November 1, 2014 weblog
Facebook has URL for users running Tor-enabled browsers
A reassuring message on Friday from Facebook: "It's important to us at Facebook to provide methods for people to use our site securely." That is why Facebook implemented HTTPS across the service and Perfect Forward Secrecy, HSTS (HTTP Strict Transport Security), and other technologies. (In July 2013, Facebook announced they now use https by default for all Facebook users. This means that a person's browser is told to communicate with Facebook using a secure connection, as indicated by the "https" rather than "http." This uses Transport Layer Security [TLS] and makes the communication between browser and Facebook servers more secure.) All well and good—but then there is Tor, which has been a challenge for Facebook's security mechanisms. Alec Muffett, software engineer for security infrastructure at Facebook London, explained why it was a challenge for Facebook use and what Facebook has now done. He said, "from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada. In other contexts such behavior might suggest that a hacked account is being accessed through a 'botnet', but for Tor this is normal." The security infrastructure would make it difficult for some people connecting to Facebook using Tor, as the algorithms for detecting fraudulent users would get in their way.
As Andy Greenberg explained in Wired, "Until now, Facebook has made it difficult for users to access its site over Tor, sometimes even blocking their connections. Because Tor users appear to log in from unusual IP addresses all over the world, they often trigger the site's safeguards against botnets, collections of hijacked computers typically used by hackers to attack sites."
That hurdle has been addressed. The Muffett note on Friday said, "To make their experience more consistent with our goals of accessibility and security, we have begun an experiment which makes Facebook available directly over Tor network at the following URL: facebookcorewwwi.onion/ " The url, he said, only works with Tor-enabled browsers.
The significance of the onion address lies in the fact that there is a now a way to access Facebook through Tor, without losing the Tor cloud's cryptographic protections. It provides end-to-end communication, from browser directly into a Facebook datacenter. As such, Facebook has shown a commitment to secure browsing, in making the social network available via Tor. Adam Clark Estes of Gizmodo said, "While you may think of Facebook as the pioneer of invading your digital privacy, the company has done a much better job pioneering better security methods on the internet. This is not surprising, since so many people use Facebook and a compromised Facebook account can do real damage. It is good news to know that this behemoth is using some of its mountains of cash to make the internet a safer place."
According to Muffett, "we use the Tor daemon as a reverse proxy into a load balancer and Facebook traffic requires the protection of SSL over that link. As a result, we have provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser's 'SSL Certificate Warning' for that onion address and increases confidence that this service really is run by Facebook."
This is not the last bit of news likely to emerge from the Tor effort; he said, "we hope to share some of the lessons that we have learned - and will learn - about scaling and deploying services via the Facebook onion address." He said they are looking forward to improving this service.
Nonetheless, can we blame anyone calling up the irony of Facebook engaging with Tor? Andy Greenberg in Wired on Friday wrote that "the world's least anonymous website has just joined the Web's most anonymous network." Engadget's headline was: "Oh, the irony: Facebook works on the world's biggest anonymity network." Daniel Cooper, associate European editor, commented that "Facebook, the site where people share their entire personal lives for everyone to gawp at, is now available on the anonymity network that's designed to do precisely the opposite." Lucian Armasu said in Tom's Hardware, "there's no point in connecting to Facebook over Tor to stay anonymous if you're going to login with your real Facebook account and post personal information about yourself, pictures of yourself or your family, and so on. If you do that, you won't be anonymous anymore, defeating the entire point of using Facebook over Tor." Nonetheless, said Armasu, this new feature is likely to be found useful for some people living under oppressive governments. "These are the type of users that would most benefit from using Facebook over Tor, because unlike pseudonyms, Tor could actually protect their identities and make it much harder or impossible for governments to hunt them down."
© 2014 Tech Xplore