Facebook Joins Tor, And The Dark Web Gets A Little More Useful (If A Little Less Cool)
from the good-news dept
Just a couple of months ago, we wrote about how the folks behind Tor were looking for ways to deal with the fact that much of the web treats Tor visitors differently. It's a tough problem to solve, as we noted, because for all the benefits that Tor provides by allowing people to be anonymous, it's also very much a tool that is abused by some for nefarious purposes, including spamming and attacks. For sites that have any sort of heuristic systems in place (including us at Techdirt), it often defaults to treating many, if not all, Tor users as second-class citizens. This isn't an easy problem to solve, by any means. We've done our best to train our systems to minimize the hassle for Tor users, and yet they are still more likely to run into issues than non-Tor users (sometimes because of upstream efforts). We're certainly watching this effort closely, in hopes that we can benefit from it as well. However, it looks like Facebook has taken a rather bold move to help Tor users: setting up its very own Tor hidden service, effectively creating a special "hidden" Tor version of Facebook that is designed for Tor users. Yes, Facebook has joined the dark web. It may not seem as cool as various dark markets and such, but it actually is rather important in helping to validate the use of Tor and the fact that not everything on Tor hidden services is about selling drugs or hiring hitmen, as some reports seem to imply.
This is a pretty big move, because Facebook was rather aggressive in treating Tor users badly in the past, sometimes accusing them of hacking their own account, kicking them out or just displaying things weirdly. Obviously, users logged into Facebook over Tor are identifying themselves to Facebook, but the hidden service does provide more security and privacy against everyone else on the path, and works more seamlessly for those who wish to use Tor regularly.
As Runa Sandvik also notes, this is the first time that a certificate authority has issued a legitimate SSL certificate for a .onion address (Facebook is at https://facebookcorewwwi.onion/ in case you were wondering). Having both of these things happen at once may, as Andy Greenberg jokes, feel sort of like when your parents joined Facebook, but it also, hopefully, is the beginning of more widespread recognition that the Tor hidden services can be useful -- and not just for questionable enterprises. Hopefully others follow Facebook's lead.
Filed Under: certificate authority, dark web, ssl, tor
Companies: facebook
Reader Comments
I can only imagine the amount of behavioral data they're going to rake in with this move.
Well....
Down side - most of that will be redirections outside of TOR to embedded movie files or similar that nonetheless will be accessed over TOR - putting a massive strain on the whole system, which already struggles a little with the load on it today. Unless farcebook are willing to also fund additional nodes to carry some of their load, they are going to degrade the TOR performance for everyone.
An onion address (public RSA key) is 80-bit in length. The first half of Facebook's onion address is 'facebook', which is 40-bit out of 80-bit total. Facebook has a lot of servers to farm out for key generation. I still find it impressive they managed to generate the first 40 bits exactly like they wanted to, in human readable format. I'm glad Facebook showed the Tor community that brute forcing 40-bit keys is easily within the realm of possibility.
It's even more scary when you consider there are faster attack methods against asymmetric keys, than mere brute force attacks. Which is why 2048-bit RSA key lengths are recommended. 2048-bit onion addresses would obviously be a lot longer than the current 80-bit onion addresses, but would be much more secure. A 256-bit elliptical curve key would be shorter, and supposedly just as secure as a 2048-bit RSA key. Both asymmetric keys are about equal in security to a 128-bit symmetric AES key.
"Sounds like it makes man-in-the-middle attacks impossible."
Connecting to Facebook through a Tor Hidden Service definitely makes MITM attacks and server impersonation harder, but unfortunately not impossible.
Two obstacles must be overcome to impersonate a Tor Hidden Service with a https certificate:
1. Either brute force a Tor Hidden Service's private RSA key through repeated keypair generation (slowest method). Or run the Hidden Service public RSA key through an integer factorization algorithm to derive its private RSA key (faster than brute force key generation). If someone can figure out a Hidden Service's private key, or cause a hash collision, then they can impersonate that Hidden Service.
https://lists.torproject.org/pipermail/tor-talk/2014-October/035417.html
2. Facebook managed to register a .onion address with DigiCert Inc certificate authority. Which means DigiCert, or any other certificate authorities listed in your web browser, authenticates the https connection to facebookcorewwwi.onion. Certificate authorities have been compromised in the past, and have issued forged certificates that appear valid.
https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170
I've rambled on long enough. Here's a link to the Tor Project mailing list, where arma discusses the method Facebook used to brute force their onion vanity address.
https://lists.torproject.org/pipermail/tor-talk/2014-October/035412.html
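The comment above describes the 80-bit onion address and the 40-bit 'facebook' prefix. To make the arithmetic concrete, here is an added example (not from the Techdirt post or its commenters, and not Facebook's or the Tor Project's code) that derives a hidden-service address the way Tor's rendezvous spec does: SHA-1 over the DER-encoded RSA public key, truncated to the first 80 bits and base32-encoded into 16 characters. It also computes how many keypairs one would expect to generate before the hash happens to start with a chosen prefix, which is the work factor the commenter is pointing at, and includes the defender-side check of whether a published name actually matches the key it claims to come from. `SAMPLE_N` and `SAMPLE_E` are constructed placeholder values for the demonstration, not a real key; only the Python standard library is used.

```python
import base64
import hashlib

# Constructed sample RSA public key (modulus n, exponent e) used only to feed
# bytes into the derivation. These are illustrative placeholder numbers, not a
# real Tor key and not Facebook's key.
SAMPLE_N = int(
    "c9f6f4b5a1d2e3c4b5a6978899aabbccddeeff00112233445566778899aabbcc"
    "ddeeff00112233445566778899aabbccddeeff00112233445566778899aabbcc"
    "ddeeff00112233445566778899aabbccddeeff00112233445566778899aabbcc"
    "ddeeff00112233445566778899aabbccddeeff00112233445566778899aabbcd", 16)
SAMPLE_E = 65537

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a 0x00 is prepended when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body


def onion_address(n: int, e: int) -> str:
    """v2 hidden-service name: base32 of the first 80 bits (10 bytes) of SHA-1(DER(pubkey))."""
    digest = hashlib.sha1(rsa_public_key_der(n, e)).digest()
    # 10 bytes * 8 bits / 5 bits per base32 char = 16 characters, no padding needed.
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def expected_keys_for_prefix(prefix: str) -> int:
    """Expected keypairs to generate before a hash starts with `prefix`: 32 ** len(prefix).

    Eight characters ('facebook') is 32**8 == 2**40 trials; all sixteen would be 2**80.
    """
    if not prefix or any(c not in BASE32_ALPHABET for c in prefix.lower()):
        raise ValueError("prefix must be non-empty base32 text (a-z, 2-7)")
    return 32 ** len(prefix)


def verify_address_matches_key(address: str, n: int, e: int) -> bool:
    """Check that a published .onion name is really derived from the given public key."""
    name = address.lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    return name == onion_address(n, e)


if __name__ == "__main__":
    addr = onion_address(SAMPLE_N, SAMPLE_E)
    print("derived address:", addr + ".onion")
    print("matches key:", verify_address_matches_key(addr + ".onion", SAMPLE_N, SAMPLE_E))
    for length in (4, 8, 12, 16):
        trials = expected_keys_for_prefix("a" * length)
        print(f"{length:2d}-char prefix: about 2^{trials.bit_length() - 1} keypairs")
```

The point the table makes is the one in the comment: the name is a hash truncated to 80 bits, so matching a chosen 8-character prefix costs roughly 2^40 RSA keypair generations, which is well within reach of a server farm, while producing a full 16-character collision against a specific existing service would cost about 2^80 and is what protects the address itself. The `verify_address_matches_key` function is the check a client or auditor would run against the key a hidden-service descriptor publishes.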
Re:
You do know that Tor was created by the US government, right?
Don't let major web companies, in bed with such governments, soften you up to the idea of Tor being under their control.
See my answer above.
Re:
You should have your hearing checked.
Where are the cops and feds?
Re:
but this is a potential issue for any https connection you connect to with or without tor.
Re:
If you use the .onion version of FB then FB never knows what exit node you are using (as long as you don't click a link in facebook that goes outside of facebook) so your anonymity set doesn't get reduced when you look for gay porn.
It's a trap!
Re:
DuckDuckGo has a hidden service (http://3g2upl4pq6kufc4m.onion/) if that helps at all.
FBI said Facebook is great and now Tor users (who FBI is trying to unmask) will use Facebook.
Genius!
Shrug
Re: Re:
Or can you set up specific routing with Tor? e.g. facebook.com -> exit node X, gayporn.com -> exit node Y, default -> exit node Z?
And to further obfuscate matters, at least for HTTP/S type traffic (non-latency sensitive traffic) shouldn't the exit node add a random delay (say between 20ms and 250ms for arguments sake) to the outgoing request to make it harder to use correlation (user clicked on link at 10:22:32,300 and at 10:22:32,305 exit node sent a request to howtobuildabomb.edu) to 'mush up' everyones requests?
Re: Re:
However, this does appear to open you up to identifying yourself on an anonymous network. Why would anyone log into their real facebook account on the Tor network? I would think that if a user visited a nefarious site after visiting FB (without disabling referring information) and that site was being monitored... then data could be subpoenaed from FB for all users using the FB site at that moment. This would significantly reduce the anonymity to those capable of requesting such records.
Re: Re: Re:
It's important to remember that governments are not the only bad actors. If a black hat wants to hack you, he needs your IP address. The fewer people that know your IP address the harder it is for the black hat to get it.
Re: Re:
Got any on-line resources about this we could read??
I'd love to know more.