Privacy, Sort Of —

Facebook offers hidden service to Tor users

Users can now anonymize themselves before handing over all their information

Hidden services running on the Tor network got major support on Friday when Facebook began offering Tor users a way to connect to its services and not run afoul of the social network’s algorithms for detecting fraudulent usage of accounts.

On Friday, the company added a hidden service address with a .onion top-level domain, facebookcorewwwi.onion [updated to fix address], which allows Tor users to protect their data and identity all the way to Facebook’s datacenters. Hidden services accessed through the Tor network allow both the Web user and website to remain anonymous.

“Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud,” Alec Muffett, a software engineer with Facebook’s security infrastructure group, said in a blog post. “It provides end-to-end communication, from your browser directly into a Facebook datacenter.”

The addition of a hidden service address allows Facebook to better filter out connections using Tor that may be malicious. Malware has increasingly begun using Tor as a way to make it much harder to identify the compromised systems involved in an attack and to stymie clean-up efforts.

In June 2013, for example, Facebook cut connections to Tor following a deluge of malicious traffic from the anonymizing network. “Facebook is not blocking Tor deliberately,” the Tor Project said in a statement at the time. “However, a high volume of malicious activity across Tor exit nodes triggered Facebook’s site integrity systems which are designed to protect people who use the service.”

Facebook has already implemented a number of other security measures across its entire service, including secure HTTP (HTTPS), Perfect Forward Secrecy, and HTTP Strict Transport Security (HSTS).

Hidden services on Tor have most often been associated with criminal enterprises, such as the Silk Road marketplace, which sold drugs and other illegal items until it was shut down a year ago. But the anonymizing feature enables a variety of legitimate services, such as forums for dissidents, anonymous source submissions for newspapers and media sites, and private search engines.

The privacy benefits of going through an anonymizing network to connect to Facebook are questionable, however. Matthew Green, an assistant research professor in computer science at Johns Hopkins University, summed up the issue in a tweet.

“On the one hand, cool! On the other, it seems a little like taking a shower and rolling in mud,” he stated, adding: “Ok, all cynicism aside: companies providing direct Tor links is an unalloyed good. Keep it up Facebook! Now maybe Twitter can get onboard.”

Channel Ars Technica