Facebook Joins Tor, And The Dark Web Gets A Little More Useful (If A Little Less Cool)
from the good-news dept
Just a couple months ago, we wrote about how the folks behind Tor were looking for ways to deal with the fact that much of the web treats Tor visitors differently. It’s a tough problem to solve, as we noted, because for all the benefits that Tor provides by allowing people to be anonymous, it’s also very much a tool that is abused by some for nefarious purposes, including spamming and attacks. For sites that have any sort of heuristic systems in place (including us at Techdirt), it often defaults to treating many, if not all, Tor users as second-class citizens. This isn’t an easy problem to solve, by any means. We’ve done our best to train our systems to minimize the hassle for Tor users, and yet they are still more likely to run into issues than non-Tor users (sometimes because of upstream efforts). We’re certainly watching this effort closely, in hopes that we can benefit from it as well.
However, it looks like Facebook has taken a rather bold move to help Tor users: setting up its very own Tor hidden service, effectively creating a special “hidden” Tor version of Facebook that is designed for Tor users. Yes, Facebook has joined the dark web. It may not seem as cool as various dark markets and such, but it actually is rather important in helping to validate the use of Tor and the fact that not everything on Tor hidden services are about selling drugs or hiring hitmen, as some reports seem to imply.
This is a pretty big move, because Facebook was rather aggressive in treating tor users badly in the past, sometimes accusing them of hacking their own account, kicking them out or just displaying stuff weirdly. Obviously, users logged into Facebook over Tor are identifying themselves to Facebook, but it does provide more security and privacy for others, and works more seamlessly for those who wish to use Tor regularly.
As Runa Sandvik also notes, this is the first time that a certificate authority has issued a legitimate SSL certificate for a .onion address (Facebook is at https://facebookcorewwwi.onion/ in case you were wondering). Having both of these things happen at once may, as Andy Greenberg jokes, feel sort of like when your parents joined Facebook, but it also, hopefully, is the beginning of more widespread recognition that the Tor hidden services can be useful — and not just for questionable enterprises. Hopefully others follow Facebook’s lead.
Filed Under: certificate authority, dark web, ssl, tor
Companies: facebook
Comments on “Facebook Joins Tor, And The Dark Web Gets A Little More Useful (If A Little Less Cool)”
Also in the news, hundreds if not thousands of Tor users that already don’t use Tor properly have one more way to reduce its effectiveness and cross-contaminate private and non-private browsing.
Re: Re:
Exactly. Anyone who thinks Facebook is doing this for users is incredibly naive and massively stupid. Facebook is doing this for the same reason Facebook does everything: profit.
Re: Re:
I am not an expert but using the .onion version of FB should actually reduce leaks between your anonymous browsing and your non-anonymous browsing when compared to browsing the .com FB over tor. If you browse the .com FB over Tor using a facebook identity that is linked to your real identity while also browsing gay porn websites FB can tell that you were using the same exit node as someone browsing gay porn. This functionally reduces your anonymity set making it easier to figure out that you are the person using both FB and looking at gay porn.
If you use the .onion version of FB then FB never knows what exit node you are using (as long as you don’t click a link in facebook that goes outside of facebook) so your anonymity set doesn’t get reduced when you look for gay porn.
Re: Re: Re:
Not really being a regular Tor user and only knowing at a high level how Tor works, therefore this might be a stupid question, but shouldn’t Tor use a random exit node for each request (i.e. each time you click on a link, even if it’s a link to another page on the same site, it randomly chooses a different exit node for that request)?
Or can you set up specific routing with Tor? e.g. facebook.com -> exit node X, gayporn.com -> exit node Y, default -> exit node Z?
And to further obfuscate matters, at least for HTTP/S type traffic (non-latency sensitive traffic) shouldn’t the exit node add a random delay (say between 20ms and 250ms for arguments sake) to the outgoing request to make it harder to use correlation (user clicked on link at 10:22:32,300 and at 10:22:32,305 exit node sent a request to howtobuildabomb.edu) to ‘mush up’ everyones requests?
Re: Re: Re:
I am not a Tor user and don’t understand it’s inner workings but as I understand, on Tor, you are already doing this. Many people use the same exit node and that could already be associated with the data which is why it makes it anonymous. The fact that the data could be coming from any one of multiple users (100s? 1000s?) on the same exit node they can’t associate any traffic with you any more than they could associate the other person with your facebook traffic.
However, this does appear to open you up to identifying yourself on an anonymous network. Why would anyone log into their real facebook account on the Tor network? I would think that if a user visited a nefarious site after visiting FB (without disabling referring information) and that site was being monitored… then data could be subpoenaed from FB for all users using the FB site at that moment. This would significantly reduce the anonymity to those capable of requesting such records.
Re: Re: Re: Re:
It’s important to remember that governments are not the only bad actors. If a black hat wants to hack you, he needs your IP address. The fewer people that know your IP address the harder it is for the black hat to get it.
It seems more likely that facebook wants to better understand how to exploit users on the tor network, so they’re setting this up to learn all they can about how users use it.
I can only imagine the amount of behavioral data they’re going to rake in with this move.
From the Wired article:
Sounds like it makes man-in-the-middle attacks impossible. I’m not really familiar with Tor; can it actually do that? If it can, I’d love to see Google get revenge on the NSA by setting up their own Tor service and adding Tor to Chrome/Chromium.
Re: Re:
“Sounds like it makes man-in-the-middle attacks impossible”
You should have your hearing checked.
Re: Re:
DuckDuckGo has a hidden service (http://3g2upl4pq6kufc4m.onion/) if that helps at all.
Re: Re:
it can do that with firefox, not googles browser it leaks shit all over
Well....
Plus side – its a great deal more cover traffic for TOR (after all, that’s why TOR was released to the public in the first place)
Down side – most of that will be redirections outside of TOR to embedded movie files or similar that nontheless will be accessed over TOR – putting a massive strain on the whole system, which already struggles a little with the load on it today. Unless farcebook are willing to also fund additional nodes to carry some of their load, they are going to degrade the TOR performance for everyone.
I find it both interesting and scary that Facebook was able to brute force the vanity onion address ‘facebookcorewwwi’. Facebook accomplished this through brute force generating public/private RSA keypairs over and over again, looking for public keys that start with ‘facebook’. An onion address is literally a randomly generated public key. Or in this case, Facebook managed to randomly generate a human readable public key!
An onion address (public RSA key) is 80-bit in length. The first half of Facebook’s onion address is ‘facebook’, which is 40-bit out of 80-bit total. Facebook has a lot of servers to farm out for key generation. I still find it impressive they managed generate the first 40-bit exactly like they wanted to, in human readable format. I’m glad Facebook showed the Tor community that brute forcing 40-bit keys is easily within the realm of possibility.
It’s even more scary when you consider there are faster attack methods against asymmetric keys, than mere brute force attacks. Which is why 2048-bit RSA key lengths are recommended. 2048-bit onion addresses would obviously be a lot longer than the current 80-bit onion addresses, but would be much more secure. A 256-bit elliptical curve key would be shorter, and supposedly just as secure as a 2048-bit RSA key. Both asymmetric keys are about equal in security to a 128-bit symmetric AES key.
“Sounds like it makes man-in-the-middle attacks impossible.”
Connecting to Facebook through a Tor Hidden Service definitely makes MITM attacks and server impersonation harder, but unfortunately not impossible.
Two obstacles must be overcome to impersonate a Tor Hidden Service with a https certificate:
1. Either brute force a Tor Hidden Service’s private RSA key through repeat keypair generation (slowest method). Or run the Hidden Service public RSA key though an integer factorization algorithm to derive it’s private RSA key (faster than brute force key generation). If someone can figure out a Hidden Service’s private key, or cause a hash collision, then they can impersonate that Hidden Service.
https://lists.torproject.org/pipermail/tor-talk/2014-October/035417.html
2. Facebook managed to register a .onion address with DigiCert Inc certificate authority. Which means DigiCert, or any other certificate authorities listed in your web browser, authenticates the https connection to facebookcorewwwi.onion. Certificate authorities have been compromised in the past, and have issued forged certificates that appear valid.
https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170
I’ve rambled on long enough. Here’s a link to the Tor Project mailing list, where arma discusses the method Facebook used to brute force their onion vanity address.
https://lists.torproject.org/pipermail/tor-talk/2014-October/035412.html
Re: Re:
“Certificate authorities have been compromised in the past, and have issued forged certificates that appear valid.”
but this is a potential issue for any https connection you connect to with or without tor.
Re: Re: Re:
doesnt matter the hidden service is already more secure than than SSL, they did even need a cert ,it was pointed out on the tor blog by devs
Re: Re:
they did not brute force it please see the tor blog, A hidden service does not need SSL at all, its already more secure than SSL, this was all covered on the TOR blog, please go read
Re: Re:
the hidden service address, has nothing to do with the crypto that, secures the connection, which is a much larger key than the address. The address can not be spoofed, that the point of the address nothing more
I always preferred the term ‘deep net’ over ‘dark web’. It’s a shame dark web is more prevalently used.
Re: Re:
I’ve never heard either term. I’ve heard darknet and deep web.
Re: Re:
‘deep net’ and ‘dark net’ are different things
Anyone who trusts Facebook to not be gathering all the data to hand over to the gov is naive. The very purpose of Tor is to keep us safe from authoritarian governments like the US where Facebook is headquartered. Don’t let major web companies, in bed with such governments, soften you up to the idea of Tor being under their control. If that happens, it’s purpose will be undermined and it’d be a good as not using it.
Re: Re:
The very purpose of Tor is to keep us safe from authoritarian governments like the US where Facebook is headquartered.
You do know that Tor was created by the US government, right?
Don’t let major web companies, in bed with such governments, soften you up to the idea of Tor being under their control.
See my answer above.
Re: Re: Re:
“You do know that Tor was created by the US government, right?”
Got any on-line resources about this we could read??
I’d love to know more.
—
Where are the cops and feds?
I can’t believe we haven’t yet heard law enforcement screams about how this makes it harder to protect children from pedophiles – well, that or some “because terrorism” wailing and gnashing of teeth.
It's a trap!
Facebook has spent billions trying to gather every possible scrap of data on everyone on the Internet (including people who aren’t even Facebook users, see “shadow profiles”). If you think for even one nanosecond that they’re going to do anything that detracts from that effort, then you’re not merely naive, you’re not merely stupid, you’re both AND you’re insane.
It is visible to everyone because no one is more innocent when it comes to social media, though for what Facebook would want to Tor is not to increase their profits massantes .
GNU/Linux users are also treated as if they are second-class citizens…
How are Tor users supposed to watch videos on Facebook if the website suggests to download Adobe Flash?
Re:
Perhaps because Adobe Flash bypasses Tor network, exposing the real IP address.
FBI said Facebook is great and now Tor users (who FBI is trying to unmask) will use Facebook.
Genious!
Shrug
Won’t use Facebook under any circumstances