Facebook Sets Up Shop On Tor
itwbennett writes: Assuming that people who use the anonymity network want to also use Facebook, the social network has made its site available on Tor, Facebook software engineer Alec Muffett said in a post on Friday. Facebook also decided to encrypt the connection between clients and its server with SSL, providing an SSL certificate for Facebook's onion address. This was done both for internal technical reasons and as a way for users to verify Facebook's ownership of the onion address. Since it is still an experiment, Facebook hopes to improve the service and said it would share lessons learned about scaling and deploying services via an onion address over time.
They wanted to release this years ago... (Score:5, Funny)
... but it took all this time to calculate that .onion URL.
Re:They wanted to release this years ago... (Score:5, Informative)
On how they got the address: https://lists.torproject.org/p... [torproject.org]
This is how .onion addresses are made: https://gitweb.torproject.org/... [torproject.org]
Then they hash the key (using SHA-1), and base32-encode the first 80 bits (first half of the hash).
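The derivation described in this comment (SHA-1 over the encoded public key, first 80 bits, base32), together with the prefix search discussed in the replies further down, as an added example that is not part of the original thread. The function names are hypothetical, and counter-derived byte strings stand in for real encoded RSA public keys, so the search illustrates the cost of a prefix match without producing a usable service key.

```python
import base64
import hashlib

# Characters that can appear in a 16-character (80-bit) onion address.
V2_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_v2_address(pubkey_blob: bytes) -> str:
    """SHA-1 the encoded public key, keep the first 80 bits, base32-encode."""
    digest = hashlib.sha1(pubkey_blob).digest()   # 160 bits
    first_half = digest[:10]                      # first 80 bits
    return base64.b32encode(first_half).decode("ascii").lower()


def expected_tries(prefix_len: int) -> int:
    """Average number of keys to try for a chosen prefix of this length.

    Each base32 character carries 5 bits, so 8 characters cost about 2**40
    tries and all 16 characters (a full address match) cost about 2**80.
    """
    if not 0 <= prefix_len <= 16:
        raise ValueError("an 80-bit address has 16 base32 characters")
    return 32 ** prefix_len


def find_prefix(prefix: str, max_tries: int = 200_000):
    """Try candidate key blobs until the derived address starts with prefix.

    Returns (tries, address), or None if max_tries is exhausted.
    The candidates are constructed stand-ins, not real RSA keys (assumption).
    """
    if not set(prefix) <= V2_ALPHABET:
        raise ValueError("prefix uses characters outside a-z and 2-7")
    for counter in range(max_tries):
        blob = b"constructed-key-" + counter.to_bytes(8, "big")
        address = onion_v2_address(blob)
        if address.startswith(prefix):
            return counter + 1, address
    return None


if __name__ == "__main__":
    print("sample address:", onion_v2_address(b"constructed-key-sample"))
    print("2-char prefix search:", find_prefix("fb"))
    for n in (2, 8, 16):
        print(f"{n:2d} chosen characters -> ~2^{5 * n} candidate keys")
```

The gap between the 8-character and 16-character rows is the difference between picking a recognizable prefix for your own address and matching someone else's complete address.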
Re:They wanted to release this years ago... (Score:5, Insightful)
The fact that it's possible to calculate that far into an onion's address should make you cautious of the technology. While it's unlikely that an amateur is going to crack a tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the process, could do so. (If cryptocurrencies can make ASICs, why can't people wanting to smash crypto do the same? Similar tech, and especially if you're a large company/government, buying them in bulk shouldn't be a problem.)
It's also known that Facebook buys custom chips from Intel, who makes them with extra database-specific functions built in, and Intel now sells the service to any high-volume buyer willing to pay extra.
It's not unreasonable to say tor is broken until they move to 4096 bit keypairs.
Re: (Score:2)
It's 80 bits.
It's an SHA-1 hash, but in square root of the time. Facebook wanted to work out facebook*.onion, so they only had to sha-1 'facebook' and then store that state. After that, feed 40 sha-1 bits to the sha-1 function to generate a bunch of different hashes, keeping the ones that match.
This works all the time, as long as there are collisions in that space that match your hash.
Re: (Score:2)
Facebook wanted to work out facebook*.onion, so they only had to sha-1 'facebook' and then store that state. After that, feed 40 sha-1 bits to the sha-1 function to generate a bunch of different hashes, keeping the ones that match.
That doesn't make any sense at all, if they can choose "facebook" I can choose "facebookcorewwwi" and feed it 0 bits to get my hash. It is the other way around, you must generate a public key and SHA-1 hash that, cut to 80 bits and convert to base32 and that'll be your service descriptor. Since each letter = 5 bits they basically brute force created 2^40 = public keys to find one that hashed to facebook*. There are tools for this, the estimate for a single 1.5 GHz processor choosing 8 letters is about ~25 d [stackexchange.com]
Re: (Score:2)
they can choose "facebook" I can choose "facebookcorewwwi" and feed it 0 bits to get my hash.
I was assuming they had HASH(seed) = 0xDEADBEEF and they were trying to HASH("FACEBOOK" + whatever) and get 0xDEADBEEF. To do this, you would feed your hash function--which iteratively generates a hash based on a stream--"FACEBOOK", and then start appending 40-bit strings.
There was some assertion that the full length of the identifier is 80 bits, and that Facebook only brute forced 40 bits. This is how you find a hash collision with a known prefix: you hash the prefix, then continue computing the next
Re: (Score:2)
It's the fact that it's facebookcorewww?, which bothers me, and the insinuation that both core and www are just random.
Then everyone started jumping down my throat with what I already know about onion addresses under a false pretext.
Re: (Score:2)
Which means if they had meager 1,000 1.5Ghz machines at their disposal, they could have generated 1000 different facebookXXXXXXXX addresses in 25 days and picked the best one.
A thousand random 8-character strings didn't get me any cool names: http://www.random.org/strings/... [random.org]
Re: (Score:2)
>facebookcorewwwi.onion/
The fact that it's possible to calculate that far into an onion's address should make you cautious of the technology. While it's unlikely that an amateur is going to crack a tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the process, could do so. (If cryptocurrencies can make ASICs, why can't people wanting to smash crypto do the same? Similar tech, and especially if you're a large company/government, buying them in bulk shouldn't be a problem.)
It's also known that Facebook buys custom chips from Intel, who makes them with extra database-specific functions built in, and Intel now sells the service to any high-volume buyer willing to pay extra.
It's not unreasonable to say tor is broken until they move to 4096 bit keypairs.
De-anonymizing attacks have almost certainly already taken place (see the 2014 "Cicada 3301" contest for one example) so this shouldn't be the tipoff that if you are relying on a Tor hidden service for long term anonymity you are probably not going to find it. Tor can be used anonymously by clients who change their actual whereabouts often enough to avoid a pattern, but hidden services are ripe for exploit and always will be, the process is just too complex to avoid all possible weak links.
Re: (Score:1)
It's not unreasonable to say tor is broken until they move to 4096 bit keypairs.
It's not unreasonable to say tor is broken completely if facebook is involved.
Anonymity? (Score:5, Interesting)
So you go through Tor to access Facebook, where you immediately have to log in, and...
What's the point again?
Re:Anonymity? (Score:5, Funny)
Because people concerned enough about anonymity to use tor, are also avid products of social media -- of course. Did you forget to drink your kool-aid this morning?
Re: (Score:2)
You mean the part of social media that requires your real name for registration?
Re: (Score:3)
It has some advantages. Location data is very important data, and facebook loses it. They still know where your friends are, but it's better than before.
Re:Anonymity? (Score:5, Insightful)
So you go through Tor to access Facebook, where you immediately have to log in, and...
What's the point again?
Some countries block facebook. I think that's the point.
Re: (Score:3)
Couldn't you also set up a sock puppet account to use to keep your anonymous fan page updated? You don't have to friend people or put any actual info in your account, just use it to update your hacking/revolution/secret society/terrorism network/whistleblower/whatever page.
You forgot trolling/catfishing/generally shitting in the pool. I can see this having one rampant use: creation and manipulation of throwaway/hacked accounts. They better have one amazing captcha on the Tor-facing login page or Facebook is about to get a whole lot filthier.
Re:Anonymity? (Score:5, Insightful)
So you go through Tor to access Facebook, where you immediately have to log in, and...
You really don't know anybody who uses Facebook pseudonymously? If you make an account called 'Hootie McBoob' you might get dinged, but there are thousands of 'Bill Riker's (have some fun with it).
If you're coming in from your home IP or a Verizon or AT&T mobile, you're gonna be decloaked in a hurry, even by a passive listener. So, if you want to participate in a community that's on Facebook but not be known to the outsiders, Tor makes sense. Right now you can exit Tor on one of the spooks' exit nodes, but then you're just enabling the traffic analysis. By offering Tor directly, you avoid the risk of using an additional hostile exit node.
This looks to be Facebook engineers doing the best they can given the cards they're holding. It's obviously more secure to not use any social networking systems at all, but if you rank security/privacy below functionality for some uses, this move makes sense to improve the situation.
Re: (Score:2)
I know there are some people who use Facebook pseudonymously but honestly I never saw the use case. The whole point of Facebook is to connect with friends and family to share things. If you are anonymous, you can't do that, so why are you on Facebook?
Anonymous Twitter accounts make a lot more sense than anonymous facebook accounts.
Re: (Score:1)
I know there are some people who use Facebook pseudonymously but honestly I never saw the use case. The whole point of Facebook is to connect with friends and family to share things. If you are anonymous, you can't do that, so why are you on Facebook?
Because having an account usually allows you to access more profiles than not being logged in at all; some profiles are so restricted that you need to be a friend on their friends list to view, but that's another matter entirely.
Re: (Score:3)
I suspect the point is part publicity stunt, and partly an effort to guard against any countries that may take measures to block access to facebook. The use of SSL alone can force those countries to go to an 'all or nothing' approach to censorship, but TOR accessibility means that even if they block the site by DNS and IP users can still get through with a little more effort. This is important not only from a free speech point of view*, but commercially to ensure those countries remain full of potential use
Re:Anonymity? (Score:5, Interesting)
Oh, even better. What root CA is signing off on .onion domains now?
Yet again, because people have no g*d damn clue how SSL works, we have to live with encryption that, in practice, is TOTALLY MEANINGLESS!
Re: (Score:1)
Connections to tor hidden services don't need https, since the in-transit connection is already encrypted as it's transmitted through the tor network.
Re: (Score:3)
So you go through Tor to access Facebook, where you immediately have to log in, and...
What's the point again?
Well, presumably, you're not logging in with your real name. Using a standard connection, even with a fake name, you're still giving away a lot of information by being tied to your IP address. By using the Tor Browser, you are disassociated from your home IP address, and the Tor Browser makes it a bit easier to dump cookies once your session ends. Make no mistake though, you're probably only protecting yourself from FB itself, and advertisers and other commercial data collectors. Whatever dossier they build
Re: (Score:1)
In unrelated news, a gun shop that had been selling boots with a target on them, is now selling steel-toed boots with a target on them.
Re: (Score:1)
So you go through Tor to access Facebook, where you immediately have to log in, and... What's the point again?
It's mainly for the muppets who see Tor all over the news and just want a new fad to follow.
They assume that because the media is shoving Tor down their throats, they have to use it because it's "popular" and "cool". Rather than understanding what it's designed for.
Gotta love the sheep flocking crowd.
Facebook's just in it for the news coverage, with a chance of bringing in some of those sheep who will log in, simple as.
So, lemme get this straight... (Score:2, Insightful)
I should access a network the intent of which is to track every move I make through a network that is supposedly granting me anonymity.
What the fuck is the point?
Re: (Score:2)
China, Iran, North Korea, occasionally Turkey, Libya, Egypt, perhaps Russia, Ukraine, Hong Kong. Something like 25% of the internet either can't or potentially can't access Facebook right now. But with TOR you can.
lol (Score:4, Insightful)
So the most invasive, anti-privacy business on earth doesn't like the fact that governments are using the very same tactics to prevent people from using its site, so they now support Tor?
We're through the looking glass now for sure.
Re: (Score:2)
"It's only wrong when someone else does it."
I have no idea why I have to say it out loud. Hypocrites don't believe they're hypocrites. Frankly, they don't believe in hypocrisy. What they want, they deserve. What anyone else wants, is either irrelevant (if it doesn't interfere with what they want) or evil (if it does interfere with what they want).
Say what you will about unvarnished greed. At least it's internally consistent.
Re: (Score:2)
At least it's internally consistent
Until it starts demanding big government for everyone but them, paid for by everyone but them. Even the greedy can be hypocrites.
Re: (Score:2)
Read the GP's post again. Big government for everyone else is what they want. Everyone but them paying for it is what they want. Big government for themselves interferes with what they want.
Internally consistent.
Re: (Score:2)
Don't imagine that burger king ever liked the fact McDonalds sold hamburgers
Re: (Score:2)
at least at the brothel you know you're getting fucked, and they're upfront about that being their business model.
Re: (Score:2)
+1 Excellent Analogy XD
Words. I can't even. (Score:4, Insightful)
So you're going to go to all of this trouble to use a completely secure connection which conceals your identity and information about your browsing. Then you're going to go to a website where the first thing you do is identify yourself to that website, then the second thing you do is give yourself a cookie that identifies you to any website anywhere on the internet that has a facebook like button?
Re: (Score:2)
It seems like they are viewing tor as a "free vpn" so people can use facebook without their employer/school/etc knowing what they are doing.
Re: (Score:2)
Wait! Do I have to go to facebook from there or can I use it as another VPN hop?
Re: (Score:2)
It's VPNs all the way down!
Re: (Score:2)
no script and private browsing.
If you haven't figured it out already, browse facebook in a private browsing/incognito window. If you're not using FF or chrome/chromium, kill yourself.
Also, use https-everywhere, and noscript.
Re: (Score:3)
If you browse it with TBB (Tor browser bundle), you still have that "identify yourself" part, but the cookie gets deleted the moment you close tor browser. Browsing tor with your normal browser is something very stupid, not just because of cookies, but also because of fingerprinting. Tor browser for example deactivates canvas tracking, or webrtc, and spoofs the useragent. Try this site [eff.org] with your favourite browser and with tor browser, and compare the results.
Re:Words. I can't even. (Score:4, Interesting)
It makes some sense. If you use a "real name like" pseudonym they don't know unless you get reported. Turn off ability of people to tag you in photos. Use a selfie that is recognizable to friends, but useless for facial recognition algorithms. Never access outside TOR, blackhole DNS facebook.com and all known ad networks assuming that wouldn't break it within TOR. Register with a matching pseudonym email. Give a fake location and date of birth. Run AD-Blocker Plus, Ghostery, NoScript, etc. Preferably dual boot, Live-CD or at least use different user login on the OS level when toggling between TOR and public use. For a normal person who wants to see what your friends are doing, but doesn't want to give Facebook everything, it could work well enough. As others mentioned, the ability to use in a country where it is banned is pretty worthwhile. If you are in that situation then maybe use a real photo at first if your friends need to recognize you to "add you", but change it later to a picture that isn't recognizable as you. It certainly matters for those in repressed countries to be able to communicate to the outside world. Tip: If you give a fake date of birth remember what you gave! I got locked out of mine because they used that as my only option for security question to access a stale account.
Why? (Score:3)
Because I need the ultimate in privacy between me and the video billboard in Times square where I'm posting the intimate details of my life. Yeah, right.
Problem is, there will be many, many people who will think "Oh! Facebook is protecting my privacy now, so they must be OK!"
Re: (Score:2)
I think more people will just think "What's Tor?"
This is really a "news for nerds" sort of deal here. The general public, and even most power users aren't going to be all that interested in it due to the niche. As to why Facebook has elected to pursue an onion site, who knows. I doubt it's because they see a big future in Tor, or maybe they do. Given that Tor has a bit of a burden of knowledge to actually understand what it offers, most users won't know or care.
I'm willing to believe that it's possible an i
People missing the point (Score:2)
A lot of people here are really completely missing the point of this. It isn't for privacy conscious US or EU users, it is for users in countries where Facebook is completely banned/blocked. China, Iran, Syria, etc.
And it is a great thing to happen. It would be wonderful if Twitter did the same.
Re: (Score:2)
I always thought that TOR is quite capable of doing that all by itself?
Re: (Score:2)
It is, but Facebook having their own TOR address is much more reliable (and likely faster) than having to use one of a limited number of exit nodes. Every person using the internal address will also reduce the burden on the exit nodes and give higher speeds so this is a win for everyone.
Re: (Score:2)
Yes, but it means going via an exit node. Exit nodes can't sniff or meddle in your traffic if you use SSL, but they are under high contention. Few people are willing to take the legal risk of running one, as it carries a possibility of being falsely accused of a serious crime.
Re: (Score:1)
tor has been blocked in China for years, it's actually easier to block tor than facebook since with tor all you have to block is the protocol while if you want to block facebook (or any other TLS-encrypted site) you have to individually block each of the hundreds of constantly changing public IP-addresses
I guess they could block based on TLS certificate but for some reason this isn't done, that's why you can get around some blocks with hosts files etc
Re: (Score:3)
More people running Tor potentially means more Tor exit nodes.
Who knows. Possibly a good thing.
where's the slashdot.onion? (Score:1)
Re:Is this an Onion story? (Score:4, Funny)
Nice try NSA (Score:5, Interesting)
Then all you have to do is enable Javascript to make Facebook work.
Anonymize your connection through tor... (Score:2)
... then log into Facebook with your real name and post your data from that connection.
the magic rule (Score:1)
Network = KnownStuff (Score:2)
SSL? (Score:2)
Wasn't it like 10 days ago that we saw the demise of SSL 3.0, the last version still alive?
Yesterday we had news of Chrome dropping support for it.
Now facebook is setting up new servers that use it?
Re: (Score:2)
Wasn't it like 10 days ago that we saw the demise of SSL 3.0, the last version still alive? Yesterday we had news of Chrome dropping support for it.
Now facebook is setting up new servers that use it?
SSL 3.0 is from 1996. The latest version of SSL is called TLS 1.2 [wikipedia.org] and is from 2008, with 1.3 under development.