Facebook, hidden services, and https certs

Today Facebook unveiled its hidden service that lets users access their website more safely. Users and journalists have been asking for our response; here are some points to help you understand our thinking.

Part one: yes, visiting Facebook over Tor is not a contradiction

I didn't even realize I should include this section, until I heard from a journalist today who hoped to get a quote from me about why Tor users wouldn't ever use Facebook. Putting aside the (still very important) questions of Facebook's privacy habits, their harmful real-name policies, and whether you should or shouldn't tell them anything about you, the key point here is that anonymity isn't just about hiding from your destination.

There's no reason to let your ISP know when or whether you're visiting Facebook. There's no reason for Facebook's upstream ISP, or some agency that surveils the Internet, to learn when and whether you use Facebook. And if you do choose to tell Facebook something about you, there's still no reason to let them automatically discover what city you're in today while you do it.

Also, we should remember that there are some places in the world that can't reach Facebook. Long ago I talked to a Facebook security person who told me a fun story. When he first learned about Tor, he hated and feared it because it "clearly" intended to undermine their business model of learning everything about all their users. Then suddenly Iran blocked Facebook, a good chunk of the Persian Facebook population switched over to reaching Facebook via Tor, and he became a huge Tor fan because otherwise those users would have been cut off. Other countries like China followed a similar pattern after that. This switch in his mind between "Tor as a privacy tool to let users control their own data" to "Tor as a communications tool to give users freedom to choose what sites they visit" is a great example of the diversity of uses for Tor: whatever it is you think Tor is for, I guarantee there's a person out there who uses it for something you haven't considered.

Part two: we're happy to see broader adoption of hidden services

I think it is great for Tor that Facebook has added a .onion address. There are some compelling use cases for hidden services: see for example the ones described at using Tor hidden services for good, as well as upcoming decentralized chat tools like Ricochet where every user is a hidden service, so there's no central point to tap or lean on to retain data. But we haven't really publicized these examples much, especially compared to the publicity that the "I have a website that the man wants to shut down" examples have gotten in recent years.

Hidden services provide a variety of useful security properties. First — and the one that most people think of — because the design uses Tor circuits, it's hard to discover where the service is located in the world. But second, because the address of the service is the hash of its key, they are self-authenticating: if you type in a given .onion address, your Tor client guarantees that it really is talking to the service that knows the private key that corresponds to the address. A third nice feature is that the rendezvous process provides end-to-end encryption, even when the application-level traffic is unencrypted.

So I am excited that this move by Facebook will help to continue opening people's minds about why they might want to offer a hidden service, and help other people think of further novel uses for hidden services.

Another really nice implication here is that Facebook is committing to taking its Tor users seriously. Hundreds of thousands of people have been successfully using Facebook over Tor for years, but in today's era of services like Wikipedia choosing not to accept contributions from users who care about privacy, it is refreshing and heartening to see a large website decide that it's ok for their users to want more safety.

As an addendum to that optimism, I would be really sad if Facebook added a hidden service, had a few problems with trolls, and decided that they should prevent Tor users from using their old https://www.facebook.com/ address. So we should be vigilant in helping Facebook continue to allow Tor users to reach them through either address.

Part three: their vanity address doesn't mean the world has ended

Their hidden service name is "facebookcorewwwi.onion". For a hash of a public key, that sure doesn't look random. Many people have been wondering how they brute forced the entire name.

The short answer is that for the first half of it ("facebook"), which is only 40 bits, they generated keys over and over until they got some keys whose first 40 bits of the hash matched the string they wanted.

Then they had some keys whose name started with "facebook", and they looked at the second half of each of them to pick out the ones with pronounceable and thus memorable syllables. The "corewwwi" one looked best to them — meaning they could come up with a story about why that's a reasonable name for Facebook to use — so they went with it.

So to be clear, they would not be able to produce exactly this name again if they wanted to. They could produce other hashes that start with "facebook" and end with pronounceable syllables, but that's not brute forcing all of the hidden service name (all 80 bits).
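As an added example (mine, not code from the post or from Tor or Facebook), here is the address derivation behind the "self-authenticating" property from part two, together with the prefix search described just above, in Python. It assumes the v2 scheme the post's 80-bit figure refers to: the address is the first 80 bits of SHA-1 over the DER-encoded RSA public key, base32-encoded in lowercase. To stay dependency-free, random 32-byte strings stand in for real key blobs (the hashing and encoding steps are the real ones), the search uses a two-character prefix so it finishes in roughly a thousand tries instead of 2^40, and the pronounceability filter is my own heuristic, not whatever Facebook used.

```python
"""Added example: v2 .onion address derivation, the self-authentication
check, and the cost of forcing a prefix.  Not code from the Tor Project.

Assumptions (mine): address = base32(SHA-1(DER public key)[:10]), lowercase.
Random 32-byte strings stand in for a DER-encoded RSA public key.
"""
import base64
import hashlib
import random

VOWELS = set("aeiou")


def onion_address(key_der: bytes) -> str:
    """First 80 bits of SHA-1(key) -> 16 base32 characters (5 bits each)."""
    digest = hashlib.sha1(key_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def is_self_authenticated(address: str, key_der: bytes) -> bool:
    """What the Tor client effectively checks: the key the service presents
    must hash to the address the user typed.  No certificate authority is
    involved, which is why a .onion address needs no CA to be trusted."""
    return len(address) == 16 and onion_address(key_der) == address


def expected_tries(prefix: str) -> int:
    """Each base32 character pins 5 bits of the hash; "facebook" pins
    8 * 5 = 40 bits, so about 2**40 keys on average."""
    return 2 ** (5 * len(prefix))


def find_prefix(prefix: str, seed: int = 0, max_tries: int = 5_000_000):
    """Generate keys until the address starts with `prefix`.

    Returns (tries, key, address).  Only the prefix is forced; the rest of
    the 16 characters fall out of the hash, which is the point of the post:
    the second half of "facebookcorewwwi" was chosen, not searched for.
    """
    rng = random.Random(seed)
    for tries in range(1, max_tries + 1):
        # Stand-in for freshly generating an RSA key (constructed data).
        key = rng.getrandbits(256).to_bytes(32, "big")
        addr = onion_address(key)
        if addr.startswith(prefix):
            return tries, key, addr
    raise RuntimeError(f"no match for {prefix!r} within {max_tries} tries")


def is_pronounceable(suffix: str) -> bool:
    """Crude human-pass filter (my heuristic): letters only, and a vowel in
    every window of four characters.  Accepts "corewwwi", rejects digits
    and vowel-free runs."""
    if not suffix.isalpha():
        return False
    return all(any(c in VOWELS for c in suffix[i:i + 4])
               for i in range(len(suffix) - 3))


def vanity_search(prefix: str, seed: int = 0) -> dict:
    """Run the search and report what a full 80-bit search would have cost."""
    tries, key, addr = find_prefix(prefix, seed)
    return {
        "address": addr,
        "tries": tries,
        "expected_for_prefix": expected_tries(prefix),
        "expected_for_all_80_bits": 2 ** 80,
        "suffix_pronounceable": is_pronounceable(addr[len(prefix):]),
        "self_authenticated": is_self_authenticated(addr, key),
    }


if __name__ == "__main__":
    # A 2-character prefix (10 bits) keeps the demo to ~1024 tries.
    for k, v in vanity_search("fb", seed=7).items():
        print(f"{k}: {v}")
```

The `expected_for_all_80_bits` figure is why the post says the full name was not brute forced: forcing "facebook" costs about 2^40 hashes, while forcing all sixteen characters would cost 2^80, far beyond anyone's reach; the suffix was picked from whatever the 40-bit search happened to produce.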

For those who want to explore the math more, read about the "birthday attack". And for those who want to learn more (please help!) about the improvements we'd like to make for hidden services, including stronger keys and stronger names, see hidden services need some love and Tor proposal 224.

Part four: what do we think about an https cert for a .onion address?

Facebook didn't just set up a hidden service. They also got an https certificate for their hidden service, and it's signed by Digicert so your browser will accept it. This choice has produced some feisty discussions in the CA/Browser community, which decides what kinds of names can get official certificates. That discussion is still ongoing, but here are my early thoughts on it.

In favor: we, the Internet security community, have taught people that https is necessary and http is scary. So it makes sense that users want to see the string "https" in front of them.

Against: Tor's .onion handshake basically gives you all of that for free, so by encouraging people to pay Digicert we're reinforcing the CA business model when maybe we should be continuing to demonstrate an alternative.

In favor: Actually https does give you a little bit more, in the case where the service (Facebook's webserver farm) isn't in the same location as the Tor program. Remember that there's no requirement for the webserver and the Tor process to be on the same machine, and in a complicated set-up like Facebook's they probably shouldn't be. One could argue that this last mile is inside their corporate network, so who cares if it's unencrypted, but I think the simple phrase "ssl added and removed here" will kill that argument.

Against: if one site gets a cert, it will further reinforce to users that it's "needed", and then the users will start asking other sites why they don't have one. I worry about starting a trend where you need to pay Digicert money to have a hidden service or your users think it's sketchy — especially since hidden services that value their anonymity could have a hard time getting a certificate.

One alternative would be to teach Tor Browser that https .onion addresses don't deserve a scary pop-up warning. A more thorough approach in that direction is to have a way for a hidden service to generate its own signed https cert using its onion private key, and teach Tor Browser how to verify them — basically a decentralized CA for .onion addresses, since they are self-authenticating anyway. Then you don't have to go through the nonsense of pretending to see if they could read email at the domain, and generally furthering the current CA model.

We could also imagine a pet name model where the user can tell her Tor Browser that this .onion address "is" Facebook. Or the more direct approach would be to ship a bookmark list of "known" hidden services in Tor Browser — like being our own CA, using the old-fashioned /etc/hosts model. That approach would raise the political question though of which sites we should endorse in this way.

So I haven't made up my mind yet about which direction I think this discussion should go. I'm sympathetic to "we've taught the users to check for https, so let's not confuse them", but I also worry about the slippery slope where getting a cert becomes a required step to having a reputable service. Let us know if you have other compelling arguments for or against.

Part five: what remains to be done?

In terms of both design and security, hidden services still need some love. We have plans for improved designs (see Tor proposal 224) but we don't have enough funding and developers to make it happen. We've been talking to some Facebook engineers this week about hidden service reliability and scalability, and we're excited that Facebook is thinking of putting development effort into helping improve hidden services.

And finally, speaking of teaching people about the security features of .onion sites, I wonder if "hidden services" is no longer the best phrase here. Originally we called them "location-hidden services", which was quickly shortened in practice to just "hidden services". But protecting the location of the service is just one of the security features you get. Maybe we should hold a contest to come up with a new name for these protected services? Even something like "onion services" might be better if it forces people to learn what it is.

Yeah, I thought about pointing to the darkweb-everywhere tool in the pet name discussion.

But ultimately I can't stand the name: I don't want to endorse names that end up with pictures of shadowy icebergs. This phrase 'darkweb' just magnifies and reinforces the FUD around hidden services.

We've been debating the names a lot lately -- I'm increasingly a fan of "the private web", as contrasted with the public web which is based on tracking you and profiting from that. It mixes together the security properties the user gets from Tor with the security properties the site gets from Tor. But you need both, so I'm ok with that.

Hey arma! I'm Colin Mahns, one of the developers on darkweb-everywhere.

The other developer Chris, along with myself have never been too happy with the name of the project and the connotations of "darkweb" (especially that iceberg picture, ugh). Problem is, neither of us can think of a name that describes what the project does any better than dwe. "privateweb-everywhere" might be a good alternative, but I don't know how the user might see this. What if a user loads our "privateweb" extension into their normal browser expecting it to function the same? It would break the internet for them pretty catastrophically. We are totally open to suggestions on how to rename this project though!

If you want to discuss this further or have any suggestions, I'm IDrinkMilk on IRC, and my email is colinmahns@riseup.net. Chris goes by acebarry on IRC and his email is chris@barry.im.

Maybe these can help.

-EVERYWHERE PLUGIN RENAMES:
----------------Preferred Names---------------------
SubNet-everywhere
FairNet-everywhere
Neutralweb-everywhere, NeutralNet-everywhere
CipherNet-everywhere
CloakNet-everywhere
HushNet-everywhere, HushWeb-everywhere
-------------------Other Options-----------------
darkweb-everywhere
StealthWeb-everywhere
Discreetweb-everywhere
Covertweb-everywhere
CuredNet-everywhere

-LinkSt8

November 01, 2014

In reply to by Anonymous (not verified)

We had that name initially, but decided to use the all-encompassing term "darkweb" since we have i2p rules as well. We keep coming back to onions-everywhere though :)

Colin

I checked out the list, it's awesome, and I think it's a great idea. But there's one concern: JavaScript may be enabled when visiting the onion version, which might be a security and privacy issue (the leaks, and anonymity websites might be hacked and malwared to inject spyware and the like into the visitors' devices, so it's always a good idea to visit them via Tor with JavaScript disabled).

Another thing, many of the websites have https support, so it would be great if you contact them and ask them to include their onion address in the certificate (like Facebook did), which adds https on top of Tor's encryption, increasing security and privacy.

Also, i2p isn't included in TorBrowser, so you might want to make a separate addon for i2p as it might be just a waste of storage and an unnecessary increase in size of the browser without any usability.

Thanks a lot for your effort :)

Dude, the user will visit the same website; if it is hacked it doesn't matter whether it's hidden or clear web. But otherwise there is no difference between visiting either website with JavaScript. But actually clearnet is worse because it could be MITMed by three letter agencies.

Javascript unfortunately is always going to be a problem for anyone. I keep mine disabled on my own browsers, and enable it when I need to. Of course, not every user is going to follow this...

Including the site in their HTTPS cert is actually something I personally hadn't considered until Facebook threw their .onions into their cert. I wasn't even sure a CA would issue a cert for a .onion until Friday!

The i2p rules were kept separate until this afternoon after a discussion with Chris. It's easier to maintain a single directory of rules and keep them turned off, than what we had, which was several smaller directories. The size of the extension didn't increase all that much, since we are talking about KB of a difference.

Thanks for your compliment, I'm happy people are finding it useful :)

Colin

I think "Onions Everywhere" would be best.
Also, it would be great if you merge it with https everywhere as it is already shipped with Tor.
And thanks for your contribution to Tor :)

In terms of combating total commercial overtake of the public internet, I've recently come to think of and refer to what you term the public web as the corporate web. I really believe that one should be very careful here with terms, as it would seem that facebook is making inroads into "the private web".

As facebook's business model is corporate surveillance (based on tracking you and profiting from that), this is a step towards merging the public and private webs and so leads towards the private web becoming commercialised.

Yes, I read and note your entire post. I would be concerned right now, that this, like all facebook moves is a win for facebook. And prudence is advisable where facebook is concerned.

Really?! You are hung up on the name and how it will sound and look?
You are way too political. Political correctness leads to corruption. Hypocrisy and double standard.

Politics should not have any say in anything related to privacy and security. Even if it is just a name.

Politicians will abuse every logical fallacy in the book anyway to get what they want and manipulate the stupid sheeples into thinking what they want them to think.

You give the politicians power just by thinking about how a name sounds. It is the same as feeding the trolls. They will know they have hit a nerve and will exploit that to get even more power.

It is called moral panic and "slut" shaming. It has become very popular.

Are you another sheeple or will you stand firm like a mountain, unaffected by the current weather?

In the real world, there are those with unbending dedication to their ideas who spend lifetimes aggravated that the world won't change for them. Then there are people who figure out how to implement ideas in our imperfect world. Names frame ideas and color perceptions and are truly important. And politicians use names like "patriot act" for that very reason. It worked. Better to make a real and positive difference with a little merchandising than to complain all day and die without impact.

I've started consciously and deliberately referring to TOR as the Autonomous-web-of-light (or liberation) (AWOL-Network) - in discussions with journalists signing up to our site. (this includes tech journos).

Referring to TOR as the 'dark-web' - is like calling the housed residents of Beverly Hills 'the BHH' - or Beverly Hills Hobos. It makes no sense as descriptive term.

LM (MediaDirect.org)

Your article says it's safe to visit Facebook on Tor. But when I first got the Tor browser bundle I went to Facebook and had to log-in with my e-mail and password (because they thought I was in Romania or somewhere new and had a different IP address). The very next morning I went to Facebook on my non-Tor Firefox and it was riddled with massive moving banner ads that blocked my view constantly. But it only occurred using Firefox and I only had the problem on Facebook. I did a full virus scan and found nothing. Then I used another browser and it worked perfectly. So I uninstalled Firefox and reinstalled it. Same problem. Then I uninstalled Firefox and checked the box to NOT remember any of my settings, bookmarks, plug-ins, etc. Then I reinstalled Firefox and had no more trouble on Facebook. I decided it must be unwise to transmit personal info across Tor or go to any site that requires a log-in, email, passwords,etc. I got an email from FB about a new user accessing my account and I told them to block that IP. Then I changed my password. This has severely restricted my use of Tor. Also I spread the word about Tor to others and have told them not to use it on sites you have to log-into. HELP! krazyhorse48-tor@yahoo.com

"I got an email from FB about a new user accessing my account and I told them to block that IP" -- was that new user you, logging in via Tor earlier?

Assuming you were interacting with Facebook correctly, you'd be using https so an outside observer wouldn't be able to capture your credentials.

I don't want to say that nothing went wrong here, but there are a lot of things that it could have been.

To be more clear, yes, I knew FB was referring to me 12 hrs earlier using Tor. But for years I never had any trouble on the web. Then I downloaded the Tor browser bundle about 6 months ago, which includes https everywhere. I didn't change any settings or add any extensions. I read all of Tor's safety tips on remaining anonymous. I got the "Congratulations you are now free to explore the web anonymously" message on the browser. The first thing I did was go to FB and log in. The next morning I had the problem on my non-Tor Firefox only on FB. I assumed the exit node owner had intercepted my unencrypted traffic and attached Firefox/FB adware to my machine or FB account. I'm not super tech savvy. I'm just a privacy advocate. And btw, thank you all who work on Tor. I appreciate all that you do!

For a "privacy advocate" - it is you who borrows the IP address owned by the exit node owner. And it is the site you connect to from that address that is spying on you.

October 31, 2014

This is certainly the best article dealing with this issue I have seen online today. It's concise and clears up all the misconceptions people have been forming about how Facebook apparently should not have a hidden service, that the onion (its first fifteen or sixteen characters) was bruted almost all the way, that Tor's main goal isn't to keep your entire identity concealed. Tor is for those who want choice in what they share. Facebook is making a forward step here and I just want to see how this plays out for them, and if this will be successful.

wowaname

>Facebook apparently should not have a hidden service

This blog post didn't mention that at all. If anything, facebook having a hidden service means it "legitimizes" it to regular people, and might be the catalyst Tor needs to have more people running dual setup sites. One clear and one hidden.

If you read my entire post, you would realise I didn't agree with whoever said Facebook shouldn't have a hidden service. I saw this posted on Hacker News and felt it to be wrong, since there are many legitimate uses for hidden services other than to hide a server's location.

wowaname

Great post, arma!

With respect to

…have a way for a hidden service to generate its own signed https cert using its onion private key, and teach Tor Browser how to verify them — basically a decentralized CA for .onion addresses…

This is an excellent idea, and I'd be glad to help out with implementation on the TorBrowser side, if we decide to do it. :)

October 31, 2014

Browsers treat https pages differently. For example, they refuse to load mixed active content by default, and they don't send Referer headers from https sites to http links. Accessing an onion service over http won't trigger these additional protections.

I like the idea of generating a certificate based on the onion service key - that would nicely map users' expectations of browser behaviour to the actual security properties of onion services, as well as forcing the browser to better meet those expectations.

One (apparently trivial) aspect that it would be good to reinforce, though, is that the cert needs to be exportable so that it can be put onto a backend server - or onto several servers behind a load-balancer. If the cert (or any supposedly equivalent solution) locks the SSL termination onto the same box which runs the Hidden Service, the result will be a scalability chokepoint.

Alec Muffett
Security Infrastructure
Facebook Engineering
London

October 31, 2014

thanks for such a fantastic article. roger, if your work doesn't win the nobel peace prize in my lifetime, my faith in humanity will basically be staked on you and nadia having kids.

October 31, 2014

Any of these sound good to you?

SERVICE NAMES
----------------Preferred Names---------------------
Discreet services
Stealth services
Humane services
Cipher services
Cipher services
Cryptic services
Sub services
Fair services
Neutral services
Cured services
-------------------Other Options-----------------
Onion services
Concealed services
Hush services
Covert services
Freeing services
Freed services
Liberating services
Cloaked services
Cloak services
Clandestine services
Reformed services
Progressive services
Balanced services
Demanded services

=======================================================
WEB ENCOMPASSING TERMS:
----------------Preferred Names---------------------
Stealth web
Humane web
Cipher web
Sub web
Neutral web
Cured web
-------------------Other Options-----------------
Private web
Onion web
Discreet web
Concealed web
Hush web
Covert web
Freeing web
Freed web
Cloaked web
Cloak web
Cryptic web
Reformed web
Fair web
Balanced web

-LinkSt8

October 31, 2014

Here is one more argument against "normal" certificates for onion domains. The problem is that they come with an OCSP responder address. Thus, the browser will go and contact that responder, potentially deanonymizing you. What Facebook should have done is to have OCSP response stapled - without it, the situation is even worse than unencrypted http.

November 01, 2014

How about modifying the Tor Browser, so that although all traffic in reality is sent through plain HTTP over Tor for .onion, the browser displays it as https://, with the padlock, so that users feel assured it is encrypted properly. Maybe even treat it is as HTTPS with regard to mixed content and referer and such, while still not in fact being it.

That would avoid the overhead of running both Tor's and HTTPS's encryption/end-to-end-authentication, and avoid enforcing the commercial CA model, while still avoiding confusion from users.

Should not be done in that way. Better to make a different padlock show on pages which are accessed securely via a hidden service. And teach users about that.

November 01, 2014

As for naming challenges, I see two obvious paths.

A) rebrand "location-hidden service" and the .onion pseudo TLD to "tor service" and .tor (whilst retaining backward accessibility to .onion) (*)

B) yes, go with "onion network service" and leave all else unchanged.

(*) there is likely a big "don't brand stuff" argument, which is largely based on the concept of "ownership". The community who contribute to the code own the code, but it is copylefted with a very permissive license (thus forkable), and the network ownership is distributed amongst those who contribute to it (relays, bridges, directories etc.). So, I see the branding/ownership argument as poor.

Finally, I think that it is *excellent* that Facebook has added a .onion address. I completely disagree with their business model, and don't use their product, but their addition to the tor network will add to the legitimacy of the network in the eyes of the poorly educated, and may even improve the education of that community.

November 01, 2014

Isn't one argument in favor of using https for hidden services that it allows authentication of clients through client certificates? (Obviously, this isn't an argument that is relevant to the facebook case).

November 01, 2014

"Then they had some keys whose name started with "facebook", and they looked at the second half of each of them to pick out the ones with pronounceable and thus memorable syllables. The "corewwwi" one looked best to them..."

I find that story difficult to believe. Just how many connotations did they have to read through to find corewwwi? It surely must have been millions, billions, or more?

November 01, 2014

I'm not great with C, but I would love to help out with the designs for the new onion services. What would be the best way to help?