Facebook has made its site available to users of the Tor network, creating an odd mix of anonymity and accountability.
On the face of it, Facebook over Tor doesn’t seem to make much sense: if you feel the need to obscure your Internet connection, it doesn’t seem likely you’d want to post publicly under your own name.
Still, Facebook seems to think it’s a worthwhile goal. It says it’s had to take a novel approach as normally Tor connections appear to show a rapidly changing physical location, something that would usually trigger security alerts on Facebook.
To get around this, Facebook has set up a dedicated address for Tor browsers at https://facebookcorewwwi.onion/. It says this doesn’t point to the ordinary website, but rather directly to a Facebook datacentre. The idea is that the connection will be encrypted end-to-end, though of course anything you post will still be subject to your usual privacy settings.
Facebook says that the way it has set up the connection requires it to use Secure Sockets Layer (SSL) protection as well, and because of this:
we have provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser’s “SSL Certificate Warning” for that onion address and increases confidence that this service really is run by Facebook. Issuing an SSL certificate for a Tor implementation is – in the Tor world – a novel solution to attribute ownership of an onion address; other solutions for attribution are ripe for consideration, but we believe that this one provides an appropriate starting point for such discussion.
The company notes the service will be “of an evolutionary and slightly flaky nature” at first, but it plans to improve it and eventually add support for the mobile-friendly edition of Facebook.
Several commentators have already questioned how Facebook was able to create such a specific Tor address, something that would raise security concerns as somebody able to do that could theoretically create a bogus connection to any URL of their choice.
However, Facebook’s Alec Muffett says that the company simply created a random bunch of addresses starting with “Facebook” and then selected the best looking one, with a result he describes as “tremendously fortunate.”
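The arithmetic behind that explanation, as an added example that is not from Facebook or the original article: it assumes the first-generation onion naming scheme (base32 of the first 80 bits of the SHA-1 hash of the service's public key) and uses constructed stand-in byte strings in place of real keys. It shows why fixing an 8-character prefix is a matter of trying many keys, while matching all 16 characters of someone else's address is a 2^80 problem.

```python
import base64
import hashlib

ONION_LEN = 16  # characters in a name such as facebookcorewwwi


def onion_name(public_key_der: bytes) -> str:
    """Base32 of the first 80 bits of SHA-1(public key), lower-cased."""
    digest = hashlib.sha1(public_key_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def expected_attempts(prefix_len: int) -> int:
    """Average number of keys tried before a chosen prefix turns up.

    Each character carries 5 bits, so every extra character multiplies
    the work by 32.
    """
    return 32 ** prefix_len


def search_prefix(prefix: str, max_tries: int = 500_000):
    """Try stand-in keys until a name starts with `prefix`.

    Returns (name, tries), or (None, max_tries) if the budget runs out.
    """
    for tries in range(1, max_tries + 1):
        # Constructed stand-in for a DER-encoded public key (assumption):
        # a real search would generate a fresh key pair on every iteration.
        stand_in_key = b"constructed-demo-key-" + tries.to_bytes(8, "big")
        name = onion_name(stand_in_key)
        if name.startswith(prefix):
            return name, tries
    return None, max_tries


if __name__ == "__main__":
    name, tries = search_prefix("fb")
    print(f"2-char prefix: {name} after {tries} tries "
          f"(expected about {expected_attempts(2)})")
    print(f"8-char prefix 'facebook': about {expected_attempts(8):.2e} tries")
    print(f"all {ONION_LEN} chars of an existing name: "
          f"about {expected_attempts(ONION_LEN):.2e} tries")
```

The remaining eight characters of each hit are effectively random, which matches the account of picking the best-looking result from a batch of candidates.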