Facebook Sets Up Shop On Tor

itwbennett writes: Assuming that people who use the anonymity network want to also use Facebook, the social network has made its site available on Tor, Facebook software engineer Alec Muffett said in a post on Friday. Facebook also decided to encrypt the connection between clients and its server with SSL, providing an SSL certificate for Facebook's onion address. This was done both for internal technical reasons and as a way for users to verify Facebook's ownership of the onion address. Since it is still an experiment, Facebook hopes to improve the service and said it would share lessons learned about scaling and deploying services via an onion address over time.

They wanted to release this years ago...

... but it took all this time to calculate that .onion URL.

Re:They wanted to release this years ago...

[NotInHere]

On how they got the address: https://lists.torproject.org/p...

This is how .onion addresses are made: https://gitweb.torproject.org/...

Then they hash the key (using SHA-1), and base32-encode the first 80 bits (first half of the hash).

Re:They wanted to release this years ago...

[davydagger]

>facebookcorewwwi.onion/

the fact that its possible to calculate that far into an onion's address should make you cautious of the technology. While its unlikely that an ameture is going to crack a tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the proccess could do so.(if cryptocurrencies can make asics, why can't people wanting to smash crypto do the same. similar tech, and especially if your a large company/government, buying them in bulk shouldn't be a problem)

its also know that facebook buys custom chips from intel who makes them with extra database specific functions built in, and intel now sells the service to any high volume buyer willing to pay extra.

Its not unreasonable to say tor is broken until they move to 4096 bit keypairs.

Anonymity?

[MachineShedFred]

So you go through Tor to access Facebook, where you immediately have to log in, and...

What's the point again?

Re:Anonymity?

[rogoshen1]

Because people concerned enough about anonymity to use tor, are also avid products of social media -- of course. Did you forget to drink your kool-aid this morning?

Re:Anonymity?

[Charliemopps]

So you go through Tor to access Facebook, where you immediately have to log in, and...

What's the point again?

Some countries block facebook. I think that's the point.

Re:Anonymity?

[bill_mcgonigle]

So you go through Tor to access Facebook, where you immediately have to log in, and...

You really don't know anybody who uses Facebook pseudononymously? If you make an account called 'Hootie McBoob' you might get dinged, but there are thousands of 'Bill Riker's (have some fun with it).

If you're coming in from your home IP or a Verizon or AT&T mobile, you're gonna be decloaked in a hurry, even by a passive listener. So, if you want to participate in a community that's on Facebook but not be known to the outsiders, Tor makes sense. Right now you can exit Tor on one of the spooks' exit nodes, but then you're just enabling the traffic analysis. By offering Tor directly, you avoid the risk of using an additional hostile exit node.

This looks to be Facebook engineers doing the best they can given the cards they're holding. It's obviously more secure to not use any social networking systems at all, but if you rank security/privacy below functionality for some uses, this move makes sense to improve the situation.

Re:Anonymity?

[pegr]

Oh, even better. What root CA is signing off on .onion domains now?

Yet again, because people have no g*d damn clue how SSL works, we have to live with encryption that, in practice, is TOTALLY MEANINGLESS!

Nice try NSA

[rrohbeck]

Then all you have to do is enable Javascript to make Facebook work.