
More Tor .Onion Sites May Get Digital Certificates Soon

Trailrunner7 writes: News broke last week that Facebook had built a hidden services version of its social network available to users browsing anonymously via the Tor Project's proxy service. Unlike any .onion domain before it, Facebook's would be verified by a legitimate digital signature, signed and issued by DigiCert. Late yesterday, Jeremy Rowley, DigiCert's vice president of business development and legal, explained his company's decision to support this endeavor in a blog entry. He also noted that DigiCert is considering opening up its certification business to other .Onion domains in the future. "Using a digital certificate from DigiCert, Tor users are able to identify the exact .onion address operated by Facebook," Rowley explained. "Tor users can evaluate the digital certificate contents to discover that the entity operating the onion address is the same entity as the one operating facebook.com."
  • Is this April Fools Day in November?
  • by Anonymous Coward

    Wait, but don't people use tor because they care about their privacy? Why would they use facebook in the first place?!

    • by Anonymous Coward

      Wait, but don't people use tor because they care about their privacy? Why would they use facebook in the first place?!

      1. you can put on facebook whatever you want, not just information about your last BM or your personal information

      2. the purpose of certs is to *verify* the other end of the connection

      3. the purpose of Tor is to anonymize the "connectee" - the person connecting to the service, not necessarily the service itself.

      4. the purpose of .onion is more about providing a "hidden service"
      http://en.wikipedia.org/wiki/.... [wikipedia.org]

      So, #2 and #4 seem a little at odds with each other. #2 *can* b

      • Re:Wait (Score:5, Informative)

        by jythie ( 914043 ) on Friday November 07, 2014 @10:37PM (#48338781)
        There is also another advantage of things like this: Tor becomes more effective as more people are using it for general tasks. I can recall a while back someone being caught for sending fake bomb threats via Tor. How did they find the person? They were the only one using Tor on their entire network and only used it at the same times the emails were sent.

        So there is an advantage to people simply using Tor for their normal everyday activities like this.
        • Tor becomes more effective as more people are using it for general tasks.

          Tor becomes less effective when corporations are running the nodes. Nothing like funneling all your data through an untrusted proxy. Besides, didn't the NSA already show us that Tor does little to protect anonymity? Between cookies and other tracking methods, all those websites already know who you are, regardless of how the traffic got there.

          • Tor becomes less effective when corporations are running the nodes. Nothing like funneling all your data through an untrusted proxy. Besides, didn't the NSA already show us that Tor does little to protect anonymity?

            I think they demonstrated that Tor can be beaten, but that doesn't necessarily imply that defeating it is simple or cost-effective for most cases.

            The way I see it, if you're running Silk Road X.Y then it's probably worth their while to take the time and trouble needed to find you. If all you

            • I think they demonstrated that Tor can be beaten, but that doesn't necessarily imply that defeating it is simple or cost-effective for most cases.

              My point was that it's much simpler when you have direct control over the node.

              Yeah. If only there was a way to disable cookies and javascript in a web browser. You know, like the Tor browser does by default?

              Cookies and javascript are not the only ways to track you. Doesn't Facebook require cookies to be enabled?

              As much as Tor can help, there is no such thing as being perfectly anonymous on the internet. I certainly don't trust Facebook to protect it any more than I trust Google who also makes money by tracking and targeting me.

              • My point was that it's much simpler when you have direct control over the node.

                Entry or exit? I mean sure, if you connect to Silk Road and you're unlucky enough to enter through an NSA node at one end and exit through another one, then you're probably toast. But as I understand it, the number of subverted nodes is still fairly small compared to the total number. Which brings us back to the GP's point about security increasing with the number of nodes.

                Cookies and javascript are not the only ways to track

  • by Anonymous Coward

    They want to track users by SSL session cache and use the information to ratmap even more users.

  • by Crashmarik ( 635988 ) on Friday November 07, 2014 @07:09PM (#48338121)

    I mean at the point you are using Facebook on TOR you haven't done a thing for your privacy and just slowed your internet connection down. Might as well let Verizon label all your traffic as well.

    To top it off I can't imagine why anyone would want to deal with sites that are using certificates on TOR. All they do is provide a nice well defined entity that can be leaned on, to get your information.

    • by Ksevio ( 865461 )
      What about people in repressive countries that don't have open access to these sites? It would be good to be able to access Facebook or Twitter and know the connection is secure.
      • by Crashmarik ( 635988 ) on Friday November 07, 2014 @07:16PM (#48338147)

        If you are worried about your government persecuting you, Facebook is not the place to hang out. If you want to get your message out to social media, get a friend in a less repressive country to post on your behalf. Posting on facebook from someplace like Syria or No Korea would be tantamount to signing your own death warrant.

        • Creating a login, Winston Smith (not your real name), and using tor to access facebook isn't sufficiently anonymous?

        • If you want to get your message out to social media get a friend in a less repressive country to post on your behalf.

          You don't see any problems with that plan?

        • by jythie ( 914043 )
          Actually both twitter and facebook have been used in activism like this already, it is one of their appeals in repressive countries.
      • For hidden services, the address is also a public key, which is used to encrypt the connection one layer down. You don't need TLS in TLS, it's bullshit. Tor should ship with a list of frequent hidden services (perhaps they can ask apk on how to make a host file engine ;) ? ).

  • by Severus Snape ( 2376318 ) on Friday November 07, 2014 @07:17PM (#48338153)

    Lavabit.

    You would need to be a fucking moron to not believe there is not a warrant drafted for the FISC court already. Trust in any US web stakeholders for any users' privacy is fallacy. Never mind when getting up to illegal shenanigans found on .onion like Silk Road.

  • by Anonymous Coward on Friday November 07, 2014 @07:34PM (#48338225)

    The protocol itself cryptographically ensures that you're talking to the same service every time. That's why .onion addresses look funny: The cost of choosing parts of the name grows exponentially with the number of characters you want to choose. Taking over an .onion domain requires "choosing" the entire name, and that's impossible (infeasible to the point of impossibility).

    Using a certificate hierarchy with TOR can only do one thing: Expose you.

    • That's why .onion addresses look funny: The cost of choosing parts of the name grows exponentially with the number of characters you want to choose. Taking over an .onion domain requires "choosing" the entire name, and that's impossible (infeasible to the point of impossibility).

      So how did Facebook manage to get https://facebookcorewwwi.onion... [facebookcorewwwi.onion] ?

      • Re: (Score:2, Informative)

        by Anonymous Coward

        They chose facebook*, created a bunch of matching addresses and selected the address which looked nicest. The corewwwi part is actually random. You can't create the private key which results in the same address as Facebook's. You could create another address that starts with facebook, but functionally that would be an entirely different address that would not give you the ability to intercept requests to Facebook's address.
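
Added example, not part of the thread: the two comments above rely on the 16-character .onion format of the time, where the name is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key. The sketch below derives and checks such a name and computes the average number of keys needed to fix a chosen prefix; the function names are hypothetical, and `KEY_A`/`KEY_B` are constructed byte strings standing in for real DER-encoded keys.

```python
import base64
import hashlib

ONION_LABEL_LEN = 16  # 16 base32 characters = 80 bits of the key hash
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")

# Constructed placeholders standing in for DER-encoded RSA public keys.
KEY_A = bytes(range(140))
KEY_B = bytes(reversed(range(140)))


def onion_address(public_key_der: bytes) -> str:
    """Base32 of the first 10 bytes of SHA-1 over the encoded public key."""
    digest = hashlib.sha1(public_key_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def normalize(address: str) -> str:
    """Reduce a URL or hostname to its 16-character onion label."""
    host = address.lower().split("://")[-1].split("/")[0]
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    label = host.split(".")[-1]  # ignore any subdomain in front of the label
    if len(label) != ONION_LABEL_LEN or not set(label) <= BASE32_ALPHABET:
        raise ValueError(f"not a 16-character onion label: {label!r}")
    return label


def key_matches_address(public_key_der: bytes, address: str) -> bool:
    """True only if this key hashes to the full label, which is what binds
    the name to the holder of the matching private key."""
    return onion_address(public_key_der) == normalize(address)


def same_service(a: str, b: str) -> bool:
    """Compare all 16 characters; a shared readable prefix proves nothing."""
    return normalize(a) == normalize(b)


def expected_keys_for_prefix(prefix: str) -> int:
    """Average number of candidate keys before one hashes to this prefix:
    each base32 character multiplies the work by 32."""
    if not set(prefix.lower()) <= BASE32_ALPHABET:
        raise ValueError("prefix contains characters outside base32")
    return 32 ** len(prefix)
```

An 8-character prefix such as `facebook` costs about 2^40 candidate keys on average, while matching all 16 characters costs about 2^80, which is why a lookalike sharing only the readable prefix is a different service that `same_service` rejects.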

  • Well, anyway ... (Score:4, Informative)

    by CaptainDork ( 3678879 ) on Friday November 07, 2014 @10:18PM (#48338741)

    ... I used the Tor browser to get to one of my burner Facebook accounts and it locked me. Such joy. I was coming at the site from another country, so Facebook had a major cow.

    I went mainstream and gave Facebook a tummy rub and all is well, but it was a fun ride.

    I still wonder what the Sam Hill any Facebook member would be doing on Tor, but you can bet your sweet ass that Facebook wants you no matter what route you take.

    • I still wonder what the Sam Hill any Facebook member would be doing on Tor

      The non-paranoid idea normally floated is that it's for getting into FB from a country that's censoring it.
