Den 31 okt 2014 17:00 skrev "MrBiTs" <mrbits.dcf@gmail.com>:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 10/31/2014 12:58 PM, rysiek wrote:
> > Hi all,
> >
> > so, you've probably seen this:
> > http://venturebeat.com/2014/10/31/facebook-announced-it-is-now-providing-direct-access-to-its-service-over-the-tor-network/
> >
> > Apart from being torn about the move (good on Facebook to support TOR, but I don't really feel like praising Facebook for
> > anything I guess), there are two WTFs here: https://facebookcorewwwi.onion/
> >
> > 1. HTTPS to TOR Hidden Service? Why? /that's the smaller one/
> >
> > 2. How did they get to control 15 characters (I assume the "i" was random) in the .onion address? That's a *LOT* of number
> > crunching. If they are able to do this, it means they are able (or are very close to) bascially spoof *any* .onion address.
> >
> > Am I missing something?
> >
>
> We're talking about it the entire morning. Nice news for a halloween.
>
> You got two great points. First of all I think they didn't catch the main point of TOR network. Otherwise, who's certifying SSL key?

You got those assumptions wrong, actually. But it isn't very intuitive to begin with, so nothing to feel sad about.

They use a load balancer, where traffic needs to be encrypted. Tor network - Facebook's Tor node - load balancer - SSL acceleration machine (?) - Facebook servers. That load balancer might sit outside Facebook's server halls.

> About second question, or they made a commercial agreement with people in TOR OR they are able to spoof any .onion address. My
> guess is for second one.

Vanity address. They bruteforced few dozen addresses with the first half (Facebook*), the second half was one of the lucky outputs.

If you're wondering if this makes Tor weak - not very, but partially yes. Bruteforcing the full address is waaay harder (about 80 bits), but Tor will still move forwards to making these addresses longer in the future with stronger algorithms.

> Why in hell somebody in TOR network will access facecrap? If TOR intent to give anonymous networking, why to use a service where
> you get anything but be anonymous? Do this make sense?

Public announcements while hiding your location?