

General Safety Advice[edit]

Recommended knowledge: Modes of Anonymity.

Note: Most existing instant messenger protocols are unsafe from a privacy point of view. This is not a Whonix specific problem. It is a general problem with instant messengers.

Tor Exit Node eavesdropping can happen if no encryption to the server is enabled. Some protocols have encryption disabled by default, some do not support encryption at all. See also Overview about Pidgin protocols and their encryption features[1]. If encryption to the server is enabled, the Tor Exit Node can no longer eavesdrop. This fixes one problem, however it also leaves another problem unresolved.

Even with encryption to the server enabled, the server could still gather interesting information. For example:

  • Account names
  • Buddy list (list of contacts)
  • Login dates and times
  • Timestamp of messages
  • Who communicates with whom
    • If the recipient knows the sender and the recipient uses a non-anonymous account or the recipient ever logged in without Tor, this can be used as a hint for determining who the sender is.
  • Content of messages - Can be prevented using end-to-end encryption. This is covered in OTR encryption below.

Jabber/XMPP is a server-federation-based protocol designed with openness in mind. Its security depends on you making good use of OTR as you can never be sure if servers are properly encrypted between each other. Privacy with Jabber is limited, as it is visible to various kinds of attackers who your account is talking to. Tor only helps to pseudonymize your account and hide your current location, but your social graph may still expose your identity. For a good operational security guide on chatting anonymously see The Intercept's article.

Systems which do not require a server by design, i.e. serverless instant messengers, are likely better from a privacy point of view. Such systems are #RetroShare and #Tox.

For IRC inside Whonix-Workstation, the Ident Protocol is automatically blocked because Whonix-Workstation is firewalled. The TorifyHOWTO/IrcSilc contains general IRC safety techniques and other tips.

Why prefer open protocols such as Jabber/XMPP over proprietary ones such as ICQ?

Ricochet IM[edit]

Ricochet IM[2] is a new successor of the unmaintained TorChat.

It is a portable P2P python chat application that does not save chat history. It relies on Tor onion services for creating identities. Its encryption and authentication properties are as strong as Tor's. No metadata is ever collected because it is server-less. An OTF sponsored audit in early 2016 found a few minor problems (since fixed).[3][4]

It is packaged in Debian backports. Whonix support is a work in progress.

Tor Messenger[edit]

Installation instructions.

(1) Go to https://trac.torproject.org/projects/tor/wiki/doc/TorMessenger#Downloads and download the Tor Messenger for Linux. Store it in /home/user/.

(2) Read https://www.torproject.org/docs/verifying-signatures.html.en and learn about gpg verification.

(3) Go to https://www.torproject.org/docs/signing-keys.html.en to get the gpg keys.

(4) Verify the Tor Messenger download.

(5) Go into /home/user/ with the file manager (Dolphin). (Dolphin -> View -> Show Hidden Files)

(6) If you still have the old version of Tor Messenger opened, close it.

(7) Rename your old /home/user/tor-messenger_en-US to something else.

(8) Extract the Tor Messenger. Right click on the downloaded archive -> extract -> extract archive here.

(9) Done.

(10) To start it, go to your /home/user/tor-messenger_en-US folder and double click start-tor-messenger. Or start it from a terminal.


For usage instructions refer to this guide.

Usage of Tor Messenger in Whonix should not differ from usage of Tor Messenger outside of Whonix. Already pre-configured for Stream Isolation, no manual settings changes required.

Forum discussion


RetroShare[edit]

RetroShare is not an anonymizing network, it is a friend-to-friend (F2F) network, or optionally a darknet. RetroShare has a very different audience and threat model.

RetroShare is in active development. Users can operate servers for themselves, but the architecture doesn't depend on them. Communications are encrypted end-to-end and provide for messaging, mail, forums, pubsub, file exchange and even telephony. The problems with RetroShare are the confused user interface, the necessity to have it run most of the time and contribute to the distributed hash table (DHT, causing continuous CPU usage) and three relevant privacy aspects: You expose your social graph to a global passive adversary because friends connect to friends directly. Your public IP is available in the DHT, allowing your physical location to be tracked. And your visible user name is exposed in the TLS certificate when somebody connects to your RetroShare node.

Several of these problems can be solved by disabling the built-in DHT and hiding RetroShare behind a Tor hidden service. People who scan Tor hidden services will however still be able to connect to the service and see the RetroShare user name in the self-signed certificate. This can be prevented by setting up Authenticated Hidden Services and limiting connections only to trusted people.

On November 4, 2014, RetroShare scored 6 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard. It lost a point because there has not been an independent code audit.[7] A recent audit by the pen-testing group Elttam uncovered many bugs in the code (some remotely exploitable) that were promptly fixed. The auditor's opinion was that RetroShare's codebase lacked secure coding practice.[8]

Running RetroShare through Tor enables you to do things which are normally potentially dangerous, such as adding random people (from a forum) while staying anonymous (for example, to join a RetroShare forum). This is not a recommendation, just a statement of what is possible. You can exchange your key on dedicated chat servers at: https://retroshare.rocks/

After adding tons of random "friends" from a public forum, connections over TCP could only be established to a very few people.[9][10] Only approximately 5% were online. Although probably only a very small portion of the network could be seen, the content of the network looked pretty interesting.

RetroShare reports Right click -> DHT Details: NET WARNING No DHT; Behind NAT UNKNOWN NAT STATE MANUAL FORWARD

There still may be some privacy caveats left with RetroShare trying to communicate outside of Tor, but that doesn't matter if Whonix makes any non-Tor traffic impossible.

Installation and Setup[edit]

WARNING: RetroShare packages are signed with weak 1024 bit keys. Until this is fixed we recommend using Ricochet IM with OnionShare instead.

RetroShare is currently available on Debian 7.0 Wheezy and 6.0 Squeeze for armel, armhf, i386 and amd64 architectures and for 8.0 Jessie.

Before adding the repo[11], fetch the key and verify[12] fingerprints. Always check the fingerprint for yourself. The output at the moment is:

pub  1024D/0x9418A47921691F91 2011-08-16 home:AsamK OBS Project <home:AsamK@build.opensuse.org>
      Key fingerprint = E2CE 3677 C801 5772 D097  B0AA 9418 A479 2169 1F91

Download key with curl to home folder.

curl -o retroshare-pubkey.asc http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/Release.key

Check fingerprints/owners without importing anything.

gpg --keyid-format long --with-fingerprint retroshare-pubkey.asc

If it looks good import into trusted.gpg.d.[13]

gpg --no-default-keyring --keyring ./retroshare-pubkey.gpg --import retroshare-pubkey.asc
sudo cp retroshare-pubkey.gpg /etc/apt/trusted.gpg.d/retroshare-pubkey.gpg

For stable builds:

sudo su -c "echo -e 'deb http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/ /' > /etc/apt/sources.list.d/retroshare06.list"

For nightly builds:

sudo su -c "echo -e 'deb http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/ /' > /etc/apt/sources.list.d/retroshare06-git.list"

Update your package lists.

sudo apt-get update

Install Retroshare.

sudo apt-get install retroshare06

For the latest nightly package name install retroshare06-git instead.


RetroShare setup:

    • Pick a pseudonym and password. Obviously, don't use your real name or location. Move your mouse to generate enough entropy.
    • Check Advanced Options -> Create a hidden node
    • Change key-length to 4096 bits for adequate security then generate the new profile.



Follow the steps in this guide to connect to others over I2P.


INCOMPLETE - Depends on unimplemented features for Whonix[15]

On your Whonix-Gateway.

If you want to read an introduction about hidden services and to learn about hidden service security, see Hidden Services.

If you also want to run a hidden web server on the same .onion domain (nice for testing and learning Hidden Services basics), see Hidden Services.

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

Add. [16]

HiddenServiceDir /var/lib/tor/retroshare/
HiddenServicePort 7812 <Local Address>:<port>

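As an added example (not code from the Whonix wiki or from Tor), the following lint checks the HiddenServiceDir and HiddenServicePort lines of a torrc before Tor is reloaded. Tor attaches each HiddenServicePort to the most recent HiddenServiceDir above it, so a port line with no preceding dir line, or a dir with no port line, is a misconfiguration that `tor --verify-config` may not explain clearly. Port 7812 is the page's arbitrary choice; the target address 10.152.152.11 in the constructed sample is an assumed Whonix-Workstation address.

```python
"""Lint for HiddenServiceDir / HiddenServicePort lines in a torrc.
Added example; not part of the Whonix wiki page or of Tor itself."""
import re

# Constructed sample fragment matching the torrc lines on this page.
# 10.152.152.11 is an assumed Whonix-Workstation address.
SAMPLE_TORRC = """\
# constructed sample
HiddenServiceDir /var/lib/tor/retroshare/
HiddenServicePort 7812 10.152.152.11:7812
"""


def _valid_port(value):
    return value.isdigit() and 1 <= int(value) <= 65535


def parse_hidden_services(torrc_text):
    """Return (services, errors); services is a list of
    {"dir": path, "ports": [(virtual_port, target), ...]}."""
    services, errors = [], []
    for lineno, raw in enumerate(torrc_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "HiddenServiceDir":
            if not value.startswith("/"):
                errors.append("line %d: HiddenServiceDir needs an absolute path" % lineno)
            services.append({"dir": value, "ports": []})
        elif key == "HiddenServicePort":
            if not services:
                # Tor only binds a port to the HiddenServiceDir that precedes it.
                errors.append("line %d: HiddenServicePort before any HiddenServiceDir" % lineno)
                continue
            fields = value.split()
            if not fields or not _valid_port(fields[0]):
                errors.append("line %d: invalid virtual port" % lineno)
                continue
            if len(fields) < 2:
                # Without a target Tor defaults to 127.0.0.1:VIRTPORT, i.e. the
                # gateway's own loopback, not the Whonix-Workstation service.
                errors.append("line %d: no target address given" % lineno)
                continue
            target = fields[1]
            host, sep, port = target.rpartition(":")
            if not (target.startswith("unix:") or (sep and host and _valid_port(port))):
                errors.append("line %d: target must be ADDRESS:PORT or unix:PATH" % lineno)
                continue
            services[-1]["ports"].append((int(fields[0]), target))
    for svc in services:
        if not svc["ports"]:
            errors.append("%s has no HiddenServicePort" % svc["dir"])
    return services, errors


if __name__ == "__main__":
    services, errors = parse_hidden_services(SAMPLE_TORRC)
    print(services)
    print("no errors" if not errors else "\n".join(errors))
```

To lint the real file, read /etc/tor/torrc (root permission is required on Whonix-Gateway) and pass its contents to parse_hidden_services; an empty error list means the hidden service block is at least structurally sound before you run the reload steps below.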

Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Reminder: To get your hidden service url.

sudo cat /var/lib/tor/retroshare/hostname

Reminder: always backup your hidden service key. This is necessary in case you want to restore it on another machine, on a newer Whonix-Gateway, after hdd failure, etc. Follow the instructions below to find its location; root permission is required to access it.



You can use the usual Qubes tools. The following example shows how to copy /var/lib/tor/retroshare/private_key from your sys-whonix VM to your vault VM (which should be started beforehand) using qvm-copy-to-vm.

sudo qvm-copy-to-vm vault /var/lib/tor/retroshare/private_key

Using the example above, you could then find the Tor hidden service private key in your vault VM in a file.


Consider moving the file from QubesIncoming folder to a location of your choice.

You can then use the usual Qubes capabilities to backup your vault and/or other VMs. This can be conveniently done using QubesManager. Please refer to the Qubes documentation about backups for steps on how to do that.


TODO document
See also, File Transfer.


Tox[edit]

Tox[17][18] looks like a promising solution. The official client implementation is based on the project's protocol library, Toxcore. It is very feature rich and can do a variety of things besides VOIP. It can work over Tor, which allows communication with others even if they are not anonymous.[19] There are clients developed for every major OS platform, both desktop and mobile.[20]

Users are assigned a public and private key, and they connect to each other directly in a peer-to-peer network. Users have the ability to message friends, join chat rooms with friends or strangers, and send each other files. Everything is encrypted using the NaCl library[21].

In February 2014, audio and video calls as well as conferences were still being implemented, as of August 2014 those features are ready in all the main clients. The official client aims to provide support for messaging, group messaging, voice and video calling, voice and video conferencing, typing indicators, read-receipts, push-to-talk technology, file sharing technology, and desktop streaming. Additional features can be implemented by any client as long as they are supported by the core protocol. Features that are not related to the core networking system are left up to the client.[22]

Install How-To[edit]

1. Before adding the repo[23], fetch the key and verify fingerprints. Always check the fingerprint for yourself. The output at the moment is:

pub  4096R/0xA2B076511A171ABE 2015-08-26 Tox Project <admin@tox.chat>
      Key fingerprint = 0BC7 82D5 57DA 04D8 C542  87F3 A2B0 7651 1A17 1ABE

Download key with scurl to home folder.

scurl -o tox-pubkey.asc https://pkg.tox.chat/debian/pkg.gpg.key

Check fingerprints/owners without importing anything.

gpg --with-fingerprint tox-pubkey.asc

If it looks good import into trusted.gpg.d.

gpg --no-default-keyring --keyring ./tox-pubkey.gpg --import tox-pubkey.asc
sudo cp tox-pubkey.gpg /etc/apt/trusted.gpg.d/tox-pubkey.gpg
sudo sh -c 'echo "deb https://pkg.tox.chat/debian nightly release" > /etc/apt/sources.list.d/tox.list'
sudo apt-get update -qq

The Tox Repository has now been installed.
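The key verification step above (and the matching RetroShare step earlier on this page) asks you to compare a fingerprint by eye. As an added example, not code from the Whonix wiki or from the RetroShare or Tox projects, the following script parses the legacy `gpg --keyid-format long --with-fingerprint <keyfile>` text format quoted on this page, compares the fingerprint against the value you obtained out-of-band, checks that the long key ID agrees with the fingerprint, and rejects keys shorter than a chosen size, so the weak 1024-bit RetroShare key this page warns about fails the check. The sample outputs and expected fingerprints are copied from this page; MIN_KEY_BITS and the `check_key_file` helper are assumptions of this example. Newer gpg versions print `pub   rsa4096/...` instead, which this parser does not read.

```python
"""Verify a downloaded APT signing key against an expected fingerprint
before importing it into trusted.gpg.d. Added example; not part of the
Whonix wiki page or of the RetroShare or Tox projects."""
import re
import subprocess

# Sample gpg output, copied from the key listings shown on this page.
RETROSHARE_OUTPUT = """\
pub  1024D/0x9418A47921691F91 2011-08-16 home:AsamK OBS Project <home:AsamK@build.opensuse.org>
      Key fingerprint = E2CE 3677 C801 5772 D097  B0AA 9418 A479 2169 1F91
"""
TOX_OUTPUT = """\
pub  4096R/0xA2B076511A171ABE 2015-08-26 Tox Project <admin@tox.chat>
      Key fingerprint = 0BC7 82D5 57DA 04D8 C542  87F3 A2B0 7651 1A17 1ABE
"""

# Legacy gpg listing: "pub  <bits><algo>/<keyid> <date> <uid>"
PUB_RE = re.compile(
    r"^pub\s+(\d+)([A-Za-z])/(?:0x)?([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})\s+(.*)$")
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+?)\s*$")

MIN_KEY_BITS = 2048  # assumption: anything shorter is treated as weak


def normalize_fingerprint(fpr):
    """Strip the grouping spaces gpg prints and upper-case the hex digits."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_gpg_output(text):
    """Return one dict per 'pub' entry with bits, algo, keyid, created, uid, fingerprint."""
    keys = []
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            keys.append({"bits": int(m.group(1)), "algo": m.group(2),
                         "keyid": m.group(3).upper(), "created": m.group(4),
                         "uid": m.group(5).strip(), "fingerprint": None})
            continue
        m = FPR_RE.search(line)
        if m and keys:
            keys[-1]["fingerprint"] = normalize_fingerprint(m.group(1))
    return keys


def check_key(gpg_text, expected_fingerprint):
    """Return (ok, problems). ok is True only if exactly one key is listed,
    its fingerprint equals the expected one, its long key ID agrees with
    the fingerprint and it is at least MIN_KEY_BITS long."""
    expected = normalize_fingerprint(expected_fingerprint)
    keys = parse_gpg_output(gpg_text)
    if len(keys) != 1:
        return False, ["expected exactly one public key, found %d" % len(keys)]
    key = keys[0]
    problems = []
    if key["fingerprint"] is None:
        problems.append("no 'Key fingerprint' line found")
    else:
        if key["fingerprint"] != expected:
            problems.append("fingerprint mismatch: got %s, expected %s"
                            % (key["fingerprint"], expected))
        # The long key ID is the last 16 hex digits of the fingerprint.
        if not key["fingerprint"].endswith(key["keyid"]):
            problems.append("key ID %s does not match the fingerprint" % key["keyid"])
    if key["bits"] < MIN_KEY_BITS:
        problems.append("weak %d-bit key (algorithm class %s)" % (key["bits"], key["algo"]))
    return not problems, problems


def check_key_file(keyfile, expected_fingerprint):
    """Run gpg on a downloaded .asc file (nothing is imported) and check it."""
    out = subprocess.run(["gpg", "--keyid-format", "long", "--with-fingerprint", keyfile],
                         capture_output=True, text=True, check=True).stdout
    return check_key(out, expected_fingerprint)


if __name__ == "__main__":
    for name, text, fpr in (
            ("RetroShare", RETROSHARE_OUTPUT, "E2CE 3677 C801 5772 D097  B0AA 9418 A479 2169 1F91"),
            ("Tox", TOX_OUTPUT, "0BC7 82D5 57DA 04D8 C542  87F3 A2B0 7651 1A17 1ABE")):
        ok, problems = check_key(text, fpr)
        print(name, "OK" if ok else "REJECT", problems)
```

Only copy the converted .gpg keyring into /etc/apt/trusted.gpg.d after check_key_file returns ok; with the fingerprints quoted on this page, the Tox key passes and the RetroShare key is rejected for its 1024-bit size.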

You can now install utox, qtox, toxic, ratox and tox-bootstrapd.

2. For info about clients see this page then install your client of choice.

On the desktop your choices are to install utox, qtox, toxic or ratox with sudo apt-get install.



Pidgin[edit]

Pidgin supports most protocols. However do not use it. It has a very bad security track record with many remotely exploitable bugs - a result of being written in C and containing many legacy protocols. There is no reason to use it when Tor Messenger is now available.

IRC Client HexChat[edit]

See HexChat.


TorChat[edit]

The concept of having a serverless and fully encrypted instant messenger based on Tor hidden services is marvelous.

Unfortunately, as of the time of writing (September 2015) TorChat can not be recommended. This is because the TorChat developer currently does not respond to other people, see TorChat issues. Communication and support is crucial for anonymity related projects. TorChat is an unofficial project, unaffiliated with The Tor Project. A modern and maintained alternative is Ricochet IM.

In 2015 a security analysis[24] of the TorChat protocol and its Python implementation was conducted. It was found that although the design of TorChat is sound, its implementation has several flaws, which make TorChat users vulnerable to impersonation, communication confirmation and denial-of-service attacks.[25]

Other Software[edit]

If a chat client is not listed here, it is for now recommended against. Search the Whonix forums to see whether that chat client has been discussed in the past, or post there if you think a privacy respecting chat client is missing from this page.

Footnotes / References[edit]

  1. http://archive.is/8w0Zf
  2. https://ricochet.im/
  3. https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdf
  4. https://en.wikipedia.org/wiki/Ricochet_(software)
  5. Qubes-Whonix is 64 bit by default. The 32 bit version should also work. But why bother.
  6. The Default/Download version of Whonix is 32 bit. Therefore, 64 bit software won't run. The only way around this is building Whonix from source code.
  7. https://www.eff.org/secure-messaging-scorecard
  8. https://www.elttam.com.au/blog/a-review-of-the-eff-secure-messaging-scorecard-pt1/
  9. Chance of working better (untested): Tunnel UDP over Tor.
  10. Note, in case you are using the previous footnote, Other Anonymizing Networks over Tor UDP Tunnel applies.
  11. http://retroshare.sourceforge.net/downloads.html
  12. http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/Release.gpg
  13. To import asc key files into trusted.gpg.d they must be converted into a .gpg keychain file first.
  14. RetroShare .deb Packages installation instructions from RetroShare's third party repository
  15. https://github.com/RetroShare/RetroShare/issues/356
  16. Arbitrary choice of port to avoid conflicts with custom RetroShare setups.
  17. https://wiki.tox.chat/users/faq#what_is_tox
  18. https://tox.chat
  19. https://wiki.tox.chat/users/tox_over_tor_tot
  20. https://wiki.tox.chat/clients
  21. http://nacl.cr.yp.to
  22. https://en.wikipedia.org/wiki/Tox_(software)
  23. https://wiki.tox.chat/binaries
  24. Security Analysis of Instant Messenger TorChat
  25. https://en.wikipedia.org/wiki/TorChat#Security


Whonix Chat wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Chat wiki page Copyright (C) 2012 -2014 Patrick Schleizer <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.
