Den 31 okt 2014 17:00 skrev "MrBiTs" <[1]mrbits.dcf@gmail.com>:
   >
   > -----BEGIN PGP SIGNED MESSAGE-----
   > Hash: SHA256
   >
   > On 10/31/2014 12:58 PM, rysiek wrote:
   > > Hi all,
   > >
   > > so, you've probably seen this:
   > >
   [2]http://venturebeat.com/2014/10/31/facebook-announced-it-is-now-provi
   ding-direct-access-to-its-service-over-the-tor-network/
   > >
   > > Apart from being torn about the move (good on Facebook to support
   TOR, but I don't really feel like praising Facebook for
   > > anything I guess), there are two WTFs here:
   [3]https://facebookcorewwwi.onion/
   > >
   > > 1. HTTPS to TOR Hidden Service? Why? /that's the smaller one/
   > >
   > > 2. How did they get to control 15 characters (I assume the "i" was
   random) in the .onion address? That's a *LOT* of number
   > > crunching. If they are able to do this, it means they are able (or
   are very close to) bascially spoof *any* .onion address.
   > >
   > > Am I missing something?
   > >
   >
   > We're talking about it the entire morning. Nice news for a halloween.
   >
   > You got two great points. First of all I think they didn't catch the
   main point of TOR network. Otherwise, who's certifying SSL key?

   You got those assumptions wrong, actually. But it isn't very intuitive
   to begin with, so nothing to feel sad about.

   They use a load balancer, where traffic needs to be encrypted. Tor
   network - Facebook's Tor node - load balancer - SSL acceleration
   machine (?) - Facebook servers. That load balancer might sit outside
   Facebook's server halls.

   > About second question, or they made a commercial agreement with
   people in TOR OR they are able to spoof any .onion address. My
   > guess is for second one.

   Vanity address. They bruteforced few dozen addresses with the first
   half (Facebook*), the second half was one of the lucky outputs.

   If you're wondering if this makes Tor weak - not very, but partially
   yes. Bruteforcing the full address is waaay harder (about 80 bits), but
   Tor will still move forwards to making these addresses longer in the
   future with stronger algorithms.

   > Why in hell somebody in TOR network will access facecrap? If TOR
   intent to give anonymous networking, why to use a service where
   > you get anything but be anonymous? Do this make sense?

   Public announcements while hiding your location?

References

   1. mailto:mrbits.dcf@gmail.com
   2. http://venturebeat.com/2014/10/31/facebook-announced-it-is-now-providing-direct-access-to-its-service-over-the-tor-network/
   3. https://facebookcorewwwi.onion/