Tor Messenger session, July 3, 2014

• Most of the discussion was centred around an introduction to the project for the unfamiliar. We touched on the choice of Instantbird as a base for the client, the IM protocols it supports and some of its current deficiencies, including lack of OTR (in development) and in-band XMPP account registration.

Some other questions that came up:

• Where can I get it? At the moment, you can’t, without building it yourself. In the future, it will be provided from the downloads page on torproject.org
• How will TorMessenger and TorBrowser interoperate? Will they detect each other running and share a control port? It’s still unsure, but to start, TorMessenger will ship its own tor, listening on a different port. If someone sends you a link, where will open? Again, to start, it won’t at all and you’ll be forced to manually paste it into the browser of your choice.
• A concern was raised about how to deal with verified fingerprints after authentication in OTR being stored on disk (as well as xmpp servers retaining rosters). Having these lists of all the people a client chatted with seems undesirable for anonymity. These considerations belong in a design document.
• Will there be verifiable deterministic builds? In the long term, yes, but in the beginning an effort will only be made to setup the infrastructure for testing and building, with the hope that some nice volunteer will come along and help out.
• How much logging to we want to disable? Just flip a preference or replace the logger altogether so it’s a no-op? This led to a broader discussion about the need to work closer with the TorBrowser team who already have a good handle on these types of questions.
• Will it be possible to disable forcing all connections through tor? If so, the client can be repurposed to fetch bridges from an (not yet existing) XMPP/OTR bridge distributor. It was suggested that an extension be developed in the same vain as meek to by-pass the proxy.