Facebook recently announced that it was providing access directly over the Tor network.
Its purpose was to let users access Facebook without losing the cryptographic protections provided by the Tor cloud.
Facebook is providing an SSL certificate which cites its onion address. It will add onion address support for its mobile site later. The Tor link will work only in Tor-enabled browsers.
Cheers and Tears
The initial response to Facebook’s announcement was overwhelmingly positive. However, some responders expressed concern over the use of JavaScript.
That’s “a huge no-no in Tor land,” commented Daniel Hagan.
JavaScript “eliminates any security protections one might have had using Tor.” Still, “I am very happy about this and sincerely thank you,” wrote Gee Faunk.
“Does this serve any purpose at all other than to create a database of all the privacy-conscious users?” asked Tom Karpiniec.
Using Tor for anonymity “absolutely runs counter to FB’s insistence that users only use their real names,” pointed out Euell Ooluu. “What gives, FB, this is just more marketing BS, because I’ll still be using my screen name”
The JavaScript Jig
JavaScript is a dynamic programming language commonly used as part of Web browsers and not to be confused with Java.
It is vulnerable to remote access attacks and often is targeted in cross-site scripting (XSS) attacks. Such attacks are a major security threat for agile environments, and are among the most common type of attacks against Web applications.
“Using a JavaScript front end is a step backwards,” Kevin O’Brien, vice president and a cofounder of Conjur, told TechNewsWorld. “If anonymous access and security are concerns, why would [Facebook access] ever have made it out of code review?”
Half a Loaf…
Vulnerabilities repeatedly have been reported in SSL, the latest being the SSL 3.0 vulnerability and Poodle attack that last month spurred US-CERT to issue an alert.
And who can forget the Heartbleed bug that bedeviled OpenSSL?
Further, SSL certificates can be, and have been, forged.
SSL certs aren’t used with Tor because of the risks associated with an untrustworthy certificate authority and spoofing, O’Brien pointed out.
Further, “SSL 3.0 has been obsolete since at least 1999,” he said, suggesting that perhaps Facebook means to use Transport Layer Security instead, as “most companies … refer to the two interchangeably.”
Although SSL has weaknesses, “if done well, [it] can add a good degree of security against certain types of attack,” Catherine Pearce, security consultant at Neohapsis, told TechNewsWorld. While SSL certs can be falsified, that “requires a higher grade of attacker than unencrypted or self-signed certificates do.”
Tor and the Law
Law enforcement agencies contend criminals use the Tor network to hide their nefarious activities.
They point to the Silk Road online market, which deals in drugs and other criminal pursuits. Itwas cracked by the FBI in 2013 butquickly regrouped.
The FBI last year also took down Freedom Hosting, which provided turnkey Tor hidden service sites that used a “.onion” suffix to conceal their geographic location, and was known to host a number of child porn sites.
It’s not as if law enforcement can’t track Tor users — it just has to keep an eye on who entered and exited the various Tor nodes.
“Since there are existing policies that require the use of real names on Facebook, generating information on who is using Tor would not require much effort,” O’Brien observed. “If the JavaScript or certificate flow were being used as virtual fingerprints, it would be trivial to prove that a particular Facebook user was a Tor user.”
However, “any technology that protects traffic is inherently dual use,” Pearce said. “A society which removes the privacy of its citizens in the name of stopping abuses by criminals treads a dangerous path, which has led to tyranny.”
Loading ...
