The Tor Project announced they will be building an anonymous instant messenger, according to documents shown at the Tor 2014 Winter Developers Meeting in Reykjavík, Iceland. Currently users can make use of the Tor Browser Bundle to better safeguard their online paper trail, so news of a secure messenger is very welcome. Abbreviated TIMB, the new bundle will be paired up with InstantBird, an instant messenger project dating back to 2007. The InstantBird messenger already has some privacy features built into the open-source client, so coupled with Tor, the software should have a good advantage over current offerings. The Tor developer team’s goal is to build encrypted off-the-record chatting into InstantBird, then bundle it into the existing launcher.
With experimental builds set to release March 31st, 2014, it will be some time before the public will be able to test this in action. A few months following the experimental builds, the actual bundle release will début. Interestingly enough, Pidgin was considered in place of InstantBird, but was not chosen as the backbone of the messaging client. However, talks are in the works to audit other IM clients to test their fortitude in locations where “communication for the purpose of activism is met with intimidation, violence, and prosecution.”
As Tor software gains features and popularity, more and more people are hopping on board to protect their privacy. Existing “unofficial” clients, such as TorChat and BitMessage, have large user bases, but with the new messaging service bundled into the easy-as-pie-to-install Tor Bundle, those numbers could very well decline. We will have to wait to see the adoption rate in the months to come. It is incredibly easy to download and install the Tor Bundle, so it’s merely a matter of choosing to safeguard yourself.
Most of the disclosed issues are with exit nodes, also known as exit relays, though running an exit node requires consent on the part of that individual. In reviewing this diagram, you’ll see where the clear transmission can occur between the exit node and Bob. It’s entirely possible that Bob’s information could come from a government-run exit node. Therefore, it’s highly important that you use HTTPS-secured traffic to reduce your attack surface. It’s important to educate yourself on best practices when using Tor software, so don’t assume that what you are doing is inherently safe. Running a Tor exit node is high risk, especially in countries where anonymity is more of a problem. Speculation also exists on the NSA’s ability to crack the Tor Project’s security. Much of the argument hinges on the NSA’s ability to crack the portion of Tor traffic that may still use 1024-bit encryption.
The Tor Project is a 2 million dollar per year non-profit organization, staffed by 30 developers across 12 countries. Interest is high in the project’s goals, including making the software easy to use. As said above, you still need to educate yourself on best practices to avoid issues going forward, in the same vein that you wouldn’t do online banking on an open WiFi network, regardless of how secure the connection to the website is. You must be proactive in taking extra steps beyond Tor for true effectiveness.
When used correctly, the Tor Project’s software is an invaluable asset to advocates of online privacy.