Last update: March 17, 2019. This website uses cookies. By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. More information


Instant Messenger Chat

General Safety Advice[edit]

It is recommended to review the Do not Mix Anonymity Modes section in conjunction with this entry. For a comprehensive comparison of instant messengers, see here.


Tor exit relays can eavesdrop on communications if encryption to the server is disabled. Depending on the protocol, encryption might be disabled by default or not even supported. Tails has noted that without encryption, the exit relay can see the contact list, all messages, file transfers, and audio/video. [1] While encryption to the server prevents exit relay eavesdropping, it still leaves one problem unresolved: server logging.

High-risk users should also bear in mind that even in the event that strong and secure end-to-end encryption is used -- for example encrypted chat using .onion connections only (staying within the Tor network) -- sophisticated attackers (nation state actors) are capable of compromising the trusted computing base (TCB) [2] of nearly all platforms: [3]

All proper end-to-end encrypted (E2EE) messaging systems store private key(s) exclusively on user's device (endpoint). The holy grail of attacks against E2EE systems is called exfiltration where the sensitive data, namely the private keys or plaintext messages, are stolen from the endpoint. The attack is directed against the trusted computing base (TCB) of the target system. The overwhelming majority of TCBs are connected to the network and compromising them with polished malware that exploits a zero-day vulnerability, is trivial and undetectable.

Server Logging[edit]

Encrypted server connections do not prevent the server gathering interesting information about users, such as common contacts and the regularity of communications. An example list includes:

  • Account names.
  • Buddy list (list of contacts).
  • The exact date and time of logins.
  • Message timestamps.
  • Communication patterns like common contacts.
    • If the recipient knows the sender and has ever used a non-anonymous account or logged in without Tor, this information can be used to try and determine the sender's identity.

The content of messages will only be protected by using end-to-end encryption, for example Off-the-Record (OTR) encryption. To completely remove the threat of server logging, prefer decentralized (server-less) instant messengers like Ricochet IM.

Jabber / XMPP[edit]

Jabber/XMPP is a free server-federation-based protocol designed with openness in mind: "... All of the existing XMPP servers, clients, and programming libraries support the key features of an IM system, such as one-to-one and multi-party messaging, presence subscriptions and notifications, and contact lists."

The system is decentralized because there is no central authoritative server; anyone can run a server. Some users are confused on this point because there are a number of large and popular public XMPP servers (like, to which many have subscribed. [4] Each network user has a unique XMPP address called a JID (Jabber ID). The JID is similar to an email address insofar as it has a username and domain name like [5]

Safely using the protocol requires proper use of OTR, because it is unwise to trust server connections are properly encrypted between each other. Jabber privacy is also limited, as various adversaries are capable of observing which accounts are communicating. Jabber and Tor combined only guarantee pseudonymous communications, as while the user's current location is hidden, the social graph can still expose their true identity. For tips on operational security when chatting anonymously, see this article by The Intercept. Also see: Why prefer open protocols such as Jabber/XMPP over proprietary ones such as ICQ?


When using IRC inside Whonix-Workstation, the Ident Protocol is automatically blocked because Whonix-Workstation is firewalled. Therefore the associated daemon will not identify the username which is linked with a particular TCP connection, as is normally the case.

The Tor Project Internet Relay Chat page contains a number of important recommendations and tips for safe IRC use:

  • Use onion services when available.
    • Check self-signed certificates have the correct SSL/TLS certificate.
  • Cycle Tor circuits to evade censorship bans.
  • Chain VPNs and Tor for registration.
  • Use OTR for end-to-end encryption.
  • Distrust users and servers in general.
  • Avoid personally identifiable information in chats.
  • Check the user fingerprint before using IRC.
  • Harden the IRC client.
  • And more.


Applications discussed in this chapter are listed in order of best usability and compatibility with Whonix, based on the opinion and experience of Whonix developers.

It should be noted that no single application listed here has a superior feature set. Users must make a choice based on personal preferences and their self-assessed threat model:

  1. Gajim has better usability, more Jabber users, supports offline messages, and can provide OTR or OMEMO-grade encryption. On the downside, it requires a Jabber server which weakens anonymity.
  2. HexChat is an open source IRC client based on XChat (therefore not technically an instant messenger). It has better usability and supports encrypted plugins like OTR, but on the downside it relies on centralized IRC servers.
  3. Ricochet IM is a decentralized (server-less) option, but it "only" uses onion encryption and is difficult to set up. OTR or OMEMO-grade encryption is not yet available, [6] and offline messages are not supported. [7] Ricochet IM is also not user-friendly.
  4. Tox is also a fully-featured, decentralized (server-less) option which employs strong encryption, but the software is in alpha status and is not available as a Debian package. [8] Tox developers warn in their wiki: "... Keep in mind that these clients are alpha software under heavy development, and are probably not ready for day-to-day use. ..." [9]




Ubuntu provides a succinct overview of Gajim: [10]

Gajim is a free software, instant messaging client for the Jabber (XMPP) protocol which uses the GTK+ toolkit. It runs on GNU/Linux, BSD and Windows. The name Gajim is a recursive acronym for Gajim (is) a jabber instant messenger. The goal of Gajim is to provide a full featured and easy to use Jabber client. Gajim works nicely with GNOME, but does not require it to run. It is released under the GNU General Public License.

Gajim has various features, including: [11]

  • Chat client synchronization.
  • Group chats.
  • Sending of pictures, videos and other files to friends or groups.
  • Secure end-to-end encryption via OMEMO or PGP.
  • The option to keep and manage all chat history.
  • Connection compatibility with other messengers via transports, such as IRC.
  • Various other features are available via plugins.

In late-2018, audio/video is reportedly not functional in Gajim. Further, OTR support was dropped in Gajim release 1.0, but the OMEMO plugin is an encryption alternative. [12] Note that Debian stretch has v0.16 of the Gajim package available, so optionally the OTR plugin can still be used instead of OMEMO (stretch-backports has v1.1 available).


The steps below install Gajim, along with the OMEMO encryption plugin and HTTP Upload plugin (which is required for file transfers). [13] The latter plugin is fully integrated into the core Gajim software as of v1.0. Upon first launch of the program, users can use an existing XMPP account or create a new one.

Update the package lists.

sudo apt-get update

Install gajim, gajim-omemo and gajim-httpupload.

sudo apt-get install gajim gajim-omemo gajim-httpupload

Start Gajim from the start menu or type in konsole.





On first launch, an Account Creation Wizard Dialog will appear. Use the wizard to either create a new account to connect to the jabber network or use an existing account. For new accounts, there are multiple jabber servers available and only a username and password is required to join. [15]

Gajim Settings[edit]

The following changes are recommended for better security and privacy.


  • Edit -> Accounts -> uncheck Save conversation logs for all contacts

Activity settings:

  • Preferences -> Status -> uncheck Away after [16]
  • Preferences -> Status -> uncheck Not available after

Privacy settings:

  • Preferences -> Advanced-> Privacy -> uncheck
    • Allow client / OS information to be sent
    • Allow local system time information to be sent
    • Log encrypted chat session
    • Allow my idle time to be sent

Prevent auto-start:

  • Preferences -> Advanced-> applications -> Custom -> clear fields for: [17]
    • Browser
    • Mail Client
    • File Browser

Network settings: [18]

  • Preferences -> Advanced -> global proxy -> Tor
  • Preferences -> Advanced -> global proxy -> mange -> Tor -> check Use proxy authentication -> set username to gajim -> set password to gajim

Gajim cannot be installed by default in Whonix yet, as there is more development work TODO; see Dev/Gajim.

HexChat: IRC Client[edit]

See HexChat.

Ricochet IM[edit]



Ricochet IM is is a portable, P2P, python chat application that is installed in Whonix by default. It is the new successor to the unmaintained TorChat. [19] The Ricochet site describes how the application works: [20]

Ricochet uses the Tor network to reach your contacts without relying on messaging servers. It creates a hidden service, which is used to rendezvous with your contacts without revealing your location or IP address.

Instead of a username, you get a unique address that looks like ricochet:rs7ce36jsj24ogfw. Other Ricochet users can use this address to send a contact request - asking to be added to your contacts list.

You can see when your contacts are online, and send them messages (and soon, files!). Your list of contacts is only known to your computer - never exposed to servers or network traffic monitoring.

Everything is encrypted end-to-end, so only the intended recipient can decrypt it, and anonymized, so nobody knows where it’s going and where it came from.

In summary, the benefits of Ricochet IM include:

  • No saving of chat history.
  • Reliance on Tor onion services for identity creation.
    • Encryption and authentication properties therefore match Tor's strength.
  • The server-less design means no metadata is ever collected.
  • An OTF sponsored audit in early 2016 only identified a few minor problems (since fixed). [21] [22]

Whonix Configuration[edit]

Ricochet should be fully functional in Whonix. If any problems are encountered, please leave comments on the open Phabricator ticket.

Add a Ricochet Python Profile[edit]

In Whonix-Gateway (sys-whonix), onion-grater requires some adjustments.

Extend onion-grater Whitelist

On Whonix-Gateway.

Create a new directory. [23]

sudo mkdir -p /usr/local/etc/onion-grater-merger.d/

Symlink the onion-grater profile to the onion-grater settings folder.

Whonix 14:

sudo ln -s /usr/share/onion-grater-merger/examples/40_ricochet.yml /usr/local/etc/onion-grater-merger.d/

Whonix 15 and above:

sudo ln -s /usr/share/doc/onion-grater-merger/examples/40_ricochet.yml /usr/local/etc/onion-grater-merger.d/

Restart onion-grater.

sudo service onion-grater restart

Modify Firewall Settings[edit]

In Whonix-Workstation (anon-whonix), the firewall requires some adjustments.

Modify Whonix-Workstation User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix, complete these steps.
In Whonix-Workstation AppVM.

Make sure folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Open /rw/config/whonix_firewall.d/50_user.conf with root rights.

kdesudo kwrite /rw/config/whonix_firewall.d/50_user.conf

If using a graphical Whonix-Workstation, complete these steps.

Start Menu -> Applications -> Settings -> User Firewall Settings

If using Non-Qubes-Whonix, complete this step.

In Whonix-Workstation, open the whonix_firewall configuration file in an editor.

sudo nano /etc/whonix_firewall.d/50_user.conf

For more help, press on Expand on the right.

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_default.conf

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q") -> Template: whonix-ws-14 -> Whonix Global Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu -> Applications -> Settings -> Global Firewall Settings

If using Non-Qubes-Whonix, complete this step.

In Whonix-Workstation, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_default.conf




Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu -> Applications -> System -> Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run.

sudo whonix_firewall

Start Ricochet[edit]

In Whonix-Workstation (anon-whonix), launch ricochet either through the start menu or from the command line.


Backup/Restore Ricochet ID[edit]

Backup ricochet.json in the config directory path below which contains the private key under identity in serviceKey. [24]

You need to replace /path/to/backup/location with the actual location of your backup folder.

cp /home/user/.local/share/Ricochet/ricochet/ricochet.json /path/to/backup/location

For now this is enough. Alternatively you could also backup the whole folder /home/user/.local/share/Ricochet.

cp -r /home/user/.local/share/Ricochet /path/to/backup/location




Tox [25] [26] looks like a promising solution for secure, encrypted communications. The official client implementation is based on the Toxcore protocol library, which is very feature-rich and has a variety of functions besides VoIP. By default, Tox does not attempt to cloak your IP address from authorized contacts. However, Tox connections can be tunneled through Tor, allowing communication with others even if they are not anonymous. [27] Desktop and mobile client versions have been developed for every major OS platform. [28]

In the Tox design, users are assigned a public and private key, with direct connections being established in a peer-to-peer network. Users can message friends, join chat rooms with friends or strangers, and send each other files. Everything is encrypted using the NaCl crypto library, via libsodium. [29] [30] Tox helps to protect user privacy by: [31]

  • Removing the need to rely on central authorities to provide messenger services
  • Enforcing end-to-end encryption with perfect forward secrecy as the default and only mode of operation for all messages
  • Making your identity impossible to forge without the possession of your personal private key, which never leaves your computer

As of late-2018, the following secure (encrypted) features have been implemented: [32]

  • Voice and video calls.
  • Instant messaging.
  • Desktop screen sharing / streaming.
  • File sharing.
  • Typing indicators.
  • Message read-receipts.
  • Profile encryption.
  • Group messaging, voice and video conferencing.

Additional features can be implemented by any client, so long as they are supported by the core protocol. Features that are not related to the core networking system are left up to the client. [33]


The following instructions will install the "qTox" graphical user client. As qTox is not currently available as a stand-alone Debian package, users have three choices in late-2018:

  • Build the package from source (difficult).
  • Rely on an unsigned, self-contained AppImage downloaded from the Tox homepage (insecure).
  • Install Flatpak from stretch-backports and then install Tox from the Flathub repository (easiest).

Flatpak Method[edit]

It is recommended to create a separate Whonix-Workstation before installing addtional software. Tox is also alpha software which has not been formally audited, therefore it is less trusted.

Install Flatpak[edit]

Package flatpak can be installed from Debian backports. This is non-ideal, see footnote. [34]

1. Boot Whonix-Workstation (whonix-ws-14) TemplateVM.

2. Add the current Debian stable backports codename stretch-backports to Debian apt sources.

Note: this applies to Whonix Later Whonix versions may use a codename different to stretch.

In Whonix-Workstation (whonix-ws-14) TemplateVM, run.

sudo su -c "echo -e 'deb stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

Alternatively, users who like Onionizing Repositories can set the .onion mirror.

sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

3. Update the package lists.

sudo apt-get update

4. Install the select software.

sudo apt-get -t stretch-backports install flatpak

The procedure is now complete.

5. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian stretch to buster. [35] To proceed, run.

sudo rm /etc/apt/sources.list.d/backports.list

Add the Flathub Repository and Install qTox[edit]

Flathub is a common place to source Flatpak applications. To enable it, run.

flatpak remote-add --if-not-exists flathub

Next, restart Whonix-Workstation to allow flatpak to finish setting up.

To install qTox from flathub, open a terminal (Konsole) and run. [36]

flatpak install flathub io.github.qtox.qTox

Start qTox[edit]

To launch qTox, run.

flatpak run io.github.qtox.qTox

TODO: Add instructions on how to use Tox with Stream Isolation without Tor over Tor.
TODO: Add instructions for Qubes-Whonix.

Deprecated Chat Clients[edit]


Pidgin supports most protocols and OTR end-to-end encrypted chat. However, it is not recommended because it has a very poor security record with many remotely exploitable bugs. Security researcher and developer Micah Lee notes this is the result of reliance on legacy protocols and the libpurple, libotr and libxml libraries which are: "... massive, written in C/C++, and are littered with memory corruption bugs. ..." [37]


Whonix developers no longer list RetroShare, which is a friend-to-friend (peer-to-peer), decentralized network and not an anonymizing network. Encrypted RetroShare connections support chat, voice and video, mail, file-sharing, forums and Tor. [38] Although RetroShare is under active development, [39] there are several serious concerns which disqualify a recommendation:

  • The RetroShare package is signed with weak 1024-bit keys (in late-2018).
  • A 2016 code review which focused on implementation vulnerabilities discovered multiple security issues: [40]
    • The attack surface is high due to the feature-rich codebase.
    • Systemic "insecure coding practice" was identified, particularly "...inconsistent return value checking and error handling, poor usage of explicit and implicit typecasting, and relaxed handling of adverse security edge-cases."
    • Within a 24-hour period, auditors had developed proof of concept exploits for web-like vulnerabilities, weak binary protections, and out of bound memory reads and remote memory corruption (promptly rectified by developers).
  • A coverity scan of the RetroShare code shows a large number of outstanding defects, along with a relatively high defect density. [41] [42]


TorChat has not been recommended by Whonix developers since late-2015. The reason is development has been at a standstill since 2013 and the TorChat developer does not respond to other people, suggesting the project has been abandoned. TorChat is also an unofficial project and unaffiliated with The Tor Project. Since communication, support, active development and security fixes are essential for anonymity-related projects, Ricochet IM is strongly recommended as a modern, maintained alternative. [43]

Another reason to avoid TorChat is the findings of a 2015 security analysis [44] which inspected the protocol and Python implementation: [45]

It was found that although the design of TorChat is sound, its implementation has several flaws, which make TorChat users vulnerable to impersonation, communication confirmation and denial-of-service attacks.

Tor Messenger[edit]

Do not use Tor Messenger! It was deprecated by upstream developers in early-2018. [46]

Other Software[edit]

For anonymous Voice over IP (VoIP) or encrypted, anonymous phone calls using the Tor anonymity network, see: VoIP.

If a messenger program is not listed in this chapter, it is for now recommended against. If readers feel any privacy-respecting chat clients are missing on this page, first search the Whonix forums to see if that application has been discussed in the recent past. Any additions to this page will be based on an objective analysis of the software's underlying strength and compatibility with Whonix. [47]

Footnotes / References[edit]

  1. See: for an overview of Pidgin protocols and associated encryption features.
  2. "... the trusted computing base or TCB comprises the set of all hardware, software, and firmware components that are critical to establishing and maintaining its security. Typically, the TCB consists of an operating system with all its in-built security controls, individual system hardware, network hardware and software, defined security procedures and protocols, and the actual physical location of the system itself." Trusted Computing Base or "TCB"
  4. Other popular public servers are listed here.
  8. Tox has not yet been formally audited by security professionals, but this is the case for most software. Further, passing a formal audit does not guarantee that the software is in fact safe.
  13. Note this feature can be combined with OMEMO for encrypted file transfers.
  14. anon-apps-config which is installed by default will deactivate gajim plugin installer / updater because it is not secure.
  15. A new account can always be added with: Edit -> Accounts -> New
  16. To prevent needlessly leaking your activity to the server.
  17. For better security, this prevents the automatic start of these applications from the chat client.
  18. To set use of the Tor network, along with Stream Isolation.
  23. Using /usr/local/etc/onion-grater-merger.d/ because that onion-grater settings folder is persistent in Qubes-Whonix TemplateBased ProxyVMs, i.e. Whonix-Gateway (commonly called sys-whonix). Non-Qubes-Whonix users could also use /etc/onion-grater-merger.d/. Qubes-Whonix users could also use /etc/onion-grater-merger.d/ but then users would have to make /etc/onion-grater-merger.d/ persistent, which would require doing this inside the Whonix-Gateway TemplateVM (commonly called whonix-gw-14) and restart their Whonix-Gateway ProxyVM or to use bind-dirs. Both is more complicated than simply using /usr/local/etc/onion-grater-merger.d/ which is persistent either way and even allows multiple Whonix-Gateway ProxyVMs based on the same Whonix-Gateway TemplateVM for lets say one Whonix-Gateway ProxyVM extending and relaxing onion-grater's whitelist and the other Whonix-Gateway ProxyVM with the default more restricted onion-grater whitelist.
  30. Tox employs curve25519 for its key exchanges, xsalsa20 for symmetric encryption, and poly1305 for MACs.
  32. Depending on the mobile / desktop client in use.
  34. Users should Prefer Packages from Debian Stable Repository, but using backports is better than manual software installation or using third party package managers since this prefers APT. To contain the risk, Non-Qubes-Whonix users might want to consider using Multiple Whonix-Workstations and Qubes-Whonix users might want to consider using Multiple Qubes-Whonix TemplateVMs or Software Installation in a TemplateBasedVM.
  35. Most often this step applies before attempting major Whonix upgrades; upgrade instructions are also made available at that time (see Stay Tuned).
  38. Unlike other private P2P options, the F2F network can grow in size without compromising their users' identities. Also, passwords or digital signatures are required for authentication.
  39. See also:
  42. For example, compare this result with the low number of defects and defect density of the Tor codebase.
  43. Particularly since Ricochet IM passed a recent (2016) security audit with flying colors.
  44. Security Analysis of Instant Messenger TorChat
  46. Also see:


Whonix Chat wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Chat wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

No user support in comments. See Support.

Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.

Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.

Random News:

Bored? Want to chat with other Whonix users? Join us in IRC chat (Webchat).

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix is a trademark. Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix itself. (Why?)

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.