Tor Messenger FAQ

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.


  • Linux
    • Extract the bundle (tar xf tor-messenger-linux*) and then run ./start-tor-messenger.desktop
    • Some other script options:
        Tor Messenger Script Options
          --verbose         Display Tor and Instantbird output in the terminal
          --log [file]      Record Tor and Instantbird output in file (default: tor-messenger.log)
          --detach          Detach from terminal and run Tor Messenger in the background.
          --register-app    Register Tor Messenger as a desktop app for this user
          --unregister-app  Unregister Tor Messenger as a desktop app for this user
  • OS X
    • Copy the Tor Messenger application from the disk image to your local disk before running it.
  • Windows
    • Install Tor Messenger as you would install any other application.

Removing Tor Messenger/Uninstalling

On all platforms (Windows, OS X, Linux), removing the Tor Messenger directory/application will uninstall Tor Messenger. (Windows users: we do not modify the Registry.)

As of v0.2.0b2, OS X users will also need to remove the profile folder (TorMessenger-Data), which is found either next to the application bundle or in ~/Library/Application\ Support/, depending on where the application bundle is located.

Where are my OTR keys stored? / How can I preserve them across updates?

Note that, as of v0.2.0b2, Tor Messenger contains a secure updater, and the following steps are no longer necessary moving forward. However, if you're migrating from a previous release, they are still relevant.

  1. The two files you want to look for are otr.private_key and otr.fingerprints (leave the otr.instance_tags file alone). They are found in the profile directory. See the table below for the profile location for your version / platform.
  2. Move the aforementioned files (otr.private_key and otr.fingerprints) to a temporary location
  3. Remove the main Tor Messenger directory (or the application on OS X)
  4. Extract the latest beta
  5. Open the beta folder and copy the files you moved earlier to the path corresponding to your platform for the new version (again, consult the table below)

Note that this only preserves your OTR keys, and authenticated fingerprints. You will still need to recreate your accounts with the account wizard.

Profile locations


Linux
  v0.1.x  tor-messenger/Messenger/TorMessenger/Data/Browser/profile.default/
  v0.2.x  tor-messenger/Browser/TorBrowser/Data/Browser/profile.default/

Windows
  v0.1.x  Tor Messenger\Messenger\TorMessenger\Data\Browser\profile.default\
  v0.2.x  Tor Messenger\Browser\TorBrowser\Data\Browser\profile.default\

OS X
  v0.1.x  Tor[profile].default/
          Note that if you're doing this in Finder, you'll need to open the context menu and choose Show Package Contents to access directories nested under the app.
  v0.2.x  TorMessenger-Data/Browser/[profile].default/
          The root folder (TorMessenger-Data) is found either next to the application bundle or in ~/Library/Application\ Support/, depending on where the application bundle is located.


Tor Messenger does not use libpurple. We do not build or ship it as part of Tor Messenger. (Even for Instantbird, the default is to build without libpurple and it has to be explicitly enabled during the build.) All our transport protocols -- XMPP, Google Talk, IRC, etc. -- are written in JavaScript. Please see ticket #10937 for more information.


JavaScript certainly suffers from a somewhat undeservedly bad reputation. What users may not realize is that for just about every website they visit in a browser, they are served some JavaScript which the browser must download and run on their behalf. That's the literal equivalent of downloading and running an application, in the traditional way you'd think of it, for every website you see, with the added benefit that the browser can sandbox and run it with fewer privileges. And, occasionally, that JavaScript is attacker controlled. Given those conditions, other languages have fared just as poorly. Think about Java applets or Flash (admittedly, an ECMAScript dialect).

JavaScript itself is a memory managed language, which theoretically eliminates a certain class of exploits, the common pitfalls of C and C++. Further, Mozilla's JavaScript VM has been in production for quite some time and seen plenty of battle hardening. Tor Messenger is one application and it comes signed by a trusted source.


Tor Messenger uses the reference implementation of OTR, libotr. In order to interact with it from JavaScript, we have written a set of liberally licensed bindings, which we have open sourced here:

OTR is automatically enabled for one-to-one conversations (single contact) and the contact you are talking with should also have an OTR-enabled client. This is regardless of the protocol you use (IRC, XMPP, Google Talk, etc.)

Logging Disabled

There seems to be confusion over our decision to disable logging and what it actually means. We disable logging by default in Tor Messenger and no conversations are logged, encrypted or otherwise. Note that this does not mean that the other person cannot log your conversations; there is no way we can detect or prevent them from doing so and users should always be mindful of that.

In future releases, we will allow users to easily turn on logging if they desire since it seems to be a commonly requested feature.

Windows XP

We are aware of Tor Messenger not working on Windows XP. This is most likely an issue with the Windows cross-compilation. (We build Tor Messenger for Windows and OS X on Linux.) We are tracking this issue in bug #17469.


Facebook's XMPP gateway was deprecated in April 2015 and, as of February 2016, does not appear to work anymore. Support for Facebook was dropped starting in Tor Messenger 0.1.0b5.

Google Talk

Many Google Talk users are reporting issues connecting to their account with Tor Messenger. Using Tor with Google accounts has always been problematic and Tor Messenger is no exception. However, Google does address the issue head on (see How can I access my account from this computer?):

Summarizing the above link, here are the steps you need to undertake:

  1. Enable two-factor authentication (2FA) on your Google account. This step unfortunately requires a phone number that can receive a voice call or text (SMS).
  2. Generate an app password (see How to generate an App password on
  3. Now use the app password you generated in step 2 to connect Tor Messenger to your Google Talk account

Google Talk users should note that they can only talk to their contacts over OTR (encrypted chat) if the person they are talking with has an OTR-enabled client like Tor Messenger (or Pidgin, Adium). This is because OTR only works if the other person is also using it.


Tor Messenger 0.1.0b5 and up supports OTR conversations over Twitter DMs (direct messages). Simply configure your Twitter account with Tor Messenger and add the Twitter account you want as a contact. Any (direct) message you send to another Twitter contact will be over OTR provided both contacts are running Tor Messenger (or another client that supports Twitter DMs and OTR).


On August 5, 2016, legacy versions of Yahoo! Messenger were discontinued. Support for Yahoo! was dropped starting in Tor Messenger 0.3.0b1.

Cryptographic Protocols

As a start, we put effort into implementing OTR because it's a widely deployed protocol. However, we do recognize its shortcomings. After our 1.0, we will be exploring other protocols, including those that support the group setting, like np1sec, and those that support more modern use cases, like async, offline messaging, and multiple devices, such as OMEMO.

Mobile (Android, iOS)

We do not have plans for Tor Messenger for mobile currently but we recommend ChatSecure by the Guardian Project or Signal by Open Whisper Systems.

Using Tor Messenger with Tor Browser

Tor Messenger ships with its own instance of the Tor daemon (running on SOCKSPort 9152; ControlPort 9153), so it does not depend on Tor Browser. Since we are using different ports, you can run both applications together, but do note that this starts two Tor processes (one per application). We have plans to fix this in the future; please see the discussion on Tor Process Sharing.

How do I auto-join encrypted XMPP chats?

Setting this up is not very intuitive in Tor Messenger. It works just like in Instantbird:

  1. Click Tools > Accounts > choose your XMPP account Properties > Auto-Joined Channels

That should have a list of the rooms. The format should be,

conference.server/resource PASSWORD, conference.otherserver/resource

  2. Add the password after the server (where it says "PASSWORD" in the example above).

How do I add root certificates?

Importing root certificates to Tor Messenger will hide the warning that the root issuer is not trusted when connecting to an account on the server for the first time. This mostly happens when connecting to .onion servers.

Go to

Tools > Options > Advanced > Certificates

and choose Import to import a new certificate.

You should always make sure the certificate is trustworthy by comparing the fingerprints and/or GPG keys.

How do I connect to my XMPP server with its onion address?

When creating the XMPP account for domain clearweb with onion dotonion, input,

Username: username
Domain: clearweb

Then on the third screen (Advanced Options),

Click XMPP options, and scroll down a bit,

Server: dotonion

If you've already created the account, click

Properties > Advanced options

from the account menu.

How to verify the signature of Tor Messenger

For Tor Messenger releases, we do not sign all the individual files, but rather just one file which has the sha256sum checksums. This file is called sha256sums-signed-build.txt (starting with version 0.3.0b2).

To verify the integrity of the package(s) you download, start by downloading this file sha256sums-signed-build.txt and its signature sha256sums-signed-build.txt.asc. (You can find these files along with the other files on

Now start by verifying this file first:

  gpg --verify sha256sums-signed-build.txt.asc sha256sums-signed-build.txt

This should say:

gpg: Good signature from "Sukhbir Singh ..."

Next, run sha256sum $FILE, replacing $FILE with the file you are verifying the signature for. Assume $FILE to be tor-messenger-linux64-0.3.0b2_en-US.tar.xz in the example below:

  sha256sum tor-messenger-linux64-0.3.0b2_en-US.tar.xz

The hash in the output should match the entry for that file in sha256sums-signed-build.txt.
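
The two verification steps above combined into one script (an added example, not part of the original FAQ or the Tor Project's tooling). It also pins the signer's key fingerprint rather than relying on the "Good signature" text; SIGNER_FPR is a placeholder to fill in from a trusted source, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the Tor Project's own tooling.
# SIGNER_FPR is a placeholder: obtain the release signer's full primary-key
# fingerprint from a source you trust; this page does not list it.
SIGNER_FPR="REPLACE_WITH_40_HEX_DIGIT_FINGERPRINT"

# Step 1: the signature must be valid AND made by the expected key. "Good
# signature" alone is printed for any key in the keyring, so match the
# machine-readable VALIDSIG status line (last field: primary key fingerprint).
verify_sums_signature() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        awk -v fpr="$SIGNER_FPR" '$2 == "VALIDSIG" && $NF == fpr { ok = 1 }
                                  END { exit !ok }'
}

# Print the hash recorded for exactly this file name. Fails unless the name
# is listed exactly once. Assumes names without spaces, as in the releases.
expected_hash() {
    awk -v n="$2" '{ f = $2; sub(/^\*/, "", f) }
                   f == n { print $1; c++ }
                   END { exit (c != 1) }' "$1"
}

# Step 2: hash the download and compare it with the signed list's entry.
check_file() {
    want=$(expected_hash "$1" "$(basename "$2")") || return 1
    got=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$got" ]
}

# Both steps in the order the page gives them; fails closed on any error.
verify_release() {
    verify_sums_signature "$1" && check_file "$1" "$2"
}

# Usage: sh verify.sh sha256sums-signed-build.txt tor-messenger-linux64-0.3.0b2_en-US.tar.xz
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then echo "OK: $2"; else echo "FAILED: $2" >&2; exit 1; fi
fi
```

A file that is missing from the list, or listed more than once, is treated as a failure rather than skipped.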

Last modified on Jun 19, 2017, 8:04:55 PM