[liberationtech] Facebook available as a Tor hidden service

Jonathan Wilkes jancsika at yahoo.com
Fri Oct 31 13:00:50 PDT 2014


Hi Rob,
I made a scathing criticism of a poor UI decision in the TBB, and it came out the other end of your euphemism carwash as "really hard to figure out".

I have a very hard time believing you'd be as gracious in describing some aspect of Facebook's UI that "(advises)" to check some configuration box for enhanced security which isn't default behavior.  Furthermore, if users of Facebook ended up getting pwned time and again, I also doubt you'd blame the set of all users who fail to check that optional box.

So why is it the hidden service ops' responsibility to refrain from using javascript as a default design decision when the developers of the overlay aren't even willing to do it for TBB?  Those ops are users of the Tor overlay, and they are obviously catering to the TBB users who don't disable Javascript.


I don't fault you for implicitly distrusting Facebook, but it's even worse to implicitly soften criticism of TBB.  If you truly believe that using javascript with Tor is bad, then please imagine that Facebook develops and funds the TBB and direct your criticism and patches to TBB accordingly.


-Jonathan



On Friday, October 31, 2014 1:47 PM, Robert W. Gehl <lists at robertwgehl.org> wrote:
 


Hi, Jonathan -- 

I do know the default, and I did change them to allow for first-party scripts. I agree that TBB's NoScript defaults are really hard to figure out (in comparison to NoScript in vanilla Firefox -- which admittedly is still a complicated setup). However, I assumed that if Facebook wanted to have a hidden service, they'd account for the fact that at the very least third-party JS is a no-no (and many Tor users also don't want to allow any scripts).

From what I could tell, the verification system I went to to confirm my ID relied on third party scripts (it looked like Google scripts). It was a system in which I had to identify pictures of "friends". No pictures loaded.

Moreover, the .onion Facebook will probably always say that the account is locked due to logging in from a "strange" location, so there will be that issue.

In the end, I don't get why FB is doing this, other than to look hip.

- Rob



On 10/31/2014 11:40 AM, Jonathan Wilkes wrote:

>Hi Rob,
>You do know TBB's defaults regarding scripts, right?  If it's a conundrum with no easy answer for Tor devs, it's a conundrum for Facebook as well.  So please do get on Tor Talk list and criticise TBB for having an "(advised)" yet non-default setting for blocking all scripts.
>
>I understand the conundrum, and I agree that there isn't an easy answer, but that default setting in TBB is batshit insane.  It is _the_ source of the conundrum.  If script-blocking were turned on by default Facebook wouldn't even waste time trying to design a hidden service like this.
>
>-Jonathan
>
>
>
>
>On Friday, October 31, 2014 12:13 PM, Robert W. Gehl <lists at robertwgehl.org> wrote:
> 
>
>
>I tried to log in (with a fake account I maintain for just such a purpose). "Your account is temporarily locked," it says. I get that; it appears I'm trying to log in from a strange location.
>
>To proceed, I have to ID pictures of friends. Ok, I say. But the page with friends' photos doesn't load, probably because I have Javascript off (common practice with the Tor Browser). Fail.
>
>Let's say people take this seriously -- to do so, they will have to use Javascript, which is a bad move when using Tor.
>
>It seems to me that this would just inculcate bad security habits for any would-be Dark Web users.
>
>- Rob
>
>On 10/31/2014 08:14 AM, Steve Weis wrote:
>
>>Facebook is now available as a Tor hidden service at this .onion address:
>>https://facebookcorewwwi.onion/ 
>>
>>
>>Blog post is here:
>>
>>https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
>>
>>
>>
>>
>>
>
>-- 
>Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.
>
>
>
>

