It concerns me that they were able to brute force a key for facebookcorewwwi.onion. If they can do that, what's to stop somebody else coming along and brute forcing a key for the same hostname?
Looks like Tor hidden services are now broken to me...
[edit] What's to stop Facebook from brute forcing a key for any of the existing hidden services?
[edit2] If Facebook can brute force keys like this, so can the NSA and GCHQ. Tor hidden services are officially broken.
[edit3] A colleague of mine suggested that this might be simply Facebook's way of making it public knowledge that Tor hidden services can no longer be relied upon.
[edit4] Facebook are saying (on the Tor Talk list) that they generated a load of keys starting "facebook" and then just picked the one which looked most memorable, and were extremely lucky to get such a good one:
Nothing, and it's interesting that they have enough computational power to do that for a relatively trivial project.
Meanwhile, whilst I applaud Facebook going above and beyond here, this doesn't set a good precedent.
Firstly, Onion services are very slow. There is no need to pay this cost for a service whose ownership is not actually hidden. If the Tor project made it easier to reliably identify traffic from Tor exit nodes, Facebook could apply whatever rules they wanted to Tor traffic without needing to slow things down for everyone.
Secondly, by doing this, there's now a risk that other firms who want to be on the cutting edge of privacy will try to copycat this approach, even though it makes no sense and is very complex and expensive to set up. Worse, users might think it's some kind of "gold standard".
Thirdly, it doesn't actually solve any of the reasons why Tor traffic is routinely discriminated against and harassed: Tor is effectively a "bulletproof ISP" that shields a lot of abuse and hacking. Merely making a Tor hidden service specifically for Facebook doesn't solve that, at all.
There is a program called scallion [1] which can generate vanity addresses like these. I am assuming that they searched for facebookwww?.onion and then just made up the acronym for the last character.
They are therefore trying to brute force the first 11 characters of the address. The author of scallion estimates one can achieve 520 MH/s with an AMD Radeon HD5770 GPU [2] which retails for $190 [3]; they then give the formula for calculating the time (in seconds) to have a 50% chance of finding a matching URL:
2^(5*length-1) / hashspeed
Which with a length of 11 and a hashspeed of 520M, would take about a year with the one GPU [4].
The total cost of the hardware to have a 50% chance of finding the vanity address "facebookwww?.onion" within a week would therefore be around $11 000 [5].
Imho, this is well within the realms of possibility for a company as large as Facebook and does not suggest a weakness in the .onion scheme.
Dustcore is very correct; correcting for my initial mistake, it would take 1.1 million years on a single GPU using scallion. Finding that sort of result in a month would require $2.6 billion worth of GPUs. Now I know Facebook is known for spending billions on questionable purchases, but this would be a bit extreme even for them. How the hell have they managed this?
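As an added worked example (not code from this thread, from scallion or Shallot, or from Tor itself), here is the v2 onion address derivation those tools search over, together with the cost estimate from the formula quoted above. Assumptions: the hashed structure is the PKCS#1 RSAPublicKey DER encoding (SEQUENCE of modulus and exponent), which is what Tor hashes for a v2 address; real RSA key generation, the expensive step the GPU tools optimise, is replaced by a random 1024-bit odd modulus that is a stand-in and not a usable key; the 520 MH/s and $190 figures are the ones from the comment; the "fb" prefix, the seed and the function names are mine. The same derivation is what lets a client confirm that a key belongs to an address, which is why a vanity prefix costs 2^(5*length-1) hashes but reproducing an existing 16-character address costs on the order of 2^79.

```python
import base64
import hashlib
import math
import random

# Characters that can appear in a v2 onion address (RFC 4648 base32, lowercase).
ONION_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _der_integer(value: int) -> bytes:
    """DER INTEGER; a leading zero byte keeps a high-bit modulus positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_rsa_public_key(modulus: int, exponent: int = 65537) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
    This is the byte string Tor hashes to derive a v2 onion address."""
    body = _der_integer(modulus) + _der_integer(exponent)
    return b"\x30" + _der_length(len(body)) + body


def onion_v2_address(der_pubkey: bytes) -> str:
    """First 80 bits (10 bytes) of SHA-1 over the DER key, base32 encoded:
    exactly 16 characters, no padding."""
    digest = hashlib.sha1(der_pubkey).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def median_seconds(prefix_len: int, hash_rate: float) -> float:
    """scallion's estimate: seconds until a 50% chance of matching a prefix of
    prefix_len base32 characters (5 bits each) at hash_rate keys per second."""
    return 2 ** (5 * prefix_len - 1) / hash_rate


def gpus_for_deadline(prefix_len: int, hash_rate: float, deadline_seconds: float) -> int:
    """Number of cards needed to reach the 50% point within the deadline."""
    return math.ceil(median_seconds(prefix_len, hash_rate) / deadline_seconds)


def vanity_search(prefix: str, rng: random.Random, max_attempts: int):
    """Brute-force a prefix the way scallion does, but with a stand-in for RSA
    key generation (assumption for the demo): a random 1024-bit odd modulus with
    the top bit set, which is not a usable key. Returns (address, attempts, der)."""
    if not prefix or any(c not in ONION_ALPHABET for c in prefix):
        raise ValueError("prefix must use a-z and 2-7 only (0, 1, 8 and 9 cannot occur)")
    for attempt in range(1, max_attempts + 1):
        modulus = rng.getrandbits(1024) | (1 << 1023) | 1
        der = der_rsa_public_key(modulus)
        addr = onion_v2_address(der)
        if addr.startswith(prefix):
            return addr, attempt, der
    raise RuntimeError("no match within max_attempts")


def demo_search(prefix: str = "fb", seed: int = 2014):
    """Deterministic search over the stand-in keys (seed is an assumption)."""
    return vanity_search(prefix, random.Random(seed), 200_000)


if __name__ == "__main__":
    RATE = 520e6   # hashes/s on one HD 5770, the figure quoted from scallion's README
    PRICE = 190    # USD per card, per the thread
    WEEK = 7 * 86400
    for n in (8, 11, 16):
        cards = gpus_for_deadline(n, RATE, WEEK)
        print(f"{n:2d} chars: {median_seconds(n, RATE) / 3.156e7:10.3e} GPU-years, "
              f"{cards} cards (${cards * PRICE}) for a 50% chance in a week")
    addr, tries, der = demo_search()
    print(f"found {addr}.onion after {tries} keys; "
          f"key matches address: {onion_v2_address(der) == addr}")
```

Running it shows the shape of the thread's argument: an 8-character prefix such as "facebook" is 2^39 hashes, under twenty minutes on one card; 11 characters is 2^54, about 1.1 GPU-years, or 58 cards for a 50% chance in a week, which is the $11 000 figure; a full 16-character address, i.e. a second key for an existing service, is 2^79, tens of millions of GPU-years. The "fb" search itself needs on the order of a thousand keys. The prefix check rejects digits that base32 cannot produce, a mistake that would otherwise burn GPU time forever.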
Actually, to me the first thought after seeing the URL was totally: "wow, I wonder what backronym they invented for the ugly wwwi suffix." And the other posts in this thread seem to confirm that this was the case, and that this prettification mechanism is actually quite common on Tor already.
Now, the other observation, more important for me, is that reportedly the TLS certificate is actually worth close to nothing, and giving false security, as an HNer claims to have got a valid cert issued for this very same Facebook .onion address already: https://news.ycombinator.com/item?id=8539066 -- if I understand correctly, cert issuers seem to happily accept any .onion URLs in "alternative addresses" in SSL certs without any verification. Anybody else could confirm/deny?
time ./shallot ^a -> 0.09 sec user
time ./shallot ^aa -> 0.12 sec user
time ./shallot ^aaa -> 0.12 sec user
time ./shallot ^aaaa -> 0.47 sec user
time ./shallot ^aaaaa -> 5.92 sec user
time ./shallot ^aaaaaa -> 118 sec user
Unfortunately OpenCL doesn't work with the nouveau drivers so I can't test scallion.
Who knows how much they spent trying to brute force that onion address.
> If they can do that, what's to stop somebody else coming along and brute forcing a key for the same hostname?
The .onion URL is created by hashing the public key (and possibly more information), and then it is stored in Tor's database of hidden service descriptors as noted by this[1]. This would indicate to me that if there's a hash conflict, such as the NSA trying to take over FB's .onion URL, the database of hidden service descriptors would reject the duplicate insertion to the database.
> If they can do that, what's to stop somebody else coming along and brute forcing a key for the same hostname?
IIRC it's 80bit truncated SHA-1, so it's not even close to feasible unless there's a substantial preimage attack against the function (and none are known). It's clearly feasible to find something close enough to the human eye for a phishing/spoofing attack, but that's hardly a problem exclusive to Tor.
Tor still uses SHA1? I understand clueless download sites (such as FossHub) and projects still using MD5 and SHA1, but I would hope projects that are supposed to be about security would've stopped using SHA1 a long time ago. If they dread moving to SHA2 because of its much slower performance, they should at least use BLAKE2 [1].
Even NSA-influenced NIST recommended against using SHA1 after Dec. 2013. And when NIST recommends a deadline for change, you know you should be doing that at least 3-5 years earlier to be safe against state sponsored/NSA attacks.
Although this will be useful, I hope users will keep in mind that identifying themselves while using Tor could make their other traffic less than anonymous. In the Tor Browser Bundle, compartmentalizing your traffic via frequent use of the 'New Identity' feature is usually a good idea.
Using this would also add to the data that one of the world's most aggressive advertisers and an NSA PRISM partner will have about you as a Facebook user.
One plus: at least the login page appears to load correctly without javascript enabled.
Edit to add: someone whose only interest is in not sharing their IP address/location with Facebook could access this URL via facebookcorewwwi.tor2web.org but the usual browser fingerprinting and potential tracking caveats apply
If you want more information on the specifics behind how FB did this, here is a really really informative mailing list conversation about it. Instead of coming up with facebookcorewwwi and then searching for it, they found a bunch of "facebook" first, and then picked the best one.
While Facebook gets props for their astonishingly clever .onion address, it seems rather odd to promote unlinkability while continuing to enforce their legal names policy. I'd probably respect this a lot more if it was accompanied by setting up Tor exit nodes, which invites actual risk and things like FBI visits.
You can at least browse public Facebook posts without logging in. But I think the main point is to avoid local censorship, reducing Tor to a simple proxy.
They're not, they just want users on networks that block facebook.com, or try to perform MITM (by hijacking DNS or the switch from HTTP to HTTPS), to be able to reach them safely.
I think it's much more likely that Facebook is utilizing this to better track abuse. It's not always easy to tell if a user is using Tor, and a statistically higher percentage of Tor users are doing things Facebook doesn't like.
By creating an entry point, they can more easily track and label users that even use that entry point, to better handle abuse.
Can the NSA 'tag' a specific user using Tor? If so, wouldn't using Facebook over Tor then provide them with a direct link between your FB identity and your other Tor activity?
Yes. If someone captures identifiable information then a user can be identified. This can be minimized by using SSL to connect to services. A service may share data so you should also use only a single service within a Tor session. That includes closing tabs to prevent ajax requests.
A new session can be created by restarting Tor or from the tor indicator if within TAILS.
Can someone help me understand the intended user experience?
As I currently understand it, you connect anonymously to Facebook, log in and link your activities to your real life identity, and Facebook turns over the information that you provide to whatever powerful government entity you are hiding from.
Why would anyone do this?
Probably because the latter half of your assertion, that "Facebook turns over the information you provide to whatever government entity you are hiding from" is a lie. This protects people who feel they need to hide the fact that they are connecting to Facebook from an observer/ISP.
No. It's a fully valid certificate issued by DigiCert to
CN = *.facebook.com
O = "Facebook, Inc."
L = Menlo Park
ST = CA
C = US
with a bunch of altnames
DNS Name: *.facebook.com
DNS Name: facebook.com
DNS Name: *.fb.com
DNS Name: *.fbsbx.com
DNS Name: *.fbcdn.net
DNS Name: *.xx.fbcdn.net
DNS Name: *.xy.fbcdn.net
DNS Name: fb.com
DNS Name: facebookcorewwwi.onion
DNS Name: fbcdn23dssr3jqnq.onion
DNS Name: fbsbx2q4mvcl63pw.onion
.onion addresses don't work that way. But if you're asking about Facebook's SSL cert when accessing the login page via the .onion address, it's a 2048-bit DigiCert SHA-1 cert, and no ECC love... at least on the login page.
Heh, my first reaction was, 'shoot, they brute-forced an address!' and I see that a lot of others had the exact same idea. I wonder how tough that was to do—I'm guessing that they didn't use Shallot!
Looks like some sort of CA structure is going to be pretty vital to Tor…
CA structure is not vital to Tor at all. All connections to hidden services are encrypted and authenticated end to end. The URL serves as the public key.
Huh.. I wonder if something like Cloudflare would offer something like this next? (Whether or not they might brute force vanity URLs is another matter)
Not sure if you're trolling, but I wish Cloudflare weren't so overtly hostile to Tor users! I've already stopped using all but a few Cloudflare sites for this reason.
Last I checked, Facebook doesn't work at all unless you are logged in.
So I can now tell Facebook my personal information and a list of associates securely, which it will then promptly share with any government interested.
I guess it's the best way yet to illustrate the basic problem with Tor (no technology in the world can protect you from giving the bad guys your home address), but I can't shake the feeling that this makes an utter mockery of the idea behind Tor.
mike-cardwell | 11 years ago
http://archives.seul.org/tor/talk/Oct-2014/msg00433.html
tyho | 11 years ago
[1] https://github.com/lachesis/scallion
[2] https://github.com/lachesis/scallion#speed--performance
[3] https://www.amazon.com/dp/B0032F63TW
[4] http://www.wolframalpha.com/input/?i=%282^%285*11-1%29+%2F+5...
[5] http://www.wolframalpha.com/input/?i=%24190+*+%282^%285*11-1...
untrothy | 11 years ago
Bench marking Shallot on an Intel [email protected]:
EDIT: Ok looks like they went the backronym route
[0] https://github.com/lachesis/scallion
[1] https://github.com/katmagic/Shallot
Llevel | 11 years ago
[1] https://security.stackexchange.com/questions/23241/how-are-t...
jgrahamc | 11 years ago
Good thread on StackExchange about how to do that: http://security.stackexchange.com/questions/29772/how-do-you...
[1] https://blake2.net/
driverdan | 11 years ago
Why? With data encrypted end to end the only people who know you've identified yourself are you and the end service.
steakejjs | 11 years ago
https://lists.torproject.org/pipermail/tor-talk/2014-October...
xnull | 11 years ago
"So I'm totally anonymous if I use Tor?
No.
First, Tor protects the network communications. It separates where you are from where you are going on the Internet. What content and data you transmit over Tor is controlled by you. If you login to Google or Facebook via Tor, the local ISP or network provider doesn't know you are visiting Google or Facebook. Google and Facebook don't know where you are in the world. However, since you have logged into their sites, they know who you are. If you don't want to share information, you are in control."
frostmatthew | 11 years ago
They've recently announced they plan to ease the real name policy http://bits.blogs.nytimes.com/2014/10/01/facebook-agrees-to-...
sinaa | 11 years ago
The attacker will not raise any flags anymore (since it could be you).