Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] FYI: Making Connections to Facebook more Secure

Nariman Gharib at
Fri Oct 31 05:39:50 PDT 2014

It’s important to us at Facebook to provide methods for people to use
our site securely. People connect to Facebook in many different ways,
which is why we have implemented HTTPS across our service, and Perfect
Forward Secrecy, HSTS, and other technologies which help give people
more confidence that they are connected securely to Facebook.

That doesn’t mean we can’t improve yet further.

Consider Tor: Tor challenges some assumptions of Facebook's security
mechanisms - for example its design means that from the perspective of
our systems a person who appears to be connecting from Australia at
one moment may the next appear to be in Sweden or Canada. In other
contexts such behaviour might suggest that a hacked account is being
accessed through a “botnet”, but for Tor this is normal.

Considerations like these have not always been reflected in Facebook's
security infrastructure, which has sometimes led to unnecessary
hurdles for people who connect to Facebook using Tor. To make their
experience more consistent with our goals of accessibility and
security, we have begun an experiment which makes Facebook available
directly over Tor network at the following URL:


[ NOTE: link will only work in Tor-enabled browsers ]

Facebook Onion Address

Facebook's onion address provides a way to access Facebook through Tor
without losing the cryptographic protections provided by the Tor

The idea is that the Facebook onion address connects you to Facebook's
Core WWW Infrastructure - check the URL again, you'll see what we did
there - and it reflects one benefit of accessing Facebook this way:
that it provides end-to-end communication, from your browser directly
into a Facebook datacentre.

We decided to use SSL atop this service due in part to architectural
considerations - for example, we use the Tor daemon as a reverse proxy
into a load balancer and Facebook traffic requires the protection of
SSL over that link. As a result, we have provided an SSL certificate
which cites our onion address; this mechanism removes the Tor
Browser's “SSL Certificate Warning” for that onion address and
increases confidence that this service really is run by Facebook.
Issuing an SSL certificate for a Tor implementation is - in the Tor
world - a novel solution to attribute ownership of an onion address;
other solutions for attribution are ripe for consideration, but we
believe that this one provides an appropriate starting point for such

Over time we hope to share some of the lessons that we have learned -
and will learn - about scaling and deploying services via the Facebook
onion address; we have many ideas and are looking forward to improving
this service.  A medium-term goal will be to support Facebook's
mobile-friendly website via an onion address, although in the meantime
we expect the service to be of an evolutionary and slightly flaky

We hope that these and other features will be useful to people who
wish to use Facebook's onion address.

Finally, we would like to extend our thanks to Ms. Runa Sandvik and to
Dr. Steven Murdoch of UCL for their kind assistance and generous
advice in the development of this project.

Alec Muffett is a Software Engineer for Security Infrastructure at
Facebook London.


PGP: 0xa53963936999cbb6

More information about the liberationtech mailing list