It concerns me that they were able to brute force a key for facebookcorewwwi.onion. If they can do that, what's to stop somebody else coming along and brute forcing a key for the same hostname.
Looks like Tor hidden services are now broken to me...
[edit] What's to stop Facebook from brute forcing a key for any of the existing hidden services?
[edit2] If Facebook can brute force keys like this, so can the NSA and GCHQ. Tor hidden services are officially broken.
[edit3] A colleague of mine suggested that this might be simply Facebooks way of making it public knowledge that Tor hidden services can no longer be relied upon.
[edit4] Facebook are saying (on the Tor Talk list) that they generated a load of keys starting "facebook" and then just picked the one which looked most memorable, and were extremely lucky to get such a good one:
Nothing, and it's interesting that they have enough computational power to do that for a relatively trivial project.
Meanwhile, whilst I applaud Facebook going above and beyond here, this doesn't set a good precedent.
Firstly, Onion service are very slow. There is no need to pay this cost for a service whose ownership is not actually hidden. If the Tor project made it easier to reliably identify traffic from Tor exit nodes, Facebook could apply whatever rules they wanted to Tor traffic without needing to slow things down for everyone.
Secondly, by doing this, there's now a risk that other firms who want to be on the cutting edge of privacy will try to copycat this approach, even though it makes no sense and is very complex and expensive to set up. Worse, users might think it's some kind of "gold standard".
Thirdly, it doesn't actually solve any of the reasons why Tor traffic is routinely discriminated against and harassed: Tor is effectively a "bulletproof ISP" that shields a lot of abuse and hacking. Merely making a Tor hidden service specifically for Facebook doesn't solve that, at all.
> Worse, users might think it's some kind of "gold standard".
That may be the worst unexpected consequence. Once onion services become more mainstream, I fear FB's example - no matter how well intentioned - will turn into an engineering nightmare. After all, after one of the best known online brands does something clever, you can expect copycats to follow.
First, we'll get clueless PHB types demanding long vanity names.
Second, some services will happen upon neat onion addresses and ride the wave. Their very existence will act as a goal post for the others.
Third, a vocal segment of users becomes accustomed to seeing "perfect" vanity names. After all, such name means that the entity behind the name has enough resources to actually get a proper vanity name.
Amidst all that, somewhere between stages #2 and #3, we will see (horribly misguided) vanity onion service name markets. A bit like domain name squatting from the late 90's, but with far worse consequences: at least with domain names the only thing transferred was the control over the DNS entry. Because onion service names are directly mapped to the private keys, selling a $VANITY.onion address is the same as selling a copy of the private key.
Right now? No. But in a near future? Possibly yes, if Firefox decides to include a built-in Tor client. [0]
Even if the article (and the slashdot thread I lifted it from) were vapourware right now, the idea clearly has been floated enough to make it an attractive option.
How do you differentiate between this and account takeovers though? If someone constantly lives in from California, and then someone elsegets their Gmail password and logs in through Tor, can you know it's actually a compromised account and not the registrant just deciding to use Tor?
> Firstly, Onion service are very slow. There is no need to pay this cost for a service whose ownership is not actually hidden.
As long as you don't have to use it, I don't see why offering users a choice is a problem.
>If the Tor project made it easier to reliably identify traffic from Tor exit nodes, Facebook could apply whatever rules they wanted to Tor traffic without needing to slow things down for everyone.
ExoneraTor does this quite well in my opinion, and I don't follow how/why you think this will slow things down for everyone. Surely you're not referring to the entire Tor network?
The main value in using this, in my opinion, is reducing the potential attack surface associated with MITM attacks--including CDNs--after your traffic exits Tor. Attacks on Facebook users involving Akamai have been documented by NSA, for example; Facebook is a PRISM partner, but this would arguably still stack the deck in favor of "going through the front door" to access Facebook user data.
Accessing an .onion address via Tor is slower than accessing a normal website via Tor. If this onion service is now the official way to access Facebook via Tor and direct access doesn't work well, then this is slowing things down.
Tor's current support for detecting usage is patchy. You can't query a random third party website for every login for a system like Facebook, so you need a list of IPs that can be refreshed quickly. But such lists tend to be incomplete or behind e.g. the "exit" flag doesn't mean what you'd intuitively expect, so it's sometimes possible for Tor traffic to turn up from an IP that is not identified as an exit.
Re: MITM security. Even if Facebook got lucky here, we're talking about an 80 bit identifier and brute forcing these has been demonstrated before, I believe. I'm not sure this is much of an upgrade over just regular SSL CA + HSTS pinning.
> If this onion service is now the official way to access Facebook via Tor and direct access doesn't work well, then this is slowing things down.
my take on the post was that it was presented as an option, and for users taking the time to access a site via tor, speed may not be the only (or even primary) consideration. i say that as someone who does ~95% of my browsing--both work and personal--via Tor.
> But such lists tend to be incomplete or behind e.g. the "exit" flag doesn't mean what you'd intuitively expect, so it's sometimes possible for Tor traffic to turn up from an IP that is not identified as an exit.
Doesn't the onion address solve this problem?
> I'm not sure this is much of an upgrade over just regular SSL CA + HSTS pinning.
Depends on your threat model, but I think it's a useful option and congratulate the Facebook team for offering it to users. I'd love to see Google, Twitter, and others start to compete on the extent to which they support TBB users.
You effectively use Tor 95% of the time? This surprises me, actually. I think if I used it that much I would unavoidably lose my anonymity.
Here is my worry -- Tor looks easy to use, but requires habit changes to actually be effective for anonymity. The habit changes that I am led to believe are required for any effective anonymity through Tor scream "NO NO NO NO NO!!!" at the idea of logging into javascript requiring, cookie placing, Facebook.
This seems to me like a situation where the illusion of anonymity might be worse than the reality of non-anonymity. Granted, it lets you bypass censorship. Granted, if you are very careful and, say, only use your Tor Browser to connect to Facebook and nothing else whatsoever... maybe. I just don't think I could trust myself to do it properly. And while I'm no Edward Snowden, I'm also not dumb.
Yes, you're right, it's just an option and presumably access via the regular web address will still work. It may be that the hidden service is a way to identify Tor traffic, but it shouldn't really be necessary to do that if Tor had the right support in it. And of course you cannot assume everyone who uses Facebook via Tor will know about this service, unless TBB itself is adjusted to force usage, in which case you're now changing Tor and could as well make exit identification 100% reliable.
> There is no need to pay this cost for a service whose ownership is not actually hidden.
DuckDuckGo is being irrational? Keybase? Riseup? Sorry, but I don't see how knowing the owner of a service can immediately disqualify the service from having the privilege of a hidden service. The only thing limiting Facebook is the stress that may be placed on so many connections at once on a single onion. It should not cost too much out of actual resources to run one single gateway, especially when Facebook is a very successful business and can afford to invest in something that may expand their audience even more.
I'm not saying anything for or against Facebook's ethics in general; I am a little hesitant given their history to trust them at all, but this is admittedly a huge step in shedding light on what Tor actually is. It's not just for drugs or child pornography; it can actually be used by the everyday Joe wanting to check on his friends and see if there's a party nearby. What people seem to miss is that Tor provides IP anonymity. Yes, encouraging users to be more careful about their browsing habits is a good thing, but if people want to give out their personal information, in the end that cannot be stopped. If the website owner wants to disclose his or her identity, that cannot be stopped. Tor provides anonymity of IP addresses and nothing else.
> DuckDuckGo is being irrational? Keybase? Riseup?
Yes.
There just isn't any really solid technical reason to do this. The closest I saw was something like "newspaper dropbox wants to force people to use Tor and an onion address is the easiest way to do that", but again, they could just identify traffic from exit nodes and block anything that isn't coming from there, if there were better tools for it.
There is a program called scallion [1] which can generate Vanity addresses like these. I am assuming that they searched for facebookwww?.onion and then just made up the acronym for the last character.
They are therefore trying to brute force the first 11 characters of the address. The author of scallion estimates one can achieve 520 MH/s with a AMD Radeon HD5770 GPU [2] which retails for $190 [3], they then give the formula for calculating the time (in seconds) to have a 50% chance of finding a matching URL:
2^(5length-1) / hashspeed
Which with a length of 11 and a hashspeed of 520M, would take about a year with the one GPU [4].
The total cost of the hardware to have a 50% chance of finding the vanity address "facebookwww?.onion" within a week would therefore be around $11 000 [5].
Imho, this is well within the realms of possibility for a company as large as Facebook and does not suggest a weakness in the .onion scheme.
Dustcore is very correct, correcting for my initial mistake, it would take 1.1 million years on a single GPU using scallion. Finding that sort of result in a month would require $2.6 billion worth of GPUs. Now I know facebook is known for spending billions on questionable purchases, but this would be a bit extreme even for them. How the hell have they managed this?
The url isn't facebookwww? though, it is facebookcorewww?. The additional 4 characters didn't have to be "core", but the fact that it is an english word and relevant adds significant difficulty to your estimates.
Actually, to me the first thought after seeing the URL was totally: "wow, I wonder what backronym they invented for the ugly wwwi suffix." And the others posts in this thread seem to confirm that this was the case, and that this prettification mechanism is actually quite common on Tor already.
Now, the other, more important for me observation is, that reportedly the TLS certificate is actually worth close to nothing, and giving false security, as a HNer claims to have got a valid cert issued for this very same facebook's .onion address already: https://news.ycombinator.com/item?id=8539066 -- if I understand correctly, cert issuers seem to happily accept any .onion URLs in "alternative addresses" in SSL certs without any verification. Anybody else could confirm/deny?
You got so lucky that you'll probably want to keep using that name forever. The longer it's used, the greater the probability of compromise of its secret key.
Which is why using TLS on top of the .onion address is brilliant: even if the secret key for the .onion address is compromised, the TLS certificate (which is rotated more often) will keep the connection safe. The worst that could happen would be someone hijacking the .onion address, but that would lead only to a DoS instead of the compromise that would happen without the redundant TLS layer.
And the certificate also helps validate that the .onion address is really from facebook: as someone observed elsewhere in this discussion, the certificate is also valid for the non-.onion addresses, so just examining its alternate names extension is enough to prove that the certificate owner could also get a valid certificate for www.facebook.com (meaning the certificate owner is very probably facebook itself).
Someone else said getting SSL certs for .onion in the SNI doesn't require ANY kind of validation.
So someone bruteforcing the .onion key could easily get their own valid SSL cert and have full access to the plaintext for anyone browsing the .onion site over SSL.
The security of facebook over onion is now only protected by the hash power required to brute force the vanity address, instead of the integrity of the SSL CA system or the power required in factoring an SSL key. Even the requirement to spoof DNS or perform actual man-in-the-middle-of-the-wire hijacks has vanished.
This is a good idea for other tor services too as that 1024 bit RSA is looking pretty shaky these days. Hopefully the tor devs will give it a bump to 2048 or move to Curve/Ed25519 soon, before this becomes a real problem.
Agreed. Likely they required facebook, and required that the rest of it would form words from some dictionary. I'd guess that the "i" at the end is a random alphanumeric (2⁵ possibilities). The positions of the words were likely arbitrary, since www comes after facebook.
Lets arbitrarily say they have a word list of 128 words, that they want words from, all four letters long.
This means we have 2⁷2⁷2⁵*4!/2 ~= 2²³ acceptable possibilities(the division because of the order of the random words).
I'm guessing they used something like scallion [0] or Shallot [1].
Bench marking Shallot on an Intel 3350P@3.10GHz:
time ./shallot ^a -> 0.09 sec user
time ./shallot ^aa -> 0.12 sec user
time ./shallot ^aaa -> 0.12 sec user
time ./shallot ^aaaa -> 0.47 sec user
time ./shallot ^aaaaa -> 5.92 sec user
time ./shallot ^aaaaaa -> 118 sec user
Unfortunately OpenCL doesn't work with the nouveau drivers so I can't test scallion.
Who knows how much they spent trying to brute force that onion address.
> If they can do that, what's to stop somebody else coming along and brute forcing a key for the same hostname.
The .onion URL is created by hashing the public key (and possibly more information), and then it is stored in Tor's database of hidden service descriptors as noted by this[1]. This would indicate to me that if there's a hash conflict, such as the NSA trying to take over FB's .onion URL, the database of hidden service descriptors would reject the duplicate insertion to the database.
> If they can do that, what's to stop somebody else coming along and brute forcing a key for the same hostname.
IIRC it's 80bit truncated SHA-1, so it's not even close to feasible unless there's a substantial preimage attack against the function (and none are known). It's clearly feasible to find something close enough to the human eye for a phishing/spoofing attack, but that's hardly a problem exclusive to Tor.
Looks like Tor hidden services are now broken to me...
[edit] What's to stop Facebook from brute forcing a key for any of the existing hidden services?
[edit2] If Facebook can brute force keys like this, so can the NSA and GCHQ. Tor hidden services are officially broken.
[edit3] A colleague of mine suggested that this might be simply Facebooks way of making it public knowledge that Tor hidden services can no longer be relied upon.
[edit4] Facebook are saying (on the Tor Talk list) that they generated a load of keys starting "facebook" and then just picked the one which looked most memorable, and were extremely lucky to get such a good one:
http://archives.seul.org/tor/talk/Oct-2014/msg00433.html