The popular non-profit organisation, Tor Project, took to its blog to announce that it is shutting down Tor Messenger.
Tor Messenger is a cross-platform chat app geared at communication and was first introduced in 2015. The company aimed that all the conversations that take place on the messenger would be secured by directing the traffic over the Tor network. It also planned to use encrypted “one-to-one conversation” by adding and using the OTR (Off-the-Record) messaging.
In addition to the privacy aspect of the Tor Messenger, Tor also wanted to make sure that the chat app supported a number of networks and protocols ranging from Jabber (XMPP), IRC, Google Talk, Facebook as well as Twitter, packing all this in an easy-to-use graphical interface while taking care of the privacy and security settings automatically without much inputs from the user.
At its launch, The Tor Project tried to clarify the limitations of such an app by adding that it was meant to allow communication on existing social networks instead of making a dedicated chat platform that was different from all the existing messaging platforms.
The advantage that Tor Messenger held over other chat clients was the fact that even though servers could log the metadata of users because of the client-server model, the route to the server would still be undisclosed because of the presence of Tor network. The communication would itself be encrypted using OTR messaging. In the blog post, the organisation highlighted three main reasons for shutting down the development of the Messenger.
The first problem was that Tor Messenger was based on Instantbird where Tor developers could sit back and check the changes in the app to refine security and privacy without worrying about other aspects of the app. The original developers working on Instantbird have stopped maintaining the app and while Tor developers can still port the chat features to the Tor Messenger, the UI itself is no longer being developed.
The second issue was that Tor Messenger had a ‘centralised client-server’ model making it vulnerable to metadata leaks without any solution on mitigating the risk. Possible leaks could reveal information on the participants of conversations and the social graphs without revealing any actual data. The leak would be enough for anyone to work out the pattern of the communications including who your friends are, how much and when you talk to your friends.
Last but not the least, the team highlighted the increasingly limited resources working on the project. Developers did not complete any external audit and ignored user requests and bug reports because of lack of workforce behind the Tor Messenger.
Considering this, it concluded that it would be best to discontinue rather than ship something that is incomplete.