
Facebook Sets Up Shop On Tor

itwbennett writes: Assuming that people who use the anonymity network want to also use Facebook, the social network has made its site available on Tor, Facebook software engineer Alec Muffett said in a post on Friday. Facebook also decided to encrypt the connection between clients and its server with SSL, providing an SSL certificate for Facebook's onion address. This was done both for internal technical reasons and as a way for users to verify Facebook's ownership of the onion address. Since it is still an experiment, Facebook hopes to improve the service and said it would share lessons learned about scaling and deploying services via an onion address over time.
  • by Anonymous Coward on Friday October 31, 2014 @11:24AM (#48279881)

    ... but it took all this time to calculate that .onion URL.

    • Re: (Score:3, Insightful)

      The fact that it was possible for them to generate that vanity URL means that Tor hidden service identifiers do not contain enough bits to be secure.
    • by davydagger ( 2566757 ) on Friday October 31, 2014 @11:49AM (#48280231)
      >facebookcorewwwi.onion/

      the fact that it's possible to calculate that far into an onion's address should make you cautious of the technology. While it's unlikely that an amateur is going to crack a tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the process could do so. (if cryptocurrencies can make asics, why can't people wanting to smash crypto do the same. similar tech, and especially if you're a large company/government, buying them in bulk shouldn't be a problem)

      it's also known that facebook buys custom chips from intel who makes them with extra database specific functions built in, and intel now sells the service to any high volume buyer willing to pay extra.

      It's not unreasonable to say tor is broken until they move to 4096 bit keypairs.
      • It's 80 bits.

        It's an SHA-1 hash, but in square root of the time. Facebook wanted to work out facebook*.onion, so they only had to sha-1 'facebook' and then store that state. After that, feed 40 sha-1 bits to the sha-1 function to generate a bunch of different hashes, keeping the ones that match.

        This works all the time, as long as there are collisions in that space that match your hash.

        • by Kjella ( 173770 )

          Facebook wanted to work out facebook*.onion, so they only had to sha-1 'facebook' and then store that state. After that, feed 40 sha-1 bits to the sha-1 function to generate a bunch of different hashes, keeping the ones that match.

          That doesn't make any sense at all, if they can choose "facebook" I can choose "facebookcorewwwi" and feed it 0 bits to get my hash. It is the other way around, you must generate a public key and SHA-1 hash that, cut to 80 bits and convert to base32 and that'll be your service descriptor. Since each letter = 5 bits they basically brute force created 2^40 = public keys to find one that hashed to facebook*. There are tools for this, the estimate for a single 1.5 GHz processor choosing 8 letters is about ~25 d [stackexchange.com]
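The derivation Kjella describes (SHA-1 over the public key, truncated to 80 bits, base32-encoded), as an added example that is not part of the original thread. Constructed byte strings stand in for DER-encoded public keys and the function names are hypothetical; the block also puts the work for 8 chosen characters (2^40) next to a match on all 16 characters (2^80).

```python
import base64
import hashlib
from itertools import count

ADDRESS_BITS = 80      # a v2 onion name keeps 80 bits of the SHA-1 digest
BITS_PER_CHAR = 5      # base32: 5 bits per character, so 16 characters
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_v2_address(der_public_key: bytes) -> str:
    """SHA-1 the DER-encoded public key, keep 80 bits, base32-encode."""
    digest = hashlib.sha1(der_public_key).digest()
    truncated = digest[:ADDRESS_BITS // 8]
    return base64.b32encode(truncated).decode("ascii").lower()


def expected_attempts(chosen_chars: int) -> int:
    """Average number of keys to generate before chosen_chars characters match."""
    if not 0 <= chosen_chars <= ADDRESS_BITS // BITS_PER_CHAR:
        raise ValueError("a v2 onion name has 16 base32 characters")
    return 2 ** (BITS_PER_CHAR * chosen_chars)


def search_prefix(prefix: str, limit: int = 1_000_000):
    """Return (address, attempts) for the first stand-in blob matching prefix."""
    if not set(prefix) <= BASE32_ALPHABET:
        raise ValueError("prefix must use the base32 alphabet a-z, 2-7")
    for attempts in count(1):
        if attempts > limit:
            raise RuntimeError("no match within limit")
        # Constructed stand-in for a DER-encoded key; a real search
        # generates a fresh keypair for every attempt instead.
        blob = b"constructed-stand-in-key-%d" % attempts
        address = onion_v2_address(blob)
        if address.startswith(prefix):
            return address, attempts


if __name__ == "__main__":
    address, attempts = search_prefix("fb")
    print(f"{address}.onion after {attempts} attempts "
          f"(expected about {expected_attempts(2)})")
    for chars in (8, 16):
        print(f"{chars} chosen characters: about 2^{BITS_PER_CHAR * chars} keys")
```

Only the characters that were chosen in advance cost work; the rest of the name is whatever the matching key happens to hash to.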

          • they can choose "facebook" I can choose "facebookcorewwwi" and feed it 0 bits to get my hash.

            I was assuming they had HASH(seed) = 0xDEADBEEF and they were trying to HASH("FACEBOOK" + whatever) and get 0xDEADBEEF. To do this, you would feed your hash function--which iteratively generates a hash based on a stream--"FACEBOOK", and then start appending 40-bit strings.

            There was some assertion that the full length of the identifier is 80 bits, and that Facebook only brute forced 40 bits. This is how you find a hash collision with a known prefix: you hash the prefix, then continue computing the next

        • look again, it's facebookcorewww, with just one character left random.
          • That looks like plausible words; random letters can form words. How often have you found "ass" and "dicks" in word searches?
        • This I understand, that if it was just facebook* I wouldn't be worried.

          It's the fact that it's facebookcorewww?, which bothers me, and the insinuation that both core and www are just random.

          Then everyone started jumping down my throat with what I already know about onion addresses under a false pretext.
      • There is a list of generation times on a 1.5 Ghz processor that can be found on the Shallot repository [github.com] which also includes software to do it.
        • Which means if they had meager 1,000 1.5Ghz machines at their disposal, they could have generated 1000 different facebookXXXXXXXX addresses in 25 days and picked the best one.

          A thousand random 8-character strings didn't get me any cool names: http://www.random.org/strings/... [random.org]

          ...but I'm pretty sure 1000x1.5Ghzx25d is on the low end of what Facebook can deliver for a project.

      • >facebookcorewwwi.onion/

        the fact that it's possible to calculate that far into an onion's address should make you cautious of the technology. While it's unlikely that an amateur is going to crack a tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the process could do so. (if cryptocurrencies can make asics, why can't people wanting to smash crypto do the same. similar tech, and especially if you're a large company/government, buying them in bulk shouldn't be a problem)

        it's also known that facebook buys custom chips from intel who makes them with extra database specific functions built in, and intel now sells the service to any high volume buyer willing to pay extra.

        It's not unreasonable to say tor is broken until they move to 4096 bit keypairs.

        De-anonymizing attacks have almost certainly already taken place (see the 2014 "Cicada 3301" contest for one example) so this shouldn't be the tipoff that if you are relying on a Tor hidden service for long term anonymity you are probably not going to find it. Tor can be used anonymously by clients who change their actual whereabouts often enough to avoid a pattern, but hidden services are ripe for exploit and always will be, the process is just too complex to avoid all possible weak links.

      • It's not unreasonable to say tor is broken until they move to 4096 bit keypairs.

        It's not unreasonable to say tor is broken completely if facebook is involved.

  • Anonymity? (Score:5, Interesting)

    by MachineShedFred ( 621896 ) on Friday October 31, 2014 @11:26AM (#48279917) Journal

    So you go through Tor to access Facebook, where you immediately have to log in, and...

    What's the point again?

    • by rogoshen1 ( 2922505 ) on Friday October 31, 2014 @11:31AM (#48279999)

      Because people concerned enough about anonymity to use tor, are also avid products of social media -- of course. Did you forget to drink your kool-aid this morning?

    • It has some advantages. Location data is very important data, and facebook loses it. They still know where your friends are, but it's better than before.

      • as well as IP source address, and with that, an ISP name, and location down to city. That can tell someone what network to sniff if they want your personal information.
    • Re:Anonymity? (Score:5, Insightful)

      by Charliemopps ( 1157495 ) on Friday October 31, 2014 @11:35AM (#48280055)

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      What's the point again?

      Some countries block facebook. I think that's the point.

    • Re:Anonymity? (Score:5, Insightful)

      by bill_mcgonigle ( 4333 ) * on Friday October 31, 2014 @11:49AM (#48280229) Homepage Journal

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      You really don't know anybody who uses Facebook pseudonymously? If you make an account called 'Hootie McBoob' you might get dinged, but there are thousands of 'Bill Riker's (have some fun with it).

      If you're coming in from your home IP or a Verizon or AT&T mobile, you're gonna be decloaked in a hurry, even by a passive listener. So, if you want to participate in a community that's on Facebook but not be known to the outsiders, Tor makes sense. Right now you can exit Tor on one of the spooks' exit nodes, but then you're just enabling the traffic analysis. By offering Tor directly, you avoid the risk of using an additional hostile exit node.

      This looks to be Facebook engineers doing the best they can given the cards they're holding. It's obviously more secure to not use any social networking systems at all, but if you rank security/privacy below functionality for some uses, this move makes sense to improve the situation.

      • by brunes69 ( 86786 )

        I know there are some people who use Facebook pseudonymously but honestly I never saw the use case. The whole point of Facebook is to connect with friends and family to share things. If you are anonymous, you can't do that, so why are you on Facebook?

        Anonymous Twitter accounts make a lot more sense than anonymous facebook accounts.

        • by Anonymous Coward

          I know there are some people who use Facebook pseudonymously but honestly I never saw the use case. The whole point of Facebook is to connect with friends and family to share things. If you are anonymous, you can't do that, so why are you on Facebook?

          Because having an account usually allows you to access more profiles than not being logged in at all; some profiles are so restricted that you need to be a friend on their friends list to view, but that's another matter entirely.

      • It goes against their TOS to use a fake name but why not just do it anyways, if privacy is your thing and you're using Tor.
    • I suspect the point is part publicity stunt, and partly an effort to guard against any countries that may take measures to block access to facebook. The use of SSL alone can force those countries to go to an 'all or nothing' approach to censorship, but TOR accessibility means that even if they block the site by DNS and IP users can still get through with a little more effort. This is important not only from a free speech point of view*, but commercially to ensure those countries remain full of potential use

    • Re:Anonymity? (Score:5, Interesting)

      by pegr ( 46683 ) on Friday October 31, 2014 @12:41PM (#48280841) Homepage Journal

      Oh, even better. What root CA is signing off on .onion domains now?

      Yet again, because people have no g*d damn clue how SSL works, we have to live with encryption that, in practice, is TOTALLY MEANINGLESS!

      • by Anonymous Coward

        Connections to tor hidden services don't need https, since the in-transit connection is already encrypted as it's transmitted through the tor network.

    • by sudon't ( 580652 )

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      What's the point again?

      Well, presumably, you're not logging in with your real name. Using a standard connection, even with a fake name, you're still giving away a lot of information by being tied to your IP address. By using the Tor Browser, you are disassociated from your home IP address, and the Tor Browser makes it a bit easier to dump cookies once your session ends. Make no mistake though, you're probably only protecting yourself from FB itself, and advertisers and other commercial data collectors. Whatever dossier they build

    • In unrelated news, a gun shop that had been selling boots with a target on them, is now selling steel-toed boots with a target on them.

    • So you go through Tor to access Facebook, where you immediately have to log in, and... What's the point again?

      It's mainly for the muppets who see Tor all over the news and just want a new fad to follow.
      They assume that because the media is shoving Tor down their throats, they have to use it because it's "popular" and "cool". Rather than understanding what it's designed for.

      Gotta love the sheep flocking crowd.

      Facebook's just in it for the news coverage, with a chance of bringing in some of those sheep who will log in, simple as.

  • I should access a network the intent of which is to track every move I make through a network that is supposedly granting me anonymity.

    What the fuck is the point?

    • by sinij ( 911942 )
      Maybe if you don't have any Facebook friends and want someone to read your feed? At least this way you can be fairly certain that spooks will read it.
    • by Hadlock ( 143607 )

      China, Iran, North Korea, occasionally Turkey, Libya, Egypt, perhaps Russia, Ukraine, Hong Kong. Something like 25% of the internet either can't or potentially can't access Facebook right now. But with TOR you can.

  • lol (Score:4, Insightful)

    by Charliemopps ( 1157495 ) on Friday October 31, 2014 @11:35AM (#48280039)

    So the most invasive, anti-privacy business on earth, doesn't like the fact that governments are using the very same tactics to prevent people from using its site so they now support Tor?

    We're through the looking glass now for sure.

    • "It's only wrong when someone else does it."

      I have no idea why I have to say it out loud. Hypocrites don't believe they're hypocrites. Frankly, they don't believe in hypocrisy. What they want, they deserve. What anyone else wants, is either irrelevant (if it doesn't interfere with what they want) or evil (if it does interfere with what they want).

      Say what you will about unvarnished greed. At least it's internally consistent.

      • by Qzukk ( 229616 )

        At least it's internally consistent

        Until it starts demanding big government for everyone but them, paid for by everyone but them. Even the greedy can be hypocrites.

        • Read the GP's post again. Big government for everyone else is what they want. Everyone but them paying for it is what they want. Big government for themselves interferes with what they want.

          Internally consistent.

    • no one likes competition.

      Don't imagine that burger king ever liked the fact McDonalds sold hamburgers
  • by SkunkPussy ( 85271 ) on Friday October 31, 2014 @11:38AM (#48280075) Journal

    So you're going to go to all of this trouble to use a completely secure connection which conceals your identity and information about your browsing. Then you're going to go to a website where the first thing you do is identify yourself to that website then the second thing you do is give yourself a cookie that identifies you to any website anywhere on the internet that has a facebook like button?

    • by Kardos ( 1348077 )

      It seems like they are viewing tor as a "free vpn" so people can use facebook without their employer/school/etc knowing what they are doing.

    • >yourself a cookie that identifies you to any website anywhere on the internet that has a facebook like button?

      no script and private browsing.

      If you haven't figured it out already, browse facebook in a private browsing/incognito window. If your not using FF or chrome/chromium, kill yourself.

      Also, use https-everywhere, and noscript.
    • If you browse it with TBB (Tor browser bundle), you still have that "identify yourself" part, but the cookie gets deleted the moment you close tor browser. Browsing tor with your normal browser is something very stupid, not just because of cookies, but also because of fingerprinting. Tor browser for example deactivates canvas tracking, or webrtc, and spoofs the useragent. Try this site [eff.org] with your favourite browser and with tor browser, and compare the results.

    • by LessThanObvious ( 3671949 ) on Friday October 31, 2014 @12:55PM (#48280995)

      It makes some sense. If you use a "real name like" pseudonym they don't know unless you get reported. Turn off ability of people to tag you in photos. Use a selfie that is recognizable to friends, but useless for facial recognition algorithms. Never access outside TOR, blackhole DNS facebook.com and all known ad networks assuming that wouldn't break it within TOR. Register with a matching pseudonym email. Give a fake location and date of birth. Run AD-Blocker Plus, Ghostery, NoScript, etc. Preferably dual boot, Live-CD or at least use different user login on the OS level when toggling between TOR and public use. For a normal person who wants to see what your friends are doing, but doesn't want to give Facebook everything it could work good enough. As others mentioned, the ability to use in a country where it is banned is pretty worthwhile. If you are in that situation then maybe use a real photo at first if your friends need to recognize you to "add you", but change it later to a picture that isn't recognizable as you. It certainly matters for those in repressed countries to be able to communicate to the outside world. Tip: If you give a fake date of birth remember what you gave! I got locked out of mine because they used that as my only option for security question to access a stale account.

  • by jenningsthecat ( 1525947 ) on Friday October 31, 2014 @11:47AM (#48280199)

    Because I need the ultimate in privacy between me and the video billboard in Times square where I'm posting the intimate details of my life. Yeah, right.

    Problem is, there will be many, many people who will think "Oh! Facebook is protecting my privacy now, so they must be OK!"

    • by Vokkyt ( 739289 )

      I think more people will just think "What's Tor?"

      This is really a "news for nerds" sort of deal here. The general public, and even most power users aren't going to be all that interested in it due to the niche. As to why Facebook has elected to pursue an onion site, who knows. I doubt it's because they see a big future in Tor, or maybe they do. Given that Tor has a bit of a burden of knowledge to actually understand what it offers, most users won't know or care.

      I'm willing to believe that it's possible an i

  • A lot of people here are really completely missing the point of this. It isn't for privacy conscious US or EU users, it is for users in countries where Facebook is completely banned/blocked. China, Iran, Syria, etc.

    And it is a great thing to happen. It would be wonderful if Twitter did the same.

    • I always thought that TOR is quite capable of doing that all by itself?

      • It is, but Facebook having their own TOR address is much more reliable (and likely faster) than having to use one of a limited number of exit nodes. Every person using the internal address will also reduce the burden on the exit nodes and give higher speeds so this is a win for everyone.

        • by ndato ( 3482697 )
          Also, when using a TOR address there is no exit-node, and the data is encrypted end-to-end.
      • Yes, but it means going via an exit node. Exit nodes can't sniff or meddle in your traffic if you use SSL, but they are under high contention. Few people are willing to take the legal risk of running one, as it carries a possibility of being falsely accused of a serious crime.

    • by Anonymous Coward

      tor has been blocked in China for years, it's actually easier to block tor than facebook since with tor all you have to block is the protocol while if you want to block facebook (or any other TLS-encrypted site) you have to individually block each of the hundreds of constantly changing public IP-addresses

      I guess they could block based on TLS certificate but for some reason this isn't done, that's why you can get around some blocks with hosts files etc

  • Oh yeah, that's right.
  • Nice try NSA (Score:5, Interesting)

    by rrohbeck ( 944847 ) on Friday October 31, 2014 @12:50PM (#48280943)

    Then all you have to do is enable Javascript to make Facebook work.

  • ... then log into Facebook with your real name and post your data from that connection.

  • The magic rule of anonymity on Tor is don't go to websites that will actively attempt to use code to find out who you are....oh and don't log in as your actual first and last name on the worst website for privacy on the entire internet. That's probably a rule too.
  • When you push the Enter button, it goes somewhere, you know not where.
  • Wasn't it like 10 days ago that we saw the demise of SSL 3.0, the last version still alive?
    Yesterday we had news of Chrome dropping support for it.

    Now facebook is setting up new servers that use it?

    • Wasn't it like 10 days ago that we saw the demise of SSL 3.0, the last version still alive? Yesterday we had news of Chrome dropping support for it.

      Now facebook is setting up new servers that use it?

      SSL 3.0 is from 1996. The latest version of SSL is called TLS 1.2 [wikipedia.org] and is from 2008, with 1.3 under development.
