The Tor Project, maker of the famous onion routing software that allows users to access the Internet anonymously, has released the first public beta of its cross-platform Tor Messenger service. The new messenger comes with strong built-in cryptography and a design that specifically defends against traffic analysis by routing its traffic over the Tor network. These features make Tor Messenger a seriously good option for anyone who cares strongly about digital privacy.
Tor Messenger works to obscure a user’s physical location and routing information by using Tor’s distributed network of relays. On top of this, it encrypts chat data using the open-source Off-the-Record (OTR) protocol. While Tor Messenger shares some similarities with other encrypted messenger apps such as Adium and Pidgin, it has a few specific features that make it stand out from the pack.
For the privacy-conscious Internet user, Tor Messenger will instantly bring a sense of increased safety because of its complete lack of chat logs. This feature means that, no matter what gets said in a conversation, users do not need to worry about records being available for subsequent access. It also saves users from having to delete chat logs individually afterward to make sure that they are not retrievable by somebody at a later date.
Secondly, Tor Messenger will not, by default, allow users to communicate with anyone who lacks support for the OTR cryptographic protocol. This feature can be disabled if necessary, leaving users with only the onion network’s anonymizing relay system if desired.
Tor Messenger is easy to download and set up, and will run on whichever platform you use: Linux (32-bit), Linux (64-bit), Windows, or OS X. Tor Messenger also supports most current chat protocols (Facebook, Yahoo, Google Gchat, Twitter, IRC, and all XMPP format chats), which means that you will be able to get it up and running with any of your previous accounts. One thing worth noting is that if you are downloading Tor Messenger for OS X, you will need to go into your System Preferences and explicitly allow Tor Messenger, as it is not trusted by Apple’s Gatekeeper.
If you do not have a previous account but want to use Tor Messenger, you are advised to register for an XMPP account at the Calyx Institute website. Remember that if you decide on this course of action you will need to sign up for a server. There are a vast number of servers available, so be sure to choose one with an A rating, such as jabber.de.
Although Instantbird, the chat client on which Tor Messenger is built, lacks OTR support, this particular requirement has been coded into Tor Messenger by its developers, a feature that they intend to ‘upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.’
After Tor Messenger has been downloaded and installed on your system, any contacts from your previous messenger account should appear right away. However, as OTR is enabled by default, Tor Messenger will not allow you to start a conversation with any previous contacts that lack the secure protocol. If you do wish to chat to these contacts, you will need to disable OTR right away.
When you begin a conversation in Tor Messenger, you will always be asked to verify your contact’s OTR fingerprint. This is vital in order to corroborate that your contact is indeed who they claim to be. OTR fingerprints are (and should be) public, and the verification process must always be done by both parties in a conversation so that each can confirm the other’s identity. This process allows users to be sure that there is no man-in-the-middle, affirming that the chat is secure and is not being intercepted by any unwanted third party.
Whereas in other encrypted messenger apps key verification is done manually and by eye, Tor Messenger gets around this laborious process with something called ‘Shared Secret’. Shared Secret allows users to set up a pre-agreed password that can be used to verify OTR fingerprints, thus ridding users of the tiresome procedure of having to painstakingly check a long string of random characters. Do not forget, of course, that to be sure of privacy, the ‘shared secret’ should be communicated via some other form of private contact, lest the entire process be compromised at that stage.
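Why a typed password can stand in for comparing fingerprints by eye: OTR's shared-secret check is the Socialist Millionaires' Protocol, and the value each side compares hashes both fingerprints together with the password. The sketch below is an added example, not Tor Messenger or libotr code. It runs both sides in one process, uses a stand-in modulus instead of OTR's 1536-bit group, and omits the zero-knowledge proofs real messages carry; the function names, fingerprints and session id are constructed.

```python
import hashlib
import secrets

P = 2**255 - 19   # stand-in prime modulus (assumption); OTR uses a 1536-bit group
G = 2

def smp_input(init_fp, resp_fp, session_id, secret):
    """Value each side feeds into the comparison: fingerprints + session + secret."""
    data = (b"\x01" + bytes.fromhex(init_fp) + bytes.fromhex(resp_fp)
            + session_id + secret.encode())
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rand_exp():
    return secrets.randbelow(P - 2) + 1

def smp_match(x, y):
    """Both sides of the exchange in one process; True only when x == y."""
    # Message 1, Alice -> Bob: two Diffie-Hellman shares.
    a2, a3 = rand_exp(), rand_exp()
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)
    # Message 2, Bob -> Alice: his shares plus his secret y blinded by r.
    b2, b3, r = rand_exp(), rand_exp(), rand_exp()
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)
    g2, g3 = pow(g2a, b2, P), pow(g3a, b3, P)
    pb, qb = pow(g3, r, P), pow(G, r, P) * pow(g2, y, P) % P
    # Message 3, Alice -> Bob: her secret x blinded by s, plus Ra.
    s = rand_exp()
    g2, g3 = pow(g2b, a2, P), pow(g3b, a3, P)   # same values Bob derived
    pa, qa = pow(g3, s, P), pow(G, s, P) * pow(g2, x, P) % P
    q_ratio = qa * pow(qb, -1, P) % P
    ra = pow(q_ratio, a3, P)
    # Bob's check: (Qa/Qb)^(a3*b3) equals Pa/Pb only if the g2^(x-y) term vanishes.
    return pow(ra, b3, P) == pa * pow(pb, -1, P) % P

def verify(alice_view, bob_view, session_id, alice_secret, bob_secret):
    """Each view is (initiator_fp, responder_fp) as that party's client sees it."""
    x = smp_input(*alice_view, session_id, alice_secret)
    y = smp_input(*bob_view, session_id, bob_secret)
    return smp_match(x, y)

# Constructed sample values, not real keys or sessions.
ALICE_FP, BOB_FP, MITM_FP = "a1" * 20, "b2" * 20, "ee" * 20
SID = bytes(8)

if __name__ == "__main__":
    print(verify((ALICE_FP, BOB_FP), (ALICE_FP, BOB_FP), SID, "tea", "tea"))  # direct session
    print(verify((ALICE_FP, MITM_FP), (MITM_FP, BOB_FP), SID, "tea", "tea"))  # interposed key
```

With an interposed key, the two clients hash different fingerprint pairs, so the comparison fails even though both users typed the same password.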