
Facebook, hidden services and https certificates
Facebook recently revealed to the world the existence of a hidden Tor service that provides more secure access to their site. Users and journalists have been asking Tor for comments on this. Below are their answers and thoughts.
Part One: Yes, there are no contradictions in visiting Facebook via Tor
It seemed to me that this needed no explanation until I heard a journalist ask why Tor users would not use Facebook. Leaving aside Facebook's attitude to privacy, its rules on the use of real names, and whether you need to tell Facebook anything about yourself, the main point is that anonymity is not only about hiding from the site you are visiting.
There is no reason to let your provider know whether you use Facebook. There is no reason for Facebook's hosting provider, or any agency that monitors the Internet, to know whether you use Facebook. And if you voluntarily disclose some of your data to Facebook, there is still no reason for them to automatically find out which city you are in today.
In addition, there are places in the world where Facebook is not available. Some time ago I was talking to a security person at Facebook who told me a funny story. When he first learned about Tor, he hated and feared it, because it was “obviously” intended to destroy Facebook's business model of learning everything about all of its users. Then Iran suddenly blocked Facebook, after which most of the service's users moved to Tor to reach Facebook, and he turned into a Tor fan, because without it all those users would simply have been cut off. Other countries, such as China, introduced similar measures after this incident. This change in attitude toward Tor, from “Tor is a privacy tool that allows users to control their data” to “Tor is a communication tool that allows users to choose for themselves”, illustrates the variety of uses of Tor. Whatever use of Tor you can think of, somewhere there is a person who uses it in a way you did not expect.
Part Two: We are pleased to see an increase in the use of hidden services
I think it is great that Facebook added a .onion address. There are cases where there is no alternative to such addresses: see, for example, the article “using hidden services with good intentions”, or upcoming decentralized services such as the Ricochet chat, where every user is a hidden service, so there is no central point that could be tapped or pressured. But we have not especially advertised these addresses, at least not as much as high-profile cases like “they want to close my site” have been publicized.
Hidden services have many security features. First, thanks to Tor's design, it is hard to find out exactly where the service is located. Second, since the address of the service is also a hash of its key, the service is self-authenticating: if you enter a .onion address, your Tor client ensures that you are connecting to a service that holds the private key corresponding to that address. Third, the connection is encrypted, even if the traffic is not encrypted at the application level.
That is why I am pleased with this step by Facebook: it will help spread the word about why people might want to run a hidden service of their own, and help people think about further uses for such services.
Another nice bonus is that Facebook takes the users who reach it through Tor seriously. Hundreds of thousands of people have been using Facebook this way for several years, and at a time when a project like Wikipedia prohibits Tor users from editing, such a large site has decided that it does not mind its users being more secure.
I would also add that I would be very upset if Facebook, after a few problems with trolls, decided to prohibit access to its primary address through Tor. We must be vigilant and help Facebook continue to provide access to its site through both addresses.
Part Three: The address is a bit pompous, and so what
The address of Facebook's hidden service is facebookcorewwwi.onion. It does not look like a random public key hash. Many wondered how they managed to brute-force such a long name.
To begin with, they simply generated a lot of addresses starting with “facebook”. Then they picked from these the ones whose second half looked best. They chose corewwwi, for which you can even come up with a good explanation of what it means.
To be clear: there is no way to generate exactly the name you want. To do that, you would have to brute-force all 80 bits. For further reading, we recommend the “Birthday Attack”. For those who want to help Tor, we recommend the articles “hidden services need a little love” and “Tor proposal 224”.
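An added example, not from the original post or from Tor's code, of the two points above: the address is a hash of the service's key (Part Two), and only a prefix of it can realistically be chosen by brute force (Part Three). It assumes the legacy 16-character format the post describes, where the name is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key; the function names and the byte strings standing in for keys are constructed for illustration.

```python
import base64
import hashlib


def onion_address(der_public_key: bytes) -> str:
    """Legacy address: base32 of the first 80 bits of SHA-1 over the DER key."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def matches_address(address: str, der_public_key: bytes) -> bool:
    """Self-authentication: the presented key must hash to the name the user typed."""
    return address.strip().lower() == onion_address(der_public_key)


def expected_keys_for_prefix(prefix: str) -> int:
    """Each base32 character fixes 5 bits, so a prefix costs about 2**(5*len) keys."""
    return 2 ** (5 * len(prefix))


def find_prefix(prefix: str, max_tries: int = 200_000):
    """Toy search. The blobs are constructed stand-ins, not real RSA keys."""
    for counter in range(max_tries):
        blob = b"constructed-sample-key-" + counter.to_bytes(8, "big")
        if onion_address(blob).startswith(prefix):
            return counter + 1, blob
    return None


if __name__ == "__main__":
    tries, blob = find_prefix("fb")
    name = onion_address(blob)
    print(f"found {name} after {tries} tries")
    print("key matches name:", matches_address(name, blob))
    print("different key matches name:", matches_address(name, blob + b"x"))
    print(f"'facebook' prefix  ~2^{expected_keys_for_prefix('facebook').bit_length() - 1} keys")
    print(f"full 16 characters ~2^{expected_keys_for_prefix('facebookcorewwwi').bit_length() - 1} keys")
```

The two-character search finishes almost instantly, the eight-character prefix costs on the order of 2^40 keys, and fixing all sixteen characters costs 2^80, which is the gap the post describes.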
Part Four: What do we think of the https certificate for the .onion address?
Facebook did not just set up a hidden service, it also obtained an https certificate for it, signed by Digicert. This led to heated discussions in the certificate authority and browser communities, which are trying to decide what kinds of names certificates may be issued for. The discussion is still ongoing, and here are my thoughts on the issue.
In favor of certificates: we in the Internet security community teach people that https is necessary and http is dangerous. So it makes sense that users want to see https in front of the address.
Against: all of this security is already built into Tor, so by encouraging people to pay Digicert we are promoting that business model, when we should be promoting an alternative to it.
In favor: in this case https does provide some advantage, if the Tor service is not on the same server as the site itself. Of course, this "last mile" between the service and the site runs through the company's internal network, but nonetheless.
Against: if one site gets a certificate, users will come to think it is needed and will expect it from other services. I worry about a trend in which, to run a hidden service, you have to pay Digicert or your users will not take you seriously, especially since hidden services that care about their anonymity will have trouble obtaining certificates.
One alternative is to have Tor Browser not show a frightening pop-up warning for .onion addresses served over https. A more interesting option is to have hidden services generate self-signed https certificates using their onion private key and to teach Tor Browser to verify them. In other words, introduce a decentralized system for issuing certificates for .onion addresses, since they are already self-authenticating. Then there would be no need to go through the nonsense of the usual certificate-issuing procedure.
You can also imagine a model in which a user tells Tor Browser that this .onion address is Facebook. Or, more bluntly, we could ship a list of "known" hidden service addresses with Tor Browser, in the manner of our own certificate list. Then the question becomes which sites to include in this list.
So I have not yet decided which direction this discussion should go. I sympathize with the approach “we have taught users to expect https, so let's not confuse them”, but I also worry about getting a certificate turning into a necessary step for a service.
Part Five: What else needs to be done?
In terms of design and security, hidden services need some more love. We have plans for improving the design, but not enough developers and funding to implement them. We talked with Facebook engineers this week about the reliability and scalability of hidden services, and we are glad that Facebook is considering helping us develop hidden services.
And finally, speaking of explaining the security features of .onion sites to people: perhaps the name “hidden service” is no longer the most suitable one. Initially we called them “services with a hidden location”, which was quickly shortened to “hidden services”. But protecting the location of a service is just one of many features. Maybe we should announce a competition for the best new name for these secure services? Even “onion service” would be a better option if it makes people understand what it is.