Tor Messenger beta debuts, promises unlogged Jabber for all

Instant messages with onion breath to scare away the spooks


The Tor Project has launched what some say is the easiest-to-use encrypted chat tool for the truly paranoid.

The beta version of Tor Messenger, which routes conversations through the global Tor network, is the culmination of about two years' work and follows the launch of an Alpha version last February.

Tor Messenger is different from rival TorChat in that it works with Jabber and Adium IM protocols used by the likes of Facebook, Google, and Yahoo! but hides the Off-the-Record protocol and Tor routing complexity behind a simple GUI that won't boil the blood of regular net users.

Logging is switched off by default, which will frustrate law enforcement who often find a trove of evidence in digital chat trails.

"Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do," developer Sukhbir Singh proudly blogs.

"This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server, however, your route to the server will be hidden because you are communicating over Tor.

"Our current focus is security, robustness and user experience - we will be fixing bugs and releasing updates as appropriate, and in the future, we plan on pairing releases with Mozilla's Extended Support Release cycle."

The software is in beta and still requires comprehensive auditing. On the cards for future work are automatic updating, encrypted file transfer, and Off-the-Record support for Twitter direct messaging.

The client is available for Windows, 32- and 64-bit Linux, and Mac OS X.

Privacy wonks are urged to get in touch with the non-profit group with suggestions and any bug finds. One has already emerged and inflicted pain when your correspondent tried the tool under Windows 10. ®



Biting the hand that feeds IT © 1998–2022