[liberationtech] FYI: Making Connections to Facebook more Secure
antitree at gmail.com
Fri Oct 31 06:05:21 PDT 2014
I find the interesting part to be the fact that they got a CA to sign a .onion
domain certificate. Is that normal?
On Fri, Oct 31, 2014 at 8:39 AM, Nariman Gharib <nariman.gh at gmail.com> wrote:
> It's important to us at Facebook to provide methods for people to use
> our site securely. People connect to Facebook in many different ways,
> which is why we have implemented HTTPS across our service, and Perfect
> Forward Secrecy, HSTS, and other technologies which help give people
> more confidence that they are connected securely to Facebook.
> That doesn't mean we can't improve yet further.
> Consider Tor: Tor challenges some assumptions of Facebook's security
> mechanisms - for example its design means that from the perspective of
> our systems a person who appears to be connecting from Australia at
> one moment may the next appear to be in Sweden or Canada. In other
> contexts such behaviour might suggest that a hacked account is being
> accessed through a "botnet", but for Tor this is normal.
> Considerations like these have not always been reflected in Facebook's
> security infrastructure, which has sometimes led to unnecessary
> hurdles for people who connect to Facebook using Tor. To make their
> experience more consistent with our goals of accessibility and
> security, we have begun an experiment which makes Facebook available
> directly over Tor network at the following URL:
> [ NOTE: link will only work in Tor-enabled browsers ]
> Facebook Onion Address
> Facebook's onion address provides a way to access Facebook through Tor
> without losing the cryptographic protections provided by the Tor
> The idea is that the Facebook onion address connects you to Facebook's
> Core WWW Infrastructure - check the URL again, you'll see what we did
> there - and it reflects one benefit of accessing Facebook this way:
> that it provides end-to-end communication, from your browser directly
> into a Facebook datacentre.
> We decided to use SSL atop this service due in part to architectural
> considerations - for example, we use the Tor daemon as a reverse proxy
> into a load balancer and Facebook traffic requires the protection of
> SSL over that link. As a result, we have provided an SSL certificate
> which cites our onion address; this mechanism removes the Tor
> Browser's "SSL Certificate Warning" for that onion address and
> increases confidence that this service really is run by Facebook.
> Issuing an SSL certificate for a Tor implementation is - in the Tor
> world - a novel solution to attribute ownership of an onion address;
> other solutions for attribution are ripe for consideration, but we
> believe that this one provides an appropriate starting point for such
> Over time we hope to share some of the lessons that we have learned -
> and will learn - about scaling and deploying services via the Facebook
> onion address; we have many ideas and are looking forward to improving
> this service. A medium-term goal will be to support Facebook's
> mobile-friendly website via an onion address, although in the meantime
> we expect the service to be of an evolutionary and slightly flaky
> We hope that these and other features will be useful to people who
> wish to use Facebook's onion address.
> Finally, we would like to extend our thanks to Ms. Runa Sandvik and to
> Dr. Steven Murdoch of UCL for their kind assistance and generous
> advice in the development of this project.
> Alec Muffett is a Software Engineer for Security Infrastructure at
> Facebook London.
> PGP: 0xa53963936999cbb6
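The quoted announcement describes a false positive: a Tor user whose apparent country changes from one moment to the next looks like a compromised account. The sketch below is an added example, not part of this thread and not Facebook's code. It runs a country-jump check over constructed login events and marks jumps that involve a known Tor exit as carrying no location signal, rather than as account takeover. The `Login` record, the one-hour window, the exit list and all IPs (documentation ranges) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed exit list; in practice this would be loaded from a Tor exit-list feed.
TOR_EXITS = {"198.51.100.7", "203.0.113.9"}

@dataclass
class Login:
    account: str
    ts: datetime
    ip: str
    country: str  # country code as resolved by a GeoIP lookup (assumed done upstream)

def flag_country_jumps(events, tor_exits, window=timedelta(hours=1)):
    """Return (account, prev_country, country, verdict) for each country change
    that happens within `window` of the account's previous login."""
    last, findings = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.account)
        last[ev.account] = ev
        if prev is None or prev.country == ev.country:
            continue
        if ev.ts - prev.ts > window:
            continue  # slow enough to be ordinary travel
        if prev.ip in tor_exits or ev.ip in tor_exits:
            # Exit relays rotate between countries, so location says nothing here;
            # the session must be judged on other signals, not waved through.
            verdict = "tor-geo-unreliable"
        else:
            verdict = "suspicious"
        findings.append((ev.account, prev.country, ev.country, verdict))
    return findings

def _t(hhmm):
    return datetime.strptime("2014-10-31 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample events.
SAMPLE = [
    Login("alice", _t("10:00"), "198.51.100.7", "AU"),
    Login("alice", _t("10:05"), "203.0.113.9", "SE"),
    Login("alice", _t("10:10"), "198.51.100.7", "CA"),
    Login("bob", _t("09:00"), "192.0.2.10", "US"),
    Login("bob", _t("09:20"), "192.0.2.77", "BR"),
    Login("carol", _t("08:00"), "192.0.2.30", "DE"),
    Login("carol", _t("15:00"), "192.0.2.31", "FR"),
]

if __name__ == "__main__":
    for finding in flag_country_jumps(SAMPLE, TOR_EXITS):
        print(finding)
```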