Slashdot Mirror


More Tor .Onion Sites May Get Digital Certificates Soon

Trailrunner7 writes News broke last week that Facebook had built a hidden services version of its social network available to users browsing anonymously via the Tor Project's proxy service. Unlike any .onion domain before it, Facebook's would be verified by a legitimate digital signature, signed and issued by DigiCert. Late yesterday, Jeremy Rowley, DigiCert's vice president of business development and legal, explained his company's decision to support this endeavor in a blog entry. He also noted that DigiCert is considering opening up its certification business to other .Onion domains in the future. "Using a digital certificate from DigiCert, Tor users are able to identify the exact .onion address operated by Facebook," Rowley explained. "Tor users can evaluate the digital certificate contents to discover that the entity operating the onion address is the same entity as the one operating facebook.com."

52 comments

  1. Wat? by Ol Olsoc · · Score: 0

    Is this April Fools Day in November?

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  2. Wait by Anonymous Coward · · Score: 1

    Wait, but don't people use tor because they care about their privacy? Why would they use facebook in the first place?!

    1. Re:Wait by Anonymous Coward · · Score: 1

      Wait, but don't people use tor because they care about their privacy? Why would they use facebook in the first place?!

      1. you can put on facebook whatever you want, not just information about your last BM or your personal information

      2. the purpose of certs is to *verify* the other end of the connection

      3. the purpose of Tor is to anonymize the "connectee" - the person connecting to the service, not necessarily the service itself.

      4. the purpose of .onion is more about providing a "hidden service"
                http://en.wikipedia.org/wiki/....

      So, #2 and #4 seem a little at odds with each other. #2 *can* break #4, unless the certificates are signed by private CAs anyway. But apparently this is about public CA infrastructure.

      Facebook is just means of publishing information.

    2. Re:Wait by jythie · · Score: 4, Informative

      There is also another advantage of things like this, Tor becomes more effective as more people are using it for general tasks. I can recall a while back someone being caught for sending fake bomb threats via Tor. How did they find the person? They were the only one using Tor on their entire network and only used it at the same times the emails were sent.

      So there is an advantage to people simply using Tor for their normal everyday activities like this.

    3. Re:Wait by fluffy99 · · Score: 2

      Tor becomes more effective as more people are using it for general tasks.

      Tor becomes less effective when corporations are running the nodes. Nothing like funneling all your data through an untrusted proxy. Besides, didn't the NSA already show us that Tor does little to protect anonymity? Between cookies and other tracking methods, all those websites already know who you are, regardless of how the traffic got there.

    4. Re:Wait by NickFortune · · Score: 1

      Tor becomes less effective when corporations are running the nodes. Nothing like funneling all your data through an untrusted proxy. Besides, didn't the NSA already show us that Tor does little to protect anonymity?

      I think they demonstrated that Tor can be beaten, but that doesn't necessarily imply that defeating it is simple or cost-effective for most cases.

      The way I see it, if you're running Silk Road X.Y then it's probably worth their while to take the time and trouble needed to find you. If all you want to do is stop your mobile phone company from tracking every site you visit over 3G (speaking purely hypothetically, of course) then without evidence of any illegal activity, they're unlikely to bother.

      Just because it's not perfect doesn't mean it's useless, you know?

      Between cookies and other tracking methods, all those websites already know who you are, regardless of how the traffic got there.

      Yeah. If only there was a way to disable cookies and javascript in a web browser. You know, like the Tor browser does by default?

      --
      Don't let THEM immanentize the Eschaton!
    5. Re:Wait by Anonymous Coward · · Score: 0

      1. you can put on facebook whatever you want, not just information about your last BM or your personal information

      So what? It simply makes no sense for anyone who uses facebook to require the privacy of tor.

    6. Re:Wait by Anonymous Coward · · Score: 0

      If you pose a real problem, their friends at Google-Mozilla have ensured a rich supply of Firefox exploits for NSA-GCHQ

    7. Re:Wait by Raumkraut · · Score: 1

      It does if you're posting anything critical of $regime from within the borders of $regime.

    8. Re:Wait by fluffy99 · · Score: 1

      I think they demonstrated that Tor can be beaten, but that doesn't necessarily imply that defeating it is simple or cost-effective for most cases.

      My point was that it's much simpler when you have direct control over the node.

      Yeah. If only there was a way to disable cookies and javascript in a web browser. You know, like the Tor browser does by default?

      Cookies and javascript are not the only ways to track you. Doesn't Facebook require cookies to be enabled?

      As much as Tor can help, there is no such thing as being perfectly anonymous on the internet. I certainly don't trust Facebook to protect it any more than I trust Google who also makes money by tracking and targeting me.

    9. Re:Wait by NickFortune · · Score: 1

      My point was that it's much simpler when you have direct control over the node.

      Entry or exit? I mean sure, if you connect to Silk Road and you're unlucky enough to enter through an NSA node at one end and exit through another one, then you're probably toast. But as I understand it, the number of subverted nodes is still fairly small compared to the total number. Which brings us back to the GP's point about security increasing with the number of nodes.

      Cookies and javascript are not the only ways to track you. Doesn't Facebook require cookies to be enabled?

      The weak link there is Facebook. I don't think anyone's seriously proposing FB as a champion of individual privacy.

      And yes, there are ways other than JS and cookies to track people. But they tend to involve things like traffic analysis which is time consuming and requires human surveillance. Little Johnny who just wants to connect to the Pirate Bay from his mum's basement is probably fairly secure.

      As much as Tor can help, there is no such thing as being perfectly anonymous on the internet

      See, this is the crux of the matter, really. Security is a relative value. It's not like "oh, it's possible to circumvent this measure therefore it is of no value". It's "I know this channel is potentially insecure, but it's sure as hell better than communicating in plaintext, and hopefully the bad guys will go after easier targets".

      It's like having a lock on your front door. They won't keep the government out, but there's all sorts of good reasons for having them installed.

      --
      Don't let THEM immanentize the Eschaton!
  3. why companies? by Anonymous Coward · · Score: 0

    Why does this stupid CA industry try to infest tor with its rotten products? Why can't the tor project try to do the verification themselves? Something like the consensus?

    1. Re:why companies? by Anonymous Coward · · Score: 1

      The real solution would be for some kind of DNS system to appear within TOR that instead of resolving hostnames to IPs it resolves hostnames to onionsites. So instead of p7geb3m31n12rkkr3m.onion (or was it p7geb3m32n12rkkr3m.onion?) you type facebook.onion and internally you would be at p7geb3m31n12rokr3m.onion. No clue how this would ever be operated without being gamed to hell and back, with 4chan constantly trying to redirect popular sites somewhere else, but at least then a "facebook.onion" ssl certificate would make sense.

      As it stands, the original purpose was to have the certificate identify p7geb3m31n12rkkr3rn.onion as the real facebook site, but it does nothing if you typo it and get another site claiming to be facebook that also has a real certificate for their onion address.

    2. Re:why companies? by Anonymous Coward · · Score: 0

      Namecoin.

    3. Re:why companies? by jythie · · Score: 1

      The problem with namecoin is someone already made that, and people love developing their own redundant solutions instead.

  4. It's a trap by Anonymous Coward · · Score: 1

    They want to track users by SSL session cache and use the information to ratmap even more users.

  5. Why not use Verizon as your ISP as well by Crashmarik · · Score: 2

    I mean at the point you are using Facebook on TOR you haven't done a thing for your privacy and just slowed your internet connection down. Might as well let Verizon label all your traffic as well.

    To top it off I can't imagine why anyone would want to deal with sites that are using certificates on TOR. All they do is provide a nice well defined entity that can be leaned on, to get your information.

    1. Re:Why not use Verizon as your ISP as well by Ksevio · · Score: 1

      What about people in repressive countries that don't have open access to these sites? It would be good to be able to access Facebook or Twitter and know the connection is secure.

    2. Re:Why not use Verizon as your ISP as well by Crashmarik · · Score: 4, Insightful

      If you are worried about your government persecuting you, Facebook is not the place to hang out. If you want to get your message out to social media get a friend in a less repressive country to post on your behalf. Posting on facebook from someplace like Syria or No Korea would be tantamount to signing your own death warrant.

    3. Re:Why not use Verizon as your ISP as well by NotInHere · · Score: 2

      For hidden services, the address is also a public key, which is used to encrypt the connection one layer down. You don't need TLS in TLS, it's bullshit. Tor should ship with a list of frequent hidden services (perhaps they can ask apk on how to make a host file engine ;) ? ).

    4. Re:Why not use Verizon as your ISP as well by ChunderDownunder · · Score: 1

      Creating a login, Winston Smith (not your real name), and using tor to access facebook isn't sufficiently anonymous?

    5. Re:Why not use Verizon as your ISP as well by Ralph Wiggam · · Score: 2

      If you want to get your message out to social media get a friend in a less repressive country to post on your behalf.

      You don't see any problems with that plan?

    6. Re:Why not use Verizon as your ISP as well by Anonymous Coward · · Score: 0

      It would be good to be able to access Facebook or Twitter

      [citation needed]

    7. Re:Why not use Verizon as your ISP as well by jythie · · Score: 2

      Actually both twitter and facebook have been used in activism like this already, it is one of their appeals in repressive countries.

    8. Re:Why not use Verizon as your ISP as well by Anonymous Coward · · Score: 0

      Clearly he doesn't.
      He's too wrapped up in the minor flaws of a currently available system to see the major flaws in his hypothetical perfect world.
      Same old problem geeks have been having since before the creation of the internet, the hubris of ignorance.

    9. Re:Why not use Verizon as your ISP as well by Anonymous Coward · · Score: 0
    10. Re:Why not use Verizon as your ISP as well by Anonymous Coward · · Score: 0

      What's your point? They have a rule that is never enforced.

      Something like one third of my facebook friends use an account that is not their real name.

  6. Lessons previous learned: by Severus Snape · · Score: 3, Interesting

    Lavabit.

    You would need to be a fucking moron to not believe there is not a warrant drafted for the FISC court already. Trust in any US web stakeholders for any users' privacy is a fallacy. Never mind when getting up to illegal shenanigans found on .onion like Silk Road.

  7. a legitimate digital signature by fustakrakich · · Score: 0

    OMG! ROFLMAO!

    Ow wait, you're serious? Now I wanna cry...

    --
    “He’s not deformed, he’s just drunk!”
  8. That's fucking stupid by Anonymous Coward · · Score: 4, Insightful

    The protocol itself cryptographically ensures that you're talking to the same service every time. That's why .onion addresses look funny: The cost of choosing parts of the name grows exponentially with the number of characters you want to choose. Taking over an .onion domain requires "choosing" the entire name, and that's impossible (infeasible to the point of impossibility).

    Using a certificate hierarchy with TOR can only do one thing: Expose you.

    1. Re:That's fucking stupid by 93 Escort Wagon · · Score: 1

      That's why .onion addresses look funny: The cost of choosing parts of the name grows exponentially with the number of characters you want to choose. Taking over an .onion domain requires "choosing" the entire name, and that's impossible (infeasible to the point of impossibility).

      So how did Facebook manage to get https://facebookcorewwwi.onion... ?

      --
      #DeleteChrome
    2. Re:That's fucking stupid by Anonymous Coward · · Score: 2, Informative

      They chose facebook*, created a bunch of matching addresses and selected the address which looked nicest. The corewwwi part is actually random. You can't create the private key which results in the same address as Facebook's. You could create another address that starts with facebook, but functionally that would be an entirely different address that would not give you the ability to intercept requests to Facebook's address.

    3. Re:That's fucking stupid by Anonymous Coward · · Score: 0

      seriously, wouldn't the certificate revocation checking give away your real IP or allow a MITM if you are using tor exit nodes, both of which would completely defeat the purpose?

    4. Re:That's fucking stupid by Anonymous Coward · · Score: 0

      It can be useful for verifying that one *.onion address is associated with another (in the case of DV, as in here where both facebook*.onion and facebook.com are listed as alt names), or as verification of the entity behind the cert (EV). The user connecting to the server doesn't need to be verified (other than in the Facebook case where they sign in, of course).

      Since .onion addresses look funny, it's hard to distinguish the real thing (say, slashdotbeu9ahw.onion) and a fake (slashdoth08aseljk.onion) if the user just skims past the junk part.

      As for certificate checking: That can be mitigated, assuming the server is not malicious, by OCSP stapling, where the server can send a (CA-certified and timestamped) chunk that says "yep, still valid"; as long as the browser thinks that's recent enough it should be fine. While the user will still go through normal certification if it's missing/invalid, that would at least stop passive tracking in the normal case.

    5. Re: That's fucking stupid by Anonymous Coward · · Score: 0

      +1 This is why

    6. Re:That's fucking stupid by Anonymous Coward · · Score: 0

      You're right that there is an identification problem: How do you know that a .onion address is really the address you want to connect to, i.e. is it owned by the entity you want to interact with? I posit that the CA hierarchy system completely fails at solving that problem and, by pretending to solve that problem, makes things worse. From the very start, identification was a major goal of certificates, which is why all this identity information is in a certificate. It never worked. People could get certificates for domains they didn't own. Then came extended validation certificates. Now the CAs promise that they really check to whom they issue a certificate, which was their job all along. It still doesn't work. And that's not the only fault with the CA system. CAs could issue certificates at the behest of a government entity. There are dozens of CAs from all over the world which are trusted by default. CAs issue certificates with poor cryptographic quality. CAs fail to revoke certificates promptly and even if they did, revocation is terminally broken.

      Will a CA issue a certificate to facebookcorewwwl.onion? If so, how does Facebook's certificate protect you? But maybe they won't issue that certificate because the address starts with a well known trademark and they really check (yeah, right...). Will they also refuse to issue a certificate to an impostor if the name is less well known?

      The .onion address is what matters. It's the authoritative information. Using the CA system with TOR is like trusting non-authoritative DNS servers more than the ones to which a domain is actually delegated.

    7. Re:That's fucking stupid by Anonymous Coward · · Score: 0

      (AC from before)

      Agreed, the CA system is broken. Both because there is no adequate consequence when a CA screws up (EV shouldn't have existed, CAs issuing non-EV level OVs should have had all their certificates downgraded to DV-only instead, and a few CAs should have had their certs outright revoked at this point.) CAs being compelled to issue certificates should also have their certs revoked, since they can no longer be trusted - which would involve the business being destroyed, possibly meaning (but not guaranteeing) a higher bar for the request / better chance of the CA fighting back.

      Ultimately, though, the whole system was from an era where centralization looked like it made sense; there certainly weren't quite so many CAs flying around, and government interference was at least not as obvious. Knowing what we do now, the next system should at least have better mitigation of those threats... once we figure out how that can actually work and still be usable. In the meantime, though, having facebook.com and facebookcorewwwi.onion signed by the same cert can at least aid in transition. After all, at worst it's an unneeded layer on top of the authentication (to the .onion) that Tor already provides. That is, a DV-equivalent is useless, but maybe they can do OV on top.

      What does concern me a bit is that there isn't a very clear statement that that cert was DV certified to facebookcorewwwi.onion... It probably was, but it would be nice if they mentioned that somebody at DigiCert actually used Tor.
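
Added example (not part of any comment above, and not Tor Project or Facebook code): a Python sketch of the two points argued in this sub-thread, namely that a 16-character address is derived from the service's key, so choosing more leading characters costs exponentially more, and that a skimming reader can still be fooled by a near-match such as the `facebookcorewwwl.onion` case raised above. The derivation shown is the v2 scheme (base32 of the first 80 bits of the SHA-1 of the DER-encoded RSA public key), which the thread does not spell out; the confusable-glyph table, the thresholds and all function names are assumptions made for this example.

```python
import base64
import hashlib

B32 = set("abcdefghijklmnopqrstuvwxyz234567")  # base32 alphabet used in .onion labels
# Glyph pairs a skimming reader may confuse (assumption chosen for this example).
SKELETON = str.maketrans("l52", "isz")
PINNED = {"facebookcorewwwi"}  # address quoted in the thread above


def onion_v2_from_pubkey(der_key: bytes) -> str:
    """v2 address: base32 of the first 80 bits of SHA-1 over the DER RSA public key."""
    digest = hashlib.sha1(der_key).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def expected_tries(chosen_chars: int) -> int:
    """Average number of keys to generate before `chosen_chars` leading characters match."""
    return 32 ** chosen_chars


def label_of(address: str):
    """Return the 16-character v2 label, or None if the address is not well formed."""
    host = address.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")].split(".")[-1]  # ignore any subdomain part
    return label if len(label) == 16 and set(label) <= B32 else None


def classify(address: str, pinned=PINNED, prefix_len: int = 8) -> str:
    """Compare an address against pinned known-good labels before trusting it."""
    label = label_of(address)
    if label is None:
        return "malformed"
    if label in pinned:
        return "match"
    for good in pinned:
        same_skeleton = label.translate(SKELETON) == good.translate(SKELETON)
        same_prefix = label[:prefix_len] == good[:prefix_len]
        differing = sum(a != b for a, b in zip(label, good))
        if same_skeleton or same_prefix or differing <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs; only the first two addresses appear in the thread.
    for addr in ("facebookcorewwwi.onion", "facebookcorewwwl.onion",
                 "facebookabcdefgh.onion", "abcdefghijklmnop.onion", "facebook.onion"):
        print(f"{addr:28} {classify(addr)}")
    print("keys to try for an 8-char prefix :", expected_tries(8))
    print("keys to try for all 16 characters:", expected_tries(16))
    print("derived from constructed key bytes:", onion_v2_from_pubkey(b"constructed-der-bytes"))
```

Only an exact match against a pinned label is treated as the known service; everything else, including an address that merely shares the vanity prefix, is flagged for a second look.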

  9. Facebook has built a hidden version.. by Anonymous Coward · · Score: 0

    ..sadly, not hidden enough.

    'The Darknet Facebook' - like, what the actual fuck?

  10. Make no mistake by Anonymous Coward · · Score: 0

    facebook == NSA

  11. this is a good thing by Anonymous Coward · · Score: 0

    this is a good thing: the more people who are on tor, even for stupid things like facebook, the more tor nodes there are which increases invisibility for people who actually need anonymity.

  12. So let me get this straight by Anonymous Coward · · Score: 0

    So a centralized for-profit easily subpoena-able identity authority based off questionable (ca's, ssl, etc) security during non-anonymous browsing to verify unique hosts for your "anonymous" tor session? And you would pay for this anonymously ... somehow?
    btw. Bitcoins are not really anonymous.

    That is quite rich.

  13. Note to self by Anonymous Coward · · Score: 0

    Do not trust DigiCert

    1. Re:Note to self by mysidia · · Score: 1

      I don't mind DigiCert, as long as they will participate in Certificate Transparency.

      Very soon; I will not want to trust anything issued by a Certificate authority that does not participate in Certificate Transparency.

  14. Well, anyway ... by CaptainDork · · Score: 3, Informative

    ... I used the Tor browser to get to one of my burner Facebook accounts and it locked me. Such joy. I was coming at the site from another country, so Facebook had a major cow.

    I went mainstream and gave Facebook a tummy rub and all is well, but it was a fun ride.

    I still wonder what the Sam Hill any Facebook member would be doing on Tor, but you can bet your sweet ass that Facebook wants you no matter what route you take.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Well, anyway ... by Pope Hagbard · · Score: 2

      I still wonder what the Sam Hill any Facebook member would be doing on Tor

      The non-paranoid idea normally floated is that it's for getting into FB from a country that's censoring it.

  15. How did they demonstrate ownership of the domain? by Anonymous Coward · · Score: 0

    Can you really send email to an @xxxxx.onion address? Or did they use a uucp style address?

  16. The aim is to break anonymity because ... by Anonymous Coward · · Score: 0

    ... Facebook have said they are fundamentally opposed even to pseudonymity, let alone anonymity. Facebook likes to cooperate with various government agencies. Once logged in to a service that actually knows who the user is - like Facebook - that user's browsing of another onion site becomes much easier to de-anonymize via one attack or another. The aim here is to get dumb criminals to use a service over tor that is tied to their identity while making people think that Facebook actually gives a rat's ass whether or not they get arrested in China for being dissidents.

  17. That's fucking stupid by Anonymous Coward · · Score: 0

    Maybe some web sites use hidden services not for anonymity (of the provider), but to avoid having to go through an exit node. At this point, having an SSL certificate shows newbies the name of the company, etc., so they don't have to check the .onion address with a trusted source. And more layers of security is usually a good thing, especially when layering completely different systems with different vulnerabilities.

  18. Lookups monitored? by Anonymous Coward · · Score: 0

    Isn't this a huge security risk? Couldn't someone monitor the DNS lookups?

    1. Re:Lookups monitored? by Anonymous Coward · · Score: 0

      Which DNS lookups are you talking about?

  19. Re:How did they demonstrate ownership of the domai by Anonymous Coward · · Score: 0

    You could... if you decided the only MX worth sending to is the domain itself and you dialup into Tor. But placing a file with a pre-determined content on your domain works just as well. It just shows that you're in control of the server that hosts the domain, and thus the domain.

  20. Not for Americans by Anonymous Coward · · Score: 0

    Pretty sure Facebook did this for countries that suppress the internet - so that their site is available to them. If you already live in the USA, don't bother using the Tor network to connect, like other people have said in the comments - it's a trap.

    Good for oppressed people though