We are pleased to announce another public beta release of Tor Messenger. This release features a secure automatic updater and important security fixes to Instantbird. All users are highly encouraged to upgrade. Secure Updater This is the first release that contains ported patches from Tor Browser to securely update the application (#14388). Moving forward, Tor Messenger will prompt you when a new release is available, automatically download the update over Tor, and apply it upon restart. Keeping Tor Messenger up-to-date should now be seamless, painless, and secure. OS X Profile Directory In previous releases, Tor Messenger stored its profile directory inside the application bundle. This was a result of the Tor Messenger team building on the work done for Tor Browser. While normally straightforward, this caused some trouble with Mac users who said that there's a common expectation to be able to copy extracted applications to someone else's computer. This could lead to them unknowingly transferring accounts and OTR keys. Tor Browser has since switched courses and, in the 6.0 series, it now stores its profile in ~/Library/Application\ Support/TorBrowser-Data (#13252). With that change, we can now follow suit and store the Tor Messenger profile in ~/Library/Application\ Support/TorMessenger-Data (#13861). Windows and OS X bundles are now signed In past releases, users may have seen cumbersome and scary warnings that the Tor Messenger application is not signed by a known developer (#17452), and may not be trustworthy. We are now signing the Windows and OS X bundles with the Tor Browser developer keys. Google Summer of Code (GSoC) This summer, the Tor Messenger team participated in Google's Summer of Code program, mentoring a project by Vu Quoc Huy, titled "CONIKS for Tor Messenger" (#17961). CONIKS is a key management and verification system for end-to-end secure communication services, using a model called key transparency. In this model, our users' keys are managed in a publicly (and cryptographically) auditable yet privacy preserving key directory in order to provide stronger security and better usability. Although we hope to have a prototype deployed for testing in the near future, much work remains before we can consider turning it on in production. So far, we've produced an implementation of a CONIKS keyserver and several patches to Tor Messenger to support the additional logic and interface. This has been a collaboration between researchers Marcela Melara (CONIKS' project lead) from Princeton, Ismail Khoffi from EPFL, our student Huy, and the Tor Messenger team. We'd like to thank all who participated. Before upgrading, back up your OTR keys You will need to back up your OTR keys to preserve them across this upgrade. Please see the steps to back them up, or consider simply generating new ones after upgrading. Note that with the advent of the secure updater, this step will no longer be necessary in future releases. All profile data will be preserved upon automatic update, including accounts and OTR keys (#13861). Downloads Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety. Linux (32-bit) Linux (64-bit) Windows OS X (Mac) sha256sums.txt sha256sums.txt.asc The sha256sums.txt file containing hashes of the bundles is signed with the key 0xB01C8B006DA77FAA (fingerprint: E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint from the signing keys page on Tor Project's website. Changelog Here is the complete changelog since v0.1.0b6: Tor Messenger 0.2.0b2 -- September 06, 2016 Mac Bug 19269: Fix OS X file permissions Fix OS X profile when application is not placed in /Applications Tor Messenger 0.2.0b1 -- September 02, 2016 All Platforms Use the THUNDERBIRD_45_3_0_RELEASE tag on mozilla-esr45 Use the THUNDERBIRD_45_3_0_RELEASE tag on comm-esr45 Bug 19053: Display plaintext in notifications Bug 17363: Remove redundant Tor Messenger folders Bug 14388: Secure automatic updates for Tor Messenger Bug 13861: Preserve user profiles after updates Update libgcrypt to 1.6.6 for CVE-2016-6316 Update ctypes-otr to 0.0.2 Linux Bug 18634: Switch to building Tor Messenger on Debian Wheezy Mac Bug 13861: Profile directory stored in ~/Library/Application\ Support/TorMessenger-Data Bug 17460: Add graphics for OS X drag and drop to Applications Bug 17648: Fix update service error in error console Continue reading...
