Jump to: navigation, search


(Redirected from TorChat)

General Safety Advice[edit]

Recommended knowledge: Modes of Anonymity.

Note: Most existing instant messenger protocols are unsafe from a privacy point of view. This is not a Whonix specific problem. It is a general problem with instant messengers.

Tor Exit Node eavesdropping can happen if no encryption to the server is enabled. Some protocols have encryption disabled by default, some do not support encryption at all. See also Overview about Pidgin protocols and their encryption features[1]. If encryption to the server is enabled, the Tor Exit Node can no longer eavesdrop. This fixes one problem, however it also leaves another problem unresolved.

Even with encryption to the server enabled, the server could still gather interesting information. For example:

  • Account names
  • Buddy list (list of contacts)
  • Log login dates and times
  • Timestamp of messages
  • Who communicates with whom
    • If the recipient knows the sender and the recipient uses a non-anonymous account or the recipient ever logged in without Tor, this can be used as a hint for determining who the sender is.
  • Content of messages - Can be prevented using end-to-end encryption. This is covered in OTR encryption below.

Jabber/XMPP is a server-federation-based protocol designed with openness in mind. Its security depends on you making good use of OTR as you can never be sure if servers are properly encrypted between each other. Privacy with Jabber is limited, as it is visible to various kinds of attackers who your account is talking to. Tor only helps to pseudonymize your account and hide your current location, but your social graph may still expose your identity. For a good operational security guide on chatting anonymously see The Intercept's article.

Systems which do not require a server by design, i.e. serverless instant messengers are likely better from a privacy point of view. Such systems are #RetroShare and #Tox.

For IRC inside Whonix-Workstation, the Ident Protocol is automatically blocked because Whonix-Workstation is firewalled. The TorifyHOWTO/IrcSilc contains general IRC safety techniques and other tips.

Why prefer open protocols such as Jabber/XMPP over proprietary ones such as ICQ?

Ricochet IM[edit]

Ricochet IM[2] is a new successor of the unmaintained TorChat.

It is a portable P2P python chat application that does not save chat history. It relies on Tor onion services for creating identities. Its encryption and authentication properties are as strong as Tor's. No metadata is ever collected because it is server-less. An OTF sponsored audit in early 2016 shows that there were a few minor problems (fixed since).[3][4]

It is packaged in Debian backports. Whonix support is a work in progress.

Tor Messenger[edit]

Installation instructions.

(1) Go to https://trac.torproject.org/projects/tor/wiki/doc/TorMessenger#Downloads and download the Tor Messenger for Linux. Store it in /home/user/.

(2) Read https://www.torproject.org/docs/verifying-signatures.html.en and learn how to perform GPG verification.

(3) Go to https://www.torproject.org/docs/signing-keys.html.en to download the relevant GPG signing keys.

(4) Verify the Tor Messenger download.

(5) Navigate to /home/user/ with the file manger. Dolphin example: Dolphin -> View -> Show Hidden Files

(6) If the old version of Tor Messenger is still open, close it.

(7) Rename the old /home/user/tor-messenger_en-US to something else.

(8) Extract the Tor Messenger. Right click on the downloaded archive -> extract -> extract archive here

(9) Done.

(10) To start it, go to the /home/user/tor-messenger_en-US folder and double click start-tor-messenger. Or type in a terminal.


For usage instructions refer to this guide.

Usage of Tor Messenger in Whonix should not differ from usage of Tor Messenger outside of Whonix. Already pre-configured for Stream Isolation, no manual settings changes required.

Forum discussion


RetroShare is not an anonymizing network, it is a friend-to-friend (F2F) network, or optionally a darknet. RetroShare has a very different audience and threat model.

RetroShare is in active development. Users can operate servers for themselves, but the architecture doesn't depend on them. Communications are encrypted end-to-end and provide for messaging, mail, forums, pubsub, file exchange and even telephony. The problems with RetroShare are the confused user interface, the necessity to have it run most of the time and contribute to the distributed hashtable (DHT, causing continuous CPU usage) and three relevant privacy aspects: You expose your social graph to a global passive adversary because friends connect to friends directly. Your public IP is available in the DHT, allowing to track your physical locations. And your visible user name is exposed in the TLS certificate when somebody connects to your RetroShare node.

Several of these problems can be solved by disabling the built-in DHT and hiding RetroShare behind a Tor hidden service. People who scan Tor hidden services will however still be able to connect the service and see the RetroShare user name in the self-signed certificate. This can be prevented by setting up Authenticated Hidden Services and limiting connections only to trusted people.

On November 4, 2014, RetroShare scored 6 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard. It lost a point because there has not been an independent code audit.[7] A recent audit by the pen-testing group Elttam uncovered many bugs in the code (some remotely exploitable) that were promptly fixed. The auditor's opinion was that RetroShare's codebase lacked secure coding practice.[8]

Running RetroShare through Tor enables you, to do things, which are normally potentially dangerous, such as adding random people (from a forum), while staying anonymous. (For example, to join a RetroShare forum.) This is not a recommendation, just stating a possibility. You can exchange your key on dedicated chat servers at: https://retroshare.rocks/

After adding tons of random "friends" from a public forum, connection to a very few people over TCP. [9] [10] Approximately only 5% were online. Although probably only a very small portion of the network could be seen, the content of the network looked pretty interesting.

RetroShare reports Right click -> DHT Details: NET WARNING No DHT; Behind NAT UNKNOWN NAT STATE MANUAL FORWARD

There still may be some privacy caveats left with RetroShare trying to communicate outside of Tor, but that doesn't matter if Whonix makes any non-Tor traffic impossible.

Installation and Setup[edit]

WARNING: RetroShare packages are signed with weak 1024 bit keys. Until this is fixed we recommend using Ricochet IM with OnionShare instead.

RetroShare is currently available on Debian 7.0 Wheezy and 6.0 Squeeze for armel, armhf, i386 and amd64 architectures and for 8.0 Jessie.

Before adding the repo[11], fetch the key and verify[12] fingerprints. Always check the fingerprint for yourself. The output at the moment is:

pub  1024D/0x9418A47921691F91 2011-08-16 home:AsamK OBS Project <home:AsamK@build.opensuse.org>
      Key fingerprint = E2CE 3677 C801 5772 D097  B0AA 9418 A479 2169 1F91

Download key with curl to home folder.

curl -o retroshare-pubkey.asc http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/Release.key

Check fingerprints/owners without importing anything.

gpg --keyid-format long --with-fingerprint retroshare-pubkey.asc

If it looks good import into trusted.gpg.d.[13]

gpg --no-default-keyring --keyring ./retroshare-pubkey.gpg --import retroshare-pubkey.asc
sudo cp retroshare-pubkey.gpg /etc/apt/trusted.gpg.d/retroshare-pubkey.gpg

For stable builds:

sudo su -c "echo -e 'deb http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/ /' > /etc/apt/sources.list.d/retroshare06.list"

For nightly builds:

sudo su -c "echo -e 'deb http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/ /' > /etc/apt/retroshare06-git.list"

Update the package lists.

sudo apt-get update

Install Retroshare.

sudo apt-get install retroshare06

For the latest nightly package name install retroshare06-git instead.


RetroShare setup:

    • Pick a pseudonym and password. Don't use real name or location obviously. Move your mouse to generate enough entropy.
    • Check Advanced Options -> Create a hidden node
    • Change key-length to 4096 bits for adequate security then generate the new profile.



Follow the steps in this guide to connect to others over I2P.


INCOMPLETE - Depends on unimplemented features for Whonix[15]

On your Whonix-Gateway.

If you want to read an introduction about hidden services and to learn about about hidden service security, see Hidden Services.

If you also want to run a hidden web server on the same .onion domain (nice for testing and learning Hidden Services basics), see Hidden Services.

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps.

sudo nano /etc/tor/torrc

Add. [16]

HiddenServiceDir /var/lib/tor/retroshare/
HiddenServicePort 7812<Local Address port>


Reload Tor.

After editing /etc/tor/torrc, Tor must be reloaded for changes take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /etc/tor/torrc and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

For Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, press on Expand on the right.

Complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Reminder: To get your hidden service url.

sudo cat /var/lib/tor/retroshare/hostname

Reminder: Always backup the hidden service key. This is necessary in order to restore it on another machine, on a newer Whonix-Gateway, after HDD/SSD failure, etc. Follow the instructions below to find its location; root permission is required to access it.



Use the usual Qubes tools. The following example shows how to copy the /var/lib/tor/retroshare/private_key from the sys-whonix VM to the vault VM (which should be started beforehand) using qvm-copy-to-vm.

sudo qvm-copy-to-vm vault /var/lib/tor/retroshare/private_key

The above step copies the Tor hidden service private key file to the QubesIncoming folder of the vault VM.


Consider moving the file from the QubesIncoming folder to another preferred location.

Qubes VM Manager can be used to conveniently backup the vault and/or other VMs. Please refer to the Qubes backups documentation for necessary steps to accomplish that.


TODO document
Also see: File Transfer.


under review {{Template:Tox} update will follow soon


Pidgin supports most protocols. However do not use it. It has a very bad security track record with many remotely exploitable bugs - a result of being written in C and containing many legacy protocols. There is no reason to use it when Tor Messenger is now available. [17]

IRC Client HexChat[edit]

See HexChat.


The concept of having a serverless and fully encrypted instant messenger based on Tor hidden services is marvelous.

Unfortunately, since time of writing (September 2015) TorChat can not be recommended. This is because the TorChat developer currently does not respond to other people, see TorChat issues. Communication and support is crucial for anonymity related projects. TorChat is an unofficial project. Unaffiliated with The Tor Project. A modern and maintained alternative is Ricochet IM.

In 2015 security analysis[18] of TorChat protocol and its Python implementation was conducted. It was found that although the design of TorChat is sound, its implementation has several flaws, which make TorChat users vulnerable to impersonation, communication confirmation and denial-of-service attacks.[19]


TODO: Unfinished!

sudo apt-get install gajim gajim-omemo gajim-httpupload

  • Preferences -> Status -> uncheck 'Away after' [20]
  • Preferences -> Status -> uncheck 'Not available after'
  • Preferences -> Advanced -> applications -> Custom -> clear fields for Browser, Mail client and file browser [21]
  • Preferences -> Advanced -> global proxy -> Tor
  • Preferences -> Advanced -> global proxy -> mange -> Tor -> check 'Use proxy authentication' -> set username to 'gajim' -> set password to -> 'gajim' [22]
  • TODO: check if above makes sense - gajim might intelligently set a Tor socks user name per account already and manually setting a user name might worsen that
  • The plugin installer plugin is a security issue. [23] [24]
    • TODO: We should config-package-dev displace folder /usr/share/gajim/plugins/plugin_installer/.
    • TODO: Debian feature request to ship the gajim plugin-installer plugin in a separate Debian package.
    • Edit -> Plugins -> Uncheck "Plugin Installer"
  • TODO: create an AppArmor profile
  • TODO: does it have any protocol leaks?
    • TODO: ask gajim developers
  • TODO: disable logging by default
  • TODO: how to pre-configure gajim with all these settings by default as a linux distribution?

Other Software[edit]

If it is not listed here, it for now is recommended against. You can search Whonix forums to see if that chat client has been discussed in past or if you think a privacy respecting chat client is missing on this page.


Footnotes / References[edit]

  1. http://archive.is/8w0Zf
  2. https://ricochet.im/
  3. https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdf
  4. https://en.wikipedia.org/wiki/Ricochet_(software)
  5. Qubes-Whonix is 64-bit by default. The 32-bit version should also work, but is not worth bothering with.
  6. Until Whonix 14, the default download version of Whonix is 32-bit. Therefore, 64-bit software won't run unless Whonix is built from source code.
  7. https://www.eff.org/secure-messaging-scorecard
  8. https://www.elttam.com.au/blog/a-review-of-the-eff-secure-messaging-scorecard-pt1/
  9. Chance of working better (untested): Tunnel UDP over Tor.
  10. Note, in case you are using the previous footnote, Other Anonymizing Networks over Tor UDP Tunnel applies.
  11. http://retroshare.sourceforge.net/downloads.html
  12. http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/Release.gpg
  13. To import asc key files into trusted.gpg.d they must be converted into a .gpg keychain file first.
  14. RetroShare .deb Packages installation instructions from RetroShare's third party repository
  15. https://github.com/RetroShare/RetroShare/issues/356
  16. Arbitrary choice of port to avoid conflicts with custom RetroShare setups.
  17. https://pidgin.im/news/security/
  18. Security Analysis of Instant Messenger TorChat
  19. https://en.wikipedia.org/wiki/TorChat#Security
  20. To prevent needlessly leaking your activity to the server.
  21. For better security, we better do not risk automatically starting these applications from the chat client.
  22. To get Stream Isolation.
  23. https://tails.boum.org/blueprint/replace_Pidgin/
  24. https://labs.riseup.net/code/issues/7868


Whonix Chat wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Chat wiki page Copyright (C) 2012 - 2017 Patrick Schleizer <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

Random News:

Want to get involved with Whonix? Check out our Contribute page.

Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself.