Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
The Internet Communications Encryption Facebook Privacy

More Tor .Onion Sites May Get Digital Certificates Soon 52

Trailrunner7 writes News broke last week that Facebook had built a hidden services version of its social network available to users browsing anonymously via the Tor Project's proxy service. Unlike any .onion domain before it, Facebook's would be verified by a legitimate digital signature, signed and issued by DigiCert. Late yesterday, Jeremy Rowley, DigiCert's vice president of business development and legal, explained his company's decision to support this endeavor in a blog entry. He also noted that DigiCert is considering opening up its certification business to other .Onion domains in the future. "Using a digital certificate from DigiCert, Tor users are able to identify the exact .onion address operated by Facebook," Rowley explained. "Tor users can evaluate the digital certificate contents to discover that the entity operating the onion address is the same entity as the one operating facebook.com."
This discussion has been archived. No new comments can be posted.

More Tor .Onion Sites May Get Digital Certificates Soon

Comments Filter:
  • Is this April Fools Day in November?
  • by Anonymous Coward

    Wait, but don't people use tor because they care about their privacy? Why would they use facebook in the first place?!

    • by Anonymous Coward

      Wait, but don't people use tor because they care about their privacy? Why would they use facebook in the first place?!

      1. you can put on facebook whatever you want, not just information about your last BM or your personal information

      2. the purpose of certs is to *verify* the other end of the connection

      3. the purpose of Tor is to anonymity the "connectee" - the person connecting to the service, not necessarily the service itself.

      4. the purpose of .onion is more about providing a "hidden service"
      http://en.wikipedia.org/wiki/.... [wikipedia.org]

      So, #2 and #4 seem a little at odds with each other. #2 *can* b

      • Re:Wait (Score:5, Informative)

        by jythie ( 914043 ) on Friday November 07, 2014 @10:37PM (#48338781)
        There is also another advantage of things like this, Tor becomes more effective as more people are using it for general tasks. I can recall a while back someone being caught for sending fake bomb threats via Tor. How did they find the person? They were the only one using Tor on their entire network and only used it at the same times the emails were sent.

        So there is an advantage to people simply using Tor for their normal everyday activities like this.
        • Tor becomes more effective as more people are using it for general tasks.

          Tor becomes less effective when corporations are running the nodes. Nothing like funneling all your data through an untrusted proxy. Besides, didn't the NSA already show us that Tor does little to protect anonymity? Between cookies and other tracking methods, all those website already know who you are, regardless of how the traffic got there.

          • Tor becomes less effective when corporations are running the nodes. Nothing like funneling all your data through an untrusted proxy. Besides, didn't the NSA already show us that Tor does little to protect anonymity?

            I think they demonstrated that Tor can be beaten, but that doesn't necessarily imply that defeating it is simple or cost-effective for most cases.

            The way I see if, if you're running Silk Road X.Y then it's probably worth their while to take the time and trouble needed to find you. If all you

            • I think they demonstrated that Tor can be beaten, but that doesn't necessarily imply that defeating it is simple or cost-effective for most cases.

              My point was that it's much simpler when you have direct control over the node.

              Yeah. If only there was a way to disable cookies and javascript in a web browser. You know, like the Tor browser does by default?

              Cookies and javascript are not the only ways to track you. Doesn't Facebook require cookies to be enabled?

              As much as Tor can help, there is no such thing as being perfectly anonymous on the internet. I certainly don't trust Facebook to protect it any more than I trust Google who also makes money by tracking and targeting me.

              • My point was that it's much simpler when you have direct control over the node.

                Entry or exit? I mean sure, if you connect to Silk Road and you're unlucky enough to enter through an NSA node at one and and exit through another one, then you're probably toast. But as I understand it, the number of subverted nodes is still fairly small compared to the total number. Which brings us back to the GP's point about security increasing with the number of nodes.

                Cookies and javascript are not the only ways to track

  • by Anonymous Coward

    They want to track users by SSL session cache and use the information to ratmap even more users.

  • by Crashmarik ( 635988 ) on Friday November 07, 2014 @07:09PM (#48338121)

    I mean at the point you are using Facebook on TOR all you haven't done a thing for your privacy and just slowed your internet connection down. Might as well let Verizon label all your traffic as well.

    To top it off I can't imagine why anyone would want to deal with sites that are using certificates on TOR. All they do is provide a nice well defined entity that can be leaned on, to get your information.

    • by Ksevio ( 865461 )
      What about people in repressive countries that don't have open access to these sites? It would be good to be able to access Facebook or Twitter and know the connection is secure.
      • by Crashmarik ( 635988 ) on Friday November 07, 2014 @07:16PM (#48338147)

        If you are worried about your government persecuting you Facebook is not the place to hangout. If you want to get your message out to social media get a friend in a less repressive country to post on your behalf. Posting on facebook from someplace like Syria or No Korea would be tantamount to signing your own death warrant.

        • Creating a login, Winston Smith (not your real name), and using tor to access facebook isn't sufficiently anonymous?

        • If you want to get your message out to social media get a friend in a less repressive country to post on your behalf.

          You don't see any problems with that plan?

        • by jythie ( 914043 )
          Actually both twitter and facebook have been used in activism like this already, it is one of their appeals in repressive countries.
      • For hidden services, the address is also a public key, which is used to encrypt the connection one layer down. You don't need TLS in TLS, its bullshit. Tor should ship with a list of frequent hidden services (perhaps they can ask apk on how to make a host file engine ;) ? ).

  • by Severus Snape ( 2376318 ) on Friday November 07, 2014 @07:17PM (#48338153)

    Lavabit.

    You would need to be a fucking moron to not believe there is not a warrant drafted for the FISC court already. Trust in any US web stakeholders for any users privacy is fallacy. Never mind when getting up to illegal shenanigans found on .onion like Silk Road.

  • by Anonymous Coward on Friday November 07, 2014 @07:34PM (#48338225)

    The protocol itself cryptographically ensures that you're talking to the same service every time. That's why .onion addresses look funny: The cost of choosing parts of the name grows exponentially with the number of characters you want to choose. Taking over an .onion domain requires "choosing" the entire name, and that's impossible (infeasible to the point of impossibility).

    Using a certificate hierarchy with TOR can only do one thing: Expose you.

    • That's why .onion addresses look funny: The cost of choosing parts of the name grows exponentially with the number of characters you want to choose. Taking over an .onion domain requires "choosing" the entire name, and that's impossible (infeasible to the point of impossibility).

      So how did Facebook manage to get https://facebookcorewwwi.onion... [facebookcorewwwi.onion] ?

      • Re: (Score:2, Informative)

        by Anonymous Coward

        They chose facebook*, created a bunch of matching addresses and selected the address which looked nicest. The corewwwi part is actually random. You can't create the private key which results in the same address as Facebook's. You could create another address that starts with facebook, but functionally that would be an entirely different address that would not give you the ability to intercept requests to Facebook's address.

  • Well, anyway ... (Score:4, Informative)

    by CaptainDork ( 3678879 ) on Friday November 07, 2014 @10:18PM (#48338741)

    ... I used the Tor browser to get to one of my burner Facebook accounts and it locked me. Such joy. I was coming at the site from another country, so Facebook had a major cow.

    I went mainstream and gave Facebook a tummy rub and all is well, but it was a fun ride.

    I still wonder what the Sam Hill any Facebook member would be doing on Tor, but you can bet your sweet ass that Facebook wants you no matter what route you take.

    • I still wonder what the Sam Hill any Facebook member would be doing on Tor

      The non-paranoid idea normally floated is that it's for getting into FB from a country that's censoring it.

"Everything should be made as simple as possible, but not simpler." -- Albert Einstein

Working...