|
[[TOC]]
|
|
|
|
|
|
|
|
= Tor Messenger FAQ =
|
|
|
|
|
|
|
|
Please note that **Tor Messenger is still in beta**. The purpose of this release is to help test the application and provide feedback. //'''At-risk users should not be depending on it for their privacy and safety.'''//
|
|
# Tor Messenger FAQ
|
|
|
|
|
|
== Installation ==
|
|
Please note that **Tor Messenger is still in beta**. The purpose of this release is to help test the application and provide feedback. //**At-risk users should not be depending on it for their privacy and safety.**//
|
|
|
|
|
|
|
|
## Installation
|
|
|
|
|
|
- Linux
|
|
- Linux
|
|
- Extract the bundle (`tar xf tor-messenger-linux*`) and then run `./start-tor-messenger.desktop`
|
|
- Extract the bundle (`tar xf tor-messenger-linux*`) and then run `./start-tor-messenger.desktop`
|
|
- Some other script options:
|
|
- Some other script options:
|
|
{{{
|
|
```
|
|
Tor Messenger Script Options
|
|
Tor Messenger Script Options
|
|
--verbose Display Tor and Instantbird output in the terminal
|
|
--verbose Display Tor and Instantbird output in the terminal
|
|
--log [file] Record Tor and Instantbird output in file (default: tor-messenger.log)
|
|
--log [file] Record Tor and Instantbird output in file (default: tor-messenger.log)
|
... | @@ -24,15 +24,15 @@ Please note that **Tor Messenger is still in beta**. The purpose of this release |
... | @@ -24,15 +24,15 @@ Please note that **Tor Messenger is still in beta**. The purpose of this release |
|
- Windows
|
|
- Windows
|
|
- Install Tor Messenger as you would install any other application.
|
|
- Install Tor Messenger as you would install any other application.
|
|
|
|
|
|
== Removing Tor Messenger/Uninstalling ==
|
|
## Removing Tor Messenger/Uninstalling
|
|
|
|
|
|
On all platforms (Windows, OS X, Linux), removing the Tor Messenger directory/application will uninstall Tor Messenger. (Windows users: we do not modify the Registry.)
|
|
On all platforms (Windows, OS X, Linux), removing the Tor Messenger directory/application will uninstall Tor Messenger. (Windows users: we do not modify the Registry.)
|
|
|
|
|
|
As of v0.2.0b2, OS X users will also need to remove the profile folder (`TorMessenger-Data`), which is either found next to application bundle, or in `~/Library/Application\ Support/`, depending on where the application bundle is located.
|
|
As of v0.2.0b2, OS X users will also need to remove the profile folder (`TorMessenger-Data`), which is either found next to application bundle, or in `~/Library/Application\ Support/`, depending on where the application bundle is located.
|
|
|
|
|
|
== Where are my OTR keys stored? / How can I preserve them across updates? ==
|
|
## Where are my OTR keys stored? / How can I preserve them across updates?
|
|
|
|
|
|
''Note that, as of v0.2.0b2, Tor Messenger contains a secure updater, and the following steps are no longer necessary moving forward. However, if you're migrating from a previous release, they are still relevant.''
|
|
_Note that, as of v0.2.0b2, Tor Messenger contains a secure updater, and the following steps are no longer necessary moving forward. However, if you're migrating from a previous release, they are still relevant._
|
|
|
|
|
|
1. The two files you want to look for are `otr.private_key` and `otr.fingerprints` (leave the `otr.instance_tags` file alone). They are found in the profile directory. See the table below for the profile location for your version / platform.
|
|
1. The two files you want to look for are `otr.private_key` and `otr.fingerprints` (leave the `otr.instance_tags` file alone). They are found in the profile directory. See the table below for the profile location for your version / platform.
|
|
1. Move the aforementioned files (`otr.private_key` and `otr.fingerprints`) to a temporary location
|
|
1. Move the aforementioned files (`otr.private_key` and `otr.fingerprints`) to a temporary location
|
... | @@ -42,39 +42,42 @@ As of v0.2.0b2, OS X users will also need to remove the profile folder (`TorMess |
... | @@ -42,39 +42,42 @@ As of v0.2.0b2, OS X users will also need to remove the profile folder (`TorMess |
|
|
|
|
|
Note that this only preserves your OTR keys, and authenticated fingerprints. You will still need to recreate your accounts with the account wizard.
|
|
Note that this only preserves your OTR keys, and authenticated fingerprints. You will still need to recreate your accounts with the account wizard.
|
|
|
|
|
|
==== Profile locations ====
|
|
#### Profile locations
|
|
|
|
|
|
{{{#!td rowspan=2
|
|
{{{#!td rowspan=2
|
|
Linux
|
|
Linux
|
|
}}}
|
|
```
|
|
|| v0.1.x || `tor-messenger/Messenger/TorMessenger/Data/Browser/profile.default/`
|
|
| v0.1.x | `tor-messenger/Messenger/TorMessenger/Data/Browser/profile.default/`
|
|
|| v0.2.x || `tor-messenger/Browser/TorBrowser/Data/Browser/profile.default/`
|
|
|--------|---------------------------------------------------------------------
|
|
|
|
| v0.2.x | `tor-messenger/Browser/TorBrowser/Data/Browser/profile.default/`
|
|
|-
|
|
|-
|
|
{{{#!td rowspan=2
|
|
```
|
|
Windows
|
|
Windows
|
|
}}}
|
|
```
|
|
|| v0.1.x || `Tor Messenger\Messenger\TorMessenger\Data\Browser\profile.default\`
|
|
| v0.1.x | `Tor Messenger\Messenger\TorMessenger\Data\Browser\profile.default\`
|
|
|| v0.2.x || `Tor Messenger\Browser\TorBrowser\Data\Browser\profile.default\`
|
|
|--------|---------------------------------------------------------------------
|
|
|
|
| v0.2.x | `Tor Messenger\Browser\TorBrowser\Data\Browser\profile.default\`
|
|
|-
|
|
|-
|
|
{{{#!td rowspan=2
|
|
```
|
|
macOS
|
|
macOS
|
|
}}}
|
|
```
|
|
|| v0.1.x || `Tor Messenger.app/Contents/TorMessenger/Data/Browser/[profile].default/` Note that if you're doing this in Finder, you'll need to open the context menu and choose Show Package Contents to access directories nested under the app.
|
|
| v0.1.x | `Tor Messenger.app/Contents/TorMessenger/Data/Browser/[profile].default/` Note that if you're doing this in Finder, you'll need to open the context menu and choose Show Package Contents to access directories nested under the app.
|
|
|| v0.2.x || `TorMessenger-Data/Browser/[profile].default/` The root folder (`TorMessenger-Data`), is either found next to application bundle, or in `~/Library/Application\ Support/`, depending on where the application bundle is located.
|
|
|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
|
|
|
| v0.2.x | `TorMessenger-Data/Browser/[profile].default/` The root folder (`TorMessenger-Data`), is either found next to application bundle, or in `~/Library/Application\ Support/`, depending on where the application bundle is located.
|
|
|
|
|
|
== libpurple ==
|
|
## libpurple
|
|
|
|
|
|
Tor Messenger does not use `libpurple`. We do not build or ship it as part of Tor Messenger. (Even for Instantbird, the default is to build without `libpurple` and it has to be explicitly enabled during the build.) All our transport protocols -- XMPP, Google Talk, IRC, etc. -- are written in JavaScript. Please see ticket #10937 for more information.
|
|
Tor Messenger does not use `libpurple`. We do not build or ship it as part of Tor Messenger. (Even for Instantbird, the default is to build without `libpurple` and it has to be explicitly enabled during the build.) All our transport protocols -- XMPP, Google Talk, IRC, etc. -- are written in JavaScript. Please see ticket #10937 for more information.
|
|
|
|
|
|
https://trac.torproject.org/projects/tor/ticket/10937
|
|
https://trac.torproject.org/projects/tor/ticket/10937
|
|
|
|
|
|
== JavaScript ==
|
|
## JavaScript
|
|
|
|
|
|
JavaScript certainly suffers from a somewhat undeservedly bad reputation. What users may not realize is that for just about every website they visit in a browser, they are served some JavaScript which the browser must download and run on their behalf. That's the literal equivalent of downloading and running an application, in the traditional way you'd think of it, for every website you see, with the added benefit that the browser can sandbox and run it with fewer privileges. And, occasionally, that JavaScript is attacker controlled. Given those conditions, other languages have faired just as poorly. Think about Java applets or Flash (admittedly, an ECMAScript dialect).
|
|
JavaScript certainly suffers from a somewhat undeservedly bad reputation. What users may not realize is that for just about every website they visit in a browser, they are served some JavaScript which the browser must download and run on their behalf. That's the literal equivalent of downloading and running an application, in the traditional way you'd think of it, for every website you see, with the added benefit that the browser can sandbox and run it with fewer privileges. And, occasionally, that JavaScript is attacker controlled. Given those conditions, other languages have faired just as poorly. Think about Java applets or Flash (admittedly, an ECMAScript dialect).
|
|
|
|
|
|
JavaScript itself is a memory managed language, which theoretically eliminates a certain class of exploits, the common pitfalls of C and C++. Further, Mozilla's JavaScript VM has been in production for quite some time and seen plenty of battle hardening. Tor Messenger is one application and it comes signed by a trusted source.
|
|
JavaScript itself is a memory managed language, which theoretically eliminates a certain class of exploits, the common pitfalls of C and C++. Further, Mozilla's JavaScript VM has been in production for quite some time and seen plenty of battle hardening. Tor Messenger is one application and it comes signed by a trusted source.
|
|
|
|
|
|
== OTR ==
|
|
## OTR
|
|
|
|
|
|
Tor Messenger uses the reference implementation of OTR, `libotr`. In order to interact with it from JavaScript, we have written a set of liberally licensed bindings, which we have open sourced here:
|
|
Tor Messenger uses the reference implementation of OTR, `libotr`. In order to interact with it from JavaScript, we have written a set of liberally licensed bindings, which we have open sourced here:
|
|
|
|
|
... | @@ -88,7 +91,7 @@ There seems to be confusion over our decision to disable logging and what it act |
... | @@ -88,7 +91,7 @@ There seems to be confusion over our decision to disable logging and what it act |
|
|
|
|
|
In future releases, we will allow users to easily turn on logging if they desire since it seems to be a commonly requested feature.
|
|
In future releases, we will allow users to easily turn on logging if they desire since it seems to be a commonly requested feature.
|
|
|
|
|
|
== Windows XP ==
|
|
## Windows XP
|
|
|
|
|
|
We are aware of Tor Messenger not working on Windows XP. This is most likely an issue with the Windows cross-compilation. (We build Tor Messenger for Windows and OS X on Linux.) We are tracking this issue in bug #17469.
|
|
We are aware of Tor Messenger not working on Windows XP. This is most likely an issue with the Windows cross-compilation. (We build Tor Messenger for Windows and OS X on Linux.) We are tracking this issue in bug #17469.
|
|
|
|
|
... | @@ -98,47 +101,47 @@ We are aware of Tor Messenger not working on Windows XP. This is most likely an |
... | @@ -98,47 +101,47 @@ We are aware of Tor Messenger not working on Windows XP. This is most likely an |
|
|
|
|
|
Facebook's XMPP gateway was deprecated in April 2015 and, as of February 2016, does not appear to work anymore. Support for Facebook was dropped starting in Tor Messenger 0.1.0b5.
|
|
Facebook's XMPP gateway was deprecated in April 2015 and, as of February 2016, does not appear to work anymore. Support for Facebook was dropped starting in Tor Messenger 0.1.0b5.
|
|
|
|
|
|
== Google Talk ==
|
|
## Google Talk
|
|
|
|
|
|
Many Google Talk users are reporting issues connecting to their account with Tor Messenger. Using Tor with Google accounts has always been problematic and Tor Messenger is no exception. However, Google does address the issue head on (see ''How can I access my account from this computer?''):
|
|
Many Google Talk users are reporting issues connecting to their account with Tor Messenger. Using Tor with Google accounts has always been problematic and Tor Messenger is no exception. However, Google does address the issue head on (see _How can I access my account from this computer?_):
|
|
|
|
|
|
https://support.google.com/accounts/answer/1745074
|
|
https://support.google.com/accounts/answer/1745074
|
|
|
|
|
|
Summarizing the above link, here are the steps you need to undertake:
|
|
Summarizing the above link, here are the steps you need to undertake:
|
|
|
|
|
|
1. Enable two-factor authentication (2FA) on your Google account. This step unfortunately requires a phone number that can receive a voice call or text (SMS).
|
|
1. Enable two-factor authentication (2FA) on your Google account. This step unfortunately requires a phone number that can receive a voice call or text (SMS).
|
|
1. Generate an app password (see ''How to generate an App password'' on https://support.google.com/accounts/answer/185833)
|
|
1. Generate an app password (see _How to generate an App password_ on https://support.google.com/accounts/answer/185833)
|
|
1. Now use the app password you generated in step 2 to connect Tor Messenger to your Google Talk account
|
|
1. Now use the app password you generated in step 2 to connect Tor Messenger to your Google Talk account
|
|
|
|
|
|
Google Talk users should note that they can only talk to their contacts over OTR (encrypted chat) if the person they are talking with has an OTR-enabled client like Tor Messenger (or Pidgin, Adium). This is because OTR only works if the other person is also using it.
|
|
Google Talk users should note that they can only talk to their contacts over OTR (encrypted chat) if the person they are talking with has an OTR-enabled client like Tor Messenger (or Pidgin, Adium). This is because OTR only works if the other person is also using it.
|
|
|
|
|
|
== Twitter ==
|
|
## Twitter
|
|
|
|
|
|
Tor Messenger 0.1.0b5 and up supports OTR conversations over Twitter DMs (direct messages). Simply configure your Twitter account with Tor Messenger and add the Twitter account you want as a contact. Any (direct) message you send to another Twitter contact will be over OTR provided both contacts are running Tor Messenger (or another client that supports Twitter DMs and OTR).
|
|
Tor Messenger 0.1.0b5 and up supports OTR conversations over Twitter DMs (direct messages). Simply configure your Twitter account with Tor Messenger and add the Twitter account you want as a contact. Any (direct) message you send to another Twitter contact will be over OTR provided both contacts are running Tor Messenger (or another client that supports Twitter DMs and OTR).
|
|
|
|
|
|
https://trac.torproject.org/projects/tor/ticket/13312
|
|
https://trac.torproject.org/projects/tor/ticket/13312
|
|
|
|
|
|
== Yahoo! ==
|
|
## Yahoo!
|
|
|
|
|
|
On August 5, 2016, legacy versions of Yahoo! Messenger were [https://web.archive.org/web/20160730080614/https://help.yahoo.com/kb/yahoo-messenger-for-web/SLN26860.html discontinued]. Support for Yahoo! was dropped starting in Tor Messenger 0.3.0b1.
|
|
On August 5, 2016, legacy versions of Yahoo! Messenger were [discontinued](https://web.archive.org/web/20160730080614/https://help.yahoo.com/kb/yahoo-messenger-for-web/SLN26860.html). Support for Yahoo! was dropped starting in Tor Messenger 0.3.0b1.
|
|
|
|
|
|
== Cryptographic Protocols ==
|
|
## Cryptographic Protocols
|
|
|
|
|
|
As a start, we put effort into implementing OTR because it's a widely deployed protocol. However, we do recognize its shortcomings. After our 1.0, we will be exploring other protocols, including those that support the group setting, like np1sec, and those that support more modern use cases, like async, offline messaging, and multiple devices, such as OMEMO.
|
|
As a start, we put effort into implementing OTR because it's a widely deployed protocol. However, we do recognize its shortcomings. After our 1.0, we will be exploring other protocols, including those that support the group setting, like np1sec, and those that support more modern use cases, like async, offline messaging, and multiple devices, such as OMEMO.
|
|
|
|
|
|
https://trac.torproject.org/projects/tor/ticket/17457
|
|
https://trac.torproject.org/projects/tor/ticket/17457
|
|
|
|
|
|
== Mobile (Android, iOS) ==
|
|
## Mobile (Android, iOS)
|
|
|
|
|
|
We do not have plans for Tor Messenger for mobile currently but we recommend ChatSecure by the Guardian Project or Signal by Open Whisper Systems.
|
|
We do not have plans for Tor Messenger for mobile currently but we recommend ChatSecure by the Guardian Project or Signal by Open Whisper Systems.
|
|
|
|
|
|
== Using Tor Messenger with Tor Browser ==
|
|
## Using Tor Messenger with Tor Browser
|
|
|
|
|
|
Tor Messenger ships with its own instance of the Tor daemon (running on SOCKSPort 9152; ControlPort 9153) so it does not depend on Tor Browser. Since we are using different ports, you can run both applications together but do note that this starts two Tor processes (one per application). We have plans to fix this in the future, please see the discussion on [https://trac.torproject.org/projects/tor/wiki/org/meetings/2015SummerDevMeeting/TorProcessShare Tor Process Sharing].
|
|
Tor Messenger ships with its own instance of the Tor daemon (running on SOCKSPort 9152; ControlPort 9153) so it does not depend on Tor Browser. Since we are using different ports, you can run both applications together but do note that this starts two Tor processes (one per application). We have plans to fix this in the future, please see the discussion on [Tor Process Sharing](https://trac.torproject.org/projects/tor/wiki/org/meetings/2015SummerDevMeeting/TorProcessShare).
|
|
|
|
|
|
https://trac.torproject.org/projects/tor/ticket/10950
|
|
https://trac.torproject.org/projects/tor/ticket/10950
|
|
|
|
|
|
== How do I auto-join encrypted XMPP chats? ==
|
|
## How do I auto-join encrypted XMPP chats?
|
|
|
|
|
|
Setting this up is not very intuitive in Tor Messenger. It works just like in Instantbird:
|
|
Setting this up is not very intuitive in Tor Messenger. It works just like in Instantbird:
|
|
|
|
|
... | @@ -150,7 +153,7 @@ Setting this up is not very intuitive in Tor Messenger. It works just like in In |
... | @@ -150,7 +153,7 @@ Setting this up is not very intuitive in Tor Messenger. It works just like in In |
|
|
|
|
|
2. Add the password after the server (where it says "PASSWORD" in the example above).
|
|
2. Add the password after the server (where it says "PASSWORD" in the example above).
|
|
|
|
|
|
== How do I add root certificates? ==
|
|
## How do I add root certificates?
|
|
|
|
|
|
Importing root certificates to Tor Messenger will hide the warning that the root issuer is not trusted when connecting to an account on the server for the first time. This mostly happens when connecting to .onion servers.
|
|
Importing root certificates to Tor Messenger will hide the warning that the root issuer is not trusted when connecting to an account on the server for the first time. This mostly happens when connecting to .onion servers.
|
|
|
|
|
... | @@ -162,22 +165,22 @@ and choose `Import` to import a new certificate. |
... | @@ -162,22 +165,22 @@ and choose `Import` to import a new certificate. |
|
|
|
|
|
You should always make sure the certificate is trustworthy by comparing the fingerprints and/or GPG keys.
|
|
You should always make sure the certificate is trustworthy by comparing the fingerprints and/or GPG keys.
|
|
|
|
|
|
== How do I connect to my XMPP server with its onion address? ==
|
|
## How do I connect to my XMPP server with its onion address?
|
|
|
|
|
|
When creating the XMPP account for domain `clearweb` with onion `dotonion`, input,
|
|
When creating the XMPP account for domain `clearweb` with onion `dotonion`, input,
|
|
|
|
|
|
{{{
|
|
```
|
|
Username: username
|
|
Username: username
|
|
Domain: clearweb
|
|
Domain: clearweb
|
|
}}}
|
|
```
|
|
|
|
|
|
Then on the third screen (Advanced Options),
|
|
Then on the third screen (Advanced Options),
|
|
|
|
|
|
Click XMPP options, and scroll down a bit,
|
|
Click XMPP options, and scroll down a bit,
|
|
|
|
|
|
{{{
|
|
```
|
|
Server: dotonion
|
|
Server: dotonion
|
|
}}}
|
|
```
|
|
|
|
|
|
If you've already created the account, click
|
|
If you've already created the account, click
|
|
|
|
|
... | @@ -185,7 +188,7 @@ Properties > Advanced options |
... | @@ -185,7 +188,7 @@ Properties > Advanced options |
|
|
|
|
|
from the account menu.
|
|
from the account menu.
|
|
|
|
|
|
== How to verify the signature of Tor Messenger ==
|
|
## How to verify the signature of Tor Messenger
|
|
|
|
|
|
For Tor Messenger releases, we do not sign all the individual files, but rather just one file which has the `sha256sum` checksums. This file is called `sha256sums-signed-build.txt` (starting with version 0.3.0b2).
|
|
For Tor Messenger releases, we do not sign all the individual files, but rather just one file which has the `sha256sum` checksums. This file is called `sha256sums-signed-build.txt` (starting with version 0.3.0b2).
|
|
|
|
|
... | @@ -193,22 +196,22 @@ To verify the integrity of the package(s) you download, start by downloading thi |
... | @@ -193,22 +196,22 @@ To verify the integrity of the package(s) you download, start by downloading thi |
|
|
|
|
|
Now start by verifying this file first:
|
|
Now start by verifying this file first:
|
|
|
|
|
|
{{{
|
|
```
|
|
gpg --verify sha256sums-signed-build.txt.asc sha256sums-signed-build.txt
|
|
gpg --verify sha256sums-signed-build.txt.asc sha256sums-signed-build.txt
|
|
}}}
|
|
```
|
|
|
|
|
|
This should say:
|
|
This should say:
|
|
|
|
|
|
{{{
|
|
```
|
|
...
|
|
...
|
|
gpg: Good signature from "Sukhbir Singh ..."
|
|
gpg: Good signature from "Sukhbir Singh ..."
|
|
...
|
|
...
|
|
}}}
|
|
```
|
|
|
|
|
|
Next, run `sha256sum $FILE`, replacing `$FILE` with the file you are verifying the signature for. Assume `$FILE` to be `tor-messenger-linux64-0.3.0b2_en-US.tar.xz` in the example below:
|
|
Next, run `sha256sum $FILE`, replacing `$FILE` with the file you are verifying the signature for. Assume `$FILE` to be `tor-messenger-linux64-0.3.0b2_en-US.tar.xz` in the example below:
|
|
|
|
|
|
{{{
|
|
```
|
|
sha256sum tor-messenger-linux64-0.3.0b2_en-US.tar.xz
|
|
sha256sum tor-messenger-linux64-0.3.0b2_en-US.tar.xz
|
|
}}}
|
|
```
|
|
|
|
|
|
The output of this should match the corresponding output of the file in `sha256sums-signed-build.txt`. |
|
The output of this should match the corresponding output of the file in `sha256sums-signed-build.txt`. |
|
|
|
\ No newline at end of file |