It concerns me that they were able to brute force a key for facebookcorewwwi.onion. If they can do that, what's to stop somebody else coming along and brute forcing a key for the same hostname.
Looks like Tor hidden services are now broken to me...
[edit] What's to stop Facebook from brute forcing a key for any of the existing hidden services?
[edit2] If Facebook can brute force keys like this, so can the NSA and GCHQ. Tor hidden services are officially broken.
[edit3] A colleague of mine suggested that this might be simply Facebooks way of making it public knowledge that Tor hidden services can no longer be relied upon.
[edit4] Facebook are saying (on the Tor Talk list) that they generated a load of keys starting "facebook" and then just picked the one which looked most memorable, and were extremely lucky to get such a good one:
Nothing, and it's interesting that they have enough computational power to do that for a relatively trivial project.
Meanwhile, whilst I applaud Facebook going above and beyond here, this doesn't set a good precedent.
Firstly, Onion service are very slow. There is no need to pay this cost for a service whose ownership is not actually hidden. If the Tor project made it easier to reliably identify traffic from Tor exit nodes, Facebook could apply whatever rules they wanted to Tor traffic without needing to slow things down for everyone.
Secondly, by doing this, there's now a risk that other firms who want to be on the cutting edge of privacy will try to copycat this approach, even though it makes no sense and is very complex and expensive to set up. Worse, users might think it's some kind of "gold standard".
Thirdly, it doesn't actually solve any of the reasons why Tor traffic is routinely discriminated against and harassed: Tor is effectively a "bulletproof ISP" that shields a lot of abuse and hacking. Merely making a Tor hidden service specifically for Facebook doesn't solve that, at all.
> Worse, users might think it's some kind of "gold standard".
That may be the worst unexpected consequence. Once onion services become more mainstream, I fear FB's example - no matter how well intentioned - will turn into an engineering nightmare. After all, after one of the best known online brands does something clever, you can expect copycats to follow.
First, we'll get clueless PHB types demanding long vanity names.
Second, some services will happen upon neat onion addresses and ride the wave. Their very existence will act as a goal post for the others.
Third, a vocal segment of users becomes accustomed to seeing "perfect" vanity names. After all, such name means that the entity behind the name has enough resources to actually get a proper vanity name.
Amidst all that, somewhere between stages #2 and #3, we will see (horribly misguided) vanity onion service name markets. A bit like domain name squatting from the late 90's, but with far worse consequences: at least with domain names the only thing transferred was the control over the DNS entry. Because onion service names are directly mapped to the private keys, selling a $VANITY.onion address is the same as selling a copy of the private key.
Right now? No. But in a near future? Possibly yes, if Firefox decides to include a built-in Tor client. [0]
Even if the article (and the slashdot thread I lifted it from) were vapourware right now, the idea clearly has been floated enough to make it an attractive option.
How do you differentiate between this and account takeovers though? If someone constantly lives in from California, and then someone elsegets their Gmail password and logs in through Tor, can you know it's actually a compromised account and not the registrant just deciding to use Tor?
Still, you have to admit it kind of defeats the whole purpose of Tor if a user must use their real IP and/or give up their mobile phone number in order to use it. I agree with the restrictions, but it kind of makes me wonder why a legitimate Tor user would bother to use Gmail in this case.
It means you can log in without that provider knowing where you physically are. Useful for people in, say, Pakistan who might otherwise get "trial by metadata and punishment by Reaper drone".
But yes it's a very specialised use case. Most people won't care. Fully anonymous accounts will require something like Bitcoin proof of sacrifice or multi jurisdictional identity escrow. But the problem for those is that there's far more demand from abusive users than legitimate users, so it's hard to make a business case for providing such support.
I'm guessing the spammers generated millions of dormant accounts using TOR or a public hotspot/cantenna before Google implemented this. But I'm also guessing that el goog has an automated system to notice the patterns.
Ranting, but to this day, I still can't use google search reliably over TOR, meanwhile the spammers and adversarial people who scour Google's results for whatever purpose have almost certainly hacked the captcha, otherwise they would stop their grokking of the SERPs and rethink their retrieval methods, like get a channel bank of dial up modems, redialing once they get to a captcha. On certain TOR exits there is no captcha, so I assume they're probably new nodes or light traffic nodes. The captcha block page even says this: your computer is sending us a lot of queries. Here's one such unblocked node. It's in the ukraine, ~10MBPS, uptime of 31 days. It's about middle of the road in terms of bandwidth and has a somewhat short uptime.
https://atlas.torproject.org/#details/31D01A8CD3799E0CB6A56D...
In my spare time, I run an exit node, but what I'm really doing is using my switches mirror port into my WAN connection to capture 100% of all TOR traffic for SEO purposes, and to find what and how people are hacking, etc....
It's ironic that google fights for the right to index everyone's content [see germany news et al] but the reverse? Oh no, no way! The SEOs will figure out our secret sauce and use Google to steal the best ranking content. And yes, I realize Google's guidelines are for the good of the web, I'm just ranting.
It defeats the purpose of hiding your identity from the endpoint, but that is not the only use-case for Tor. Some people live in places where connecting to Facebook is blocked or where doing so places them in danger, it is this group that is being served here.
> Firstly, Onion service are very slow. There is no need to pay this cost for a service whose ownership is not actually hidden.
As long as you don't have to use it, I don't see why offering users a choice is a problem.
>If the Tor project made it easier to reliably identify traffic from Tor exit nodes, Facebook could apply whatever rules they wanted to Tor traffic without needing to slow things down for everyone.
ExoneraTor does this quite well in my opinion, and I don't follow how/why you think this will slow things down for everyone. Surely you're not referring to the entire Tor network?
The main value in using this, in my opinion, is reducing the potential attack surface associated with MITM attacks--including CDNs--after your traffic exits Tor. Attacks on Facebook users involving Akamai have been documented by NSA, for example; Facebook is a PRISM partner, but this would arguably still stack the deck in favor of "going through the front door" to access Facebook user data.
Accessing an .onion address via Tor is slower than accessing a normal website via Tor. If this onion service is now the official way to access Facebook via Tor and direct access doesn't work well, then this is slowing things down.
Tor's current support for detecting usage is patchy. You can't query a random third party website for every login for a system like Facebook, so you need a list of IPs that can be refreshed quickly. But such lists tend to be incomplete or behind e.g. the "exit" flag doesn't mean what you'd intuitively expect, so it's sometimes possible for Tor traffic to turn up from an IP that is not identified as an exit.
Re: MITM security. Even if Facebook got lucky here, we're talking about an 80 bit identifier and brute forcing these has been demonstrated before, I believe. I'm not sure this is much of an upgrade over just regular SSL CA + HSTS pinning.
> If this onion service is now the official way to access Facebook via Tor and direct access doesn't work well, then this is slowing things down.
my take on the post was that it was presented as an option, and for users taking the time to access a site via tor, speed may not be the only (or even primary) consideration. i say that as someone who does ~95% of my browsing--both work and personal--via Tor.
> But such lists tend to be incomplete or behind e.g. the "exit" flag doesn't mean what you'd intuitively expect, so it's sometimes possible for Tor traffic to turn up from an IP that is not identified as an exit.
Doesn't the onion address solve this problem?
> I'm not sure this is much of an upgrade over just regular SSL CA + HSTS pinning.
Depends on your threat model, but I think it's a useful option and congratulate the Facebook team for offering it to users. I'd love to see Google, Twitter, and others start to compete on the extent to which they support TBB users.
You effectively use Tor 95% of the time? This surprises me, actually. I think if I used it that much I would unavoidably lose my anonymity.
Here is my worry -- Tor looks easy to use, but requires habit changes to actually be effective for anonymity. The habit changes that I am led to believe are required for any effective anonymity through Tor scream "NO NO NO NO NO!!!" at the idea of logging into javascript requiring, cookie placing, Facebook.
This seems to me like a situation where the illusion of anonymity might be worse than the reality of non-anonymity. Granted, it lets you bypass censorship. Granted, if you are very careful and, say, only use your Tor Browser to connect to Facebook and nothing else whatsoever... maybe. I just don't think I could trust myself to do it properly. And while I'm no Edward Snowden, I'm also not dumb.
Yes, you're right, it's just an option and presumably access via the regular web address will still work. It may be that the hidden service is a way to identify Tor traffic, but it shouldn't really be necessary to do that if Tor had the right support in it. And of course you cannot assume everyone who uses Facebook via Tor will know about this service, unless TBB itself is adjusted to force usage, in which case you're now changing Tor and could as well make exit identification 100% reliable.
> There is no need to pay this cost for a service whose ownership is not actually hidden.
DuckDuckGo is being irrational? Keybase? Riseup? Sorry, but I don't see how knowing the owner of a service can immediately disqualify the service from having the privilege of a hidden service. The only thing limiting Facebook is the stress that may be placed on so many connections at once on a single onion. It should not cost too much out of actual resources to run one single gateway, especially when Facebook is a very successful business and can afford to invest in something that may expand their audience even more.
I'm not saying anything for or against Facebook's ethics in general; I am a little hesitant given their history to trust them at all, but this is admittedly a huge step in shedding light on what Tor actually is. It's not just for drugs or child pornography; it can actually be used by the everyday Joe wanting to check on his friends and see if there's a party nearby. What people seem to miss is that Tor provides IP anonymity. Yes, encouraging users to be more careful about their browsing habits is a good thing, but if people want to give out their personal information, in the end that cannot be stopped. If the website owner wants to disclose his or her identity, that cannot be stopped. Tor provides anonymity of IP addresses and nothing else.
> DuckDuckGo is being irrational? Keybase? Riseup?
Yes.
There just isn't any really solid technical reason to do this. The closest I saw was something like "newspaper dropbox wants to force people to use Tor and an onion address is the easiest way to do that", but again, they could just identify traffic from exit nodes and block anything that isn't coming from there, if there were better tools for it.
There is a program called scallion [1] which can generate Vanity addresses like these. I am assuming that they searched for facebookwww?.onion and then just made up the acronym for the last character.
They are therefore trying to brute force the first 11 characters of the address. The author of scallion estimates one can achieve 520 MH/s with a AMD Radeon HD5770 GPU [2] which retails for $190 [3], they then give the formula for calculating the time (in seconds) to have a 50% chance of finding a matching URL:
2^(5length-1) / hashspeed
Which with a length of 11 and a hashspeed of 520M, would take about a year with the one GPU [4].
The total cost of the hardware to have a 50% chance of finding the vanity address "facebookwww?.onion" within a week would therefore be around $11 000 [5].
Imho, this is well within the realms of possibility for a company as large as Facebook and does not suggest a weakness in the .onion scheme.
Dustcore is very correct, correcting for my initial mistake, it would take 1.1 million years on a single GPU using scallion. Finding that sort of result in a month would require $2.6 billion worth of GPUs. Now I know facebook is known for spending billions on questionable purchases, but this would be a bit extreme even for them. How the hell have they managed this?
The url isn't facebookwww? though, it is facebookcorewww?. The additional 4 characters didn't have to be "core", but the fact that it is an english word and relevant adds significant difficulty to your estimates.
Actually, to me the first thought after seeing the URL was totally: "wow, I wonder what backronym they invented for the ugly wwwi suffix." And the others posts in this thread seem to confirm that this was the case, and that this prettification mechanism is actually quite common on Tor already.
Now, the other, more important for me observation is, that reportedly the TLS certificate is actually worth close to nothing, and giving false security, as a HNer claims to have got a valid cert issued for this very same facebook's .onion address already: https://news.ycombinator.com/item?id=8539066 -- if I understand correctly, cert issuers seem to happily accept any .onion URLs in "alternative addresses" in SSL certs without any verification. Anybody else could confirm/deny?
You got so lucky that you'll probably want to keep using that name forever. The longer it's used, the greater the probability of compromise of its secret key.
Which is why using TLS on top of the .onion address is brilliant: even if the secret key for the .onion address is compromised, the TLS certificate (which is rotated more often) will keep the connection safe. The worst that could happen would be someone hijacking the .onion address, but that would lead only to a DoS instead of the compromise that would happen without the redundant TLS layer.
And the certificate also helps validate that the .onion address is really from facebook: as someone observed elsewhere in this discussion, the certificate is also valid for the non-.onion addresses, so just examining its alternate names extension is enough to prove that the certificate owner could also get a valid certificate for www.facebook.com (meaning the certificate owner is very probably facebook itself).
Someone else said getting SSL certs for .onion in the SNI doesn't require ANY kind of validation.
So someone bruteforcing the .onion key could easily get their own valid SSL cert and have full access to the plaintext for anyone browsing the .onion site over SSL.
The security of facebook over onion is now only protected by the hash power required to brute force the vanity address, instead of the integrity of the SSL CA system or the power required in factoring an SSL key. Even the requirement to spoof DNS or perform actual man-in-the-middle-of-the-wire hijacks has vanished.
This is a good idea for other tor services too as that 1024 bit RSA is looking pretty shaky these days. Hopefully the tor devs will give it a bump to 2048 or move to Curve/Ed25519 soon, before this becomes a real problem.
Agreed. Likely they required facebook, and required that the rest of it would form words from some dictionary. I'd guess that the "i" at the end is a random alphanumeric (2⁵ possibilities). The positions of the words were likely arbitrary, since www comes after facebook.
Lets arbitrarily say they have a word list of 128 words, that they want words from, all four letters long.
This means we have 2⁷2⁷2⁵*4!/2 ~= 2²³ acceptable possibilities(the division because of the order of the random words).
I'm guessing they used something like scallion [0] or Shallot [1].
Bench marking Shallot on an Intel 3350P@3.10GHz:
time ./shallot ^a -> 0.09 sec user
time ./shallot ^aa -> 0.12 sec user
time ./shallot ^aaa -> 0.12 sec user
time ./shallot ^aaaa -> 0.47 sec user
time ./shallot ^aaaaa -> 5.92 sec user
time ./shallot ^aaaaaa -> 118 sec user
Unfortunately OpenCL doesn't work with the nouveau drivers so I can't test scallion.
Who knows how much they spent trying to brute force that onion address.
> If they can do that, what's to stop somebody else coming along and brute forcing a key for the same hostname.
The .onion URL is created by hashing the public key (and possibly more information), and then it is stored in Tor's database of hidden service descriptors as noted by this[1]. This would indicate to me that if there's a hash conflict, such as the NSA trying to take over FB's .onion URL, the database of hidden service descriptors would reject the duplicate insertion to the database.
> If they can do that, what's to stop somebody else coming along and brute forcing a key for the same hostname.
IIRC it's 80bit truncated SHA-1, so it's not even close to feasible unless there's a substantial preimage attack against the function (and none are known). It's clearly feasible to find something close enough to the human eye for a phishing/spoofing attack, but that's hardly a problem exclusive to Tor.
That is extremely lucky. That's, what, 82 bits if you'd chosen the whole thing?
A more manageable 61 bits for 12 characters or so, from my recollection. Did you pile a dictionary attack on top of that?
I don't believe this does "break hidden services". That's just a truncated key fingerprint, not the key, and a collision would I suspect (but haven't checked) be a loudly visible error.
>That's just a truncated key fingerprint, not the key, and a collision would I suspect (but haven't checked) be a loudly visible error.
Actually, a name collision would still mean hijacking the traffic, even if they don't have the same private key. The last HS to announce "owns" the name.
Tor still uses SHA1? I understand clueless download sites (such as FossHub) and projects still using MD5 and SHA1, but I would hope projects that are supposed to be about security would've stopped using SHA1 a long time ago. If they dread moving to SHA2 because of its much slower performance, they should at least use BLAKE2 [1].
Even NSA-influenced NIST recommended against using SHA1 after Dec. 2013. And when NIST recommends a deadline for change, you know you should be doing that at least 3-5 years earlier to be safe against state sponsored/NSA attacks.
Even using MD5 for .onion URL generation would be pretty safe. While MD5 is completely and utterly broken when it comes to collision resistance, there aren't any (public) preimage attacks that indicate that cracking it is feasible[0].
The move to slower hash functions is really only important when you're dealing with passwords because the input is enumerable enough to bruteforce to begin with. In general, having a fast cryptographic hash function is extremely desirable, and, for applications where the input is essentially random (nonces and randomly generated keys etc) it's fine.
Agree. I never understood why onion names are so short; they're not even the full SHA-1 hash:
> The .onion name is computed as follows: first the SHA1 hash of the DER-encoded ASN.1 public key is calculated. Afterwards the first half of the hash is encoded to Base32 and the suffix ".onion" is added. Therefore .onion names can only contain the digits 2-7 and the letters a-z and are exactly 16 characters long.
Then move to I2P where there are inanely long .b32.i2p hashes. I believe Tor stuck to sixteen to balance ease of use with security. I2P decided not to truncate their hashes since they already have memorable short.i2p entries in downloadable hosts files.
.onion addresses aren't particularly memorable anyway (Facebook's nonwithstanding). They wouldn't have to go to insane lengths like I2P does, but it seems like not cutting the SHA-1 in half would make it much stronger. I just feel like in striking a balance, they should err on the side of huge security margins. On the other hand, I don't really have an intuition for the strength of the current addresses, so it's not meant as criticism as much as a quest for understanding.
Although I agree it isn't cakewalk to memorise an onion URL, it is possible and many people do it usually by grouping or mnemonics. I'm not against any change/improvement to the current address generation system in Tor; there are certainly other better possibilities for both security and scalability.
Although this will be useful, I hope users will keep in mind that identifying themselves while using Tor could make their other traffic less than anonymous. In the Tor Browser Bundle, compartmentalizing your traffic via frequent use of the 'New Identity' feature is usually a good idea.
Using this would also add to the data that one of the world's most aggressive advertisers and an NSA PRISM partner will have about you as a Facebook user.
One plus: at least the login page appears to load correctly without javascript enabled.
Edit to add: someone whose only interest is in not sharing their IP address/location with Facebook could access this URL via facebookcorewwwi.tor2web.org but the usual browser fingerprinting and potential tracking caveats apply
suppose you see an article in your news feed while using the hidden service and click on it; facebook still has a good chance of learning about your browsing habits that way, even if you start from a hidden service. facebook might then learn which exit your non-hidden-service traffic exits to, and from there, it might have information to offer to advertisers about the identities of tor users using a given exit around the same time.
even just having a strong authenticator of your real identity active on tor at a given time may be concerning, depending on your threat model.
If you want more information on the specifics behind how FB did this, here is a really really informative mailing list conversation about it. Instead of coming up with facebookcorewwwi and then searching for it, they found a bunch of "facebook" first, and then picked the best one.
First, Tor protects the network communications. It separates where you are from where you are going on the Internet. What content and data you transmit over Tor is controlled by you. If you login to Google or Facebook via Tor, the local ISP or network provider doesn't know you are visiting Google or Facebook. Google and Facebook don't know where you are in the world. However, since you have logged into their sites, they know who you are. If you don't want to share information, you are in control."
While Facebook gets props for their astonishingly clever .onion address, it seems rather odd to promote unlinkability while continuing to enforce their legal names policy. I'd probably respect this a lot more if it was accompanied by setting up Tor exit nodes, which invites actual risk and things like FBI visits.
You can at least browse public Facebook posts without logging in. But I think the main point is to avoid local censorship, reducing Tor to a simple proxy.
There is no difference from accessing Facebook from .com and .onion in that case. If the main point would be to avoid local censorship, they would have a bigger effect if they instead of focusing power on running a hidden service, spent the effort on running an exit node.
They're not, they just want users on networks that block facebook.com, or try to perform MITM (by hijacking DNS or the switch from HTTP to HTTPS), to be able to reach them safely.
I think its much more likely that facebook is utilizing this to better track abuse. Its not always easy to tell if a user is using tor, and a statistically higher percentage of tor users are doing things facebook doesnt like.
By creating a entry point, they can more easily track and label users that even use that entry point, to better handle abuse.
Can the NSA 'tag' a specific user using Tor? If so, wouldn't using Facebook over Tor then provide them with a direct link between your FB identity and your other Tor activity?
Yes. If someone captures identifiable information then a user can be identified. This can be minimized by using SSL to connect to services. A service may share data so you should also use only a single service within a Tor session. That includes closing tabs to prevent ajax requests.
A new session can be created by restarting Tor or from the tor indicator if within TAILS.
Note that, although you are right that you should usually use https on tor, it does NOT APPLY to hidden services. Hidden Services are end-to-end encrypted, regardless of whether you use http or https. That is also why a site like Silk Road simply used http: it was a hidden service.
The reason for this is that it never leaves the Tor network. Traffic from a tor client to a hidden service goes (encrypted) through relays, but never exits. Basically you are entering a validation of the public key when you type in the .onion address, so nobody can tamper with the connection.
Can someone help me understand the intended user experience?
As I currently understand it, you connect anonymously to Facebook, login and link your activities to your real life identity and Facebook turns over the information that you provide to whatever powerful government entity you are hiding from.
Probably because the latter half of your assertion, that "Facebook turns over the information you provide to whatever government entity you are hiding from" is a lie. This protects people who feel they need to hide the fact that they are connecting to Facebook from an observer/ISP.
Maybe my phrasing was overly strong. As I understand it, there are no guarantees that the information that we put into a service like Facebook can be kept out of the government's hands. Whether or not Facebook is doing it willingly, is not relevant to my question.
What is the value in using tor to connect anonymously to a system that ties back to your real life identity?
The tie is only temporal, and it's still anonymized.
The only concession is that now the government you're avoiding might know you use Tor, if Facebook tells them.
----
Here's the usage case: you're a foreign national visiting a country with a restrictive firewall, like China's. Now you can continue to communicate with people back home.
Facebook already had your information, in this scenario, so nothing has changed except that they know people from China are desperate for their services. That's only good, in my book.
I have a facebook account that uses an online handle and does not have my real name or my birthday. I am now locked out of it, because I tried to login to it just _once_ through TOR. I could still have logged in, but I could not get past the identity checks. Now I am still locked out, even on the clearnet.
No. It's a fully valid ceritifcate issued by DigiCert to
CN = *.facebook.com
O = "Facebook, Inc."
L = Menlo Park
ST = CA
C = US
with a bunch of altnames
DNS Name: *.facebook.com
DNS Name: facebook.com
DNS Name: *.fb.com
DNS Name: *.fbsbx.com
DNS Name: *.fbcdn.net
DNS Name: *.xx.fbcdn.net
DNS Name: *.xy.fbcdn.net
DNS Name: fb.com
DNS Name: facebookcorewwwi.onion
DNS Name: fbcdn23dssr3jqnq.onion
DNS Name: fbsbx2q4mvcl63pw.onion
Thanks - learned something that you can put anything in the alt names list. So digicert is not checking those to be valid domains and controlled by the cert requester?
But does TBB check for revocations? I bet the answer is no because otherwise it'd be sending the sites you visit to CA's via OCSP and Tor would never want that. So I think you still win.
You could still get a full revocation list (via Tor or not). In fact using OCSP over Tor should be safe? FB sees some-exit-node, sends you a cert, CA sees some-other-or-same-but-not-provably-you requesting status of FBs cert. Unless FB sent you a specially craftet, session-spesific cert, CA would only see that "someone" checked the status of FBs cert. And with no immediate link between "you" and "someone"? Much as DNS over Tor is safe (but DNS over udp isn't)?
No - each name is checked before issuance. .onion is an interesting one though since there isn't WHOIS info. The only check there is to download Tor and check that FB controls the service.
Or to give the CA a copy of the private key to establish ownership of the onion. This would be more trustworthy IMO since there would be no chance of phishing lookalikes or something akin to the "onion cloner" MITM attack.
EDIT: Or simply redirecting myownfacebook420.onion to facebook.com, because that can VERY easily be done. Just add a HiddenServicePort 80 facebook.com:80 to the torrc.
Depends, multidomain certs aren't horribly expensive. Non-EV multidomain certs usually start around $100 and cover 3-5 domains in the "base" certificate and you can pay $10-20/year more domains. EV multidomain certs start around $300 and usually cover 3 domains and additional domains are +80/year
.onion addresses don't work that way. but if you're asking about Facebook's SSL cert when accessing the login page via the .onion address, it's a 2048-bit DigiCert SHA-1 cert, and no ECC love..at least on the login page.
If by "soon" you mean November of next year, then you are correct. There is also a RFC in process to get .onion and a few similar pseudo-tlds recognized/protected.
Heh, my first reaction was, 'shoot, they brute-forced an address!' and I see that a lot of others had the exact same idea. I wonder how tough that was to do—I'm guessing that they didn't use Shallot!
Looks like some sort of CA structure is going to be pretty vital to Tor…
CA structure is not vital to tor at all. All connections to hidden services are encrypted and authenticated end to end. the URL serves as the public key.
Huh.. I wonder if something like Cloudflare would offer something like this next? (Whether or not they might brute force vanity URLs is another matter)
not sure if you're trolling, but i wish cloudflare weren't so overtly hostile to tor users! i've already stopped using all but a few cloudflare sites for this reason.
I was not aware that cloudflare was hostile to tor users. I mean, I know they apparently bother my friend who uses a VPS with checking if he is human or not.
Sure, but Cloudfare is where you go when you have already had malicious users causing trouble. It doesn't seem crazy that it would be a huge problem for Cloudfare hosted sites (and as such, the block).
Sites that want Tor users should do well and avoid services like Cloudfare, but for sites that don't care it's a very effective way to cut out malicious actors.
It's not nice in a freedom sort of way, but for ad supported sites Tor traffic is worthless and there is little incentive to try and cater towards it.
They manage abuse by expecting networks to handle malicious users, and blocking entire networks that fail to do so. Tor doesn't handle abuse by design so gets blocked a lot. It's not being singled out our treated specially in that regard.
Last I checked, Facebook doesn't work at all unless you are logged in.
So I can now tell Facebook my personal information and a list of associates securely, which it will then promptly share with any government interested.
I guess its the best way yet to illustrate the basic problem with Tor (no technology in the world can protect you from giving the bad guys your home address), but can't shake the feeling that this makes an utter mockery of the idea behind Tor.
Looks like Tor hidden services are now broken to me...
[edit] What's to stop Facebook from brute forcing a key for any of the existing hidden services?
[edit2] If Facebook can brute force keys like this, so can the NSA and GCHQ. Tor hidden services are officially broken.
[edit3] A colleague of mine suggested that this might be simply Facebooks way of making it public knowledge that Tor hidden services can no longer be relied upon.
[edit4] Facebook are saying (on the Tor Talk list) that they generated a load of keys starting "facebook" and then just picked the one which looked most memorable, and were extremely lucky to get such a good one:
http://archives.seul.org/tor/talk/Oct-2014/msg00433.html