Facebook recently announced that it was providing access directly over the Tor network.
Its purpose is to let users reach Facebook without giving up the encryption and anonymity protections of the Tor network.
Facebook is providing an SSL certificate that names its onion address. Onion address support for its mobile site will follow. The onion address works only in Tor-enabled browsers.
Cheers and Tears
That’s “a huge no-no in Tor land,” commented Daniel Hagan.
“Does this serve any purpose at all other than to create a database of all the privacy-conscious users?” asked Tom Karpiniec.
Using Tor for anonymity “absolutely runs counter to FB’s insistence that users only use their real names,” pointed out Euell Ooluu. “What gives, FB, this is just more marketing BS, because I’ll still be using my screen name.”
It is vulnerable to remote access attacks and is often targeted in cross-site scripting (XSS) attacks. Such attacks are a major security threat for agile environments and are among the most common types of attack against Web applications.
Half a Loaf…
Vulnerabilities repeatedly have been reported in SSL, the latest being POODLE, an attack on SSL 3.0 that last month spurred US-CERT to issue an alert.
And who can forget the Heartbleed bug that bedeviled OpenSSL?
Further, SSL certificates can be, and have been, forged or fraudulently issued.
SSL certs aren’t used with Tor because of the risks associated with an untrustworthy certificate authority and spoofing, O’Brien pointed out.
Further, “SSL 3.0 has been obsolete since at least 1999,” he said, suggesting that perhaps Facebook means to use Transport Layer Security instead, as “most companies … refer to the two interchangeably.”
Although SSL has weaknesses, “if done well, [it] can add a good degree of security against certain types of attack,” Catherine Pearce, security consultant at Neohapsis, told TechNewsWorld. While SSL certs can be falsified, that “requires a higher grade of attacker than unencrypted or self-signed certificates do.”
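The two technical points above, a certificate that names an onion address and a TLS configuration that has no place for SSL 3.0 after POODLE, are easy to check from the client side. The following is an added example written for this page, not code from Facebook or from the Tor Project. It takes the certificate dictionary that Python's ssl.SSLSocket.getpeercert() returns (a constructed sample is embedded, with a made-up onion name), checks that a DNS subjectAltName entry exactly matches the onion address being visited, validates the onion address itself (syntax for the 16-character v2 form the article's Facebook address uses; syntax plus the SHA3-256 checksum for the later 56-character v3 form, which goes beyond what the page discusses), and builds a client context whose minimum protocol version excludes SSL 3.0. The function and constant names are the example's own.

```python
import base64
import hashlib
import ssl

# v3 onion checksum prefix from the Tor rendezvous spec (assumption: spec as I recall it).
ONION_CHECKSUM_PREFIX = b".onion checksum"
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); the onion
# label is made up and does not belong to any real service.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "abcdefghijklmnop.onion"),),),
    "subjectAltName": (
        ("DNS", "abcdefghijklmnop.onion"),
        ("DNS", "www.example.com"),
    ),
}


def is_valid_onion_v2(label: str) -> bool:
    """v2: 16 base32 chars (truncated SHA-1 of the service key); only syntax is checkable."""
    return len(label) == 16 and all(c in BASE32_ALPHABET for c in label)


def is_valid_onion_v3(label: str) -> bool:
    """v3: base32(pubkey[32] || checksum[2] || version[1]), 56 chars; verify the checksum."""
    if len(label) != 56 or not all(c in BASE32_ALPHABET for c in label):
        return False
    raw = base64.b32decode(label.upper())  # 56 chars -> exactly 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        return False
    expected = hashlib.sha3_256(ONION_CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    return checksum == expected


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 address label for a 32-byte ed25519 public key (used to build test data)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    version = b"\x03"
    checksum = hashlib.sha3_256(ONION_CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower()


def is_valid_onion(label: str) -> bool:
    return is_valid_onion_v2(label) or is_valid_onion_v3(label)


def cert_names_onion(peercert: dict, onion_host: str) -> bool:
    """True if the presented certificate has a DNS SAN exactly equal to onion_host.

    Only exact matches count: wildcard entries are deliberately not honoured for
    onion names (design choice of this example), and the host must itself be a
    syntactically valid .onion address.
    """
    wanted = onion_host.lower().rstrip(".")
    if not wanted.endswith(".onion") or not is_valid_onion(wanted[: -len(".onion")]):
        return False
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower().rstrip(".") == wanted:
            return True
    return False


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the peer and refuses SSL 3.0, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # POODLE needs an SSLv3 fallback; none here
    return ctx


if __name__ == "__main__":
    print(cert_names_onion(SAMPLE_PEERCERT, "abcdefghijklmnop.onion"))
    print(cert_names_onion(SAMPLE_PEERCERT, "www.example.com"))
    print(is_valid_onion_v3(onion_v3_from_pubkey(b"\x01" * 32)))
    print(hardened_client_context().minimum_version)
```

A real client would open the socket through the Tor SOCKS proxy, wrap it with hardened_client_context(), and pass getpeercert() to cert_names_onion() before sending any request; the onion address is already self-authenticating, so the certificate adds a second binding (a publicly logged identity) rather than replacing the first.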
Tor and the Law
Law enforcement agencies contend criminals use the Tor network to hide their nefarious activities.
The FBI last year also took down Freedom Hosting, which provided turnkey Tor hidden services (sites with a “.onion” address, which conceals the server’s geographic location) and was known to host a number of child porn sites.
It’s not as if law enforcement can’t track Tor users; an observer who can watch traffic both entering and leaving the Tor network can try to correlate the two by timing and volume, although that requires visibility at both ends of a connection rather than at any single node.
However, “any technology that protects traffic is inherently dual use,” Pearce said. “A society which removes the privacy of its citizens in the name of stopping abuses by criminals treads a dangerous path, which has led to tyranny.”