Tor offers anonymity to users who offer and use web services over the Internet. By connecting to certain points on the Tor ‘.onion’ network domain, users are able to hide their real IP addresses by going through several proxy servers all over the world. These servers are called ‘Tor Hidden Services’.
When using such services, though, many Tor users had trouble in the past connecting to Facebook and other sites that require identification.
Runa Sandvik, a Tor project volunteer and advocate, told the Threatpost website in an e-mail interview that entering Facebook through a Tor server was often challenging for users. Many of the problems were connected to the security checks Facebook implemented in its infrastructure. When entering the social network, users were often required to identify friends through pictures, change passwords, confirm their identity, etc. The change will now enable them to enter Facebook using the .onion website without giving further authentication. Meanwhile, their connection will be encrypted from beginning to end, without anyone being able to identify that they are browsing it through the Tor service.
Alec Muffett, a security software engineer for Facebook London, said that users had trouble browsing the network through a Tor service because Tor was challenging some of its safety mechanisms: for example, a user who appears to be browsing from Australia at one point can the next minute appear to be browsing from Sweden or Canada, which to Facebook security looks like an account being hacked. This is normal for Tor though, he admits.
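The behaviour described above can be reproduced with a simple geo-velocity ("impossible travel") check. This is an added example, not Facebook's code: the speed threshold, the event layout and the login events themselves are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed threshold, roughly airliner cruising speed

# Constructed login events: (account, ISO time, country, lat, lon of geolocated IP).
# "alice" is a Tor user whose exit relay changes every minute; "bob" travels by road.
LOGINS = [
    ("alice", "2024-01-01T10:00:00", "AU", -33.87, 151.21),
    ("alice", "2024-01-01T10:01:00", "SE", 59.33, 18.07),
    ("alice", "2024-01-01T10:02:00", "CA", 43.65, -79.38),
    ("bob", "2024-01-01T09:00:00", "SE", 59.33, 18.07),
    ("bob", "2024-01-01T18:00:00", "SE", 57.71, 11.97),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def flag_impossible_travel(logins, max_kmh=MAX_KMH):
    """Return (account, from, to, km/h) for consecutive logins of one
    account whose implied travel speed exceeds max_kmh."""
    last, flags = {}, []
    for acct, ts, country, lat, lon in sorted(logins, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if acct in last:
            p_when, p_country, p_lat, p_lon = last[acct]
            # Clamp to one second so simultaneous logins do not divide by zero.
            hours = max((when - p_when).total_seconds(), 1.0) / 3600
            speed = haversine_km(p_lat, p_lon, lat, lon) / hours
            if speed > max_kmh:
                flags.append((acct, p_country, country, round(speed)))
        last[acct] = (when, country, lat, lon)
    return flags

if __name__ == "__main__":
    for acct, src, dst, kmh in flag_impossible_travel(LOGINS):
        print(f"{acct}: {src} -> {dst} implies {kmh} km/h, looks like a takeover")
```

Both of the Tor user's exit changes are flagged while the ordinary traveller is not, which is why such accounts were pushed into extra identity checks.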
This is not the only change Facebook is implementing for Tor users. When entering the network from the .onion website, they will be connected directly to the Facebook data center without having to use an exit relay. In addition, the site will present an SSL certificate, so users will not have to deal with SSL security messages and can be sure they are connected to the real Facebook site.
‘As a result, we have provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser’s ‘SSL Certificate Warning’ for that onion address and increases confidence that this service really is run by Facebook,’ the company said in its message.
Another novelty in preparation is letting .onion website users browse Facebook on mobile devices. This is still under construction, but Facebook hopes to be able to offer it as a service soon too: ‘A medium-term goal will be to support Facebook’s mobile-friendly website via an onion address, although in the meantime we expect the service to be of an evolutionary and slightly flaky nature.’
Anyway, as Runa Sandvik announced in a Twitter message, ‘The launch of the Facebook Tor hidden service also marks the first time a CA has issued a legitimate SSL cert for a .onion address,’ which is a breakthrough on its own.