More Tor .Onion Sites May Get Digital Certificates Soon

← Back to Stories (view on slashdot.org)

More Tor .Onion Sites May Get Digital Certificates Soon

Posted by timothy on Friday November 7, 2014 @11:46AM from the try-to-stop-from-crying dept.

Trailrunner7 writes News broke last week that Facebook had built a hidden services version of its social network available to users browsing anonymously via the Tor Project's proxy service. Unlike any .onion domain before it, Facebook's would be verified by a legitimate digital signature, signed and issued by DigiCert. Late yesterday, Jeremy Rowley, DigiCert's vice president of business development and legal, explained his company's decision to support this endeavor in a blog entry. He also noted that DigiCert is considering opening up its certification business to other .Onion domains in the future. "Using a digital certificate from DigiCert, Tor users are able to identify the exact .onion address operated by Facebook," Rowley explained. "Tor users can evaluate the digital certificate contents to discover that the entity operating the onion address is the same entity as the one operating facebook.com."

25 of 52 comments (clear)

Min score:

Reason:

Sort:

Wait by Anonymous Coward · 2014-11-07 11:54 · Score: 1

Wait, but don't people use tor because they care about their privacy? Why would they use facebook in the first place?!
1. Re:Wait by Anonymous Coward · 2014-11-07 12:16 · Score: 1
  
  Wait, but don't people use tor because they care about their privacy? Why would they use facebook in the first place?!
  1. you can put on facebook whatever you want, not just information about your last BM or your personal information
  2. the purpose of certs is to *verify* the other end of the connection
  3. the purpose of Tor is to anonymity the "connectee" - the person connecting to the service, not necessarily the service itself.
  4. the purpose of .onion is more about providing a "hidden service"
  http://en.wikipedia.org/wiki/....
  So, #2 and #4 seem a little at odds with each other. #2 *can* break #4, unless the certificates are signed by private CAs anyway. But apparently this is about public CA infrastructure.
  Facebook is just means of publishing information.
2. Re:Wait by jythie · 2014-11-07 15:37 · Score: 4, Informative
  
  There is also another advantage of things like this, Tor becomes more effective as more people are using it for general tasks. I can recall a while back someone being caught for sending fake bomb threats via Tor. How did they find the person? They were the only one using Tor on their entire network and only used it at the same times the emails were sent.
  
  So there is an advantage to people simply using Tor for their normal everyday activities like this.
3. Re:Wait by fluffy99 · 2014-11-07 18:35 · Score: 2
  
  Tor becomes more effective as more people are using it for general tasks.
  Tor becomes less effective when corporations are running the nodes. Nothing like funneling all your data through an untrusted proxy. Besides, didn't the NSA already show us that Tor does little to protect anonymity? Between cookies and other tracking methods, all those website already know who you are, regardless of how the traffic got there.
4. Re:Wait by NickFortune · 2014-11-07 23:23 · Score: 1
  
  Tor becomes less effective when corporations are running the nodes. Nothing like funneling all your data through an untrusted proxy. Besides, didn't the NSA already show us that Tor does little to protect anonymity?
  
  I think they demonstrated that Tor can be beaten, but that doesn't necessarily imply that defeating it is simple or cost-effective for most cases.
  The way I see if, if you're running Silk Road X.Y then it's probably worth their while to take the time and trouble needed to find you. If all you want to do is stop your mobile phone company from tracking every site you visit over 3G (speaking purely hypothetically, of course) then without evidence of any illegal activity, they're unlikely to bother..
  Just because it's not perfect doesn't mean it's useless, you know?
  
  Between cookies and other tracking methods, all those website already know who you are, regardless of how the traffic got there.
  
  Yeah. If only there was a way to disable cookies and javascript in a web browser. You know, like the Tor browser does by default?
  
  --
  Don't let THEM immanentize the Eschaton!
5. Re:Wait by Raumkraut · 2014-11-08 01:40 · Score: 1
  
  It does if you're posting anything critical of $regime from within the borders of $regime.
6. Re:Wait by fluffy99 · 2014-11-08 05:37 · Score: 1
  
  I think they demonstrated that Tor can be beaten, but that doesn't necessarily imply that defeating it is simple or cost-effective for most cases.
  My point was that it's much simpler when you have direct control over the node.
  
  Yeah. If only there was a way to disable cookies and javascript in a web browser. You know, like the Tor browser does by default?
  Cookies and javascript are not the only ways to track you. Doesn't Facebook require cookies to be enabled?
  As much as Tor can help, there is no such thing as being perfectly anonymous on the internet. I certainly don't trust Facebook to protect it any more than I trust Google who also makes money by tracking and targeting me.
7. Re:Wait by NickFortune · 2014-11-08 06:04 · Score: 1
  
  My point was that it's much simpler when you have direct control over the node.
  
  Entry or exit? I mean sure, if you connect to Silk Road and you're unlucky enough to enter through an NSA node at one and and exit through another one, then you're probably toast. But as I understand it, the number of subverted nodes is still fairly small compared to the total number. Which brings us back to the GP's point about security increasing with the number of nodes.
  
  Cookies and javascript are not the only ways to track you. Doesn't Facebook require cookies to be enabled?
  
  The weak link there is Facebook. I don't think anyone's seriously proposing FB as a champion of individual privacy.
  And yes, there are ways other than JS and cookies to track people. But they tend to involve things like traffic analysis which is time consuming and requires human surveillance. Little Johnny who just wants to connect to the Pirate Bay from his mum's basement is probably fairly secure.
  
  As much as Tor can help, there is no such thing as being perfectly anonymous on the internet
  
  See, this is the crux of the matter, really. Security is a relative value. It's not like "oh, it's possible to circumvent this measure therefore it is of no value". It's "I know this channel is potentially insecure, but it's sure as hell better than communicating in plaintext, and hopefully the bad guys will go after easier targets".
  It's like having a lock on your font door. They won't keep the government out, but there's all sorts of good reasons for having them installed.
  
  --
  Don't let THEM immanentize the Eschaton!
It's a trap by Anonymous Coward · 2014-11-07 12:03 · Score: 1

They want to track users by SSL session cache and use the information to ratmap even more users.
Why not use Verizon as your ISP as well by Crashmarik · 2014-11-07 12:09 · Score: 2

I mean at the point you are using Facebook on TOR all you haven't done a thing for your privacy and just slowed your internet connection down. Might as well let Verizon label all your traffic as well.
To top it off I can't imagine why anyone would want to deal with sites that are using certificates on TOR. All they do is provide a nice well defined entity that can be leaned on, to get your information.
1. Re:Why not use Verizon as your ISP as well by Ksevio · 2014-11-07 12:11 · Score: 1
  
  What about people in repressive countries that don't have open access to these sites? It would be good to be able to access Facebook or Twitter and know the connection is secure.
2. Re:Why not use Verizon as your ISP as well by Crashmarik · 2014-11-07 12:16 · Score: 4, Insightful
  
  If you are worried about your government persecuting you Facebook is not the place to hangout. If you want to get your message out to social media get a friend in a less repressive country to post on your behalf. Posting on facebook from someplace like Syria or No Korea would be tantamount to signing your own death warrant.
3. Re:Why not use Verizon as your ISP as well by NotInHere · 2014-11-07 12:26 · Score: 2
  
  For hidden services, the address is also a public key, which is used to encrypt the connection one layer down. You don't need TLS in TLS, its bullshit. Tor should ship with a list of frequent hidden services (perhaps they can ask apk on how to make a host file engine ;) ? ).
4. Re:Why not use Verizon as your ISP as well by ChunderDownunder · 2014-11-07 12:27 · Score: 1
  
  Creating a login, Winston Smith (not your real name), and using tor to access facebook isn't sufficiently anonymous?
5. Re:Why not use Verizon as your ISP as well by Ralph+Wiggam · 2014-11-07 12:37 · Score: 2
  
  If you want to get your message out to social media get a friend in a less repressive country to post on your behalf.
  
  You don't see any problems with that plan?
6. Re:Why not use Verizon as your ISP as well by jythie · 2014-11-07 15:45 · Score: 2
  
  Actually both twitter and facebook have been used in activism like this already, it is one of their appeals in repressive countries.
Lessons previous learned: by Severus+Snape · 2014-11-07 12:17 · Score: 3, Interesting

Lavabit.
You would need to be a fucking moron to not believe there is not a warrant drafted for the FISC court already. Trust in any US web stakeholders for any users privacy is fallacy. Never mind when getting up to illegal shenanigans found on .onion like Silk Road.
Re:why companies? by Anonymous Coward · 2014-11-07 12:27 · Score: 1

The real solution would be for some kind of DNS system to appear within TOR that instead of resolving hostnames to IPs it resolves hostnames to onionsites. So instead of p7geb3m31n12rkkr3m.onion (or was it p7geb3m32n12rkkr3m.onion?) you type facebook.onion and internally you would be at p7geb3m31n12rokr3m.onion. No clue how this would ever be operated without being gamed to hell and back, with 4chan constantly trying to redirect popular sites somewhere else, but at least then a "facebook.onion" ssl certificate would make sense.
As it stands, the original purpose was to have the certificate identify p7geb3m31n12rkkr3rn.onion as the real facebook site, but it does nothing if you typo it and get another site claiming to be facebook that also has a real certificate for their onion address.
That's fucking stupid by Anonymous Coward · 2014-11-07 12:34 · Score: 4, Insightful

The protocol itself cryptographically ensures that you're talking to the same service every time. That's why .onion addresses look funny: The cost of choosing parts of the name grows exponentially with the number of characters you want to choose. Taking over an .onion domain requires "choosing" the entire name, and that's impossible (infeasible to the point of impossibility).
Using a certificate hierarchy with TOR can only do one thing: Expose you.
1. Re:That's fucking stupid by 93+Escort+Wagon · 2014-11-07 13:13 · Score: 1
  
  That's why .onion addresses look funny: The cost of choosing parts of the name grows exponentially with the number of characters you want to choose. Taking over an .onion domain requires "choosing" the entire name, and that's impossible (infeasible to the point of impossibility).
  So how did Facebook manage to get https://facebookcorewwwi.onion... ?
  
  --
  #DeleteChrome
2. Re:That's fucking stupid by Anonymous Coward · 2014-11-07 13:34 · Score: 2, Informative
  
  They chose facebook*, created a bunch of matching addresses and selected the address which looked nicest. The corewwwi part is actually random. You can't create the private key which results in the same address as Facebook's. You could create another address that starts with facebook, but functionally that would be an entirely different address that would not give you the ability to intercept requests to Facebook's address.
Well, anyway ... by CaptainDork · 2014-11-07 15:18 · Score: 3, Informative

... I used the Tor browser to get to one of my burner Facebook accounts and it locked me. Such joy. I was coming at the site from another country, so Facebook had a major cow.
I went mainstream and gave Facebook a tummy rub and all is well, but it was a fun ride.
I still wonder what the Sam Hill any Facebook member would be doing on Tor, but you can bet your sweet ass that Facebook wants you no matter what route you take.

--
It little behooves the best of us to comment on the rest of us.
1. Re:Well, anyway ... by Pope+Hagbard · 2014-11-07 15:34 · Score: 2
  
  I still wonder what the Sam Hill any Facebook member would be doing on Tor
  The non-paranoid idea normally floated is that it's for getting into FB from a country that's censoring it.
Re:why companies? by jythie · 2014-11-07 15:43 · Score: 1

The problem with namecoin is some already made that, and people love developing their own reduncent solutions instead.
Re:Note to self by mysidia · 2014-11-07 17:46 · Score: 1

I don't mind DigiCert, as long as they will participate in Certificate Transparency.
Very soon; I will not want to trust anything issued by a Certificate authority that does not participate in Certificate Transparency.