Slashdot Mirror


Tor Winds Down Its Encrypted Messenger App 3 Years After Launch (venturebeat.com)

The Tor Project has announced that it's winding down its privacy-focused Tor Messenger chat program, nearly three years after its beta debut. From a report: Tor, an acronym of "The Onion Router," is better known for its privacy-focused browser that directs traffic through a volunteer-run network of relays to prevent any untoward eavesdropping on users' online activity. Indeed, the Tor Browser is often used by activists, whistleblowers, and anyone wishing to remain anonymous, and major companies -- such as Facebook -- have embraced Tor over the years.

The people behind the anonymity network started working on Tor Messenger in early 2014, launched it in alpha a year later, before rolling out the beta version in October 2015, where it has remained since -- though there have been more than 10 separate beta releases. [...] In terms of why Tor Messenger is being sunsetted, well, there are a number of reasons. Arguably the most important of the reasons is that uptake wasn't quite where Tor wanted it to be at to justify working on it, while it also realized that it wasn't the perfect private messaging client due to its metadata problem.

21 comments

  1. metadata? by Anonymous Coward · · Score: 0

    What is the "metadata problem"? The article has no info about it.

    1. Re:metadata? by Anonymous Coward · · Score: 0

      I'd imagine the full download of the blockchain to get started would be a pretty big problem for any mobile use. I tried to use it, but it took a couple of days over my (then) slow connection.

    2. Re:metadata? by Kjella · · Score: 3, Insightful

      What is the "metadata problem"? The article has no info about it.

      Well it said:

      although the sender's IP address was concealed, some metadata could still be logged by the server, including contacts and details around when and how often two people communicated.

      Sounds like the classic issues if you have all the clients connect to a server to find each other. The alternative though is that every user has to run their own hidden service, which has a whole lot of other threats even if there's no centralized metadata storage.

I'm thinking there should probably be some way to avoid that using a rolling shared secret. Like say my "permanent" identity is "Kjella", but my rolling identity is sha256("Kjella" + date + secret) which is shared with my contacts but not the server. At the server it looks like every day a new identity goes online, with a new message history. That would stop any meaningful metadata collection pretty much dead in its tracks.

      --
      Live today, because you never know what tomorrow brings
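Worked example of the rolling-identity scheme sketched above (added here; not code from the thread or from any Tor project). It assumes HMAC-SHA256 keyed with the shared secret over "identity|YYYY-MM-DD" in place of the sketch's plain sha256("Kjella" + date + secret): the keyed construction with a separator is a standard way to avoid ambiguous concatenation, and it preserves the property the comment wants. The names, the secret and the seven-day log are constructed sample values.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample values: the thread names only "Kjella" and a "secret".
PERMANENT_ID = "Kjella"
SHARED_SECRET = b"constructed-example-secret"  # handed to contacts out of band, never to the server


def rolling_identity(permanent_id, day, secret):
    """Pseudonym used by `permanent_id` on `day`.

    Assumption (not from the thread): HMAC-SHA256 keyed with the shared
    secret over "identity|YYYY-MM-DD" stands in for the sketched
    sha256("Kjella" + date + secret).
    """
    msg = f"{permanent_id}|{day.isoformat()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def daily_logins(permanent_id, start, days, secret):
    """What the directory server logs: one (day, pseudonym) row per day online."""
    rows = []
    for i in range(days):
        day = start + timedelta(days=i)
        rows.append((day, rolling_identity(permanent_id, day, secret)))
    return rows


def static_logins(permanent_id, start, days):
    """Baseline without rotation: the same identity is logged every day."""
    return [(start + timedelta(days=i), permanent_id) for i in range(days)]


def longest_history(log):
    """Longest per-pseudonym history the server can reconstruct from its log.

    With daily rotation every pseudonym appears on exactly one day, so the
    server cannot string days together into a per-user timeline.
    """
    seen = {}
    for day, pseudonym in log:
        seen.setdefault(pseudonym, []).append(day)
    return max(len(days) for days in seen.values())


def contact_finds(permanent_id, day, secret, log):
    """A contact recomputes today's pseudonym with the secret and looks it up."""
    return rolling_identity(permanent_id, day, secret) in {p for _, p in log}


if __name__ == "__main__":
    start = date(2018, 4, 1)
    log = daily_logins(PERMANENT_ID, start, 7, SHARED_SECRET)
    print("rotating: longest history the server can build =", longest_history(log))
    print("static:   longest history the server can build =",
          longest_history(static_logins(PERMANENT_ID, start, 7)))
    print("contact with secret finds Kjella:", contact_finds(PERMANENT_ID, start + timedelta(days=2), SHARED_SECRET, log))
    print("party without secret finds Kjella:", contact_finds(PERMANENT_ID, start + timedelta(days=2), b"wrong", log))
```

Two caveats the sketch leaves open: the secret has to reach each contact over some channel the server does not see, and the server still observes the timing and frequency of connections even when it cannot name who is connecting, so rotation hides the long-term identity rather than all metadata.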
    3. Re:metadata? by Anonymous Coward · · Score: 0

      The alternative though is that every user has to run their own hidden service, which has a whole lot of other threats

      You imply here threats not equally applicable to the central phonebook server configuration. Please elaborate.

    4. Re:metadata? by Kjella · · Score: 1

      You imply here threats not equally applicable to the central phonebook server configuration. Please elaborate.

You're running a service, unless it's got 24x7 uptime it starts revealing metadata on when you're online. This could potentially also be used maliciously, drop/delay traffic to your IP and see what TOR service stops/responds slowly. And then there's the whole announcement mechanism to say here I am, which they recently upgraded from v2 to v3. There's a lot of effort made on trying to unmask hidden services. A client polling a server would be more like using TorBrowser, if you can compromise that you've essentially broken all of Tor, while hidden services are just one little bit that many people don't use and most certainly don't run.

      --
      Live today, because you never know what tomorrow brings
  2. vs tor+gpg+smtp+customdns? by Anonymous Coward · · Score: 0

I wonder if anyone can explain the difference in security fundamentals between whatever this was, and using gpg encrypted emails over tor? Own smtp/imap/dns servers/services running on every peer?

  3. Re:Tor went pro-woman, lost male developers by Anonymous Coward · · Score: 0, Insightful

If those "male" developers were bitter, angry, pathetic, misogynistic pigs like you, then nothing of value was lost.

  4. Are the alternatives already good enough? by Mean+Variance · · Score: 2

    Is this a loss of a person to person messaging platform that was more secure or anonymous than current options like Signal, Telegram, Cyph or something else?

    Mostly out of curiosity I have tried to make sense of the pros and cons of these and don't see a clear winner. For some reason, Cyph looks like the most secure and anonymous from the endpoints of where the encryption occurs (at the browser), but I'm admittedly naive.

    1. Re:Are the alternatives already good enough? by Anonymous Coward · · Score: 0

      Tox, although it's bandwidth intensive relatively speaking.

  5. It was based on a Standalone Mozilla Engine... by Anonymous Coward · · Score: 0

    So the metadata leakage was likely as much due to the browser engine it was based off as the XMPP platform it was using.

    Having said that: You are just as well off using Pidgin, Conversations, Ekiga, etc as you were using the TorBirdy Messenger platform.

  6. Honeypot not metadata by Anonymous Coward · · Score: 0

Tor was compromised a long time ago, the exit nodes are run by governments, and the organization itself made design decisions that indicated a compromised company.

e.g. the entry nodes are publicly listed, and 'obfuscation nodes' are sent via Gmail... so people were supposed to purposely route their tor traffic to a fixed IP 'obfuscation' address provided by an email provider that tracks everything and matches them to real ids, and even has a data feed to the NSA (which itself now has a backfeed to the FSB).

    'Metadata' here is the excuse not the reason. The reason is simply that nobody thinks Tor is secure.

All that effort to create a secure way for dissidents to protest safely in places like Russia, and look where we are now.

    1. Re:Honeypot not metadata by Anonymous Coward · · Score: 0

      Obviously the IP addresses of the relays you use to connect to the network, must be accessible to each user of the network.

      Tor gives you both options: you can connect to one of the publicly listed relays, or you can jump through a bunch of hoops to obtain the address of a less-public bridge. Or you can set up a completely private bridge and share it with your friends. None of these are ideal, but nobody's found a better option.

      So I'm curious to hear what you think an "uncompromised" developer would be doing differently in this situation.

7. There are alternatives by jarle.aase · · Score: 1

    Unlike the open Internet, Tor makes it easy to create real peer to peer messaging clients. All Tor nodes can create hidden services that are instantly accessible to anyone. Using a true peer to peer architecture, without hubs, there is no meta-data lying around, except on the peers themselves.

    Tor Chat (which now seems dead) pioneered this approach. Ricochet is an alternative that is actively maintained.

    I am working on a project to bring another peer to peer instant messenger to the onion party. I believe it matters to be able to communicate privately. I believe that it matters a lot.

  8. Re:Tor went pro-woman, lost male developers by Anonymous Coward · · Score: 0

>If those "male" developers were bitter, angry, pathetic, misogynistic pigs like you, then nothing of value was lost.

    Except, you know, their labour and their force of will.

    Hint: it's men who build OSS for the love of it, not cunts (who only love what others can do for them)

    (Note: young girls can love men, but you pieces of shit banned men from taking them as brides)

  9. Doesn't using TOR just shout "I'M A CRIMINAL"??? by Anonymous Coward · · Score: 0

I know someone who knows someone at a state judicial level and supposedly whenever someone uses TOR, alarms start blaring and that specific TOR user becomes a target because they are obviously trying to hide from law enforcement so therefore they are a criminal and/or terrorist. You get put on a list. If you should get arrested, having that "ding" on your record (using TOR) is almost like an admission of guilt.

    Yes, yes, I know the standard cry of "TOR is meant to protect battered women" but everyone is guilty of being a criminal just by usage.

  10. running services by Anonymous Coward · · Score: 0

while hidden services are just one little bit that many people don't use and most certainly don't run.

Why have it in the first place? Rhetorical question. Ask yourself if it is critical that there are zero bugs in those codepaths. Excuses are irrelevant. If you can't trust the most critical components of a system, the system is not trustworthy.

  11. switches have threat surface too by Anonymous Coward · · Score: 0

    Unlike the open Internet, Tor makes it easy to create real peer to peer messaging clients. All Tor nodes can create hidden services that are instantly accessible to anyone.

    I don't buy it. Anyone with cooperation of the ISPs can see these 'hidden' networks. Or block them.

    I go with that other comment that characterizes tor as a honeypot. I won't spell out the nuance of the logic that leads to that conclusion, but like Tor(tm) data routes, the nuance is not hidden to those with eyes to see.

  12. no by Anonymous Coward · · Score: 0

define 'almost like admission of guilt'. I smell disingenuity expressed through near hyperbolic exaggeration.

    There are some who believe that neither your librarian, nor your cable television company (aka internet provider) ought to be able to read your reading material over your shoulder, let alone record it with minute accuracy and sell it to the highest bidder.

  13. Instant messaging is dead. by Rexdude · · Score: 1

    Whatsapp and FB Messenger killed it. You can scream about XMPP and secure apps like this or Signal all you want, they are utterly useless unless the people you communicate with also switch to them. Network effect's a party pooper. Unless you exclusively hang out with security researchers, no one's going to bother.

    --
    "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."