[liberationtech] FYI: Making Connections to Facebook more Secure

Fri Oct 31 06:05:21 PDT 2014

I find the interesting part the fact that they got a CA to sign a .onion
domain certificate. Is that normal?

On Fri, Oct 31, 2014 at 8:39 AM, Nariman Gharib <nariman.gh at gmail.com>
wrote:

> It's important to us at Facebook to provide methods for people to use
> our site securely. People connect to Facebook in many different ways,
> which is why we have implemented HTTPS across our service, and Perfect
> Forward Secrecy, HSTS, and other technologies which help give people
> more confidence that they are connected securely to Facebook.
>
>
> That doesn't mean we can't improve yet further.
>
>
> Consider Tor: Tor challenges some assumptions of Facebook's security
> mechanisms - for example its design means that from the perspective of
> our systems a person who appears to be connecting from Australia at
> one moment may the next appear to be in Sweden or Canada. In other
> contexts such behaviour might suggest that a hacked account is being
> accessed through a "botnet", but for Tor this is normal.
>
>
> Considerations like these have not always been reflected in Facebook's
> security infrastructure, which has sometimes led to unnecessary
> hurdles for people who connect to Facebook using Tor. To make their
> experience more consistent with our goals of accessibility and
> security, we have begun an experiment which makes Facebook available
> directly over Tor network at the following URL:
>
>
> https://facebookcorewwwi.onion/
>
>
> [ NOTE: link will only work in Tor-enabled browsers ]
>
>
> Facebook Onion Address
>
>
> Facebook's onion address provides a way to access Facebook through Tor
> without losing the cryptographic protections provided by the Tor
> cloud.
>
>
> The idea is that the Facebook onion address connects you to Facebook's
> Core WWW Infrastructure - check the URL again, you'll see what we did
> there - and it reflects one benefit of accessing Facebook this way:
> that it provides end-to-end communication, from your browser directly
> into a Facebook datacentre.
>
>
> We decided to use SSL atop this service due in part to architectural
> considerations - for example, we use the Tor daemon as a reverse proxy
> into a load balancer and Facebook traffic requires the protection of
> SSL over that link. As a result, we have provided an SSL certificate
> which cites our onion address; this mechanism removes the Tor
> Browser's "SSL Certificate Warning" for that onion address and
> increases confidence that this service really is run by Facebook.
> Issuing an SSL certificate for a Tor implementation is - in the Tor
> world - a novel solution to attribute ownership of an onion address;
> other solutions for attribution are ripe for consideration, but we
> believe that this one provides an appropriate starting point for such
> discussion.
>
>
> Over time we hope to share some of the lessons that we have learned -
> and will learn - about scaling and deploying services via the Facebook
> onion address; we have many ideas and are looking forward to improving
> this service.  A medium-term goal will be to support Facebook's
> mobile-friendly website via an onion address, although in the meantime
> we expect the service to be of an evolutionary and slightly flaky
> nature.
>
>
> We hope that these and other features will be useful to people who
> wish to use Facebook's onion address.
>
>
> Finally, we would like to extend our thanks to Ms. Runa Sandvik and to
> Dr. Steven Murdoch of UCL for their kind assistance and generous
> advice in the development of this project.
>
>
> Alec Muffett is a Software Engineer for Security Infrastructure at
> Facebook London.
>
>
> SOURCE:
> https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
>
>
> --
> PGP: 0xa53963936999cbb6
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> companys at stanford.edu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20141031/134512f1/attachment.html>