On 10/31/2014 07:58 AM, rysiek wrote:
> 1. HTTPS to TOR Hidden Service? Why?
From the official announcement:

"We decided to use SSL atop this service due in part to architectural considerations - for example, we use the Tor daemon as a reverse proxy into a load balancer and Facebook traffic requires the protection of SSL over that link. As a result, we have provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser's 'SSL Certificate Warning' for that onion address and increases confidence that this service really is run by Facebook. Issuing an SSL certificate for a Tor implementation is - in the Tor world - a novel solution to attribute ownership of an onion address; other solutions for attribution are ripe for consideration, but we believe that this one provides an appropriate starting point for such discussion."

Source: https://www.facebook.com/notes/protect-the-graph/making-connections-to-faceb...
> 2. How did they get to control 15 characters (I assume the "i" was random) in the .onion address? That's a *LOT* of number crunching. If they are able to do this, it means they are able (or are very close to) basically spoof *any* .onion address.
They definitely have the processing power to brute-force a vanity .onion address - who-knows-how-many data centers around the world worth of processing power. We don't know how long they've been trying to generate a memorable one, either. It could have been weeks or months. Reportedly, Runa Sandvik and Steven Murdoch advised them on this project. Maybe they can shed some light on this.

-- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
Media devices have off switches. Your mind doesn't.
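
The cost question raised in this exchange can be put in numbers. The following is an added example, not part of the original email: it assumes the 2014-era (v2) onion name format, base32 of the first 80 bits of SHA-1 over the DER-encoded public key, uses constructed counter bytes in place of real RSA keys, and takes an assumed hash rate that is not a figure from the thread.

```python
import base64
import hashlib
import itertools

ONION_V2_LEN = 16  # 80 bits of SHA-1, base32-encoded at 5 bits per character


def onion_v2_address(der_public_key: bytes) -> str:
    """v2 onion name: base32 of the first 10 bytes of SHA-1(DER public key)."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def expected_tries(fixed_chars: int) -> int:
    """Average number of keys tested before `fixed_chars` leading characters match."""
    return 32 ** fixed_chars


def search_prefix(prefix: str, limit: int = 5_000_000):
    """Count candidates until one hashes to an address starting with `prefix`.

    Constructed stand-in: counter bytes replace real RSA keys, because only the
    hash-and-compare step decides how the cost scales with prefix length.
    """
    for tries in itertools.count(1):
        if tries > limit:
            return None, limit
        address = onion_v2_address(b"constructed-key-%d" % tries)
        if address.startswith(prefix):
            return address, tries


def years_at(rate_per_second: float, fixed_chars: int) -> float:
    """Expected search time in years at the given (assumed) rate."""
    return expected_tries(fixed_chars) / rate_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for prefix in ("f", "fb", "fbc"):
        address, tries = search_prefix(prefix)
        print(f"{prefix!r}: found {address} after {tries} tries "
              f"(expected about {expected_tries(len(prefix))})")
    rate = 1e9  # assumed keys per second; not a figure from the thread
    for chars in (8, 15, ONION_V2_LEN):
        print(f"{chars} fixed characters at {rate:.0e}/s: "
              f"{years_at(rate, chars):.3g} years")
```

Each additional fixed character multiplies the expected work by 32, so a short chosen prefix and a full 16-character match differ by many orders of magnitude.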