Slashdot Mirror


Facebook Sets Up Shop On Tor

itwbennett writes: Assuming that people who use the anonymity network want to also use Facebook, the social network has made its site available on Tor, Facebook software engineer Alec Muffett said in a post on Friday. Facebook also decided to encrypt the connection between clients and its server with SSL, providing an SSL certificate for Facebook's onion address. This was done both for internal technical reasons and as a way for users to verify Facebook's ownership of the onion address. Since it is still an experiment, Facebook hopes to improve the service and said it would share lessons learned about scaling and deploying services via an onion address over time.


  1. They wanted to release this years ago... by Anonymous Coward · · Score: 5, Funny

    ... but it took all this time to calculate that .onion URL.

    1. Re:They wanted to release this years ago... by Wonko+the+Sane · · Score: 2, Insightful

      The fact that it was possible for them to generate that vanity URL means that Tor hidden service identifiers do not contain enough bits to be secure.

    2. Re:They wanted to release this years ago... by NotInHere · · Score: 5, Informative

      On how they got the address: https://lists.torproject.org/p...

      This is how .onion addresses are made: https://gitweb.torproject.org/...

      Then they hash the key (using SHA-1), and base32-encode the first 80 bits (first half of the hash).

    3. Re:They wanted to release this years ago... by davydagger · · Score: 5, Insightful

      >facebookcorewwwi.onion/

      The fact that it's possible to calculate that far into an onion's address should make you cautious of the technology. While it's unlikely that an amateur is going to crack a tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the process could do so. (If cryptocurrencies can make ASICs, why can't people wanting to smash crypto do the same? Similar tech, and especially if you're a large company/government, buying them in bulk shouldn't be a problem.)

      It's also known that Facebook buys custom chips from Intel, who makes them with extra database-specific functions built in, and Intel now sells the service to any high-volume buyer willing to pay extra.

      It's not unreasonable to say tor is broken until they move to 4096 bit keypairs.

    4. Re:They wanted to release this years ago... by bluefoxlucid · · Score: 1

      It's 80 bits.

      It's an SHA-1 hash, but in square root of the time. Facebook wanted to work out facebook*.onion, so they only had to sha-1 'facebook' and then store that state. After that, feed 40 sha-1 bits to the sha-1 function to generate a bunch of different hashes, keeping the ones that match.

      This works all the time, as long as there are collisions in that space that match your hash.

    5. Re:They wanted to release this years ago... by stephenmac7 · · Score: 1

      There is a list of generation times on a 1.5 Ghz processor that can be found on the Shallot repository which also includes software to do it.

      --
      "No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
    6. Re:They wanted to release this years ago... by jeffmeden · · Score: 1

      >facebookcorewwwi.onion/

      The fact that it's possible to calculate that far into an onion's address should make you cautious of the technology. While it's unlikely that an amateur is going to crack a tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the process could do so. (If cryptocurrencies can make ASICs, why can't people wanting to smash crypto do the same? Similar tech, and especially if you're a large company/government, buying them in bulk shouldn't be a problem.)

      It's also known that Facebook buys custom chips from Intel, who makes them with extra database-specific functions built in, and Intel now sells the service to any high-volume buyer willing to pay extra.

      It's not unreasonable to say tor is broken until they move to 4096 bit keypairs.

      De-anonymizing attacks have almost certainly already taken place (see the 2014 "Cicada 3301" contest for one example) so this shouldn't be the tipoff that if you are relying on a Tor hidden service for long term anonymity you are probably not going to find it. Tor can be used anonymously by clients who change their actual whereabouts often enough to avoid a pattern, but hidden services are ripe for exploit and always will be, the process is just too complex to avoid all possible weak links.

    7. Re:They wanted to release this years ago... by Kjella · · Score: 1

      Facebook wanted to work out facebook*.onion, so they only had to sha-1 'facebook' and then store that state. After that, feed 40 sha-1 bits to the sha-1 function to generate a bunch of different hashes, keeping the ones that match.

      That doesn't make any sense at all, if they can choose "facebook" I can choose "facebookcorewwwi" and feed it 0 bits to get my hash. It is the other way around, you must generate a public key and SHA-1 hash that, cut to 80 bits and convert to base32 and that'll be your service descriptor. Since each letter = 5 bits they basically brute force created 2^40 = public keys to find one that hashed to facebook*. There are tools for this, the estimate for a single 1.5 GHz processor choosing 8 letters is about ~25 days. Note that spoofing a full address would take millions of years the same way.

      --
      Live today, because you never know what tomorrow brings
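
The derivation described in this comment and in NotInHere's comment above (SHA-1 over the encoded public key, first 80 bits, base32), as an added example that is not part of the original thread or of Tor's code. It uses constructed byte strings as stand-ins for real encoded keys, the function names are hypothetical, and it goes slightly beyond the comments by scaling the quoted 25-day figure for 8 letters to other prefix lengths.

```python
import base64
import hashlib

# Base32 alphabet used in the address (lowercased): 32 symbols, 5 bits each.
B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_v2_address(encoded_pubkey: bytes) -> str:
    """SHA-1 the encoded public key, keep the first 80 bits, base32-encode.

    80 bits = 10 bytes, which base32 turns into exactly 16 characters.
    """
    digest = hashlib.sha1(encoded_pubkey).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def expected_attempts(prefix_len: int) -> int:
    """Average number of keys to try before one matches a chosen prefix."""
    return 32 ** prefix_len


def scaled_days(prefix_len: int, base_len: int = 8, base_days: float = 25):
    """Scale the thread's estimate (8 letters in about 25 days on one
    1.5 GHz processor) to another prefix length: x32 per extra letter."""
    return base_days * 32 ** (prefix_len - base_len)


def find_prefix(prefix: str, max_tries: int):
    """Search stand-in 'keys' until the derived address starts with prefix.

    The inputs are constructed byte strings, NOT real key pairs; they only
    exercise the hash-and-truncate step. Returns (tries, address) or None.
    """
    if not prefix or not set(prefix) <= B32_ALPHABET:
        raise ValueError("prefix must use only a-z and 2-7")
    for i in range(max_tries):
        stand_in = b"constructed-key-" + i.to_bytes(8, "big")
        address = onion_v2_address(stand_in)
        if address.startswith(prefix):
            return i + 1, address
    return None


if __name__ == "__main__":
    # A 2-letter prefix needs about 32**2 = 1024 tries on average.
    print("2 letters:", find_prefix("fb", 200_000))
    for n in (8, 12, 16):
        print(f"{n:2d} letters: {expected_attempts(n):.3e} tries, "
              f"{scaled_days(n):.3e} processor-days")
```

Because a matching prefix is so much cheaper than a matching full address, a lookalike address is only caught by comparing all 16 characters, not the readable beginning.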
    8. Re:They wanted to release this years ago... by davydagger · · Score: 1

      Look again, it's facebookcorewww, with just one character left random.

    9. Re:They wanted to release this years ago... by bluefoxlucid · · Score: 1

      they can choose "facebook" I can choose "facebookcorewwwi" and feed it 0 bits to get my hash.

      I was assuming they had HASH(seed) = 0xDEADBEEF and they were trying to HASH("FACEBOOK" + whatever) and get 0xDEADBEEF. To do this, you would feed your hash function--which iteratively generates a hash based on a stream--"FACEBOOK", and then start appending 40-bit strings.

      There was some assertion that the full length of the identifier is 80 bits, and that Facebook only brute forced 40 bits. This is how you find a hash collision with a known prefix: you hash the prefix, then continue computing the next 40 bits in brute force, rather than running the full 80 bits repeatedly. There is always the danger of not finding a collision, of course, even if your hash function is smaller than 40 bits.

    10. Re:They wanted to release this years ago... by bluefoxlucid · · Score: 1

      That looks like plausible words; random letters can form words. How often have you found "ass" and "dicks" in word searches?

    11. Re:They wanted to release this years ago... by mythosaz · · Score: 1

      Which means if they had meager 1,000 1.5Ghz machines at their disposal, they could have generated 1000 different facebookXXXXXXXX addresses in 25 days and picked the best one.

      A thousand random 8-character strings didn't get me any cool names: http://www.random.org/strings/...

      ...but I'm pretty sure 1000x1.5Ghzx25d is on the low end of what Facebook can deliver for a project.

    12. Re:They wanted to release this years ago... by fustakrakich · · Score: 1

      It's not unreasonable to say tor is broken until they move to 4096 bit keypairs.

      It's not unreasonable to say tor is broken completely if facebook is involved.

      --
      “He’s not deformed, he’s just drunk!”
    13. Re:They wanted to release this years ago... by davydagger · · Score: 1

      This I understand, that if it was just facebook* I wouldn't be worried.

      It's the fact that it's facebookcorewww?, which bothers me, and the insinuation that both core and www are just random.

      Then everyone started jumping down my throat with what I already know about onion addresses under a false pretext.

  2. Anonymity? by MachineShedFred · · Score: 5, Interesting

    So you go through Tor to access Facebook, where you immediately have to log in, and...

    What's the point again?

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    1. Re:Anonymity? by rogoshen1 · · Score: 5, Funny

      Because people concerned enough about anonymity to use tor, are also avid products of social media -- of course. Did you forget to drink your kool-aid this morning?

    2. Re:Anonymity? by NotInHere · · Score: 2

      It has some advantages. Location data is very important data, and facebook loses it. They still know where your friends are, but it's better than before.

    3. Re:Anonymity? by Charliemopps · · Score: 5, Insightful

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      What's the point again?

      Some countries block facebook. I think that's the point.

    4. Re:Anonymity? by bill_mcgonigle · · Score: 4, Insightful

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      You really don't know anybody who uses Facebook pseudonymously? If you make an account called 'Hootie McBoob' you might get dinged, but there are thousands of 'Bill Riker's (have some fun with it).

      If you're coming in from your home IP or a Verizon or AT&T mobile, you're gonna be decloaked in a hurry, even by a passive listener. So, if you want to participate in a community that's on Facebook but not be known to the outsiders, Tor makes sense. Right now you can exit Tor on one of the spooks' exit nodes, but then you're just enabling the traffic analysis. By offering Tor directly, you avoid the risk of using an additional hostile exit node.

      This looks to be Facebook engineers doing the best they can given the cards they're holding. It's obviously more secure to not use any social networking systems at all, but if you rank security/privacy below functionality for some uses, this move makes sense to improve the situation.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Anonymity? by davydagger · · Score: 1

      as well as IP source address, and with that, an ISP name, and location down to city. That can tell someone what network to sniff if they want your personal information.

    6. Re:Anonymity? by SuricouRaven · · Score: 2

      I suspect the point is part publicity stunt, and partly an effort to guard against any countries that may take measures to block access to facebook. The use of SSL alone can force those countries to go to an 'all or nothing' approach to censorship, but TOR accessibility means that even if they block the site by DNS and IP users can still get through with a little more effort. This is important not only from a free speech point of view*, but commercially to ensure those countries remain full of potential users.

      *Much as I hate to say this, facebook is actually useful for something. Occasionally. Like organising protests and disseminating accounts of abuses of power.

    7. Re:Anonymity? by xaotikdesigns · · Score: 1

      Couldn't you also set up a sock puppet account to use to keep your anonymous fan page updated? You don't have to friend people or put any actual info in your account, just use it to update your hacking/revolution/secret society/terrorism network/whistleblower/whatever page.

      --
      XDInd
    8. Re:Anonymity? by xaotikdesigns · · Score: 1

      What about using TOR through the proxy?

      --
      XDInd
    9. Re:Anonymity? by pegr · · Score: 4, Interesting

      Oh, even better. What root CA is signing off on .onion domains now?

      Yet again, because people have no g*d damn clue how SSL works, we have to live with encryption that, in practice, is TOTALLY MEANINGLESS!

    10. Re:Anonymity? by brunes69 · · Score: 1

      I know there are some people who use Facebook pseudonymously but honestly I never saw the use case. The whole point of Facebook is to connect with friends and family to share things. If you are anonymous, you can't do that, so why are you on Facebook?

      Anonymous Twitter accounts make a lot more sense than anonymous facebook accounts.

    11. Re:Anonymity? by Anonymous Coward · · Score: 1

      I know there are some people who use Facebook pseudonymously but honestly I never saw the use case. The whole point of Facebook is to connect with friends and family to share things. If you are anonymous, you can't do that, so why are you on Facebook?

      Because having an account usually allows you to access more profiles than not being logged in at all; some profiles are so restricted that you need to be a friend on their friends list to view, but that's another matter entirely.

    12. Re:Anonymity? by MouseTheLuckyDog · · Score: 1

      You mean the part of social media that requires your real name for registration?

    13. Re:Anonymity? by sudon't · · Score: 2

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      What's the point again?

      Well, presumably, you're not logging in with your real name. Using a standard connection, even with a fake name, you're still giving away a lot of information by being tied to your IP address. By using the Tor Browser, you are disassociated from your home IP address, and the Tor Browser makes it a bit easier to dump cookies once your session ends. Make no mistake though, you're probably only protecting yourself from FB itself, and advertisers and other commercial data collectors. Whatever dossier they build up will be harder to put a real name and address to. It might be helpful to those plotting the next "Facebook Revolution" by making it more difficult for some governments to figure out in a timely manner exactly who's posting.

      It'll be interesting to see how this works because FB flags me each time I log in from a different IP, and forces me to answer a "security question."

      --
      -- sudon't

      Air-ride Equipped

    14. Re:Anonymity? by jeffmeden · · Score: 2

      Couldn't you also set up a sock puppet account to use to keep your anonymous fan page updated? You don't have to friend people or put any actual info in your account, just use it to update your hacking/revolution/secret society/terrorism network/whistleblower/whatever page.

      You forgot trolling/catfishing/generally shitting in the pool. I can see this having one rampant use: creation and manipulation of throwaway/hacked accounts. They better have one amazing captcha on the Tor-facing login page or Facebook is about to get a whole lot filthier.

    15. Re: Anonymity? by dAzED1 · · Score: 1

      The point is that the rules make this new feature pointless.

    16. Re:Anonymity? by Anonymous Coward · · Score: 1

      Connections to tor hidden services don't need https, since the in-transit connection is already encrypted as it's transmitted through the tor network.

    17. Re:Anonymity? by neatville · · Score: 1

      It goes against their TOS to use a fake name but why not just do it anyways, if privacy is your thing and you're using Tor.

    18. Re:Anonymity? by penguinoid · · Score: 1

      In unrelated news, a gun shop that had been selling boots with a target on them, is now selling steel-toed boots with a target on them.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  3. So, lemme get this straight... by Opportunist · · Score: 1, Insightful

    I should access a network the intent of which is to track every move I make through a network that is supposedly granting me anonymity.

    What the fuck is the point?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:So, lemme get this straight... by sinij · · Score: 2

      Maybe if you don't have any Facebook friends and want someone to read your feed? At least this way you can be fairly certain that spooks will read it.

    2. Re:So, lemme get this straight... by Hadlock · · Score: 1

      China, Iran, North Korea, occasionally Turkey, Libya, Egypt, perhaps Russia, Ukraine, Hong Kong. Something like 25% of the internet either can't or potentially can't access Facebook right now. But with TOR you can.

      --
      moox. for a new generation.
  4. lol by Charliemopps · · Score: 3, Insightful

    So the most invasive, anti-privacy business on earth, doesn't like the fact that governments are using the very same tactics to prevent people from using its site so they now support Tor?

    We're through the looking glass now for sure.

    1. Re:lol by idontgno · · Score: 1

      "It's only wrong when someone else does it."

      I have no idea why I have to say it out loud. Hypocrites don't believe they're hypocrites. Frankly, they don't believe in hypocrisy. What they want, they deserve. What anyone else wants, is either irrelevant (if it doesn't interfere with what they want) or evil (if it does interfere with what they want).

      Say what you will about unvarnished greed. At least it's internally consistent.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    2. Re:lol by davydagger · · Score: 1

      no one likes competition.

      Don't imagine that burger king ever liked the fact McDonalds sold hamburgers

    3. Re:lol by Qzukk · · Score: 1

      At least it's internally consistent

      Until it starts demanding big government for everyone but them, paid for by everyone but them. Even the greedy can be hypocrites.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    4. Re:lol by GameboyRMH · · Score: 1

      Read the GP's post again. Big government for everyone else is what they want. Everyone but them paying for it is what they want. Big government for themselves interferes with what they want.

      Internally consistent.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  5. Words. I can't even. by SkunkPussy · · Score: 3, Insightful

    So you're going to go to all of this trouble to use a completely secure connection which conceals your identity and information about your browsing. Then you're going to go to a website where the first thing you do is identify yourself to that website, then the second thing you do is give yourself a cookie that identifies you to any website anywhere on the internet that has a facebook like button?

    --
    SURELY NOT!!!!!
    1. Re:Words. I can't even. by Kardos · · Score: 1

      It seems like they are viewing tor as a "free vpn" so people can use facebook without their employer/school/etc knowing what they are doing.

    2. Re:Words. I can't even. by davydagger · · Score: 1

      >yourself a cookie that identifies you to any website anywhere on the internet that has a facebook like button?

      no script and private browsing.

      If you haven't figured it out already, browse facebook in a private browsing/incognito window. If you're not using FF or chrome/chromium, kill yourself.

      Also, use https-everywhere, and noscript.

    3. Re:Words. I can't even. by Opportunist · · Score: 1

      Wait! Do I have to go to facebook from there or can I use it as another VPN hop?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Words. I can't even. by Kardos · · Score: 1

      It's VPNs all the way down!

    5. Re:Words. I can't even. by NotInHere · · Score: 2

      If you browse it with TBB (Tor browser bundle), you still have that "identify yourself" part, but the cookie gets deleted the moment you close tor browser. Browsing tor with your normal browser is something very stupid, not just because of cookies, but also because of fingerprinting. Tor browser for example deactivates canvas tracking, or webrtc, and spoofs the useragent. Try this site with your favourite browser and with tor browser, and compare the results.

    6. Re:Words. I can't even. by LessThanObvious · · Score: 3, Interesting

      It makes some sense. If you use a "real name like" pseudonym they don't know unless you get reported. Turn off ability of people to tag you in photos. Use a selfie that is recognizable to friends, but useless for facial recognition algorithms. Never access outside TOR, blackhole DNS facebook.com and all known ad networks assuming that wouldn't break it within TOR. Register with a matching pseudonym email. Give a fake location and date of birth. Run AD-Blocker Plus, Ghostery, NoScript, etc. Preferably dual boot, Live-CD or at least use different user login on the OS level when toggling between TOR and public use. For a normal person who wants to see what your friends are doing, but doesn't want to give Facebook everything it could work good enough. As others mentioned, the ability to use in a country where it is banned is pretty worthwhile. If you are in that situation then maybe use a real photo at first if your friends need to recognize you to "add you", but change it later to a picture that isn't recognizable as you. It certainly matters for those in repressed countries to be able to communicate to the outside world. Tip: If you give a fake date of birth remember what you gave! I got locked out of mine because they used that as my only option for security question to access a stale account.

  6. Re:Facebook on Tor by rogoshen1 · · Score: 1

    at least at the brothel you know you're getting fucked, and they're upfront about that being their business model.

  7. Why? by jenningsthecat · · Score: 2

    Because I need the ultimate in privacy between me and the video billboard in Times square where I'm posting the intimate details of my life. Yeah, right.

    Problem is, there will be many, many people who will think "Oh! Facebook is protecting my privacy now, so they must be OK!"

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:Why? by Vokkyt · · Score: 1

      I think more people will just think "What's Tor?"

      This is really a "news for nerds" sort of deal here. The general public, and even most power users aren't going to be all that interested in it due to the niche. As to why Facebook has elected to pursue an onion site, who knows. I doubt it's because they see a big future in Tor, or maybe they do. Given that Tor has a bit of a burden of knowledge to actually understand what it offers, most users won't know or care.

      I'm willing to believe that it's possible an irresponsible journalist could really misrepresent the story to the public, but I guess I'd like to see it before it happened, and I feel that the Facebook PR engine would be quick to jump on any major misrepresentation due to recent allegations of Law Enforcement Officers using Facebook to aid in arrests for drug users. It's just not the kind of urban legend that they'd want out there to have to deal with.

  8. People missing the point by CaptBubba · · Score: 1

    A lot of people here are really completely missing the point of this. It isn't for privacy conscious US or EU users, it is for users in countries where Facebook is completely banned/blocked. China, Iran, Syria, etc.

    And it is a great thing to happen. It would be wonderful if Twitter did the same.

    1. Re:People missing the point by Opportunist · · Score: 1

      I always thought that TOR is quite capable of doing that all by itself?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:People missing the point by CaptBubba · · Score: 1

      It is, but Facebook having their own TOR address is much more reliable (and likely faster) than having to use one of a limited number of exit nodes. Every person using the internal address will also reduce the burden on the exit nodes and give higher speeds so this is a win for everyone.

    3. Re:People missing the point by SuricouRaven · · Score: 1

      Yes, but it means going via an exit node. Exit nodes can't sniff or meddle in your traffic if you use SSL, but they are under high contention. Few people are willing to take the legal risk of running one, as it carries a possibility of being falsely accused of a serious crime.

    4. Re:People missing the point by Anonymous Coward · · Score: 1

      tor has been blocked in China for years, it's actually easier to block tor than facebook since with tor all you have to block is the protocol while if you want to block facebook (or any other TLS-encrypted site) you have to individually block each of the hundreds of constantly changing public IP-addresses

      I guess they could block based on TLS certificate but for some reason this isn't done, that's why you can get around some blocks with hosts files etc

    5. Re:People missing the point by ndato · · Score: 1

      Also, when using a TOR address there is no exit-node, and the data is encrypted end-to-end.

  9. Re:Is this an Onion story? by sinij · · Score: 3, Funny

    Well, yes it is Onion story

  10. Nice try NSA by rrohbeck · · Score: 4, Interesting

    Then all you have to do is enable Javascript to make Facebook work.

  11. Re:Facebook on Tor by GameboyRMH · · Score: 1

    +1 Excellent Analogy XD

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  12. Re:Facebook and Tor by mythosaz · · Score: 2

    More people running Tor potentially means more Tor exit nodes.

    Who knows. Possibly a good thing.

  13. Anonymize your connection through tor... by Arancaytar · · Score: 1

    ... then log into Facebook with your real name and post your data from that connection.

  14. the magic rule by slashmydots · · Score: 1

    The magic rule of anonymity on Tor is don't go to websites that will actively attempt to use code to find out who you are....oh and don't log in as your actual first and last name on the worst website for privacy on the entire internet. That's probably a rule too.

  15. Network = KnownStuff by NotQuiteReal · · Score: 1

    When you push the Enter button, it goes somewhere, you know not where.

    --
    This issue is a bit more complicated than you think.
  16. SSL? by hobarrera · · Score: 1

    Wasn't it like 10 days ago that we saw the demise of SSL 3.0, the last version still alive?
    Yesterday we had news of Chrome dropping support for it.

    Now facebook is setting up new servers that use it?

    1. Re:SSL? by Kiwikwi · · Score: 1

      Wasn't it like 10 days ago that we saw the demise of SSL 3.0, the last version still alive? Yesterday we had news of Chrome dropping support for it.

      Now facebook is setting up new servers that use it?

      SSL 3.0 is from 1996. The latest version of SSL is called TLS 1.2 and is from 2008, with 1.3 under development.