Security Experts:

Connect with us

Hi, what are you looking for?



Facebook Made Accessible via Tor Anonymity Network

Facebook has created a special .onion address that enables users of the Tor anonymity network to access the social media website.

Facebook has created a special .onion address that enables users of the Tor anonymity network to access the social media website.

Facebook’s integrity systems and the way the anonymity network works have prevented users from easily accessing the website. In order to address these issues, Facebook has created a hidden service, which is accessible at the address https://facebookcorewwwi.onion/.

“Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud,” Alec Muffett, a software engineer for Security Infrastructure at Facebook London, said in a blog post on Friday.

Muffett has noted that facebookcorewwi.onion connects users directly to one of the company’s datacenters, or the “Core WWW Infrastructure.”

“I am excited that this move by Facebook will help to continue opening people’s minds about why they might want to offer a hidden service, and help other people think of further novel uses for hidden services,” Tor Project Leader Roger Dingledine wrote in a blog post.

“Another really nice implication here is that Facebook is committing to taking its Tor users seriously. Hundreds of thousands of people have been successfully using Facebook over Tor for years, but in today’s era of services like Wikipedia choosing not to accept contributions from users who care about privacy, it is refreshing and heartening to see a large website decide that it’s ok for their users to want more safety,” Dingledine added.

SSL certificate

 Facebook is using an SSL digital certificate to help users determine if they are on the legitimate website.

“We decided to use SSL atop this service due in part to architectural considerations – for example, we use the Tor daemon as a reverse proxy into a load balancer and Facebook traffic requires the protection of SSL over that link,” Muffett said. “As a result, we have provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser’s ‘SSL Certificate Warning’ for that onion address and increases confidence that this service really is run by Facebook.”

Runa Sandvik, a security and privacy researcher involved with the Tor Project and one of the individuals who assisted Facebook on this project, has pointed out that this is the first time a certificate authority, in this case Digicert, has issued a legitimate SSL certificate for a .onion address.

How did Facebook generate the name?

 While many have applauded Facebook’s initiative, there has been much debate over how Facebook managed to get the name of the hidden service considering that names are derived from a randomly generated RSA-1024 key. Many people have accused Facebook of somehow brute forcing the name.

“We did the math,” said Catalin Cosoi, chief security strategist at Bitdefender. “You would need around 1,000,000 servers up for 1 year to generate ‘facebookcorewww’ (without the trailing ‘i’, this being randomly there) on the fastest GPUs out there. But the real question is: if Facebook has the resources to brute force the correct full key in a fair amount of time, what could stop Google or the NSA from doing it?”

However, according to Facebook and the Tor Project, no brute force attacks were involved in the process. Instead, the company simply got lucky.

“The short answer is that for the first half of it (‘facebook’), which is only 40 bits, they generated keys over and over until they got some keys whose first 40 bits of the hash matched the string they wanted,” Dingledine explained.

“Then they had some keys whose name started with ‘facebook’, and they looked at the second half of each of them to pick out the ones with pronounceable and thus memorable syllables. The ‘corewwwi’ one looked best to them — meaning they could come up with a story about why that’s a reasonable name for Facebook to use — so they went with it,” Dingledine added. “So to be clear, they would not be able to produce exactly this name again if they wanted to. They could produce other hashes that start with ‘facebook’ and end with pronouncable syllables, but that’s not brute forcing all of the hidden service name (all 80 bits).”

Muffett said in a post on Reddit that they “created a bunch of addresses with a ‘facebook’ prefix and then went fishing around in the results for a good one.”


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...


U.S. fighter jets successfully shot down the high altitude spy balloon launched by and belonging to China.


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Application Security

Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited...