Facebook Creates .Onion Site; Now Accessible Via Tor Network

UPDATE – Facebook has entered the hidden services with a new .onion site that will let Tor Network users sign into the world’s (second) most populous social network.

UPDATE – This story has been updated with commentary from the Tor Project.

Facebook announced today that the social network will now be directly available to users as a Tor hidden service.

The Tor Project is an Internet-traffic anonymization service that relays user traffic through a number of proxy servers all around the world in order to cloak true IP addresses and identities. Tor users can connect with similarly anonymized Web servers located in the “.onion” top-level domain. These servers are referred to as Tor Hidden Services.

In the past, Tor users have had issues connecting anonymously to Facebook.

“Using normal Facebook over Tor was often a challenge for many reasons; users would have trouble logging in, be forced to identify friends in photos, be forced to change passwords, and so on,” Runa Sandvik, a Tor advocate and project volunteer credited with assisting and advising Facebook, told Threatpost in an email interview. “Now, you can log on – and also register – to Facebook over Tor by using the .onion site without running into any of these issues. Your connection is also end-to-end encrypted, that is to say there is no exit relay in the picture here that can see that you are browsing Facebook over Tor.”

Many of the problems that Tor users have experienced when attempting to log into Facebook arise from well-intentioned security controls built into the social network’s infrastructure.

“Tor challenges some assumptions of Facebook’s security mechanisms – for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada,” explained Alec Muffett, a Software Engineer for Security Infrastructure at Facebook London. “In other contexts such behaviour might suggest that a hacked account is being accessed through a ‘botnet’, but for Tor this is normal.”
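The effect Muffett describes can be seen in a simple geo-velocity check. The sketch below is an added example, not Facebook's code: the speed ceiling, the exit-relay set, the `classify` function and all login records are constructed assumptions.

```python
# Added example: constructed data and hypothetical names throughout.
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 1000.0  # assumed ceiling, roughly airliner speed

# Constructed stand-in for a Tor exit-relay list (RFC 5737 documentation addresses).
TOR_EXITS = {"192.0.2.10", "198.51.100.7"}

@dataclass
class Login:
    ts: float   # seconds since epoch
    ip: str
    lat: float  # geolocated latitude of the source IP
    lon: float  # geolocated longitude of the source IP

def km_between(a, b):
    """Great-circle (haversine) distance between two logins, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def classify(prev, cur, tor_exits=TOR_EXITS):
    """Label two consecutive logins: 'ok', 'tor_relocation' or 'impossible_travel'."""
    hours = max((cur.ts - prev.ts) / 3600.0, 1e-6)  # avoid division by zero
    if km_between(prev, cur) / hours <= MAX_KMH:
        return "ok"
    # An exit relay's location says where the relay is, not where the user is,
    # so the jump is expected. It is labelled separately, not trusted: the
    # account still needs other signals (device, credentials) to be judged.
    if prev.ip in tor_exits or cur.ip in tor_exits:
        return "tor_relocation"
    return "impossible_travel"

# Constructed logins: Sydney, then Stockholm ten minutes later.
SYDNEY_TOR = Login(0, "192.0.2.10", -33.87, 151.21)
STOCKHOLM_TOR = Login(600, "198.51.100.7", 59.33, 18.07)
SYDNEY_DIRECT = Login(0, "203.0.113.9", -33.87, 151.21)
STOCKHOLM_DIRECT = Login(600, "203.0.113.5", 59.33, 18.07)
SYDNEY_LATER = Login(3600, "203.0.113.9", -33.90, 151.20)

if __name__ == "__main__":
    print(classify(SYDNEY_TOR, STOCKHOLM_TOR))        # tor_relocation
    print(classify(SYDNEY_DIRECT, STOCKHOLM_DIRECT))  # impossible_travel
    print(classify(SYDNEY_DIRECT, SYDNEY_LATER))      # ok
```
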

This seemingly counter-intuitive marriage of one service that promotes online anonymity and another that profits off the personal information of its user base appears to defy logic, at least on the surface. Roger Dingledine of the Tor Project suggests that accessing Facebook through Tor is not a contradiction, though only after “putting aside the (still very important) questions of Facebook’s privacy habits, their harmful real-name policies, and whether you should or shouldn’t tell them anything about you.” The key point, Dingledine writes, is that anonymity isn’t just about hiding from your destination.

“There’s no reason to let your ISP know when or whether you’re visiting Facebook,” Dingledine said. “There’s no reason for Facebook’s upstream ISP, or some agency that surveils the Internet, to learn when and whether you use Facebook. And if you do choose to tell Facebook something about you, there’s still no reason to let them automatically discover what city you’re in today while you do it.”

Also, privacy preferences aside, there are a number of countries, like China and Iran, in which Facebook is inaccessible through the public Web. In such countries, traveling through a proxy service like Tor is often the only way to access a service like Facebook’s.

Dingledine goes on to explain, both in his blog post and in the comments thereafter, that Facebook’s cooperation with Tor carries a broader message about legitimate use of the so-called “Dark Web.” The Dark Web, which Dingledine suggests should be called the “Private Web” (as opposed to the public one that profits off user information), basically refers to Tor’s hidden services but also to other parts of the Web not indexed by search engines.

In its announcement, Facebook makes clear that the service is in an experimental phase at the moment and that there will likely be bugs to work out.

Facebook’s move into the hidden services is not the only novelty at play here. Facebook’s .onion address will connect users to its core infrastructure. This means that users connecting to Facebook’s datacenter via Tor will be doing so directly rather than through an exit relay. Furthermore, Facebook has outfitted its hidden services site with an SSL certificate so that users won’t have to deal with SSL certificate warnings and can therefore be assured they are in fact connecting to the real Facebook.

As Sandvik noted on Twitter earlier today, the launch of the Facebook Tor hidden service marks the first time a certificate authority has issued a legitimate SSL certificate for a .onion address.

In order to access the .onion variety of Facebook, users will have to connect to the web through the Tor Browser Bundle or through some other Tor Network-enabled browser.

Discussion

  • maxcohen on

    How sad Facebook is now into child exploitation and selling drugs since that is the sole purpose of the TOR network. And that was sarcasm.
  • TorGhost on

    That is not the sole purpose of TOR.
  • Cameron on

    Still having trouble signing in Facebook need help PS3
  • Eemil on

    Looks like this is Facebook's way of getting into China.
  • Torbot on

    Great, now the NSA will have more data on Tor and exit nodes unless people are using fake facebook accounts for Tor.
  • robert on

    Come on gang, I know you all think that the right to privacy is sacrosanct. Tell it to the kids being abused in pornography. That in itself is illegal in the US. I have been at the ROAD site and it had links to murder for hire and child pornography. Ergo, what the FBI did was totally legal with or without a warrant. Murder is also illegal in the US. TOR has no redeeming social value. The links on TOR to child pornography, the sale of weapons illegal in the US and the sale of heroin, also illegal in the US, outweigh any legitimate links by 95%. I have tried to find one legitimate political site and could not. They are childish. There are support groups and forums for pedophiles and rapists of children saying what they like to do to kids. If TOR had any socially redeeming philosophy they would not let child pornographers link up there on the onion. Let them figure out how to do it on their own. One must take the good with the bad. On TOR the bad outweighs the good 95 to 5 at best. If you want to "blow the whistle" use hard copy mail. Why did the unabomber and bin laden stay free for sooooo long. They eschewed the internet. GOOD FOR THE FBI. DO NOT DELUDE YOURSELF THAT PERVS ARE NOT IDENTIFIABLE ON TOR. TOR has been hacked by the FBI, Anonymous, NSA and law enforcement around the world. USE Bitcoins at your own Peril!!! If you really want stuff secure use flash drives, change computers and networks on which you work. Snail mail stuff. TOR IS NOT SECURE and there are now viruses traveling the TOR network for financial ill gotten gain. Legitimate data is secure, all you need to do is get encryption on your hard drives, documents, and emails. Meaning encryption keys, public and private. Why would you trust a VPN or TOR. After all they are run by people. People are the weakest link in any security system. People have the ability to get your MAC addresses on TOR now. Legitimate people do not need TOR. Pornographers of children and criminals do.
    • Joe on

      naaaa... the problem is that Bin Laden and heroin and weapons smuggling were operated by the CIA!!!! ... that's why we got an urgent need to protect from the NSA... they ARE the criminals!!!!
  • to mr robert on

    "Legitimate people do not need TOR. Pornographers of children and criminals do."

    1. The U.S. Navy developed Tor with the intent of protecting intel communications? Likely the FBI uses it themselves, as well as the other intelligence agencies, especially when working abroad. Anonymous conceals themselves with it also, but they aren't a government agency.
    2. Tor helped the illegal-surveillance whistleblowers safely communicate?
    3. Political dissenters may choose to use hidden sites, as a regular net site can often be dangerous, as opposed to a "dark" site? It's also very useful in countries where the Internet is censored.

    Then again, you're probably a strawman.
