Slashdot Mirror


Facebook Sets Up Shop On Tor

itwbennett writes: Assuming that people who use the anonymity network want to also use Facebook, the social network has made its site available on Tor, Facebook software engineer Alec Muffett said in a post on Friday. Facebook also decided to encrypt the connection between clients and its server with SSL, providing an SSL certificate for Facebook's onion address. This was done both for internal technical reasons and as a way for users to verify Facebook's ownership of the onion address. Since it is still an experiment, Facebook hopes to improve the service and said it would share lessons learned about scaling and deploying services via an onion address over time.


  1. They wanted to release this years ago... by Anonymous Coward · · Score: 5, Funny

    ... but it took all this time to calculate that .onion URL.

    1. Re:They wanted to release this years ago... by NotInHere · · Score: 5, Informative

      On how they got the address: https://lists.torproject.org/p...

      This is how .onion addresses are made: https://gitweb.torproject.org/...

      Then they hash the key (using SHA-1), and base32-encode the first 80 bits (first half of the hash).
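Added example, not part of the comment above or of Tor's code: the derivation just described (SHA-1 of the key, first 80 bits, base32), plus the expected work to fix a chosen prefix. The key bytes and the `search_prefix` helper are constructed stand-ins; a real service hashes its encoded RSA public key.

```python
import base64
import hashlib
from itertools import count

B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")

def onion_v2_address(key_bytes: bytes) -> str:
    """SHA-1 the key bytes, keep the first 80 bits, base32-encode them."""
    digest = hashlib.sha1(key_bytes).digest()
    # 10 bytes = 80 bits = exactly 16 base32 characters, so no '=' padding.
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"

def expected_attempts(prefix_len: int) -> int:
    """Average number of keys to try before prefix_len characters match.

    Each base32 character carries 5 bits, so a prefix costs 32**prefix_len.
    """
    if not 0 <= prefix_len <= 16:
        raise ValueError("a v2 address has 16 characters")
    return 32 ** prefix_len

def search_prefix(prefix: str, seed: bytes, limit: int = 1_000_000):
    """Toy search over constructed byte strings (not real RSA keys)."""
    if not prefix or not set(prefix) <= B32_ALPHABET:
        raise ValueError("prefix must use only a-z and 2-7")
    for attempts in count(1):
        if attempts > limit:
            raise RuntimeError("no match within limit")
        # Constructed candidate: seed plus a counter, standing in for a key.
        addr = onion_v2_address(seed + attempts.to_bytes(8, "big"))
        if addr.startswith(prefix):
            return attempts, addr

if __name__ == "__main__":
    print(onion_v2_address(b"constructed sample key bytes"))
    attempts, addr = search_prefix("fb", b"constructed-key-")
    print(f"'fb' prefix found after {attempts} tries: {addr}")
    for n in (2, 8, 16):
        print(f"{n:2d} chosen characters: about 2^{5 * n} keys on average")
```

An 8-character prefix averages 2^40 candidates, while matching all 16 characters of an existing address averages 2^80.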

    2. Re:They wanted to release this years ago... by davydagger · · Score: 5, Insightful

      >facebookcorewwwi.onion/

      the fact that it's possible to calculate that far into an onion's address should make you cautious of the technology. While it's unlikely that an amateur is going to crack a tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the process could do so. (if cryptocurrencies can make asics, why can't people wanting to smash crypto do the same. similar tech, and especially if you're a large company/government, buying them in bulk shouldn't be a problem)

      it's also known that facebook buys custom chips from intel who makes them with extra database specific functions built in, and intel now sells the service to any high volume buyer willing to pay extra.

      It's not unreasonable to say tor is broken until they move to 4096 bit keypairs.

  2. Anonymity? by MachineShedFred · · Score: 5, Interesting

    So you go through Tor to access Facebook, where you immediately have to log in, and...

    What's the point again?

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.

    1. Re:Anonymity? by rogoshen1 · · Score: 5, Funny

      Because people concerned enough about anonymity to use tor, are also avid products of social media -- of course. Did you forget to drink your kool-aid this morning?

    2. Re:Anonymity? by Charliemopps · · Score: 5, Insightful

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      What's the point again?

      Some countries block facebook. I think that's the point.

    3. Re:Anonymity? by bill_mcgonigle · · Score: 4, Insightful

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      You really don't know anybody who uses Facebook pseudonymously? If you make an account called 'Hootie McBoob' you might get dinged, but there are thousands of 'Bill Riker's (have some fun with it).

      If you're coming in from your home IP or a Verizon or AT&T mobile, you're gonna be decloaked in a hurry, even by a passive listener. So, if you want to participate in a community that's on Facebook but not be known to the outsiders, Tor makes sense. Right now you can exit Tor on one of the spooks' exit nodes, but then you're just enabling the traffic analysis. By offering Tor directly, you avoid the risk of using an additional hostile exit node.

      This looks to be Facebook engineers doing the best they can given the cards they're holding. It's obviously more secure to not use any social networking systems at all, but if you rank security/privacy below functionality for some uses, this move makes sense to improve the situation.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

    4. Re:Anonymity? by pegr · · Score: 4, Interesting

      Oh, even better. What root CA is signing off on .onion domains now?

      Yet again, because people have no g*d damn clue how SSL works, we have to live with encryption that, in practice, is TOTALLY MEANINGLESS!

  3. lol by Charliemopps · · Score: 3, Insightful

    So the most invasive, anti-privacy business on earth, doesn't like the fact that governments are using the very same tactics to prevent people from using its site so they now support Tor?

    We're through the looking glass now for sure.

  4. Words. I can't even. by SkunkPussy · · Score: 3, Insightful

    So you're going to go to all of this trouble to use a completely secure connection which conceals your identity and information about your browsing. Then you're going to go to a website where the first thing you do is identify yourself to that website then the second thing you do is give yourself a cookie that identifies you to any website anywhere on the internet that has a facebook like button?

    --
    SURELY NOT!!!!!

    1. Re:Words. I can't even. by LessThanObvious · · Score: 3, Interesting

      It makes some sense. If you use a "real name like" pseudonym they don't know unless you get reported. Turn off ability of people to tag you in photos. Use a selfie that is recognizable to friends, but useless for facial recognition algorithms. Never access outside TOR, blackhole DNS facebook.com and all known ad networks assuming that wouldn't break it within TOR. Register with a matching pseudonym email. Give a fake location and date of birth. Run AD-Blocker Plus, Ghostery, NoScript, etc. Preferably dual boot, Live-CD or at least use different user login on the OS level when toggling between TOR and public use. For a normal person who wants to see what your friends are doing, but doesn't want to give Facebook everything it could work well enough. As others mentioned, the ability to use in a country where it is banned is pretty worthwhile. If you are in that situation then maybe use a real photo at first if your friends need to recognize you to "add you", but change it later to a picture that isn't recognizable as you. It certainly matters for those in repressed countries to be able to communicate to the outside world. Tip: If you give a fake date of birth remember what you gave! I got locked out of mine because they used that as my only option for security question to access a stale account.

  5. Re:Is this an Onion story? by sinij · · Score: 3, Funny

    Well, yes, it is an Onion story

  6. Nice try NSA by rrohbeck · · Score: 4, Interesting

    Then all you have to do is enable Javascript to make Facebook work.