Facebook Adds "Onion" Address for Anonymous Browsing. But Does It?

Facebook implemented a new way for users to access its site via Tor “without losing the cryptographic protections provided by the Tor cloud” and disclosing their location, according to a Facebook announcement.

Users who have the Tor-enabled browser enabled can access Facebook directly through the https://facebookcorewwwi.onion/ URL, said Alec Muffett, software engineer at Facebook. Through an “.onion” address they can connect to Facebook`s Core WWW Infrastructure that provides a direct connection between the browser and a Facebook data center. Catalin Cosoi, Chief Security Strategist at Bitdefender says:

The hidden service name is derived from a 1024 bit RSA Key randomly generated when putting your service online in TOR”. This means you have to generate a custom key in order to derive a name like “facebookcorewwwi”. And if you can generate the RSA key behind a hidden service, then you could actually hijack any hidden service in TOR.”

On user accusations of having done so, Facebook said it got lucky.

“Regarding the Onion address, we did what everyone else does and (in our case) created a bunch of addresses with a “facebook” prefix and then went fishing around in the results for a good one. I feel that we were tremendously fortunate,” Muffett replied to a user. Cosoi said:

We did the math, you would need around 1.000.000 servers up for 1 year to generate “facebookcorewww” ” (without the trailing “i”, this being randomly there) on the fastest GPUs out there. But the real question is: if Facebook has the resources to brute force the correct full key in a fair amount of time, what could stop Google or the NSA from doing it?”

Facebook also allows access via HTTPS (Hypertext Transfer Protocol Secure), but the site`s security infrastructure conflicts with the way the anonymity-focused browser works. Because Tor bounces traffic between nodes to hide the user`s actual location, Facebook is misled to believe the user is a hacker trying to conceal his identity.

“Tor challenges some assumptions of Facebook’s security mechanisms — for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada,” Muffett said. “In other contexts such behavior might suggest that a hacked account is being accessed through a ‘botnet’, but for Tor this is normal.”

Basically this opens the biggest social media platform to TOR users that have something to say, but don’t want to be tracked down for doing so,” Cosoi said. “Facebook`s outreach combined with TOR – hidding your source IP and anonymizing your location- could prove to be a very tricky thing to control”.

Facebook also provides an SSL security certificate that cites its .onion address. This removes the Tor Browser’s “SSL Certificate Warning” and verifies Facebook`s ownership of the onion address.

“Issuing an SSL certificate for a Tor implementation is ” in the Tor world ” a novel solution to attribute ownership of an onion address; other solutions for attribution are ripe for consideration, but we believe that this one provides an appropriate starting point for such discussion,” the software engineer added.