News broke last week that Facebook had built a hidden services version of its social network available to users browsing anonymously via the Tor Project’s proxy service. Unlike any .onion domain before it, Facebook’s would be verified by a legitimate digital signature, signed and issued by DigiCert.
What this means is that Tor users can be certain that when they connect to Facebook’s hidden services site in the .onion top-level domain, they are in fact communicating with the real Facebook as opposed to a domain controlled by an unknown third party.
Late yesterday, Jeremy Rowley, DigiCert’s vice president of business development and legal, explained his company’s decision to support this endeavor in a blog entry. He also noted that DigiCert is considering opening up its certification business to other .onion domains in the future.
“Using a digital certificate from DigiCert, Tor users are able to identify the exact .onion address operated by Facebook,” Rowley explained. “Tor users can evaluate the digital certificate contents to discover that the entity operating the onion address is the same entity as the one operating facebook.com.”
There are advantages to Facebook’s hidden services site having its own certificate, which should dramatically increase the social network’s usability over the anonymous browsing service. Rowley, Tor advocate and volunteer Runa Sandvik, and the Tor Project itself have explained that when users had previously connected to Facebook on Tor, they often received SSL certificate warnings, calling site ownership and legitimacy into question. Facebook also regularly locked users out of their accounts and forced them to change passwords as they proxied through dispersed exit nodes around the globe, triggering well-intentioned security controls.
“As a company that has long supported the Tor Project in its efforts to provide a secure internet where people can freely express their ideas, DigiCert is continuing to work with Tor and Facebook on how best to support this project moving forward,” Rowley wrote. “We are confident that SSL/TLS has the ability to support many more communities and users looking to benefit from authenticated and encrypted internet use, including possibly in conjunction with the Tor browser, and we’re open to working with other organizations that advance the goal of secure browsing.”
It doesn’t seem that there will be any other .onion domains receiving their own certs in the immediate future, but Rowley says DigiCert has been contacted by other hidden service domain holders.
“Right now, we are in the process of evaluating how best to implement strong validation policies before possibly offering such certificates beyond the one for Facebook. We’re also exploring some possibilities with standards bodies.”
It will be interesting to see how digital certificate issuers like DigiCert navigate hidden services and the rest of the so-called “Dark Web,” which, compared to the public Web, contains a disproportionate number of websites trading in illicit goods and services.