Facebook sets up hidden service for Tor users
The social network is now accessible to Tor users using the address https://facebookcorewwwi.onion




By Chris Duckett | October 31, 2014 -- 18:54 GMT (11:54 PDT) | Topic: Security
After repeated key generation, and what Facebook says was an awful lot of luck, the social networking giant is now able to offer its web services from the https://facebookcorewwwi.onion address to users on the anonymous Tor network.
In a blog post announcing the Facebook hidden service, Facebook software engineer Alec Muffett said that the service would allow Tor users to communicate directly with Facebook's datacentres.
"Facebook's onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud," Muffett said.
One aspect of the service's design that Facebook regards as unique is the implementation of SSL over Tor.
"We decided to use SSL atop this service due in part to architectural considerations — for example, we use the Tor daemon as a reverse proxy into a load balancer and Facebook traffic requires the protection of SSL over that link," Muffett said. "As a result, we have provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser's “SSL Certificate Warning” for that onion address and increases confidence that this service really is run by Facebook."
Because the URL of a Tor hidden service is the 16-character hash generated when its public key is created, the memorable address has led to concerns that Facebook was able to brute-force its way into selecting the public key it desired.
Tor project leader Roger Dingledine said the social network would not have been able to force the generation of that chosen address, even had it wanted to.
"I talked to them about this," Dingledine wrote. "The short answer is that they did the vanity name thing for the first half of it ("facebook"), which is only 40 bits so it's possible to generate keys over and over until you get some keys whose first 40 bits of the hash match the string you want."
"Then they had some keys whose name started with "facebook", and they looked at the second half of each of them to decide which one they thought would be most memorable for the second half of the name as well. This one looked best to them — meaning they could come up with a story about why that's a reasonable name for Facebook to use — so they went with it."
Muffett confirmed the method suggested by Dingledine, and said that Facebook had been "tremendously lucky".
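The arithmetic behind Dingledine's explanation, as an added Python example (not code from Facebook or the Tor Project): it shows why a matching 8-character prefix is cheap to obtain while the full 16-character name is not, which is why the whole address has to be checked rather than its first half. It assumes the hidden-service naming scheme in use at the time, where the label is the base32 encoding of the first 80 bits of a SHA-1 hash of the public key; the "keys" are constructed stand-in byte strings, not real RSA keys, and all function names are illustrative.

```python
import base64
import hashlib
import itertools

B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_label(public_key_encoding: bytes) -> str:
    """16-character label: base32 of the first 80 bits of SHA-1 over the key."""
    digest = hashlib.sha1(public_key_encoding).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def prefix_bits(prefix: str) -> int:
    """Each base32 character pins 5 bits of the hash."""
    if not prefix or not set(prefix) <= B32_ALPHABET:
        raise ValueError("prefix must use the base32 alphabet a-z, 2-7")
    return 5 * len(prefix)


def expected_attempts(prefix: str) -> int:
    """Average number of keys to generate before one matches the prefix."""
    return 2 ** prefix_bits(prefix)


def search(prefix: str, limit: int = 500_000):
    """Hash constructed stand-in encodings until the label starts with prefix.

    Returns (attempts, label), or None if the limit is reached first.
    """
    prefix_bits(prefix)  # validates the alphabet
    for attempts in itertools.count(1):
        if attempts > limit:
            return None
        # Constructed stand-in for a freshly generated key's encoding.
        label = onion_label(b"constructed-stand-in-key-%d" % attempts)
        if label.startswith(prefix):
            return attempts, label


if __name__ == "__main__":
    for p in ("fb", "facebook", "facebookcorewwwi"):
        print(f"{p!r}: {prefix_bits(p)} bits, ~2^{prefix_bits(p)} keys on average")
    print("2-character demo:", search("fb"))
```

The two-character search finishes in roughly a thousand hashes; every extra character multiplies the work by 32, so the 40-bit "facebook" prefix is within reach of repeated key generation while all 80 bits are not.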
Although primarily used for reasons of security and anonymity, Tor itself has encountered some security issues in recent times.
Earlier this year, the anonymous network warned its users that an attacker had been attempting to deanonymise traffic for as long as six months.
This week it was revealed that a malicious exit node, a bridge between the Tor network and the wider internet, was found to be wrapping Windows executables within another executable designed to drop malware.