Facebook implemented a new way for users to access its site via Tor “without losing the cryptographic protections provided by the Tor cloud” and without disclosing their location, according to a Facebook announcement.
Users with a Tor-enabled browser can access Facebook directly through the https://facebookcorewwwi.onion/ URL, said Alec Muffett, software engineer at Facebook. Through a “.onion” address they can connect to Facebook’s Core WWW Infrastructure, which provides a direct connection between the browser and a Facebook data center. Catalin Cosoi, Chief Security Strategist at Bitdefender, says:
“The hidden service name is derived from a 1024 bit RSA Key randomly generated when putting your service online in TOR. This means you have to generate a custom key in order to derive a name like “facebookcorewwwi”. And if you can generate the RSA key behind a hidden service, then you could actually hijack any hidden service in TOR.”
On user accusations of having done so, Facebook said it got lucky.
“Regarding the Onion address, we did what everyone else does and (in our case) created a bunch of addresses with a “facebook” prefix and then went fishing around in the results for a good one. I feel that we were tremendously fortunate,” Muffett replied to a user. Cosoi said:
“We did the math, you would need around 1.000.000 servers up for 1 year to generate “facebookcorewww” (without the trailing “i”, this being randomly there) on the fastest GPUs out there. But the real question is: if Facebook has the resources to brute force the correct full key in a fair amount of time, what could stop Google or the NSA from doing it?”
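The arithmetic behind both remarks, as an added example (not code from Facebook, Bitdefender or the Tor Project): a legacy 16-character .onion name is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key, so every extra character that must match multiplies the expected number of keys to try by 32. The stand-in byte strings used in place of real keys and the 1e9 keys-per-second rate are constructed assumptions.

```python
import base64
import hashlib

SECONDS_PER_YEAR = 365 * 24 * 3600

def onion_v2_address(der_public_key: bytes) -> str:
    """Legacy onion name: base32(first 10 bytes of SHA-1(DER-encoded RSA public key))."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()

def expected_keys(prefix_len: int) -> int:
    """Average number of keys to hash before prefix_len characters match (5 bits each)."""
    return 32 ** prefix_len

def years_needed(prefix_len: int, keys_per_second: float) -> float:
    """Expected search time at a given rate; the rate is the caller's assumption."""
    return expected_keys(prefix_len) / keys_per_second / SECONDS_PER_YEAR

def stand_in_key(n: int) -> bytes:
    """Constructed placeholder for the n-th candidate key's DER bytes (not a real RSA key)."""
    return b"constructed-key-" + n.to_bytes(8, "big")

def attempts_until_prefix(prefix: str, limit: int = 5_000_000) -> int:
    """Hash stand-in keys until the derived name starts with prefix; return the count."""
    for n in range(1, limit + 1):
        if onion_v2_address(stand_in_key(n)).startswith(prefix):
            return n
    raise RuntimeError("prefix not found within limit")

if __name__ == "__main__":
    # Empirical check of the 32**n model on a 2-character prefix (expected ~1024 tries).
    tries = attempts_until_prefix("fb")
    print(f"'fb' matched after {tries} candidates -> {onion_v2_address(stand_in_key(tries))}")

    assumed_rate = 1e9  # assumption: candidate keys hashed per second, for illustration only
    for label, length in [("facebook", 8), ("facebookcorewww", 15), ("full name", 16)]:
        print(f"{label:16s} {5 * length:2d} bits  "
              f"{expected_keys(length):.2e} keys  "
              f"{years_needed(length, assumed_rate):.2e} years at {assumed_rate:.0e}/s")
```

The 8-character "facebook" prefix is a 40-bit search, while matching an existing service's full name is an 80-bit search, which is the gap between picking a vanity name and reproducing someone else's address.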
Facebook also allows access via HTTPS (Hypertext Transfer Protocol Secure), but the site’s security infrastructure conflicts with the way the anonymity-focused browser works. Because Tor bounces traffic between nodes to hide the user’s actual location, Facebook is misled to believe the user is a hacker trying to conceal his identity.
“Tor challenges some assumptions of Facebook’s security mechanisms — for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada,” Muffett said. “In other contexts such behavior might suggest that a hacked account is being accessed through a ‘botnet’, but for Tor this is normal.”
“Basically this opens the biggest social media platform to TOR users that have something to say, but don’t want to be tracked down for doing so,” Cosoi said. “Facebook’s outreach combined with TOR – hiding your source IP and anonymizing your location – could prove to be a very tricky thing to control.”
Facebook also provides an SSL security certificate that cites its .onion address. This removes the Tor Browser’s “SSL Certificate Warning” and verifies Facebook’s ownership of the onion address.
“Issuing an SSL certificate for a Tor implementation is — in the Tor world — a novel solution to attribute ownership of an onion address; other solutions for attribution are ripe for consideration, but we believe that this one provides an appropriate starting point for such discussion,” the software engineer added.