Tor, the onion router, is a method of preserving privacy by allowing users to surf the web anonymously. But by its very raison d’etre it has never played well with social networks, which like to know who their users are. Facebook is breaking new ground by implementing a Tor address that privacy hounds can use to update their statuses, share cat videos and do everything else that Facebookers enjoy doing.
Facebook's security infrastructure has sometimes “led to unnecessary hurdles” for people who connect to Facebook using Tor, the company said, so it set out to make their experience “more consistent with our goals of accessibility and security.”
“Tor challenges some assumptions of Facebook's security mechanisms — for example its design means that from the perspective of our systems, a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada,” explained Alec Muffett, a software engineer for security infrastructure at Facebook London, in a post. “In other contexts, such behavior might suggest that a hacked account is being accessed through a botnet, but for Tor this is normal.”
Tor-enabled browsers can now connect to the social network using Facebook's onion address, which provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud.
“The idea is that the Facebook onion address connects you to Facebook's Core WWW infrastructure,” Muffett said. “It provides end-to-end communication from your browser directly into a Facebook data center.”
The company used SSL in making the Tor support happen, and provides an SSL certificate.
The certificate “cites our onion address; this mechanism removes the Tor Browser's ‘SSL Certificate Warning’ for that onion address and increases confidence that this service really is run by Facebook,” Muffett noted. “Issuing an SSL certificate for a Tor implementation is — in the Tor world — a novel solution to attribute ownership of an onion address; other solutions for attribution are ripe for consideration, but we believe that this one provides an appropriate starting point for such discussion.”
Facebook is planning to continue to scale and deploy services via the Facebook onion address; Muffett said that a medium-term goal will be to support Facebook's mobile-friendly website via an onion address.