015

Permalink

Tried to log to my Facebook account and Tor Messenger wouldn't let me, asking me if I did any mistakes on my password. As I switched back to my regular Facebook page, it read it was blocked as "Someone intended to log in from an "unusual" place, showing me a Map with a pin somewhere between Myanmar and India. I don't know how this might help you guys, but this is definitely not working smoothly on FB.

Anonymous (not verified) said:

October 30, 2015

Permalink

Heii, this post sounds interstin, but i don't own a PC
Is it possible to get a Android-Version of it ?

Many greetings
Basti

Anonymous (not verified) said:

November 02, 2015

Permalink

Chatsecure has tor support. But only with the "orbot" app installed beside it: https://guardianproject.info/apps/orbot/

(You have to tick the "Connect via Tor" option in the account settings or at account setup.)

Just remember. If you're creating new accounts. You must ALWAYS connect with the "use tor" option. Connect just once without tor, and that connection will be logged and your anonymity likely compromised.

Anonymous (not verified) said:

October 30, 2015

Permalink

Google blocked my sign-on because if it coming from a non-standard country (in this case it was Paris, France). I think it will likely be difficult to use Google Talk through this without dealing with these issues. The other downside is that even if you do train Google to allow logins globally, you've now weakened the protection Google provides regarding account security.

Anonymous (not verified) said:

October 30, 2015

Permalink

I don't know what the issue is but I cannot log into Facebook. Correct username and password. Could it be the Facebook login verification?

Anonymous (not verified) said:

October 30, 2015

Permalink

How on earth does Facebook chat get encrypted? I don't understand?

I also try to configure it, put in my username and password, but it continually tells me my password is incorrect ..... and it's not incorrect. I've changed it to a new one, same result.

Facebook chat will get encrypted if the person you are talking with is using Tor Messenger, or another OTR-enabled client. When you start a conversation, it will be encrypted. Facebook can't see the content of the conversation. It will just see that you are talking with the person, but not what you are talking about.

If you are having problem using FB, please see https://trac.torproject.org/projects/tor/ticket/17464. Let us know if it works for you.

Anonymous (not verified) said:

October 30, 2015

Permalink

Ugh every time I open up preferences, the whole application locks up and freezes and I have to force quit it. Quality.

Anonymous (not verified) said:

October 30, 2015

Permalink

tor messenger is not working for me with my google account, it says I entered in the wrong password, but all the info, both email and password are correct for logging in with "google talk"

Anonymous (not verified) said:

October 30, 2015

Permalink

I'd love to see mobile apps, which for many of the people I communicate with, are critical to have a hope of achieving a network effect. Signal/TextSecure/RedPhone somehow interoperating with much of this codebase would be my dream. It's kind of a bummer that you have many of the same goals as OWS but don't appear to be working together. For many users, secure messaging choices will be an even tougher call once the Signal chrome extension (hopefully FF too) becomes available.

Great work!

Anonymous (not verified) said:

October 30, 2015

Permalink

My feedback & experience:

How to use it with system Tor, if clearnet connections are forbidden by iptables? To do that for Tor Browser Bundle I just remove tor-launcher xpi file (64 bit version). Otherwise, I even would not get firefox started. Here, in Tor Messanger, we have no such file, but directory Messenger/extensions/tor-launcher@torproject.org instead. I deleted it. After that my Tor Messanger got started. I also changed port in network preferences to proper one.

I wanted to test it with XMPP server which has a mirror in onion. I specified onion address as host and finally got it working (account was registered in advance). And now many troubles started...

I added tor messanger XMPP account to the roster of my another XMPP IM client (mcabber). Then, Tor Messagnger asked me to "allow" that contact, and I allowed it. However, after this authorization "allowed" account did not get listed in tor messagnger's contact list (roster), which is strange. It means I cannot see contacts I authorized to see my status. Only when I manually added this contact in tor messanger too, it appearaed in my roster. Now both XMPP contacts authorized each other.

When I connected from my IM (mcabber) to tor messanger, the latter complained that OTR plugin is not supported. I was very surprized. Why it is not enabled by default? I found it in preferences and enabled. However, OTR does not work. Neither my Tor messanger contact nor IM contact can start OTR session. I run Tor Messanger with command: ./start-tor-messenger --verbose (it allows me to see warnings). I noticed that each time I click on "start private conversation" I see in log "TypeError: muc is undefined". I opened error console in Tor Messanger, and see an error "Error: __NoSuchMethod__ is depricated; resource:///modules/xmpp.jsm" and then many error messages "muc is undefined; resource:///modules/xmpp.jsm".

If I disable OTR, then messages are passed successfully to both sides. But I failed to get it working with OTR despite (according to prereferences) everything is OK (key was generated, fingerprint was seen).

Another problem are preferences of crtypes-otr extension: sometimes to get button "preferences" working I need to click on "disable", and then on "enable". Otherwise, the window with preferences is not opened.

> Only when I manually added this contact in tor messanger too, it appearaed in my roster. Now both XMPP contacts authorized each other.

This is how XMPP works: both of you have to authorize each other before you can see the status. You can still start chatting, you can only see the availability of the other person if they have accepted your invitation.

> When I connected from my IM (mcabber) to tor messanger, the latter complained that OTR plugin is not supported.

This does not make sense. What are you trying to do here? Just use Tor Messenger -- it supports IRC and OTR is automatically enabled for one-to-one conversations.

Try using Tor Messenger without Mcabber (I am not sure why you are doing this) and you will see most of your problems fixed.

Anonymous (not verified) said:

November 04, 2015

Permalink

> This is how XMPP works: both of you have to authorize each other before you can see the status. You can still start chatting, you can only see the availability of the other person if they have accepted your invitation.

You didn't understand what I say. I don't complain about that I cannot see the status. I complain about that I cannot see this contact in my contact list! In normal XMPP clients when I authorize somebody, I can see him in my list despite I cannot see his status(!). In tor messenger I see absolutely nothing. It means if I forgot which contact I authorized, there is no any simple way to find it.

> This does not make sense. What are you trying to do here? Just use Tor Messenger -- it supports IRC and OTR is automatically enabled for one-to-one conversations. Try using Tor Messenger without Mcabber (I am not sure why you are doing this) and you will see most of your problems fixed.

OMG, somebody of us does not understand the idea of tor messenger. Is it multiprotocol client? If yes, it must be in compliance with XMPP protocol. Does tor messenger support standard OTR protocol for XMPP? If yes, it must be compatible with all XMPP clients and their OTR implementation. The idea of tor messanger is to be compatible with standard IM protocols, so I can chat with anybody who is not yet using tor messanger, isn't it? So if somebody is using standard XMPP client such as mcabber, which supports OTR, why I cannot use OTR from tor messanger? Is its OTR implementation incompatible with the standard?

Experienced people use convenient IM clients (such as mcabber), which are properly customized to work with Tor and end2end encryption. Then, ordinary people could use tor messanger (XMPP+OTR) to anonymously chat with that IM client. It is only possible, when OTR is compatible on both sides, which, as I see, is not the case.

I think I am pretty clear...

P.S. If we don't bother about compatibility with standard protocols and standrad implementation of OTR, why to use tor messenger? It is better to use ricochet.

OK sorry, I misread this comment. Let's address the issues one by one.

1. You have to enable "show offline contacts". Is this what you meant? If yes, right-click on the empty space in the contacts window and enable this option.

2. I actually misread this part badly but anyways, this was an error that we just fixed. Mcabber should now work (tested). See https://trac.torproject.org/projects/tor/ticket/17552. This was due to an XMPP issue, not the OTR code.

(And yes, our OTR implementation is compatible with other clients, that's the point.)

Anonymous (not verified) said:

November 26, 2015

Permalink

Thanks a lot for your comment! Indeed, in newer version everything works fine.

1. Yes, thanks, it works.
2. Yes, in 0.1.0b4 it is fixed.

I have just minor comment on script start-tor-messenger, which I run in my terminal as "./start-tor-messenger --debug". It works, but it writes:

  1. <br />
  2. ./start-tor-messenger: line 268: [: 64: unary operator expected<br />

Probably, you may want to fix this minor warning.

Anonymous (not verified) said:

October 30, 2015

Permalink

This is more of a suggestion: I don't know much about how Tor works but amongst the list of messengers, i notice theres no "Wickr". I suggest you take a look at Wickr if you haven't and look at how it works as it's a pretty amazing system. Maybe some of the ideas from that may translate well over to TorMessenger or future Tor products?

Anonymous (not verified) said:

October 30, 2015

Permalink

You can't use a Facebook account if you have account security on full lock down with two factor authentication.

Anonymous (not verified) said:

October 31, 2015

Permalink

So, first of all : great work and thanks!

unfortunately I can't get it to run with facebook cause the buffoons at facebook don't want me to use it :)

Any updates on this issue, is there anything I can do to make it work?

Anonymous (not verified) said:

November 01, 2015

Permalink

Sorry, but the instructions are unclear. What to put as "app-name"? "Tor messenger" or something else?

What to use as login name, my "facebook username" or the newly created appname?

I have the same problem. I tried by putting "Tor Messenger" and "TorMessenger" in the app name field, with no results.

I have used my username (the one after facebook.com when you go in yuor Facebook profile) and not my email. I have also followed the instructions for generating an app password.

Is Facebook blocking Tor Messenger somehow?

Anonymous (not verified) said:

October 31, 2015

Permalink

Why run Tor on any commercially closed operating system possibly acting like a trojan horse?

Is it safe against trojan horses? How?

Is it safe against spy-chips installed on commercial hardware? How?

Is it using iRL kryptokeys or is it sending kryptokeys over the internet? Why is that considered safe?

Is Tor downloading javascript when it is being run? Why?

The imagination of safety on the internet might be the very thing that makes it unsafe. I suggest awareness and openness in all communication until people themselves create "dedicated trusted computer communication and voting devices".

Swing your thing on the youtube and they will not be able to pull down your pants! ;-)

/Martin Gustavsson
Scientific party of Sweden

Anonymous (not verified) said:

October 31, 2015

Permalink

Torchat is not opening after successful installation can someone tell me what to do?

am running it on host windows 10

Anonymous (not verified) said:

October 31, 2015

Permalink

why there is no usual uninstall tool? and does it make keys in the registry?

Everything is contained in a single folder. To uninstall, just remove the folder and Tor Messenger will be uninstalled. And no, we don't touch the registry.

Anonymous (not verified) said:

October 31, 2015

Permalink

what if the other using it's not using tor-messenger , we still have an encrypted conversation ? if not
why we use tor-messenger
-----------------------------------
and when i want start a conversation using facebook it's shown that's it's not an privat conversation , "2:24:56 PM - Attempting to start a private conversation with […]"

If the other person is not using Tor Messenger or another OTR-enabled client, you cannot talk with them as Tor Messenger does not allow sending of unencrypted communication. This is by design. Also, if the other person is using OTR, it will still say "Attempting to start..." but if it the conversation actually starts, it will tell you that the conversation is private. If all it says is "Attempting to start..." and nothing after it, then that conversation is not secure.

Anonymous (not verified) said:

November 01, 2015

Permalink

How can you say this when I have spent the past 12 hours trying to get Google Talk to work and it denies it every time?

Anonymous (not verified) said:

October 31, 2015

Permalink

Wow what a simply brilliant project.

it would be nice to see android & ios versions of this as many current apps do not support key encryption/decryption.

<

Anonymous (not verified) said:

November 01, 2015

Permalink

You may enjoy ChatSecure on Android.

sukhbir:

Could you do a feature-by-feature comparison of ChatSecure and this creation of yours? We would like to see a list of pros and cons in using your product over ChatSecure. Thanks in advance.

Anonymous (not verified) said:

October 31, 2015

Permalink

sha256 match but verification with .asc file raise an error !

I successfully imported key with command:
$ gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x6887935AB297B391

but then got an error "BAD sign" with
$ gpg --keyid-format long --verify sha256sums.txt.asc tor-messenger-linux64-0.1.0b3_en-US.tar.xz
>gpg: Signature faite le ven. 30 oct. 2015 20:52:30 CET
>gpg: avec la clef RSA 6887935AB297B391
>gpg: MAUVAISE signature de « Sukhbir Singh  »

Anonymous (not verified) said:

October 31, 2015

Permalink

my apologies, verification of sha256sum.txt with .asc file is ok finally
it was a error of my command ;)

Anonymous (not verified) said:

October 31, 2015

Permalink

Is there a trustworthy test server where a clueless newbie to chat can try out Tor Messenger without needing to create an account?

If this question seems odd, that is because I have hardly ever used any chat program.

You can create an XMPP account on any of the servers out there which support in-band account registration (meaning you can create an account without leaving Tor Messenger). You can choose from: jabber.ccc.de, jabber.otr.im, jabber.calyxinstitute.org. You do not need to give a name or email address.

Anonymous (not verified) said:

November 04, 2015

Permalink

> jabber.ccc.de, jabber.otr.im, jabber.calyxinstitute.org

All of these servers have some problems.

  • jabber.calyxinstitute.org and jabber.otr.im do not send unencrypted messages.
  • jabber.ccc.de does not allow to register an account. The error:
    There was an error registering the account. Reason: Forbidden. The requesting entity does not possess the required permissions to perform the action.

I would recommend other servers, which are well tested and work nice as both clearnet and onion servers:

If somebody doesn't care about connections with other XMPP servers, this onion XMPP server is also good: http://cyjabr4pfzupo7pg.onion

That's odd. jabber.ccc.de registration should work -- we have done it all the time and so have other users (just verified again). Perhaps try again as it may have been a temporary issue?

The other issue is that right now we don't recommend any servers. We will have a list for the users and that is one of the improvements we have to make.

Anonymous (not verified) said:

November 26, 2015

Permalink

Yes, you are right. Now jabber.ccc.de (okj7xc6j2szr2y75.onion) works fine (I tested it again). Thanks for this notice!

However, sadly jabber web page web.jabber.ccc.de no longer works. It would be good if they provide also onion web page and web page for registering/unregistering jabber accounts (not all jabber clients can do this work).

Anonymous (not verified) said:

October 31, 2015

Permalink

More enthusiastic press coverage:

http://arstechnica.com/security/2015/10/how-to-use-tor-messenger-the-mo…
Take 5 minutes and up your opsec game with Tor Messenger
Sending chat traffic via Tor and requiring OTR is a big win for privacy.
Cyrus Farivar
31 Oct 2015

> On Thursday, the Tor Project released its first public beta of Tor Messenger, an easy-to-use, unified chat app that has security and cryptography baked in. If you care about digital security, you should ditch whatever chat program you're using and switch to it right now.

CF answers an important question not covered in the announcement:

> If you want to sign up for a new XMPP account, you can quickly register one with the Calyx Institute. All you have to do within Tor Messenger, is make up a user name and password, and use the server: jabber.calyxinstitute.org and you’re all set.

Anonymous (not verified) said:

November 03, 2015

Permalink

VirusTotal can't do squat about it. You should be working with the producers of the two anti-virus products that are causing the false positives. Good luck with that - you're gonna need it, given who these two producers are.

Anonymous (not verified) said:

October 31, 2015

Permalink

After downloading, verifying, un-xz-tar, the 32 bit Linux version of the TM application opens in Tails 1.6, but apparently is unable to connect to the Calyx Institute server to create an account as per the instructions in

http://arstechnica.com/security/2015/10/how-to-use-tor-messenger-the-mo…
Take 5 minutes and up your opsec game with Tor Messenger
Sending chat traffic via Tor and requiring OTR is a big win for privacy.
Cyrus Farivar
31 Oct 2015

I guess the problem may be the Tails firewall blocks the default port?

Thanks to CF for volunteering to help chat n00bs test TM!

Anonymous (not verified) said:

October 31, 2015

Permalink

App refused to start with the message 'You cannot use this version of the application Tor Messenger with this version of Mac OS X. Running 10.5.8 on a dual-core G5. Could you compile a version that isn't restricted to rich people please?

While we would love to support all version on all platforms, building, testing and debugging is difficult as it's a time- and resource-intensive task. Unfortunately we have to stick with the most commonly used platforms. You can open a ticket about this and if a lot of people request, we can look at it.

Anonymous (not verified) said:

October 31, 2015

Permalink

Again... Why not Jitsi messenger???????? You dont want audio calls over TOR, is that why?

Anonymous (not verified) said:

November 01, 2015

Permalink

Please don't support Webrtc. That defeats the entire purpose of chatting anonymously.

can Jitsi be configured to nnot use start-tls? we have more trust in 'obsolet' tls with can't be invariantly connected to im activity. right now we prefer psi as it has 'obsolet' tls and socks4a and not overloaded with multiprotocol support and unverifyed add-ons.

Anonymous (not verified) said:

October 31, 2015

Permalink

Google Talk refuses the connection calling this "not a modern messaging client"

Anonymous (not verified) said:

October 31, 2015

Permalink

Unable to open the DMG image on OSX 10.11. The sha256 on the downloaded image checks out, as does the signature on the checksum file. However, I get an "Operation timed out" error when trying to open/mount the DMG. No other DMGs have this problem. Is it corrupt?

Anonymous (not verified) said:

October 31, 2015

Permalink

When we use the twitter protocol, will it show whatever Tor node we're using or the IP from Instantbird?

Will this be like group accounts where the admin of a twitter account can see all IPs of others in the Instantbird twitter dm group? Because twitter's user data shows IPs of contributors.

Anonymous (not verified) said:

October 31, 2015

Permalink

This does not seem to work for services with Two Factor authentication, like Facebook or Yahoo!

Anonymous (not verified) said:

November 01, 2015

Permalink

If we have our Jabber accounts, facebook and twitter all included in Tor messenger, can anyone we chat with ever see all our accounts we have connected to Tor messenger?

The Jabber server you use can see who you are talking with but not what you are talking about. This is also true for Facebook and Google Talk for conversations with a single person (one-to-one conversations) since everything is encrypted with OTR.

Anonymous (not verified) said:

November 26, 2015

Permalink

I think he/she asked you about another thing. Let me phrase it more clearly. Suppose, I attached two different XMPP contacts to my tor messenger: user1@server1 and user2@server2. Can people in my contact list from user1@server1 learn that I also have contact user2@server2 in tor messenger?

(To my knowledge, the answer is 'no'. It should not be possible.)

Anonymous (not verified) said:

November 01, 2015

Permalink

The workaround works on win 10 x64 (assuming everything else functions as it was supposed to).

Anonymous (not verified) said:

November 01, 2015

Permalink

Instandbird is like Firefox, Thunderbird and SeaMonkey and i use it long time. You can make an Add-on for use TOR and i think, this is the better way! If i use your Bundle i must be configure all my connections that i have in Instandbird, thats very bad!

Anonymous (not verified) said:

November 01, 2015

Permalink

You can chat through other chat messengers, such as CryptoCat and various others. I do not know how Tor Messenger competes or outperforms any other ones. What is the unique feature of Tor Messenger versus others?

Anonymous (not verified) said:

November 20, 2015

Permalink

Isn't any iistant messenger which support socks4a proxy & otp can work across tor network? btw is there any specific recommendations for xmpp server with small footprint to be used in hidden service installation for smaal group of people? thanks

Anonymous (not verified) said:

November 01, 2015

Permalink

Windows Vista pc

Tools > Addons > Extensions > ctypes-otr > Options

Next to where it says 'Key For Account', I have one Jabber account and one Twitter account listed. The Jabber has its keys and shows the fingerprint. For my twitter, it didn't show anything and asked me to generate them. I generated keys for my Twitter and it shows the fingerprint now. Would it make any difference if keys/fingerprint for my Twitter are made or not since they were not automatically generated when I added the Instantbird app to my Twitter account? Would generating keys/fingerprint uniquely identify me on Twitter if I had more than one Twitter account?

Twitter OTR keys are somewhat irrelevant as we don't support direct messages yet (Instantbird doesn't), so we can't do OTR. We have plans to implement direct messaging support and that will be an awesome thing to have. Thanks for the feedback though, since you can't use Twitter for OTR, we shouldn't ask you to generate keys or allow that.

Anonymous (not verified) said:

November 01, 2015

Permalink

not able to run on my windows xp system showing error " The procedure entry point _vsnprintf_s could not be located in the dynamic link library msvcrt.dll "

Anonymous (not verified) said:

November 01, 2015

Permalink

On current stable Ubuntu:

$ ./start-tor-messenger.desktop
Launching '/Messenger/start-tor-messenger --detach'...
$

But nothing else happens and no processes spawned related to tor-messenger?
Are there dependencies to run?

Anonymous (not verified) said:

November 01, 2015

Permalink

A small question: How am I able to choose an account picture?

- Linux 64-bit
- created XMPP account successfully
- when clicking on the placeholder avatar in the TM main window nothing happens

Thank you!

Choosing an account picture is disabled. Access to the webcam is also disabled. Maybe in future we will allow that but right now you can't set the picture (this was on purpose).

Anonymous (not verified) said:

November 01, 2015

Permalink

You don't need to approve this comment because it's essentially worthless, but kudos to whoever from the Tor Project writes responses to these comments. About 80% of them are completely bullshit, and you still manage to write level-headed responses.

Anonymous (not verified) said:

November 01, 2015

Permalink

XP-SP-2 has error:
Windows XP, instantbird.exe - entry point not found:
"the procedure entry point _vsnprintf_s could not be located in the dynamic library msvcrt.dll"

Anonymous (not verified) said:

November 01, 2015

Permalink

Would love it if you fixed Google Talk support. Google denies the login no matter what I do, loggin in with Tor Browser multiple ways does absolutely nothing to fix it.

Anonymous (not verified) said:

November 01, 2015

Permalink

> You should follow the great work the Tails people are doing to get Tor Messenger working: https://labs.riseup.net/code/issues/8577

Where one anonym wrote:

> Please don't report issues to the Tor Messenger developers unless you can reproduce it outside of Tails too!

Ugh, usual complaints about lack of encrypted/anonymous bug reports (except at this blog, sort of). And the issue is labeled "low priority".

If I understand, my guess was wrong and TM won't yet work in Tails, the Tails people need to make (minor) changes to the code. ("Work" is not the same thing as "work securely", of course.)

Thanks to Tor Messenger team for your work so far. TM appears promising but in future I strongly encourage you to try to bring TM into Tails. I'd like to see a credible security audit of TM as part of Tails specifically. Some of the desiderata listed in replies above also appeal.

Anonymous (not verified) said:

November 01, 2015

Permalink

Someone criticized Tor Messenger (over at Ars Technica):

> Given how every other week there's news of a latest TOR weakness that's been exploited, it's not THAT secure. Nor it's that anonymous given how flaws have been exploited so people got raided after such flaws and weaknesses were used by Big Gov,,, You've got a messenger on TOR (a network that's regularly in the news for the latest successful takedown)

I believe this comment refers to several highly publicized raids in the past few years conducted by EU and US police agencies on people who were suspected of visiting specific Tor hidden services, not on Tor users generally. From my understanding, the techniques the LEAs are thought to have exploited to obtain the true IP addresses of those people do not directly affect intended TM use cases (someone correct me if I am wrong!).

The poster added that the Tor network

> is attracting more than its fair share of snoopers (and where your traffic will be a bigger chunk of total traffic than a commercial network)

That may be the weirdest argument against using Tor to improve your anonymity against at least some actors that I've seen yet.

Security and anonymity are valid concerns when Beta testing any application intended to enhance anonymity, but it's important to try to have a correct understanding fo the most likely hazards.

Anonymous (not verified) said:

November 01, 2015

Permalink

> Cannot malicious exit nodes eavesdrop facebook or google credentials?

>> No, because TLS is enabled for all protocols by default.

>>> The NSA has found some weak links in the algorithms used to encrypt internet traffic. It means that whatever products or enhancements Tor developers are doing are vulnerable to US government snoops.
>>>
>>> Matthew Green, one of the people who audited Truecrypt, postulated the NSA has solved some of the issues surrounding ECDLP (Elliptic Curve Discrete Logarithm Problem). "A riddle wrapped in a curve" (http://blog.cryptographyengineering.com/)
>>>
>>> If you're still interested read the following post by Bruce Schneier as well: "Why Is the NSA Moving Away from Elliptic Curve Cryptography?" (https://www.schneier.com/blog/archives/2015/10/why_is_the_nsa_.html)

The blog post by Matthew Green at

http://blog.cryptographyengineering.com/

was prompted by a readable paper by Koblitz and Menzies (see the link in MG's blog) which attempts to review the current status of public-key cryptosystems and the most popular candidates for PQC (post-quantum-cryptography). This topic has recently become much more urgent and contentious owing to the following developments:

o documents leaked by Snowden convinced everyone that (as some had long suspected), NSA deliberately weakened a specific part of NIST crypto standard describing a random number generator to be used as part of RSA (the algorithm), and NSA even appears to have bribed RSA (the company) to overlook the crippling of its primary product,

o on the other hand, the black budget leaked by Snowden shows NSA has only been putting tens of millions per annum into research on quantum computers, suggesting that they do not believe that a huge breakthrough is only a few years away, which suggests that PQC may not be urgently needed for some years (unless NSA is wrong about what will be possible in the near future),

o NIST had an (understandable and laudable) falling out with NSA after it learned it had been gulled by NSA operatives,

o NIST sponsored a high profile conference on PQC intended to mobilize civilian cryptographers to get cracking,

o after decades of urging adoption of ECC (elliptic-curve cryptography)--- Koblitz is one the co-inventors of ECC--- NSA suddenly withdrew support and now advocates moving from RSA directly to some PQC scheme, causing everyone to wonder WTF?,

o researchers recently showed that the older DHE schemes are much more vulnerable than previously recognized; this issue directly affects Tor users because Tor client/server pairs use public key cryptography when setting up Tor circuits--- the packets themselves are encrypted using symmetry cryptography--- current Tor prefers to set up circuits using ECDHE, a Diffie-Hellman type scheme using elliptic curves, but still allows the now deprecated DHE.

This is all very technical, but the Koblitz-Menzies paper does a pretty good job of making the key issues somewhat comprehensible to Tor users. Not to missed: the (humorous?) deduction that NSA considers information classified "Top Secret" to be 2^64 times more valuable than information classified "Secret".

I think the situation is so confusing (to non-experts) and so important for educated TBB and TM users to understand that a guest post in this blog by someone of the status of Bruce Schneier or Matthew Green or Jacob Appelbaum clarifying how these issues affect the work flow of typical endangered persons who use Tor (e.g. LUKS encrypted USB sticks as well as (a)symmetric encryption used to establish/maintain Tor circuits) would be useful.

Jacob Appelbaum, who I think has some association with the Tor Project, tweeted a response to Cyrus Farivar's story on TM in Ars Technica which I do not grok. I notice that he also provided pre-publication comments on the paper by Koblitz and Menzies.

Anonymous (not verified) said:

November 01, 2015

Permalink

Very gratifying to see how much interest there is in TM. If we can get TM in Tails it could be very helpful for whistleblowers, human rights workers, cybersecurity researchers, reporters, medical practitioners, telecom engineeers, climate scientists, political dissidents, and other endangered people.

Could TM become the killer app that makes Tor usage mainstream?

Anonymous (not verified) said:

November 01, 2015

Permalink

where or how uninstall the tor. don't see it in control panel or in the install dir folder.

Anonymous (not verified) said:

November 01, 2015

Permalink

Same here as the other guy:

"Google Talk refuses the connection calling this "not a modern messaging client"

I get an email stating sign in attempt prevented

Anonymous (not verified) said:

November 01, 2015

Permalink

I'm a bit confused by your statement "It also has an active and vibrant software developer community". The last release of Instantbird was back in 2013. That seems pretty long for an active project.

I was able to install and run Tor Messenger without issue, though.

irc don't allow hidden services (high traffic) networks like tor because of abuse.
it is usually "blocked by default" in irc when they find out. also some admins running servers on irc block for the same reason. problem with tor is that they aren't blocking any specific IP, they are blocking they nodes where all IP's goes thrue. try use a bridge and see if that helps out.

Anonymous (not verified) said:

November 02, 2015

Permalink

Hi, Avira blocking install saying Instabirds.exe has virus "TR/ATRAPS.Gen"
Is Avira being a pussy? Is it meant to be there? Not installing until I find out, obvs.
Ta.

Anonymous (not verified) said:

November 02, 2015

Permalink

Can't get accounts to connect on Windows 7-64 bit. Put in the correct passwords, and it keeps coming up Not Authorized.

Anonymous (not verified) said:

November 02, 2015

Permalink

Few findings and open questions:

1. why no jitsi? I read the reply from 31st oct from sukhbir but that does not give the reasoning behind that decision. I'd love to hear more if possible.

2. IRC feedback is recommended both on the tor-project website and in this blogpost above. but attempting to join both #tor or #tor-dev results in telling me, I need to be registered (no steps provided how that is done) and for #tor-dev I'd require an invitation. All good but for new users this is very confusing. I was unable to get this solved and access the IRC channels in question.

3. adding IRC account: I was able to add several various XMPP accounts. great. but whenever I tried to add any IRC server I was unable to do so and ended up with various errors. what are the prerequisites for IRC to successfully connect?

Other than that, very excited about this! Hope this will get dev love for quite some time and will not stagnate in the future.

2) #tor is on OFTC, so you need to register with the OFTC network. Details on how to do that are probably available on their website. It's likely that they use the standard procedure with a bot named "NickServ" that most other IRC networks are also using.

3) If you're adding IRC account, make sure the network in question isn't blocking Tor usage. This is the case for most bigger networks. (Momentarily including Freenode and OFTC, it seems.) So this isn't an issue with the software, it's a policy decision by a specific network.

Only if you care about connecting to servers that explicitly ban Tor. If you care about your anonymity while using IRC servers you should probably tell the server operators of servers you'd like to use exactly that, and that they should change their policy.

Anonymous (not verified) said:

November 02, 2015

Permalink

I cannot get Google Talk to authenticate. I keeps asking if I entered the wrong password, but I have tried a dozen times and validated that it is correct. And isn't Google Talk long gone? I should be using the same creds I use for Google "Hangouts", right?

My guess would be that rather than connecting to any website, that it connects to a chat backend, which is probably a clearnet server, and not a hidden service. Shouldn't really be an issue for you, though, as you're still using Tor.

We connect to chat.facebook.com. No onion since Facebook doesn't provide one yet for the chat. We asked them if they would.

Anonymous (not verified) said:

November 02, 2015

Permalink

the contents of tor browser and tor messenger appear to be the same although they have different sizes, the messenger compressed file has 40 mbs size but whenever i extract it , it shows the same contents as tor browser contents were extracted. can you please guide me that whys that so??

The content isn't the same. They share some code, and both use XUL, but that's it. Tor Messenger is based on Instantbird, and Tor Browser is based on Firefox ESR, two different programs.

Anonymous (not verified) said:

November 03, 2015

Permalink

I'm was using TM on 2 x MBP for Facebook Messenger. It was working using Facebook Verification Codes as the password but has now stopped working on both machines. I think Facebook may have blocked it as it did with Adium... anyone else seen this or know whether this is the case?

Anonymous (not verified) said:

November 03, 2015

Permalink

What the difference betwen Tor Messenger and Any Chat Program (Telepathy for example) + ordinary Tor as SOCSK5 proxy (and yes, chat protocol over ssl)?

I think the point of the Tor Messenger is to be exactly that, a pre-configured Instantbird. It gives you the assurance that your use of Tor with a specific software is done correctly and that leaks are prevented by design. Of course that's theoretically also possible to do with any other open-source software, but could be hard for an average user, and would also take time.

We try to make sure that everything is sent over Tor, there are no leaks, and we ensure that safe defaults are turned on by default (like OTR, logging disabled and much more). Think of this as specially designed to work with Tor.

Anonymous (not verified) said:

November 03, 2015

Permalink

Hi sukhbir! this post was kinda hillarious.

was about to dig for some answers about (torbirdy) and (thunderbird).
then this post showed up like (use our chat instedt) lol.

anyway, i don't know where to ask this question so maybe someone
here could help? it is told not to install any add-on's in the tor browser bundle
what so ever for security reasons. then i slipped across the torbirdy add-on
in mozilla created by you and jacob.

now my question is how to install torbirdy in linux? since that add-on is
made for windows users i got stuck. but i would really like to try it out in
thunderbird. some guidance would be really appreciated.

will also give instantbird a try and come back with some feedback!

thank's in advance!

Anonymous (not verified) said:

November 03, 2015

Permalink

> Get ready to be spied by NSA.

Everyone in the world is already a target of NSA surveillance. The point of TM is that we can and must fight back with every tool at our disposal. TM only addresses certain threats, but every countervailing force helps us in the struggle against global oppression.

And it's no longer just the NSA which everyone needs to worry about. Other nations have been "inspired" by Alexander's loathsome injunction to "collect it all". The result is that more and more people all over the world are also being targeted by other well funded intelligence agencies (China, Russia, France, Germany...). All the governments appear to be racing each other in an attempt to reach the final endpoint of human evolution (at least in NSA's view): the technofascist state. See

https://theintercept.com/2015/11/03/europe-still-angry-at-u-s-spying-pr…
Europe, Still Angry at U.S. Spying, Prepares to Increase Its Own
Jenna McLaughlin
3 Nov 2015

It gets worse. Most people are now spied upon not only by more than one nation, but by more than one agency from some nations. There are literally dozens of US agencies which are deeply involved in dragnet surveillance operations inside the US.

Anonymous (not verified) said:

November 03, 2015

Permalink

Tor messenger cannot connect to my account in Yahoo.Maybe this is the reason why 'Add contact', ' New conversation', and 'Join chat' are disabled?

You need to connect successfully to an account for these buttons to make sense, yes. Try out a different account or service type. Also make sure that the service you're using is not blocking Tor usage, as that could always be the case.

Anonymous (not verified) said:

November 07, 2015

Permalink

Should the OP have specified "timing" side channels? Or are high-level languages (as I assume was the point, not specifically JS) especially vulnerable to other kinds of side channels?

Thanks.

Anonymous (not verified) said:

November 04, 2015

Permalink

I use Torchat....it is flaky and unsupported but works. I like how it is self contained with no need for an external service. Please implement something like that.. cause going into another account like Gtalk or FB messenger doesn't really seem like it is solving anything big picture wise.

totaly agree! torchat is user friendly, no complications. create a nickname, add someone into the chat and you're done. no personal info needed.

however torchat is NOT maintained by the torproject team. but would really like something similar like that from the tor developers!

We understand that and we address that in the post itself. There are many users who use IRC, XMPP or Facebook and that is unlikely to change. Tor Messenger is meant to provide security to those users. We recommend Pond and Ricochet for these issues (see post for links).

Anonymous (not verified) said:

November 04, 2015

Permalink

can anyone help ?? when I go to add a account irc or the other xxmp what server are you suppose to use ? I tryed the goggle thing and facebook and it dont wok.

You can use any IRC or XMPP server that allow the usage of Tor (that should be any that don't explicitly disallow it). I would recommend you search the web yourself to get a good overview, but for convenience here are some you could check out. IRC: Darenet, OFTC (the latter sometimes blocks specific exits) --- Jabber/XMPP: Rows.io, Dukgo.com, otr.im

Of course, as is the nature of the protocol, if you use IRC your chat partner needs to connect to the same network. With XMPP the servers normally federate between each other, so that this isn't required. If you're still unsure, I would recommend to look up tutorials and introductions to IRC and/or XMPP on the web. If you find a good one, it'll maybe be useful to teach your chat partner about these services, should they have the same questions as you have.

Anonymous (not verified) said:

November 05, 2015

Permalink

greetings all

any idea how one would set up an personal xmpp server/tor hidden service on a raspberrypi ?

I would imagine that most standard XMPP servers should run just fine on a Raspberry Pi device. I have no personal experience with them, but I heard that Prosody is supposed to relatively lightweight, so maybe check that one out.

Anonymous (not verified) said:

November 05, 2015

Permalink

First time chat user reports following experience:

32-bit application opens on Laptop running Debian stable.
Could connect to Tor network using a bridge.
Apparently was able to create an account at calyxinstitute.org as per Cyrus Fahrivar article.

Lightly edited error messages:

Warning: Error: __noSuchMethod__ is deprecated
Source File: resource:///modules/xmpp.jsm
Line: 1645

Error: Could not create conversation as jid is broken: jabber.calyxinstitute.org
Source File: resource:///modules/xmpp.jsm
Line: 1685
Source Code:
prpl-jabber: XMPPAccountPrototype.createConversation

Warning: Unhandled IQ result stanza.
Source File: resource:///modules/xmpp.jsm
Line: 1225
Source Code:
prpl-jabber: XMPPAccountPrototype.onIQStanza

Error: uncaught exception: Some required fields are empty!
Source File: chrome://instantbird/content/menus.js
Line: 133

Error: uncaught exception: Some required fields are empty!
Source File: chrome://instantbird/content/menus.js
Line: 133

Error: uncaught exception: ***
Source File: resource://gre/components/ibConvStatsService.js
Line: 378

Anonymous (not verified) said:

November 05, 2015

Permalink

> I would recommend other servers, which are well tested and work nice as both clearnet and onion servers:

What is required to register an account? Email? A working chat account elsewhere? Credit card? What is the most secure/anonymous way to register an account with these servers?

Anonymous (not verified) said:

November 05, 2015

Permalink

Can Tor Project please post step by step instructions written for someone who has never used a chat client explaining step by step

1. how to use TM to register an account at a server such as jabber.calyxinstitute.org which does not require email or money to register

2. how to use TM to enter a chat room (how to find the available rooms at calyx?)

3. how to use TM to specify another party (what user name should one enter for Farivar?) and to attempt to start a private OTR protected chat

4. how to recognize that a non-response is due to your party (e.g. Favrivar) not being logged into the same chat server

Anonymous (not verified) said:

November 06, 2015

Permalink

I'm looking for someone who understands this np1sec protocol to clear this up: For the duration of the chat at least (if not longer), the server is a trusted party, right? The server must know the room name, and the room name is all that's needed to join the chat. Once someone joins they are relayed the chat history. If the server is adversarial or compelled by some adversary to provide chat room names, that adversary could join the multi-party chat and get the whole history, yes? Those in the room would see this unknown party join, but the history has already been compromised. Is this correct?

Also is there any console/raw message feature that I could use to verify whether the messages are really encrypted?

Anonymous (not verified) said:

November 07, 2015

Permalink

Is it ok to run Tor Browser Bundle and Tor Messenger concurrently? Does this mean there will be two Tor processes, or a single shared one?

I may have missed the link if there is one, but some basic doc to get users up and running would be helpful, judging from the questions above as well.

I haven't tried it yet, but some basic points are unclear to me. For example, does your conversation partner need to be running Tor Messenger as well?

There are also stumbling-blocks to do with accessing Jabber servers or IRC while using Tor (or creating accounts on them), that I can imagine could cause a lot of frustration for people trying this for the first time. And security aspects: who can see the Jabber or IRC room you chat in? All this will be obvious to experienced users, but the rest of us could use a little help with the learning curve.

Does this mean there will be two Tor processes, or a single shared one?

Two different Tor node processes (different programs, in fact, not just two instances).

For example, does your conversation partner need to be running Tor Messenger as well?

No, not strictly.

And security aspects: who can see the Jabber or IRC room you chat in?

I don't know about the details of the protocol, but I assume the server (apart from your interlocutors) has to know what room you are in. Your messages, though, should be OTR-encrypted.

Disclaimer: not a torproject developer.

That's true. Right now if you are running Tor Browser and Tor Messenger, you have two Tor processes. We have plans to fix this later by sharing the Tor process (if it is already running). And the server sees who you are talking to (metadata) but not what you are talking about (content). And the other side can have Pidgin or Adium, but we recommend Tor Messenger.

Anonymous (not verified) said:

November 08, 2015

Permalink

Before trying to open/install instantbird make sure that you save and open the download file in a home/desktop enviroment! this will NOT work if you try install it from an external harddriver/flash drive or some other weird place.

however you could save a copy of the dl file somewhere else, but it has to run on a desktop enviroment. (C:) (x86) / program in windows and (file/home) in linux!

also keep in mind you will need a channel and/or account for the place that you are trying to connect too.

Anonymous (not verified) said:

November 09, 2015

Permalink

I attempted to connect TOR Messenger to both by Facebook and Google Accounts. In both cases, it claimed that I was not authorized as I might have entered the wrong password, however, I know with absolute certainty that this is not the case. Is there a work around for this particular issue or is it something regarding the settings on those accounts? Any help would be appreciated and keep up the good work...I greatly appreciate everything you guys do to help those of us less technical folks defend our privacy.

Start by noting that the username field in Tor Messenger is your Facebook username, not your email address. Your username is the text after facebook.com on your profile page. (If the link to your profile is facebook.com/johndoe, then your username is johndoe.) If you still can't find it, go to "Settings", under "General", see "Username". And then add the account from Tor Messenger.

Anonymous (not verified) said:

November 09, 2015

Permalink

Wanted to try Tor Messenger and tried to connect to Quakenet. But I do receive only:

[08.11.2015 23:01:00] ERROR (@ prpl-irc: ircSocket.prototype.onBadCertificate jar:file:///D:/Tools/Tor%20Messenger/Messenger/omni.ja!/components/irc.js:737)
Bad certificate or SSL connection for XXXXXXXX@irc.quakenet.org:
SSL received a record that exceeded the maximum permissible length.

Error

Is there a workaround for this?

Anonymous (not verified) said:

November 09, 2015

Permalink

Was the chat logging option from the base code just disabled, or removed entirely? I enabled what seems to be the right option (purple.logging.log_chats) but I can't find any files created.

Anonymous (not verified) said:

November 10, 2015

Permalink

I set all those things, and it created a json file deep inside the application's directory. So that much works (for admin users, which nearly everyone on osx is and an entirely different topic.)

Unfortunately the results are not usable, the ability to quickly search old chats is a major reason I'm still using Apple's client. I appreciate the reply, but it looks like I'm still stuck where I am because of this. Thanks.

Anonymous (not verified) said:

November 11, 2015

Permalink

any future tutorial/documentation created can you please add an created date then user have an idea whether the information is current or older

keep up the good work people.

Anonymous (not verified) said:

November 11, 2015

Permalink

Very great tool,intuitive,fast and simple,better than pidgin for easy use with tor,keep it up!!!

Anonymous (not verified) said:

November 11, 2015

Permalink

Same thoughts here. Never tried Instantbird before, only Pidgin, and am very pleased. Some IRC-related functionality is missing but only small stuff, not keeping me from using it at all.

Anonymous (not verified) said:

November 15, 2015

Permalink

The foes of encryption have been quick to exploit the mid-November attacks in Paris. NYPD Police Commissioner Bill Bratton, former FBI Deputy Director Timothy Murphy, former NCTC Director Michael Leiter, and former CIA Deputy Director Michael Morrell have all claimed within the past 24 hours that "encrypted apps" explain why the French security services did not detect and break up pre-operational planning by the attackers. Morrell has been particularly insistent in several interviews in his insistence that the US political leadership should "revisit" the recent decision by President Obama not to ban outright "unauthorized encryption".

We need to organize a robust response to this slander from the tech community. I hope such leaders as Bruce Schneier, Matthew Green, ACLU, EFF, EPIC, Tim Cook of Apple, will step up to try to explain in suitably simplified terms comprehensible to panicked legislators why mandating backdoors in civilian encryption, or banning all "encrypted apps", is the very last thing we want to do if we are concerned about computer security, or want to preserve traditional Western notions of political/religious freedom, civil liberties, property rights (who owns our personal electronic devices?), freedom of expression, and freedom of movement.

Anonymous (not verified) said:

November 16, 2015

Permalink

When i setup the facebook account it denies me with error that you entered wrong password please tell me which password it required

Anonymous (not verified) said:

November 18, 2015

Permalink

The enemies of privacy were quick to blame the Friday 13th Paris attacks on Snowden and "encrypted apps". Suspected war criminal and CIA Director John Brennan was particularly harsh.:

http://thehill.com/policy/national-security/260573-cia-director-attacks…
CIA director assails Snowden
Julian Hattem
18 Nov 2015

http://www.nytimes.com/2015/11/17/us/after-paris-attacks-cia-director-r…
After Paris Attacks, C.I.A. Director Rekindles Debate Over Surveillance
Scott Shane
16 Nov 2015

Editorialists from Glenn Greenwald to the Editorial Board of the NYT responded by debunking his unsubstantiated claims:

http://www.nytimes.com/2015/11/18/opinion/mass-surveillance-isnt-the-an…
Mass Surveillance Isn’t the Answer to Fighting Terrorism
THE EDITORIAL BOARD
17 Nov 2015

https://theintercept.com/2015/11/15/exploiting-emotions-about-paris-to-…
Exploiting Emotions About Paris to Blame Snowden, Distract from Actual Culprits Who Empowered ISIS
Glenn Greenwald
15 Nov 2015

https://theintercept.com/2015/11/18/nyt-editorial-slams-disgraceful-cia…
NYT Editorial Slams “Disgraceful” CIA Exploitation of Paris Attacks, But Submissive Media Role Is Key
Glenn Greenwald
18 Nov 2015

Reporters pointed out that the credibility of CIA/NSA officials is crap, cast doubt upon the claims about encrypted terrorist communications, and highlighted the evidence that intelligence failures are due, not to encryption, but to agencies like CIA which time and time again have failed to use the information they already have:

https://theintercept.com/2015/11/17/u-s-mass-surveillance-has-no-record…
U.S. Mass Surveillance Has No Record of Thwarting Large Terror Attacks, Regardless of Snowden Leaks
Jenna McLaughlin
17 Nov 2015

Our enemies claimed, specifically, that the Paris attackers used encrypted chat features in Apple phones and/or Playstation gaming consoles:

http://arstechnica.com/gaming/2015/11/despite-what-the-papers-say-there…
There’s no evidence ISIS used PS4 to plan Paris attacks
Reporting is at best misinformed, at worst purposefully sensationalist.
Mark Walton (UK)
17 Nov 2015

The most recent reports from France describing a cell phone found at the scene and used by the alleged attackers, and the actual facts of the case appear to completely contradict John Brennan's claims, and to support what I just said about intelligence failures:

http://thehill.com/policy/cybersecurity/260596-report-paris-attackers-m…
Report: Paris attackers may have used unencrypted devices
Katie Bo Williams
18 Nov 2015

> Some unconfirmed reports indicate that one of the Paris terrorists’ mobile phone, recovered from a trash can near the site of the deadliest strike, appears to have been unencrypted. French media report that the phone contained a map of the concert hall where so many were victimized in the attacks and a chilling text message sent shortly after the first gunman entered the venue: “Let’s go, we’re starting.” According to Le Monde, the message was an SMS — a traditional text message sent over a wireless voice network.

Anonymous (not verified) said:

November 18, 2015

Permalink

when i try to connect to 'facebook chat' it says 'error not authorized' when i haven't even set a password? what should i do?

Anonymous (not verified) said:

November 19, 2015

Permalink

It wants me to pick from facebook messenger/gmail/yahoo etc.? I know that can't be right...

Anonymous (not verified) said:

November 22, 2015

Permalink

Hey Sukhbir,

Checked Tor application over PC, the project has good potential but there is more to be worked on. Currently I am working with an app development company I have delivered some good chat applications and would recommend you to look after user experience.
Also, would love to see Tor app over mobile platform in coming time.

Jeffrey
Mobiloitte

Anonymous (not verified) said:

November 23, 2015

Permalink

Crashes on Linux 32bit when main window is clicked on.
How can I see a log or output to see an error message?

Anonymous (not verified) said:

November 24, 2015

Permalink

> Thank you for the feedback. Most of these errors should be fixed in the upcoming release.

Thanks, sukhbir! I eagerly await the next release.

Don't let James Comey intimidate you into slowing your invaluable work on Messenger!

Anonymous (not verified) said:

November 28, 2015

Permalink

Would be awesome if you would invest the proper energy to make it work right with Google Talk!!!

Anonymous (not verified) said:

November 30, 2015

Permalink

> The foes of encryption have been quick to exploit the mid-November attacks in Paris.

The Tor community should prepare now for our response to the renewed slander on encryption in general and software like TM in particular which will surely follow the *next* terrorist incident. One thing we can stand ready to do is to try to educate reporters about how leading lights of the US Surveillance-Industrial state were quick to jump to incorrect conclusions just after the Friday 13th attacks (and the Charlie Hebdo attacks, and...):

> NYPD Police Commissioner Bill Bratton, former FBI Deputy Director Timothy Murphy, former NCTC Director Michael Leiter, and former CIA Deputy Director Michael Morrell have all claimed within the past 24 hours that "encrypted apps" explain why the French security services did not detect and break up pre-operational planning by the attackers. Morrell has been particularly insistent in several interviews in his insistence that the US political leadership should "revisit" the recent decision by President Obama not to ban outright "unauthorized encryption".

Further evidence that John Brennan, Bill Bratton, Michael Leiter, Michael Morrell and all the other "experts" were wrong as wrong can be has now emerged. WSJ reporters have published an account of how the attackers actually proceeded:

http://www.wsj.com/articles/paris-attacks-plot-was-hatched-in-plain-sig…
Paris Attacks Plot Was Hatched in Plain Sight
Stacy Meichtry and Joshua Robinson
27 Nov 2015

> The account emerging from French officials, witnesses and those who interacted with the suspected terrorists shows how the operation hinged on Mr. Abaaoud’s ability to use the tools of everyday modern life to lay the groundwork for the massacre....The array of car rentals, cellphones and online lodging reservations allowed Mr. Abaaoud to organize his militants as separate cells to ensure the plot wouldn’t unravel if one of the teams was compromised.

https://www.techdirt.com/articles/20151127/details-how-paris-attacks-we…
Details Of How The Paris Attacks Were Carried Out Show Little Effort By Attackers To Hide Themselves
Mike Masnick
30 Nov 2015

> On Friday, the Wall Street Journal's Stacy Meichtry and Joshua Robinson published an in-depth bit of reporting on the planning and operational setup of the Paris attackers, revealing a bunch of previously unknown details. The key thing, however, isn't just the total lack of anything that looks like sophisticated encryption, but the opposite. The attackers basically did nothing to hide themselves, communicating out in the open, booking houses and cars in their real names, despite some of them being on various terrorist watch lists. It discusses how Brahim Abdeslam booked a house using an online website (Homelidays -- a French service that is similar to Airbnb, though it predates Airbnb by a lot), using his own name. So did his brother, Salah Abdeslam, who booked a hotel for a bunch of the attackers (using his real name) on Booking.com.
> ...
> The piece mentions, as we noted earlier, that the attackers appeared to communicate via unencrypted SMS.... after Abaaoud shot up a restaurant, he went back to check out the aftermath of the attacks that he had helped put together -- and kept his mobile phone with him the whole time, making it easy to track his whereabouts...

So what the true narrative appears to suggest is that a concern for privacy and use of strong encryption indicates that one is-- for instance-- a climate change activist rather than a terrorist:

http://www.theguardian.com/environment/2015/nov/27/paris-climate-activi…
Paris climate activists put under house arrest using emergency laws
French police arrest activists for flouting ban on organising protests during climate talks next week
Arthur Neslen
27 Nov 2015

> At least 24 climate activists have been put under house arrest by French police, accused of flouting a ban on organising protests during next week’s Paris climate summit, the Guardian has learned. One legal adviser to the activists said many officers raided his Paris apartment and occupied three floors and a staircase in his block. French authorities did not respond to requests for comment but lawyers said that the warrants were issued under state of emergency laws, imposed after the terror attacks that killed 130 people earlier this month. The author and climate change campaigner, Naomi Klein, accused French authorities of “a gross abuse of power that risks turning the summit into a farce”.

Hello? M. Hollande? Protest is not terrorism. Get a grip, sir!

Anonymous (not verified) said:

December 01, 2015

Permalink

Is there any projected date for the next edition of TM yet?

It would be good if there were a HS protected site where anonymous users could paste in non-public bug reports.

We know from the Snowden leaks that NSA and GCHQ have a longstanding practice of exploiting unencrypted bug reports to

o target specific users with CNE (Computer Network Exploitation), i.e. malware attacking the unpatched flaw

o deduce information about the computer/LAN of specific users to target them with malware exploiting other unpatched flaws

Anonymous (not verified) said:

December 13, 2015

Permalink

Hi people, how does it defer from apps like Telegram which is supposed to be encrypted? I think a comparison could be nice, to other apps

Please advise. Thanks

Anonymous (not verified) said:

December 17, 2015

Permalink

Hi. have a trouble. when start the messenger the next error is: "The procedure entry point _vsnprintf_s could not be located in the dynamic link library msvcrt.dll". what should i do who knows? os -win XP

Anonymous (not verified) said:

December 21, 2015

Permalink

how can i receive a picture/file from another jabber?
trying to send a picture from chatsecure on android, jabber/otr/orbot to tormessenger on linux. thanks keep doing this you are awesome people.