
Please explain it to me if I'm wrong, but doesn't logging into Facebook on Tor defeat the purpose of Tor?

Tor does not only allow anonymity of identity, it also can provide anonymity of location and anonymity of destination.

If you are in a country or organization that would prefer you not visit Facebook, this can be useful.

If you would prefer that Facebook not know your location and IP address, this can be useful.

No, you retain all of the properties of Tor hidden services: censorship resistance, authenticated end-to-end encryption, onion routing that hides your source IP.

Obviously if you log into a Facebook account with your real-world identity then all actions performed on the site will be linked with it, but that is expected.

I think his point is that if you are using Facebook, you are still limited by the level of trust you have with them. That should be quite low for any privacy conscious internet user. That you are using a different IP and a pseudonym might be a hoop for them to jump through to figure your identity out, but it should be considered in the context that they are likely already collecting data about you without your consent from many different sources. When it comes to jumping through these kinds of hoops, Facebook is a circus lion.

When I was traveling in China, I would have had no access to Facebook if it weren’t for Tor. All I needed was my USB drive with Tor + Linux and I could access the free Internet from any computer. Providing anonymity of identity is just one of the many uses of Tor. [1]

[1] https://www.torproject.org/about/torusers.html.en

Why doesn't China block Tor? Isn't it as easy as blocking all known public IP addresses?

It doesn't make sense to not allow the user to access certain sites, but allow Tor that can easily bypass that protection.

There are non-public IP addresses, and the Tor team spends quite some time fighting the big firewall in various ways.

Talk from the 23C3 about Tor and China: https://www.youtube.com/watch?v=P6A7jLpL3Rs

No, not really: even if you could block all the known tor relays there are still the bridges that are exactly meant for this situation: bridges are like normal relays but their full list is not disclosed so it shouldn't be possible to block them entirely. This is probably what he has been using.


If your plan was to remain anonymous on FB, it would. But that's not what their .onion service is for.

The ingenuity of the hidden service is that FB basically inverted Tor's idea. Tor is really good at bypassing restrictive net filters, while at the same time it hides your browsing destination. So in effect FB turned a Tor address into their own highly resilient web proxy. Where a proxy normally provides a guarded way out of a network, the hidden service provides an otherwise untraceable way in.

Now, technically it is ~possible to identify FB-Tor traffic from regular Tor traffic. At least in some sense. Because the address is inside the .onion network, there are only half as many routing hops between the client and the server. So if you, as a well funded governmental adversary, first identify nearly all Tor traffic, you can then see which clients receive their responses notably faster than the rest.

These faster roundtrips are very likely using hidden services. If you then drill down even further, I am sure you should be able to identify a reasonably large fraction of your own subjects who are clearly accessing FB and thus stepping around the nationally imposed censorship.

For the record, Alec didn't consider the above traffic analysis attack particularly feasible. And we both agreed that the straightforward solution is to get a lot more traffic for hidden services in general. Once FB is not the sole huge site with a hidden service, their traffic cannot stand out.

What? Hidden services use 6 hops compared to regular traffic's three. They are slower.

Oh sorry, the context was missing.

This came up in a discussion we had. FB is proposing (and funding) development that would make hidden services faster. One of the measures would be to make [some?] hidden services reachable over 3 hops only.

A quick search does not bring anything on the topic up, but it can easily be that I try to search for wrong key words.

https://tor.stackexchange.com/questions/9485/decrease-number... links to some proposals for doing so. I thought I remembered something on the Tor blog about that, but didn't find it.

But anyway, why would a hidden service with 3 hops look different than a clearnet site visited over tor and 3 hops?

Normally it wouldn't. But as I understand, in FB's case the last hop will be served by a fleet of extremely well connected, high-bandwidth edge nodes. And I would be sorely surprised if they didn't have peering agreements in practically all internet exchanges.

So under the faster onion routing, when accessing FB.onion your roundtrip is a total of 6 hops. Hops 3 and 4 will be made to an edge node network, so the "last hop in" and "first hop out" will be, on average, faster. Even if the circuit was reconfigured midway through the session, the fast innermost hop would still exist.[~]

It's just another timing attack, with passive traffic analysis. I wonder how much one could do with active attacks.

~: I have no knowledge of how FB has configured their Tor network connectivity, but I do know that the private key is not held on a single termination point. (The traffic volume is too much for a standalone node.) Hence I am making an educated guess that their onion address is advertised from multiple edge systems.

But there's still no difference between visiting FB.onion under a 3-hop system and visiting Google or Netflix or any of the many sites that have distributed servers.

(I suppose that different protocols are being used that have different times, but that seems negligible; wouldn't bet on that though.)

In that case it looks like I have misunderstood the last hop for hidden services.

When using a public site over Tor, the connection looks like this:

1. User connects to a relatively nearby entry node (guard) [hop #1]

2. Guard node routes the packet via a relay [hop #2]

3. Relay routes the packet to an exit node [hop #3]

4. Exit node routes the packet out of the Tor network, and has responsibility for finding the actual destination. Even for a globally available high-traffic site the route from exit node to the nearest edge node has to travel across a couple of networks.

Now, under the proposed 3-hop hidden service protocol - when user accesses a hidden service, I had understood that the "exit node" is replaced by the hidden service itself. So the connection would look like this:

1. User connects to a nearby guard node [hop #1]

2. Guard node routes the packet to a relay [hop #2]

3. Relay node routes the packet to the hidden service [hop #3]

4. There is no step four. The packet has been delivered to its destination network.

For a random hidden service this probably wouldn't matter much, but if/when the third hop is provided by a globally accessible edge network, the latency between relay and final destination should be quite good.

With the elimination of post-Tor routing steps, and with the constantly better latency from relay to the hidden service, I expect the overall latency for this particular Tor circuit to be measurably lower. After all, there are no public hops beyond the circuit termination nodes. So from a traffic analysis point of view, Tor/FB traffic should stand out from other Tor traffic.

And I think I found some references, at last. Search for "Direct Onion Services: Fast-but-not-hidden services" draft discussion on tor-dev archives.

I gave a link above.

Anyway, skipping the third hop would decrease user anonymity, because you'd only need two relays to cooperate to identify the user and who they're connecting to. Regular tor requires all three to cooperate.

The proposal uses a rendezvous point instead of an exit node, but that shouldn't affect speed as far as I see.

Not if the user merely intends to get past a firewall the country has... Their purpose isn't anonymity but free communication; unfortunately they must don anonymity to achieve free communication.

But if one of your friends is not really your friend, and you won't know until it's too late, they'll know you got past the firewall and that could be enough to get you into trouble. You'd better stay fully anonymous, which limits what you do on Facebook. You probably want different accounts for different groups and an empty timeline in every account.

It may be that it just isn't that strictly enforced for a variety of reasons. China allows a number of VPN services that bypass the firewall to function. My guess is that it isn't a huge deal because the vast majority of people don't care enough to go out of their way to bypass the firewall; the social effects of having that firewall are still in place.

Start enforcing it heavily and the people that DO use those services may start protesting or moving into activist roles.

Which also tends to be the subset of people that have studied abroad, various repatriated huaqiao and college students at some of the more metropolitan colleges and I guess tech people/white collar workers.

Cracking down on college students seems like a really dumb idea.

And yet, that hasn't stopped them in the past.


I think this is a good reminder of why they would want to keep people just barely satisfied. China will go that far, but it's an expensive point to make.

Since Tiananmen, the party has basically bargained that people will accept economic progress as a substitute for political freedom. Now that the rapid growth of the last two decades is starting to slow down, we'll have to see how the CCP and Chinese people respond.

If you assume that Facebook will comply with whatever entity you're trying to avoid, by using Onion, it sounds like a pretty bad idea to me, yes. In theory you could probably use a separate browser and Tor session for Facebook, and for your other browsing - making it a little harder to associate your Facebook login with your Tor session (ip). Sounds like a terrible idea, though.

Now, for some of the reasons why you'd want to use Facebook via Tor, it might not matter much - using Facebook might be bad enough (eg: it could be considered subverting state censorship) -- so if Facebook is already colluding with your adversary, just having a Facebook account might be enough to give you problems.

It might be enough for a legal veneer of plausible deniability, although I doubt it: e.g., perhaps you're a drone pilot and you log in to Facebook via Tor, and paste in a gpg-encrypted, ascii-armored text message to a journalist on Facebook. You could claim someone must've hacked your account. Or you could collude with someone else, and "borrow" their account. I don't think it'd keep you out of prison though.

There are several advantages of Facebook over Tor. One of them is that your ISP is unable to see what site you are talking to, and that Facebook is unable to see your source IP address.


They make money from knowing who people are, and selling that. This cleaves the driving tor concept by deanonymizing users.

For anybody as large as Facebook, if enough people go for it, the remaining slice of the pie will be really small (because not all have tor, but many of those that have, have Fb).

Derive conclusions accordingly.

Not really, if your expected adversary is your local nation state that wants to watch your Internet traffic for domestic political dissent (Iran, Ethiopia, China, etc).

According to the article, facebook has a .onion domain.

The article says it's https://www.facebookcorewwwi.onion

Interestingly, since Onion addresses are derived from the public key of the host server, Facebook had to basically brute force this address.

The process is described in "Part three" here: https://blog.torproject.org/blog/facebook-hidden-services-an...

"The short answer is that for the first half of it ('facebook'), which is only 40 bits, they generated keys over and over until they got some keys whose first 40 bits of the hash matched the string they wanted."

"Then they had some keys whose name started with 'facebook', and they looked at the second half of each of them to pick out the ones with pronounceable and thus memorable syllables. The 'corewwwi' one looked best to them — meaning they could come up with a story about why that's a reasonable name for Facebook to use — so they went with it."

(Corrected: hash of public key, not private key, per itsbenweeks below)

I thought Onion addresses were a hash of the public key, not the private key.

Ah, you are correct, thank you:

..."a base32 encoding of a 10-octet hash of Bob's service's public key" https://gitweb.torproject.org/torspec.git/tree/rend-spec.txt...

But how did they allocate the carefully selected key and avoid others generating the same one in the meantime?

They "allocated" the key by using it. Others are not more likely to generate the key they found than any other specific key. This is statistically unlikely due to the extremely huge number of possible keys.

Well, did they generate keys they liked and then try to use them immediately, hoping nobody had generated the same key in the meantime, or did they generate only keys they would like and "register" them all but keep just one? If so, what happens to allocated but unused keys? What I'm trying to figure out is:

1. race condition?

2. waste of key space?

There's nowhere to register the key, tor is decentralized. They simply start conducting their business using the key they found. There's no waste of key space for the unused keys, merely a minuscule chance of collision with other random users. I guess you could think of attempting to find hash collisions as a race condition of sorts, but it is a very long race for the attacker.

So do we know the hash? I guess we don't or it would be easy for someone to pretend to be Facebook.

Yes, the hash is "facebookcorewwwi"; this is the hash of the public key of one of the keypairs Facebook generated. We can't pretend to be Facebook without knowledge of the corresponding private key, however.

To make this more clear, most Tor hidden service sites that don't have loads of computing power to bruteforce a vanity domain have URIs that look like http://3g2upl4pq6kufc4m.onion

1. You can't generate the vanity address you like, but you can generate billions of keys and choose the one you like the most.

2. You can't "register" a key. If some person manages to generate a key with the same vanity, he can use the same address as Facebook, but practically this is nearly impossible. And if that happens, it can be easily detected by Facebook, so they can just change the official key.
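The address derivation and the vanity search the thread describes, written out as an added example (not code from the thread, from Facebook, or from the Tor project). It follows the rend-spec rule quoted above for the old v2 addresses (base32 of the first 10 octets of SHA-1 over the public key), so each base32 character fixes 5 bits and "facebook" costs about 2**40 keys; to keep it runnable, random bytes stand in for a DER-encoded RSA public key, which is a constructed shortcut (the real search pays for RSA key generation on every try). Current v3 onion addresses use a different, ed25519-based scheme and are not modelled here.

```python
import base64
import hashlib
import random

B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_address(public_key_der: bytes) -> str:
    """v2 onion address as in rend-spec: base32 of the first 10 octets
    (80 bits) of SHA-1 over the DER-encoded service public key."""
    digest = hashlib.sha1(public_key_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def matches_key(address: str, public_key_der: bytes) -> bool:
    """A client only accepts a descriptor whose public key hashes to the
    address it dialled; without the matching private key nobody can sign
    a descriptor for that key, so the name cannot simply be claimed."""
    return onion_address(public_key_der) == address


def expected_tries(prefix: str) -> int:
    """Each base32 character pins 5 bits of the hash, so 'facebook'
    (8 chars) needs about 32**8 == 2**40 random keys on average."""
    if not set(prefix) <= B32_ALPHABET:
        raise ValueError("prefix must be lowercase base32 (a-z, 2-7)")
    return 32 ** len(prefix)


def fake_public_key(rng: random.Random) -> bytes:
    # Constructed stand-in: 162 random bytes, the size of a DER-encoded
    # 1024-bit RSA public key. A real search would run RSA keygen here.
    return rng.getrandbits(162 * 8).to_bytes(162, "big")


def find_vanity(prefix: str, seed: int, max_tries: int):
    """Generate keys until the address starts with prefix; return
    (key, address, tries) or None if the budget runs out."""
    expected_tries(prefix)  # rejects prefixes no address can ever have
    rng = random.Random(seed)
    for tries in range(1, max_tries + 1):
        key = fake_public_key(rng)
        address = onion_address(key)
        if address.startswith(prefix):
            return key, address, tries
    return None


if __name__ == "__main__":
    key, address, tries = find_vanity("ab", seed=2014, max_tries=200_000)
    print(f"found {address} after {tries} tries "
          f"(expected ~{expected_tries('ab')})")
    print("descriptor key verifies against address:", matches_key(address, key))
```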

FB will know you logged in. But your ISP will not.
