Facebook sets up hidden service for Tor users

After repeated key generation, and what Facebook says was an awful lot of luck, the social networking giant is now able to offer its web services from the https://facebookcorewwwi.onion address to users on the anonymous Tor network.

In a blog post announcing the Facebook hidden service, Facebook software engineer Alec Muffett, said that the service would allow Tor users to communicate directly with Facebook's datacentres.

"Facebook's onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud," Muffet said.

One aspect of the service's design that Facebook regards as unique is the implementation of SSL over Tor.

"We decided to use SSL atop this service due in part to architectural considerations — for example, we use the Tor daemon as a reverse proxy into a load balancer and Facebook traffic requires the protection of SSL over that link," Muffett said. "As a result, we have provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser's “SSL Certificate Warning” for that onion address and increases confidence that this service really is run by Facebook."

Due to the way that the urls for hidden services on Tor are configured, using the 16-character hash generated when a public key is created as the URL, has led to concerns that Facebook was able to bruteforce its way into selecting the public key it desired.

Tor project leader, Roger Dingledine, said the social network would not be able to force themselves to generate that chosen address, had they wanted to.

"I talked to them about this," Dingledine wrote. "The short answer is that they did the vanity name thing for the first half of it ("facebook"), which is only 40 bits so it's possible to generate keys over and over until you get some keys whose first 40 bits of the hash match the string you want."

"Then they had some keys whose name started with "facebook", and they looked at the second half of each of them to decide which one they thought would be most memorable for the second half of the name as well. This one looked best to them — meaning they could come up with a story about why that's a reasonable name for Facebook to use — so they went with it."

Muffet confirmed the method suggested by Dingledine, and said that Facebook had been "tremendous lucky".

Although primarily used for reasons of security and anonymity, Tor itself has encountered some security issues in recent times.

Earlier this year, the anonymous network warned its users that an attacker had been attempting to deanonymise traffic for as long as six months.

This week it was revealed that a malicious exit node, a bridge between the Tor network and the wider internet, was found to be wrapping Windows executables within another executable designed to drop malware.