Facebook, hidden services, and https certs

Today Facebook unveiled its hidden service that lets users access their website more safely. Users and journalists have been asking for our response; here are some points to help you understand our thinking.

Part one: yes, visiting Facebook over Tor is not a contradiction

I didn't even realize I should include this section, until I heard from a journalist today who hoped to get a quote from me about why Tor users wouldn't ever use Facebook. Putting aside the (still very important) questions of Facebook's privacy habits, their harmful real-name policies, and whether you should or shouldn't tell them anything about you, the key point here is that anonymity isn't just about hiding from your destination.

There's no reason to let your ISP know when or whether you're visiting Facebook. There's no reason for Facebook's upstream ISP, or some agency that surveils the Internet, to learn when and whether you use Facebook. And if you do choose to tell Facebook something about you, there's still no reason to let them automatically discover what city you're in today while you do it.

Also, we should remember that there are some places in the world that can't reach Facebook. Long ago I talked to a Facebook security person who told me a fun story. When he first learned about Tor, he hated and feared it because it "clearly" intended to undermine their business model of learning everything about all their users. Then suddenly Iran blocked Facebook, a good chunk of the Persian Facebook population switched over to reaching Facebook via Tor, and he became a huge Tor fan because otherwise those users would have been cut off. Other countries like China followed a similar pattern after that. This switch in his mind between "Tor as a privacy tool to let users control their own data" to "Tor as a communications tool to give users freedom to choose what sites they visit" is a great example of the diversity of uses for Tor: whatever it is you think Tor is for, I guarantee there's a person out there who uses it for something you haven't considered.

Part two: we're happy to see broader adoption of hidden services

I think it is great for Tor that Facebook has added a .onion address. There are some compelling use cases for hidden services: see for example the ones described at using Tor hidden services for good, as well as upcoming decentralized chat tools like Ricochet where every user is a hidden service, so there's no central point to tap or lean on to retain data. But we haven't really publicized these examples much, especially compared to the publicity that the "I have a website that the man wants to shut down" examples have gotten in recent years.

Hidden services provide a variety of useful security properties. First — and the one that most people think of — because the design uses Tor circuits, it's hard to discover where the service is located in the world. But second, because the address of the service is the hash of its key, they are self-authenticating: if you type in a given .onion address, your Tor client guarantees that it really is talking to the service that knows the private key that corresponds to the address. A third nice feature is that the rendezvous process provides end-to-end encryption, even when the application-level traffic is unencrypted.

So I am excited that this move by Facebook will help to continue opening people's minds about why they might want to offer a hidden service, and help other people think of further novel uses for hidden services.

Another really nice implication here is that Facebook is committing to taking its Tor users seriously. Hundreds of thousands of people have been successfully using Facebook over Tor for years, but in today's era of services like Wikipedia choosing not to accept contributions from users who care about privacy, it is refreshing and heartening to see a large website decide that it's ok for their users to want more safety.

As an addendum to that optimism, I would be really sad if Facebook added a hidden service, had a few problems with trolls, and decided that they should prevent Tor users from using their old https://www.facebook.com/ address. So we should be vigilant in helping Facebook continue to allow Tor users to reach them through either address.

Part three: their vanity address doesn't mean the world has ended

Their hidden service name is "facebookcorewwwi.onion". For a hash of a public key, that sure doesn't look random. Many people have been wondering how they brute forced the entire name.

The short answer is that for the first half of it ("facebook"), which is only 40 bits (eight base32 characters at five bits each), they generated keys over and over until they got some keys whose first 40 bits of the hash matched the string they wanted.

Then they had some keys whose name started with "facebook", and they looked at the second half of each of them to pick out the ones with pronounceable and thus memorable syllables. The "corewwwi" one looked best to them — meaning they could come up with a story about why that's a reasonable name for Facebook to use — so they went with it.

So to be clear, they would not be able to produce exactly this name again if they wanted to. They could produce other hashes that start with "facebook" and end with pronounceable syllables, but that's not brute forcing all of the hidden service name (all 80 bits).

For those who want to explore the math more, read about the "birthday attack". And for those who want to learn more (please help!) about the improvements we'd like to make for hidden services, including stronger keys and stronger names, see hidden services need some love and Tor proposal 224.
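As an added illustration (not code from this post or from Tor), here is the v2 address derivation the post describes, together with the search-cost arithmetic for a chosen prefix and the check a client performs to confirm a key matches an address. It hashes constructed byte strings as stand-in keys; a real v2 service hashes its DER-encoded RSA-1024 public key.

```python
import base64
import hashlib
import os

# v2 onion naming, as discussed in the post: the address is the first 80 bits
# (10 bytes) of SHA-1 over the service's public key, written as 16 base32
# characters.  Each character carries 5 bits, so fixing n characters costs
# about 32**n key generations.
ADDRESS_BYTES = 10
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_address(public_key_bytes: bytes) -> str:
    """Derive the 16-character v2 .onion name from key material."""
    digest = hashlib.sha1(public_key_bytes).digest()[:ADDRESS_BYTES]
    return base64.b32encode(digest).decode("ascii").lower()


def matches_address(public_key_bytes: bytes, address: str) -> bool:
    """The self-authentication check: does this key really own this name?"""
    return onion_address(public_key_bytes) == address.lower()


def expected_trials(prefix: str) -> int:
    """Expected key generations before the name starts with prefix.

    'facebook' (8 chars) is 32**8 == 2**40; the full 16-char name is 2**80.
    Characters outside the base32 alphabet can never appear, so reject them.
    """
    if not set(prefix.lower()) <= BASE32_ALPHABET:
        raise ValueError("prefix contains characters outside the base32 alphabet")
    return 32 ** len(prefix)


def search_prefix(prefix: str, max_trials: int = 1_000_000):
    """Generate fresh stand-in keys until the address starts with prefix.

    Returns (key_bytes, address, trials), or None if max_trials is exhausted.
    Only short prefixes are feasible here; the point is the cost curve.
    """
    expected_trials(prefix)  # validate the prefix before spending any work
    prefix = prefix.lower()
    for trial in range(1, max_trials + 1):
        key = os.urandom(16)  # stand-in for generating a new RSA key pair
        addr = onion_address(key)
        if addr.startswith(prefix):
            return key, addr, trial
    return None


if __name__ == "__main__":
    key, addr, trials = search_prefix("fb")
    print(f"found {addr} after {trials} trials (expected ~{expected_trials('fb')})")
    print(f"'facebook' prefix: ~2**{expected_trials('facebook').bit_length() - 1} trials")
```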

Part four: what do we think about an https cert for a .onion address?

Facebook didn't just set up a hidden service. They also got an https certificate for their hidden service, and it's signed by Digicert so your browser will accept it. This choice has produced some feisty discussions in the CA/Browser community, which decides what kinds of names can get official certificates. That discussion is still ongoing, but here are my early thoughts on it.

In favor: we, the Internet security community, have taught people that https is necessary and http is scary. So it makes sense that users want to see the string "https" in front of them.

Against: Tor's .onion handshake basically gives you all of that for free, so by encouraging people to pay Digicert we're reinforcing the CA business model when maybe we should be continuing to demonstrate an alternative.

In favor: Actually https does give you a little bit more, in the case where the service (Facebook's webserver farm) isn't in the same location as the Tor program. Remember that there's no requirement for the webserver and the Tor process to be on the same machine, and in a complicated set-up like Facebook's they probably shouldn't be. One could argue that this last mile is inside their corporate network, so who cares if it's unencrypted, but I think the simple phrase "ssl added and removed here" will kill that argument.

Against: if one site gets a cert, it will further reinforce to users that it's "needed", and then the users will start asking other sites why they don't have one. I worry about starting a trend where you need to pay Digicert money to have a hidden service or your users think it's sketchy — especially since hidden services that value their anonymity could have a hard time getting a certificate.

One alternative would be to teach Tor Browser that https .onion addresses don't deserve a scary pop-up warning. A more thorough approach in that direction is to have a way for a hidden service to generate its own signed https cert using its onion private key, and teach Tor Browser how to verify them — basically a decentralized CA for .onion addresses, since they are self-authenticating anyway. Then you don't have to go through the nonsense of pretending to check whether they can read email at the domain, which only further entrenches the current CA model.

We could also imagine a pet name model where the user can tell her Tor Browser that this .onion address "is" Facebook. Or the more direct approach would be to ship a bookmark list of "known" hidden services in Tor Browser — like being our own CA, using the old-fashioned /etc/hosts model. That approach would raise the political question though of which sites we should endorse in this way.

So I haven't made up my mind yet about which direction I think this discussion should go. I'm sympathetic to "we've taught the users to check for https, so let's not confuse them", but I also worry about the slippery slope where getting a cert becomes a required step to having a reputable service. Let us know if you have other compelling arguments for or against.

Part five: what remains to be done?

In terms of both design and security, hidden services still need some love. We have plans for improved designs (see Tor proposal 224) but we don't have enough funding and developers to make it happen. We've been talking to some Facebook engineers this week about hidden service reliability and scalability, and we're excited that Facebook is thinking of putting development effort into helping improve hidden services.

And finally, speaking of teaching people about the security features of .onion sites, I wonder if "hidden services" is no longer the best phrase here. Originally we called them "location-hidden services", which was quickly shortened in practice to just "hidden services". But protecting the location of the service is just one of the security features you get. Maybe we should hold a contest to come up with a new name for these protected services? Even something like "onion services" might be better if it forces people to learn what it is.

Anonymous

November 04, 2014


Facebook joining the onion web is a major plus for tor:

. More people will begin to hear about Tor and more companies will start to use it like Facebook > more Tor users > more anonymity for the whole network

. More contributions will come to Tor, like funding and devs who want to help, including from Facebook of course

. It will give some sort of legitimacy to Tor, and especially to the onion web, weakening the adversary's argument that Tor is "only used by criminals", as they will no longer be able to use that argument, for they would be calling Facebookers "criminals", something which Facebook itself will not accept

"protected services" is too heavy on the tongue, and "hidden web" and "dark web" also includes i2p and other anonymity software, so the best name is "onion web".

Anonymous

November 05, 2014


If I type facebookcorewwwi.onion in my Tails browser, on the first connection it is changed to facebook.com.

Actually, you have an entry point to facebook, but you browse all the time with a regular .com address.

Anonymous

November 06, 2014

In reply to Anonymous (not verified)


Not in my Tails. Could it be your HTTPS Everywhere plugin? It's not redirecting me to facebook.com; it's still facebookcorewwwi.onion.

Anonymous

November 05, 2014


Why not use NameCoin instead of developing our own pet-name system? There are already provisions for .onion and .i2p addresses to be mapped to human-readable .bit names in a cryptographically secure way. It's secure, decentralized, and globally unique. Sure, it costs money, but global names are a scarce resource after all. Read "Squaring Zooko's Triangle" by Aaron Swartz.

Anonymous

November 08, 2014


I definitely prefer adding https to onion websites; more protection(s) is always preferred. Because we're in a cat-and-mouse game with the adversaries, and full foolproof everlasting anonymity is impossible (I know what I'm talking about...), it's really all about making it much harder and more time-consuming to be deanonymized, because after all: "technology will always fail you" - the Moscow rules.

Anonymous

November 08, 2014


One unmentioned benefit of widespread usage of hidden services is that it makes traffic analysis of all Tor users harder.

Imagine in future, darkweb-everywhere getting merged into https-everywhere and into Tor Browser and new major websites creating a hidden service alternative. Then good luck to NSA figuring out what all these terrorists are doing on Tor :)

Anonymous

November 11, 2014


Microsoft Outlook also does a similar thing to Facebook in that it makes you "verify your account" if you try to sign in from a "different location, device", etc. All in the name of "security" of course ;) At least you can still set up an Outlook account using Tor :)

Anonymous

November 11, 2014


there is way too much blind trust in centralised ssl/tls "verification"!

forcing people to allow untrusted third parties to block their stuff is leaving a huge backdoor open to censorship!

what if a CA is compromised by court order or corporate takeover?

If users are using ssl/tls over tor and anyone's browser does any direct requests to a CA to check certificates, that would leak the user's IP to the CA.

and if what they are using is facebook? .. facebook might even OWN a CA
(if they do they would have access to whatever gets logged there!)

btw none of this has anything to do with encryption ... they need to let people encrypt what they want when they want and stop forcing people to open up some pretty serious risks everyone seems to be ignoring!

(don't let censorship sneak in via the back door!)

Anonymous

November 11, 2014


if anything causes a browser to do a direct request to a CA to check a certificate, the CA would be able to log the user's IP .. (stating the obvious)

TLS and anonymity are contradictions as long as they keep trying to fool people into thinking ssl is some kind of "magic bullet" for everything.

It certainly has its uses, but there are also risks associated with the centralised verification (as with anything that could enable unknown or untrusted companies to block things - think about misuse for sneaky forms of CENSORSHIP - what is there to prevent CAs from being bullied or compromised by court orders or takeovers?)

and the fact that too many things try to force such centralised verification to be used for everything - even when it's obviously inappropriate, just to be able to use the encryption in the browser - seems rather suspicious in itself..

if it was really about security (from the user perspective) those browser warnings would more clearly explain what was checked and by whom rather than just say "untrusted/unsafe/etc" with UI designed to scare users rather than encourage them to read or think about what they SHOULD consider before deciding what to do next - if something says "untrusted" a user should always think about WHAT, BY WHOM and FOR WHAT PURPOSE .. without considering those additional questions the term is meaningless and actually very dangerous.

maybe users blindly trusting that some magic will "take care of it" is "security" from the perspective of the nsa/chinese government/whatever perspective.. but any attempt to force on everyone something so centralised capable of being misused to block anything public is potentially dangerous and people do need to consider those other risks.

(the censorship threats are still out there - and getting sneakier - wake up before it's too late!)

re facebook via tor using a .onion certificate
.. think about browsers doing direct requests to CAs

surely that WOULD leak the user's IP to the CA... and facebook might even own a CA!

Anonymous

November 12, 2014


So before Facebook landed with an onion URL, was it impossible to visit it using Tor? What did it change?

Thanks,

Anonymous

December 06, 2014


"Part four: what do we think about an https cert for a .onion address?"

Using HTTPS in addition to Tor does, according to the Electronic Frontier Foundation, add additional security/anonymity to a user's connection. The following EFF link is an interactive graphic which shows the effect of using Tor alone, Tor + HTTPS, HTTPS alone or neither.

https://www.eff.org/pages/tor-and-https

Peter Wills

Anonymous

December 23, 2014


I think there is an exploit there.
1) You have to enable javascript to sign up.
2) After signing up, Facebook asked me to confirm my identity with a mobile phone number or legal documentation of my identity.

You can't report things "anonymously" if you give a mobile phone number or fax copies of your ID.

I suppose this will be censored by you so called freedom lovers again though.