UPDATE – This story has been updated with commentary from the Tor Project.
Facebook announced today that the social network will now be directly available to users as a Tor hidden service.
The Tor Project is an Internet-traffic anonymization service that relays user traffic through a number of proxy servers all around the world in order to cloak true IP addresses and identities. Tor users can connect with similarly anonymized Web-servers located in the “.onion” top level domain. These servers are referred to as Tor Hidden Services.
In the past, Tor users have had issues connecting anonymously to Facebook.
“Using normal Facebook over Tor was often a challenge for many reasons; users would have trouble logging in, be forced to identify friends in photos, be forced to change passwords, and so on,” Runa Sandvik, a Tor advocate and project volunteer credited with assisting and advising Facebook, told Threatpost in an email interview. “Now, you can log on and also register – to Facebook over Tor by using the .onion site without running into any of these issues. Your connection is also end-to-end encrypted, that is to say there is no exit relay in the picture here that can see that you are browsing Facebook over Tor.”
Many of the problems that Tor users have experienced when attempting to log into Facebook arise from well-intentioned security controls built into the social network’s infrastructure.
“Tor challenges some assumptions of Facebook’s security mechanisms – for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada,” explained Alec Muffett, a Software Engineer for Security Infrastructure at Facebook London. “In other contexts such behaviour might suggest that a hacked account is being accessed through a ‘botnet’, but for Tor this is normal.”
This seemingly counter-intuitive marriage of one service that promotes online anonymization and another that profits off the personal information of its user-base abrades logical thinking — at least on the surface. Roger Dingledine of the Tor Project suggests that accessing Facebook through Tor is not a contradiction, though only after “putting aside the (still very important) questions of Facebook’s privacy habits, their harmful real-name policies, and whether you should or shouldn’t tell them anything about you.” The key point, Dingledine writes, is that anonymity isn’t just about hiding from your destination.
“There’s no reason to let your ISP know when or whether you’re visiting Facebook,” Dingledine said. “There’s no reason for Facebook’s upstream ISP, or some agency that surveils the Internet, to learn when and whether you use Facebook. And if you do choose to tell Facebook something about you, there’s still no reason to let them automatically discover what city you’re in today while you do it.”
Also, privacy preferences aside, there are a number of countries, like China and Iran, in which Facebook is inaccessible through the public Web. In such countries, traveling through a proxy service like Tor is often the only way to access a service like Facebook’s.
Dingledine goes on to explain both in his blog post and in the comments thereafter that Facebook’s cooperation with Tor carries a broader message about legitimate use of the so-called “Dark Web.” The Dark Web, which Dingledine suggests should be called the “Private Web” (as opposed to the public one that profits off user information) basically refers to Tor’s Hidden services but also to other parts of the Web not indexed by search engines.
In its announcement, Facebook makes clear that the service is in an experimental phase at the moment and that there will likely be bugs to work out.
Facebook’s move into the hidden services is not the only novelty at play here. Facebook’s .onion address will connect users to its core infrastructure. This means that users connecting to Facebook’s datacenter via Tor will be doing so directly rather than through an exit relay. Furthermore, Facebook has outfitted its hidden services site with an SSL certificate so that users won’t have to deal with SSL certificate warnings and can therefore be assured they are in fact connecting to the real Facebook.
As Sandvik noted on Twitter earlier today, the launch of the Facebook Tor hidden service marks the first time a certificate authority has issued a legitimate SSL certificate for a .onion address.
In order to access the .onion variety of Facebook, users will have to connect to the web through the Tor Browser Bundle or through some other Tor Network-enabled browser.