Slashdot Mirror


Facebook Sets Up Shop On Tor

itwbennett writes: Assuming that people who use the anonymity network want to also use Facebook, the social network has made its site available on Tor, Facebook software engineer Alec Muffett said in a post on Friday. Facebook also decided to encrypt the connection between clients and its server with SSL, providing an SSL certificate for Facebook's onion address. This was done both for internal technical reasons and as a way for users to verify Facebook's ownership of the onion address. Since it is still an experiment, Facebook hopes to improve the service and said it would share lessons learned about scaling and deploying services via an onion address over time.


  1. They wanted to release this years ago... by Anonymous Coward · · Score: 5, Funny

    ... but it took all this time to calculate that .onion URL.

    1. Re:They wanted to release this years ago... by Wonko+the+Sane · · Score: 2, Insightful

      The fact that it was possible for them to generate that vanity URL means that Tor hidden service identifiers do not contain enough bits to be secure.

    2. Re:They wanted to release this years ago... by NotInHere · · Score: 5, Informative

      On how they got the address: https://lists.torproject.org/p...

      This is how .onion addresses are made: https://gitweb.torproject.org/...

      Then they hash the key (using SHA-1), and base32-encode the first 80 bits (first half of the hash).
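
Added example, not part of the thread and not Tor's own code: the derivation described in the comment above (SHA-1 of the key, first 80 bits, base32), the check that an address belongs to a given key, and how many candidate keys a chosen prefix costs on average. That the key is hashed in its DER encoding is an assumption; the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib

B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
TRUNCATED_BYTES = 10  # 80 bits: the first half of the 160-bit SHA-1 digest

# Constructed stand-in for a DER-encoded RSA public key (assumption: the
# service key is hashed in its DER form). Not a real key.
SAMPLE_KEY_DER = b"\x30\x81\x89" + bytes(range(137))


def onion_v2_address(public_key_der: bytes) -> str:
    """SHA-1 the key, keep the first 80 bits, base32-encode them."""
    digest = hashlib.sha1(public_key_der).digest()
    label = base64.b32encode(digest[:TRUNCATED_BYTES]).decode("ascii").lower()
    return label + ".onion"  # 80 bits / 5 bits per character = 16 characters


def address_matches_key(address: str, public_key_der: bytes) -> bool:
    """Check that an address someone handed you belongs to this key."""
    normalized = address.strip().lower().rstrip("/")
    return normalized == onion_v2_address(public_key_der)


def prefix_bits(prefix: str) -> int:
    """Bits of the truncated hash that a chosen prefix pins down."""
    bad = set(prefix.lower()) - set(B32_ALPHABET)
    if bad:
        raise ValueError(f"not base32 characters: {sorted(bad)}")
    return 5 * len(prefix)


def expected_candidates(prefix: str) -> int:
    """Average number of keys hashed before one address starts with prefix."""
    return 2 ** prefix_bits(prefix)


if __name__ == "__main__":
    print(onion_v2_address(SAMPLE_KEY_DER))
    for p in ("facebook", "facebookcorewwwi"):
        print(f"{p}: {prefix_bits(p)} bits, ~2^{prefix_bits(p)} candidate keys")
```

Each extra fixed character multiplies the average work by 32, so a chosen 8-character prefix pins 40 bits while reproducing an existing 16-character address means matching all 80.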

    3. Re:They wanted to release this years ago... by davydagger · · Score: 5, Insightful

      >facebookcorewwwi.onion/

      The fact that it's possible to calculate that far into an onion's address should make you cautious of the technology. While it's unlikely that an amateur is going to crack a tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the process could do so. (If cryptocurrencies can make ASICs, why can't people wanting to smash crypto do the same? Similar tech, and especially if you're a large company/government, buying them in bulk shouldn't be a problem.)

      It's also known that Facebook buys custom chips from Intel, who makes them with extra database specific functions built in, and Intel now sells the service to any high volume buyer willing to pay extra.

      It's not unreasonable to say tor is broken until they move to 4096 bit keypairs.

  2. Anonymity? by MachineShedFred · · Score: 5, Interesting

    So you go through Tor to access Facebook, where you immediately have to log in, and...

    What's the point again?

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    1. Re:Anonymity? by rogoshen1 · · Score: 5, Funny

      Because people concerned enough about anonymity to use tor, are also avid products of social media -- of course. Did you forget to drink your kool-aid this morning?

    2. Re:Anonymity? by NotInHere · · Score: 2

      It has some advantages. Location data is very important data, and facebook loses it. They still know where your friends are, but it's better than before.

    3. Re:Anonymity? by Charliemopps · · Score: 5, Insightful

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      What's the point again?

      Some countries block facebook. I think that's the point.

    4. Re:Anonymity? by bill_mcgonigle · · Score: 4, Insightful

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      You really don't know anybody who uses Facebook pseudonymously? If you make an account called 'Hootie McBoob' you might get dinged, but there are thousands of 'Bill Riker's (have some fun with it).

      If you're coming in from your home IP or a Verizon or AT&T mobile, you're gonna be decloaked in a hurry, even by a passive listener. So, if you want to participate in a community that's on Facebook but not be known to the outsiders, Tor makes sense. Right now you can exit Tor on one of the spooks' exit nodes, but then you're just enabling the traffic analysis. By offering Tor directly, you avoid the risk of using an additional hostile exit node.

      This looks to be Facebook engineers doing the best they can given the cards they're holding. It's obviously more secure to not use any social networking systems at all, but if you rank security/privacy below functionality for some uses, this move makes sense to improve the situation.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Anonymity? by SuricouRaven · · Score: 2

      I suspect the point is part publicity stunt, and partly an effort to guard against any countries that may take measures to block access to facebook. The use of SSL alone can force those countries to go to an 'all or nothing' approach to censorship, but TOR accessibility means that even if they block the site by DNS and IP users can still get through with a little more effort. This is important not only from a free speech point of view*, but commercially to ensure those countries remain full of potential users.

      *Much as I hate to say this, facebook is actually useful for something. Occasionally. Like organising protests and disseminating accounts of abuses of power.

    6. Re:Anonymity? by pegr · · Score: 4, Interesting

      Oh, even better. What root CA is signing off on .onion domains now?

      Yet again, because people have no g*d damn clue how SSL works, we have to live with encryption that, in practice, is TOTALLY MEANINGLESS!

    7. Re:Anonymity? by sudon't · · Score: 2

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      What's the point again?

      Well, presumably, you're not logging in with your real name. Using a standard connection, even with a fake name, you're still giving away a lot of information by being tied to your IP address. By using the Tor Browser, you are disassociated from your home IP address, and the Tor Browser makes it a bit easier to dump cookies once your session ends. Make no mistake though, you're probably only protecting yourself from FB itself, and advertisers and other commercial data collectors. Whatever dossier they build up will be harder to put a real name and address to. It might be helpful to those plotting the next "Facebook Revolution" by making it more difficult for some governments to figure out in a timely manner exactly who's posting.

      It'll be interesting to see how this works because FB flags me each time I log in from a different IP, and forces me to answer a "security question."

      --
      -- sudon't

      Air-ride Equipped

    8. Re:Anonymity? by jeffmeden · · Score: 2

      Couldn't you also set up a sock puppet account to use to keep your anonymous fan page updated? You don't have to friend people or put any actual info in your account, just use it to update your hacking/revolution/secret society/terrorism network/whistleblower/whatever page.

      You forgot trolling/catfishing/generally shitting in the pool. I can see this having one rampant use: creation and manipulation of throwaway/hacked accounts. They better have one amazing captcha on the Tor-facing login page or Facebook is about to get a whole lot filthier.

  3. lol by Charliemopps · · Score: 3, Insightful

    So the most invasive, anti-privacy business on earth, doesn't like the fact that governments are using the very same tactics to prevent people from using its site so they now support Tor?

    We're through the looking glass now for sure.

  4. Words. I can't even. by SkunkPussy · · Score: 3, Insightful

    So you're going to go to all of this trouble to use a completely secure connection which conceals your identity and information about your browsing. Then you're going to go to a website where the first thing you do is identify yourself to that website, then the second thing you do is give yourself a cookie that identifies you to any website anywhere on the internet that has a facebook like button?

    --
    SURELY NOT!!!!!
    1. Re:Words. I can't even. by NotInHere · · Score: 2

      If you browse it with TBB (Tor browser bundle), you still have that "identify yourself" part, but the cookie gets deleted the moment you close tor browser. Browsing tor with your normal browser is something very stupid, not just because of cookies, but also because of fingerprinting. Tor browser for example deactivates canvas tracking, or webrtc, and spoofs the useragent. Try this site with your favourite browser and with tor browser, and compare the results.

    2. Re:Words. I can't even. by LessThanObvious · · Score: 3, Interesting

      It makes some sense. If you use a "real name like" pseudonym they don't know unless you get reported. Turn off ability of people to tag you in photos. Use a selfie that is recognizable to friends, but useless for facial recognition algorithms. Never access outside TOR, blackhole DNS facebook.com and all known ad networks assuming that wouldn't break it within TOR. Register with a matching pseudonym email. Give a fake location and date of birth. Run AD-Blocker Plus, Ghostery, NoScript, etc. Preferably dual boot, Live-CD or at least use different user login on the OS level when toggling between TOR and public use. For a normal person who wants to see what your friends are doing, but doesn't want to give Facebook everything, it could work good enough. As others mentioned, the ability to use in a country where it is banned is pretty worthwhile. If you are in that situation then maybe use a real photo at first if your friends need to recognize you to "add you", but change it later to a picture that isn't recognizable as you. It certainly matters for those in repressed countries to be able to communicate to the outside world. Tip: If you give a fake date of birth remember what you gave! I got locked out of mine because they used that as my only option for security question to access a stale account.

  5. Why? by jenningsthecat · · Score: 2

    Because I need the ultimate in privacy between me and the video billboard in Times square where I'm posting the intimate details of my life. Yeah, right.

    Problem is, there will be many, many people who will think "Oh! Facebook is protecting my privacy now, so they must be OK!"

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  6. Re:So, lemme get this straight... by sinij · · Score: 2

    Maybe if you don't have any Facebook friends and want someone to read your feed? At least this way you can be fairly certain that spooks will read it.

  7. Re:Is this an Onion story? by sinij · · Score: 3, Funny

    Well, yes, it is an Onion story

  8. Nice try NSA by rrohbeck · · Score: 4, Interesting

    Then all you have to do is enable Javascript to make Facebook work.

  9. Re:Facebook and Tor by mythosaz · · Score: 2

    More people running Tor potentially means more Tor exit nodes.

    Who knows. Possibly a good thing.