[liberationtech] FYI: Making Connections to Facebook more Secure

AntiTree antitree at gmail.com
Fri Oct 31 07:20:57 PDT 2014 

Facebook is using a wildcard for SSL. The following are a list of
domains/hosts the cert provides for. Notice the additional onion
addresses

Not Critical
DNS Name: *.facebook.com
DNS Name: facebook.com
DNS Name: *.fb.com
DNS Name: *.fbsbx.com
DNS Name: *.fbcdn.net
DNS Name: *.xx.fbcdn.net
DNS Name: *.xy.fbcdn.net
DNS Name: fb.com
DNS Name: facebookcorewwwi.onion
DNS Name: fbcdn23dssr3jqnq.onion
DNS Name: fbsbx2q4mvcl63pw.onion

I'm still wondering how one verifies ownership of a .onion domain? You
aren't going to look at the WHOIS record and send an email to the
technical contact on file or send an email to postmaster at xxx.onion. Do
large companies like FB have a fast track for getting odd requests?

On Fri, Oct 31, 2014 at 9:05 AM, AntiTree <antitree at gmail.com> wrote:
> I find the interesting part the fact that they got a CA to sign a .onion
> domain certificate. Is that normal?
>
> On Fri, Oct 31, 2014 at 8:39 AM, Nariman Gharib <nariman.gh at gmail.com>
> wrote:
>>
>> It's important to us at Facebook to provide methods for people to use
>> our site securely. People connect to Facebook in many different ways,
>> which is why we have implemented HTTPS across our service, and Perfect
>> Forward Secrecy, HSTS, and other technologies which help give people
>> more confidence that they are connected securely to Facebook.
>>
>>
>> That doesn't mean we can't improve yet further.
>>
>>
>> Consider Tor: Tor challenges some assumptions of Facebook's security
>> mechanisms - for example its design means that from the perspective of
>> our systems a person who appears to be connecting from Australia at
>> one moment may the next appear to be in Sweden or Canada. In other
>> contexts such behaviour might suggest that a hacked account is being
>> accessed through a "botnet", but for Tor this is normal.
>>
>>
>> Considerations like these have not always been reflected in Facebook's
>> security infrastructure, which has sometimes led to unnecessary
>> hurdles for people who connect to Facebook using Tor. To make their
>> experience more consistent with our goals of accessibility and
>> security, we have begun an experiment which makes Facebook available
>> directly over Tor network at the following URL:
>>
>>
>> https://facebookcorewwwi.onion/
>>
>>
>> [ NOTE: link will only work in Tor-enabled browsers ]
>>
>>
>> Facebook Onion Address
>>
>>
>> Facebook's onion address provides a way to access Facebook through Tor
>> without losing the cryptographic protections provided by the Tor
>> cloud.
>>
>>
>> The idea is that the Facebook onion address connects you to Facebook's
>> Core WWW Infrastructure - check the URL again, you'll see what we did
>> there - and it reflects one benefit of accessing Facebook this way:
>> that it provides end-to-end communication, from your browser directly
>> into a Facebook datacentre.
>>
>>
>> We decided to use SSL atop this service due in part to architectural
>> considerations - for example, we use the Tor daemon as a reverse proxy
>> into a load balancer and Facebook traffic requires the protection of
>> SSL over that link. As a result, we have provided an SSL certificate
>> which cites our onion address; this mechanism removes the Tor
>> Browser's "SSL Certificate Warning" for that onion address and
>> increases confidence that this service really is run by Facebook.
>> Issuing an SSL certificate for a Tor implementation is - in the Tor
>> world - a novel solution to attribute ownership of an onion address;
>> other solutions for attribution are ripe for consideration, but we
>> believe that this one provides an appropriate starting point for such
>> discussion.
>>
>>
>> Over time we hope to share some of the lessons that we have learned -
>> and will learn - about scaling and deploying services via the Facebook
>> onion address; we have many ideas and are looking forward to improving
>> this service.  A medium-term goal will be to support Facebook's
>> mobile-friendly website via an onion address, although in the meantime
>> we expect the service to be of an evolutionary and slightly flaky
>> nature.
>>
>>
>> We hope that these and other features will be useful to people who
>> wish to use Facebook's onion address.
>>
>>
>> Finally, we would like to extend our thanks to Ms. Runa Sandvik and to
>> Dr. Steven Murdoch of UCL for their kind assistance and generous
>> advice in the development of this project.
>>
>>
>> Alec Muffett is a Software Engineer for Security Infrastructure at
>> Facebook London.
>>
>>
>> SOURCE:
>> https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
>>
>>
>> --
>> PGP: 0xa53963936999cbb6
>> --
>> Liberationtech is public & archives are searchable on Google. Violations
>> of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
>> change to digest, or change password by emailing moderator at
>> companys at stanford.edu.
>
>

More information about the liberationtech mailing list