
Facebook, hidden services and https certificates

Facebook recently announced a Tor hidden service that provides more secure access to their site. Users and journalists asked Tor developers to comment on it. Here are their answers and reflections.

Part One: Yes, there is no contradiction in visiting Facebook through Tor

I did not think this needed explaining until a journalist asked me why Tor users would use Facebook at all. Leaving aside Facebook's attitude to privacy, their real-name rules, and whether you should tell Facebook anything about yourself, the main point is that anonymity is not only about hiding from the site you are visiting.

There is no reason for your provider to know whether you use Facebook. There is no reason for Facebook's hosting provider, or any agency that monitors the Internet, to know whether you use Facebook. And even if you voluntarily disclose some of your data to Facebook, there is still no reason for them to automatically find out which city you are in today.

In addition, there are places in the world where Facebook is unavailable. A long time ago, I was talking to a Facebook security person who told me a funny story. When he first learned about Tor, he hated and feared it, because it was "obviously" meant to destroy Facebook's business model, which is to learn everything about all of its users. Then, suddenly, Iran blocked Facebook, most of the service's users there moved to Tor to reach Facebook, and he turned into a Tor fan, because without it all these users would simply have been cut off. Other countries, such as China, introduced similar measures after this. This shift in attitude, from "Tor is a privacy tool that lets users control their data" to "Tor is a communication tool that lets users choose which sites they visit", is an excellent example of the variety of ways Tor can be used. Whatever use of Tor you come up with, somewhere there is a person who uses it in a way you did not expect.
Part Two: We are pleased to see an expansion in the use of hidden services.

I think it is very cool that Facebook has added a .onion address. There are cases where these addresses have no alternative: see, for example, the article "Using hidden services with good intentions", or upcoming decentralized chat services like Ricochet, where each user is a hidden service, so there is no central point that could be tapped for eavesdropping or put under pressure. But we have not publicized these uses much, at least not as much as high-profile cases of the "they want to shut down my site" kind have been.

Hidden services have many security features. First, thanks to Tor's design, it is hard to find out where the service is physically located. Second, since the address of the service is also the hash of its key, the service authenticates itself automatically: if you enter a .onion address, your Tor client ensures that you are connecting to a service that holds the private key corresponding to that address. Third, the connection is encrypted even if the application-level traffic is not.

So I am pleased with Facebook's move. It will help spread the word about why people might want to set up their own hidden service, and help people think about other uses for such services.

Another nice bonus is that Facebook takes the users who come to it through Tor seriously. Hundreds of thousands of people have been using Facebook this way for several years now, and at a time when a project like Wikipedia bans Tor users from editing, such a large site has decided that it does not mind its users being more secure.

I would also be very upset if Facebook, after a few problems with trolls, decided to block access to their main address via Tor. We need to stay vigilant and help Facebook keep providing access to its site through both addresses.

Part Three: the address is a bit pompous, so what

The address of Facebook's hidden service is facebookcorewwwi.onion. It does not look like a random public key hash, and many people wondered how they managed to brute-force such a long name.

First they simply generated a large number of addresses starting with "facebook". Then they picked the one whose second half looked best. They chose "corewwwi", for which one can even make up a good explanation of what it means.

To be clear: it is not feasible to generate the exact name you want. That would require brute-forcing all 80 bits. For further reading, we recommend "Birthday attack". For those who want to help Tor, we recommend the articles "hidden services need a little love" and "Tor proposal 224".
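The "address is the hash of the key" property from Part Two and the cost of a chosen prefix described above, as an added Python example that is not part of the original article. It assumes the v2 onion format in use at the time (base32 of the first 80 bits of the SHA-1 of the service's DER-encoded public key); the key bytes are constructed stand-ins rather than real RSA keys, and the function names are hypothetical.

```python
import base64
import hashlib

def onion_v2_address(pubkey_der: bytes) -> str:
    """v2 onion name: base32 of the first 80 bits of SHA-1(DER public key)."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()  # 10 bytes -> 16 chars

def key_matches_address(pubkey_der: bytes, address: str) -> bool:
    """Self-authentication check: does the presented key hash to the name typed?"""
    name = address.lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    return onion_v2_address(pubkey_der) == name

def expected_attempts(prefix_len: int) -> int:
    """Each base32 character fixes 5 bits, so n chosen characters cost about 2^(5n) keys."""
    return 2 ** (5 * prefix_len)

def find_prefix(prefix: str, limit: int = 1 << 20):
    """Toy prefix search over constructed stand-in 'keys' (counter bytes, not RSA)."""
    for i in range(limit):
        fake_key = b"constructed-demo-key-" + i.to_bytes(8, "big")
        address = onion_v2_address(fake_key)
        if address.startswith(prefix):
            return i + 1, address
    raise RuntimeError("no match within limit")

if __name__ == "__main__":
    key = b"constructed-demo-key-for-service-A"  # stand-in for a DER public key
    addr = onion_v2_address(key) + ".onion"
    print("address:", addr)
    print("same key matches:", key_matches_address(key, addr))
    print("other key matches:", key_matches_address(b"another constructed key", addr))
    # 8 chosen characters ("facebook") vs. all 16 characters of the name
    print("8-char prefix: ~2^%d keys" % (expected_attempts(8).bit_length() - 1))
    print("full 16-char name: ~2^%d keys" % (expected_attempts(16).bit_length() - 1))
    tries, found = find_prefix("fb")
    print("2-char prefix 'fb' found after", tries, "tries:", found)
```
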

Part Four: What do we think about the https certificate for the .onion address?

Facebook not only set up a hidden service, they also obtained an https certificate for it, signed by Digicert. This has led to heated discussion among people who work on certificates and browsers, who are trying to decide which kinds of names certificates may be issued for. The discussion is ongoing, and here are my thoughts on the issue.

For: we, the Internet security community, teach people that https is necessary and http is dangerous. So it makes sense that users want to see https in front of the address.

Against: in Tor all this security is already built in, so by encouraging people to pay Digicert we promote that business model, when we should be promoting an alternative to it.

For: in this case https does give some advantage, namely when the Tor service is not on the same server as the site itself. Of course, this "last mile" between the service and the site runs through the company's internal network, but nonetheless.

Against: if one site gets a certificate, users will come to think it is necessary and will ask other services for one too. I worry that this could start a trend in which you have to pay Digicert in order to run a hidden service, or your users will not take it seriously. That is especially a problem because hidden services that care about their anonymity will have trouble obtaining certificates.

One alternative is to build a rule into Tor Browser so that it does not show a frightening pop-up for .onion addresses served over https. A more interesting option is to have hidden services generate self-signed https certificates themselves using their private onion key, and teach Tor Browser to verify them. In other words, introduce a decentralized system of issuing certificates for .onion addresses, since they authenticate themselves automatically anyway. Then nobody would have to deal with the nonsense of the usual certificate procedure.

You can also imagine a model in which the user tells their Tor Browser that this .onion address is Facebook. Or, more directly, a list of "known" hidden service addresses could ship with Tor Browser, much like its own list of certificates. Then the question arises of which sites to include in that list.

So I have not yet decided which direction the discussion should go. I sympathize with the approach "we have taught users that https is necessary, let's not confuse them", but I also worry that obtaining a certificate could become a required step for running a service.

Part Five: what else needs to be done?

In terms of design and security, hidden services need some more love. We have plans for improving the design, but not enough developers and funding to implement them. We talked with Facebook engineers this week about the reliability and scalability of hidden services, and we are glad that Facebook is considering whether to help us with the development of hidden services.

And finally, since we are talking about teaching people the security properties of .onion sites: does this mean that the name "hidden service" is no longer the most appropriate one? Initially we called them "services with a hidden location", which was quickly shortened to "hidden services". But protecting the location of a service is only one of many properties. Maybe we should announce a contest for the best new name for these protected services? Even "onion service" would be a better option if it makes people understand what it is.

Source: https://habr.com/ru/post/242175/

