
Facebook Made Accessible via Tor Anonymity Network

Facebook has created a special .onion address that enables users of the Tor anonymity network to access the social media website.

Facebook's site-integrity systems and the way the anonymity network works have prevented users from easily accessing the website: a Tor user's connections appear to come from many different places in quick succession, which looks to Facebook's abuse defenses like a compromised account. To address this, Facebook has created a hidden service, which is accessible at the address https://facebookcorewwwi.onion/.

"Facebook's onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud," Alec Muffett, a software engineer for Security Infrastructure at Facebook London, said in a blog post on Friday.

Muffett has noted that facebookcorewwwi.onion connects users directly to one of the company's datacenters, or the "Core WWW Infrastructure."

"I am excited that this move by Facebook will help to continue opening people's minds about why they might want to offer a hidden service, and help other people think of further novel uses for hidden services," Tor Project Leader Roger Dingledine wrote in a blog post.

"Another really nice implication here is that Facebook is committing to taking its Tor users seriously. Hundreds of thousands of people have been successfully using Facebook over Tor for years, but in today's era of services like Wikipedia choosing not to accept contributions from users who care about privacy, it is refreshing and heartening to see a large website decide that it's ok for their users to want more safety," Dingledine added.

SSL certificate

Facebook is using an SSL certificate issued for the .onion name to help users determine whether they are on the legitimate hidden service rather than a look-alike address.

"We decided to use SSL atop this service due in part to architectural considerations - for example, we use the Tor daemon as a reverse proxy into a load balancer and Facebook traffic requires the protection of SSL over that link," Muffett said. "As a result, we have provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser's 'SSL Certificate Warning' for that onion address and increases confidence that this service really is run by Facebook."

Runa Sandvik, a security and privacy researcher involved with the Tor Project and one of the individuals who assisted Facebook on this project, has pointed out that this is the first time a certificate authority, in this case Digicert, has issued a legitimate SSL certificate for a .onion address.

How did Facebook generate the name?

While many have applauded Facebook's initiative, there has been much debate over how Facebook managed to get the name of the hidden service, considering that a hidden service name is not chosen but derived from the service's randomly generated RSA-1024 key: the 16-character name is the base32 encoding of the first 80 bits of the SHA-1 hash of the public key. Many people have accused Facebook of somehow brute forcing the name.

"We did the math," said Catalin Cosoi, chief security strategist at Bitdefender. "You would need around 1,000,000 servers up for 1 year to generate 'facebookcorewww' (without the trailing 'i', this being randomly there) on the fastest GPUs out there. But the real question is: if Facebook has the resources to brute force the correct full key in a fair amount of time, what could stop Google or the NSA from doing it?"

However, according to Facebook and the Tor Project, no brute force of the full name was involved. Instead, the company searched only for the first half of the name and got lucky with the second.

"The short answer is that for the first half of it ('facebook'), which is only 40 bits, they generated keys over and over until they got some keys whose first 40 bits of the hash matched the string they wanted," Dingledine explained.

"Then they had some keys whose name started with 'facebook', and they looked at the second half of each of them to pick out the ones with pronounceable and thus memorable syllables. The 'corewwwi' one looked best to them — meaning they could come up with a story about why that's a reasonable name for Facebook to use — so they went with it," Dingledine added. "So to be clear, they would not be able to produce exactly this name again if they wanted to. They could produce other hashes that start with 'facebook' and end with pronounceable syllables, but that's not brute forcing all of the hidden service name (all 80 bits)."

Muffett said in a post on Reddit that they "created a bunch of addresses with a 'facebook' prefix and then went fishing around in the results for a good one."
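To make the arithmetic in this section concrete, here is an added example (not Facebook's or the Tor Project's code) that derives a v2 hidden-service name from an RSA-1024 public key exactly as Tor does (SHA-1 over the DER-encoded PKCS#1 RSAPublicKey, first 80 bits, base32), and then runs the kind of prefix search Dingledine describes. The search keeps one modulus and varies the public exponent, the trick used by GPU vanity tools such as Shallot and Scallion; the stdlib-only prime generator, the `fb` prefix, the seed and the letters-only "memorable" filter are this example's own assumptions. Each base32 character pins 5 bits, so "facebook" (8 characters) costs about 32^8 = 2^40 keys and the full 16 characters 2^80, which is the gap Dingledine is pointing at.

```python
"""Tor v2 onion-name derivation plus a vanity-prefix search.
Added example for this article; not code from Facebook or Tor."""
import base64
import hashlib
import math
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; adequate for a demo key, not a production keygen."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_rsa(bits=1024, seed=None):
    """Return (n, phi) for a demo modulus; a seed makes the run reproducible."""
    rng = random.Random(seed)
    p = _random_prime(bits // 2, rng)
    q = _random_prime(bits // 2, rng)
    while q == p:
        q = _random_prime(bits // 2, rng)
    return p * q, (p - 1) * (q - 1)


def _der_len(length):
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(x):
    body = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_rsa_public_key(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def onion_address(n, e):
    """v2 name: base32 of the first 80 bits (10 bytes) of SHA-1(DER public key)."""
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def expected_attempts(prefix_chars):
    """Each base32 character fixes 5 bits, so a k-char prefix costs ~32**k keys."""
    return 32 ** prefix_chars


def exponent_ok(e, phi):
    return e > 1 and e % 2 == 1 and math.gcd(e, phi) == 1


def find_vanity(prefix, n, phi, start_e=65537, max_tries=2_000_000):
    """Vary e (odd, coprime to phi) until the name starts with prefix."""
    e, tries = start_e, 0
    while tries < max_tries:
        tries += 1
        if exponent_ok(e, phi):
            addr = onion_address(n, e)
            if addr.startswith(prefix):
                return e, addr, tries
        e += 2
    raise RuntimeError("no match within max_tries")


def looks_memorable(suffix):
    """Crude stand-in for the 'pronounceable syllables' pick: letters with a vowel."""
    return suffix.isalpha() and any(c in "aeiou" for c in suffix)


if __name__ == "__main__":
    n, phi = generate_rsa(1024, seed=2014)  # seed is an assumption for the demo
    print("baseline:", onion_address(n, 65537) + ".onion")
    e, addr, tries = find_vanity("fb", n, phi)  # 2 chars = 10 bits, ~1024 tries
    print(f"vanity  : {addr}.onion  e={e} tries={tries} expected~{expected_attempts(2)}")
    print("8 chars :", expected_attempts(8), "keys (2^40)")
    print("16 chars:", expected_attempts(16), "keys (2^80)")
    print("second half memorable?", looks_memorable(addr[8:]))
```

Two caveats for anyone reproducing the numbers: a real search is dominated by SHA-1 throughput on GPUs, not by Python, which is why Cosoi's estimate is in server-years rather than seconds; and v2 names of this form have since been retired by Tor in favour of v3 (56-character, ed25519-based) addresses, whose names are derived differently.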


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.