The Tor Project announced today plans to discontinue Tor Messenger, the organization’s security-hardened instant messaging application.
Tor developers cited a multitude of reasons for their decision, all of which appear valid in hindsight.
Tor Messenger launched in late 2015
The Tor Project launched Tor Messenger in October 2015 as an alternative to the multitude of IM clients that were available on the market at the time.
The main attraction was that Tor Messenger would ship with Off-the-Record (OTR) Messaging enabled by default and would exchange all messages via the Tor network. In layman's terms, this meant that all messages would be automatically encrypted and travel over a secure network like Tor, keeping private conversations safe from prying eyes.
At the time of launch, Tor developers admitted that Tor Messenger wasn’t 100% secure, as it was still built on a client-server architecture that allowed servers to log IM metadata, even if the server wasn’t able to view the content of the messages.
Back then, the Tor team said they were looking into alternatives to this flawed architectural model, which would arrive in future versions.
Tor team encountered problem after problem
But eleven beta versions later, Tor Messenger development ground to a halt, and the Tor team didn’t manage to ship even a single stable version.
Probably the biggest issue that led Tor developers to drop Tor Messenger was that Mozilla stopped working on Instantbird, the IM client at the base of Tor Messenger.
While Mozilla chose to integrate Instantbird’s chat features into Thunderbird, the Tor team didn’t have the resources to continue the development of a separate IM client or rebase Tor Messenger on anything else.
Even if it could have extracted the chat features from the Thunderbird codebase, Tor devs would still have needed a GUI component for their IM client, something they didn’t have the resources to cover.
But this wasn’t the only issue. Tor developers also weren’t able to address the client-server architecture problem they promised to fix. This meant servers would still be able to log metadata about messages sent between Tor Messenger clients.
All of this was only exacerbated by the fact that funds were never plentiful for the development team.
“Even after all the releases, Tor Messenger was still in beta, and we had never completed an external audit (there were two internal audits by Tor developers),” the Tor Project said today. “We were also ignoring user requests for features and bug reports due to the limited resources we could allocate to the project.”
“Given these circumstances, we decided it’s best to discontinue rather than ship an incomplete product,” Tor devs said. “If you still really need XMPP, despite its centralized metadata problems, check out CoyIM.”