Hi all, so, you've probably seen this: http://venturebeat.com/2014/10/31/facebook-announced-it-is-now-providing-dir... Apart from being torn about the move (good on Facebook to support TOR, but I don't really feel like praising Facebook for anything I guess), there are two WTFs here: https://facebookcorewwwi.onion/ 1. HTTPS to TOR Hidden Service? Why? /that's the smaller one/ 2. How did they get to control 15 characters (I assume the "i" was random) in the .onion address? That's a *LOT* of number crunching. If they are able to do this, it means they are able (or are very close to) bascially spoof *any* .onion address. Am I missing something? -- Pozdr rysiek
On Fri, Oct 31, 2014 at 03:58:18PM +0100, rysiek wrote:
2. How did they get to control 15 characters (I assume the "i" was random) in the .onion address? That's a *LOT* of number crunching. If they are able to do this, it means they are able (or are very close to) bascially spoof *any* .onion address.
Am I missing something?
they were searching for the facebook prefix, with anything that makes sense as a postfix: https://lists.torproject.org/pipermail/tor-talk/2014-October/035412.html at least this is how i generate pgp vanity ids. -- otr fp: https://www.ctrlc.hu/~stef/otr.txt
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 10/31/2014 12:58 PM, rysiek wrote:
Hi all,
so, you've probably seen this: http://venturebeat.com/2014/10/31/facebook-announced-it-is-now-providing-dir...
Apart from being torn about the move (good on Facebook to support TOR, but I don't really feel like praising Facebook for anything I guess), there are two WTFs here: https://facebookcorewwwi.onion/
1. HTTPS to TOR Hidden Service? Why? /that's the smaller one/
2. How did they get to control 15 characters (I assume the "i" was random) in the .onion address? That's a *LOT* of number crunching. If they are able to do this, it means they are able (or are very close to) bascially spoof *any* .onion address.
Am I missing something?
We're talking about it the entire morning. Nice news for a halloween. You got two great points. First of all I think they didn't catch the main point of TOR network. Otherwise, who's certifying SSL key? About second question, or they made a commercial agreement with people in TOR OR they are able to spoof any .onion address. My guess is for second one. Why in hell somebody in TOR network will access facecrap? If TOR intent to give anonymous networking, why to use a service where you get anything but be anonymous? Do this make sense? In other hands, this is Chewbacca... - -- echo 920680245503158263821824753325972325831728150312428342077412537729420364909318736253880971145983128276953696631956862757408858710644955909208239222408534030331747172248238293509539472164571738870818862971439246497991147436431430964603600458631758354381402352368220521740203494788796697543569807851284795072334480481413675418412856581412376640379241258356436205061541557366641602992820546646995466P | dc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCAAGBQJUU64lAAoJEG7IGPwrPKWrj0MIAIz3Cd+4Hy9vyMGh/NdbjOm2 YDh8d3VtzbBjVEBAu2ZmmPAnpbQ8JFR5Xr/Kv3w1czQ6cqXSO4V88FElLuJ+bG+/ iAEx8ElIfQF78g9Hh1RyR+nsHMpMudNMQZCFkjfK69pJllAXHW4qHFHP336yHpli Bpg8sg4EMfXxjnlJUoh/AA/6qw7GGOI+1qeFPBvFjHqxbvoi2doy0Jy2CsMi/D6A XYm3ntusWCQkvp/bYMJQ9trBTCXEGAVsKuPEE/35dWIb06Lp9CL1RVK1IAPF7Sdi wvxWcYzS/uWP44eF+5s3SRvhKKC0bv45h7xw9n0X8utvOPvJrDE+mngvKVgYelE= =oifW -----END PGP SIGNATURE-----
Den 31 okt 2014 17:00 skrev "MrBiTs"
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 10/31/2014 12:58 PM, rysiek wrote:
Hi all,
so, you've probably seen this:
Apart from being torn about the move (good on Facebook to support TOR,
but I don't really feel like praising Facebook for
anything I guess), there are two WTFs here: https://facebookcorewwwi.onion/
1. HTTPS to TOR Hidden Service? Why? /that's the smaller one/
2. How did they get to control 15 characters (I assume the "i" was random) in the .onion address? That's a *LOT* of number crunching. If they are able to do this, it means they are able (or are very close to) bascially spoof *any* .onion address.
Am I missing something?
We're talking about it the entire morning. Nice news for a halloween.
You got two great points. First of all I think they didn't catch the main
http://venturebeat.com/2014/10/31/facebook-announced-it-is-now-providing-dir... point of TOR network. Otherwise, who's certifying SSL key? You got those assumptions wrong, actually. But it isn't very intuitive to begin with, so nothing to feel sad about. They use a load balancer, where traffic needs to be encrypted. Tor network - Facebook's Tor node - load balancer - SSL acceleration machine (?) - Facebook servers. That load balancer might sit outside Facebook's server halls.
About second question, or they made a commercial agreement with people in TOR OR they are able to spoof any .onion address. My guess is for second one.
Vanity address. They bruteforced few dozen addresses with the first half (Facebook*), the second half was one of the lucky outputs. If you're wondering if this makes Tor weak - not very, but partially yes. Bruteforcing the full address is waaay harder (about 80 bits), but Tor will still move forwards to making these addresses longer in the future with stronger algorithms.
Why in hell somebody in TOR network will access facecrap? If TOR intent to give anonymous networking, why to use a service where you get anything but be anonymous? Do this make sense?
Public announcements while hiding your location?
On Fri, Oct 31, 2014 at 3:43 PM, MrBiTs
You got two great points. First of all I think they didn't catch the main point of TOR network. Otherwise, who's certifying SSL key?
the security you get from an .onion address isn't all that great, you know. new hidden service names will be a lot longer. also having some certification that it is actually run by them is useful (but ... but ... ca trust! i don't give a fuck right now)
Why in hell somebody in TOR network will access facecrap? If TOR intent to give anonymous networking, why to use a service where you get anything but be anonymous? Do this make sense?
there are enough reasons for people to use this - while people apparently have their accounts locked when they try to log in through this, i assume that is a kink they will deal with better in the future. in a hostile network, i'd trust a tls secured hidden service more than anything else i have at my disposal also, facebook may be crap but it is just another platform to be used to communicate with people - you may not want what you post associated with your network location or your person - a lot of people also use twitter "anonymously" in the same way, why discriminate platforms it is all the same shit (i said to a fellow gmail user) not everything is about hiding - if you wanted that, say goodbye to modern society
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 10/31/2014 08:43 AM, MrBiTs wrote:
Why in hell somebody in TOR network will access facecrap? If TOR intent to give anonymous networking, why to use a service where you get anything but be anonymous? Do this make sense?
Whether we on the cypherpunks list like it or not, people organize protests and direct action on Facebook. That is one of the reasons why FB gets filtered occasionally around the world. While this does not provide much in the way of anonymity, it does provide censorship circumvention to those who want it. - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ Media devices have off switches. Your mind doesn't. -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUU93KAAoJED1np1pUQ8RkdK4QAIksKOHNvK0SfWcNivGP2oGy JOTO7PtoytUaRohBzptTSDqDliVLDfPHQfMZIWfCotqywKlSCy138BkpJuI+lBO0 nkomFXNHdsAeWZZyt9QjpzLWaVTnFBNjetxGMxzklCBhviPF5xMZNbj3zQIwjxjV J63gjbC8gPLJOFXndOELKTuECgK96KWlrWPMhHkI8bOcTi+mgUVfOK9WIUOipWfd zndZJx4ViaX5Di45WW1Q2FLMNBSxRcXFc/v6XjwK2supUUjYqrQ6wLRLq3IF9W8T A35Q8lUSRlKDlW3nlvAKQ25u7Cfoaes2gGXS5R7X6+k6S2ehBIvrC3F25oSLvjq6 Vk+cqR37NcGkw2xfH0VdpOSaKr0kVHH18wOq86wAjdlv8umauzfIQtU2vSCA4ci/ 5iiu1HuNuXNCg44M4nRsaT7eMxV5koY6QOh1MQ82sCUXJLx6uaseF03N3uPKle+6 B3M/lSX5cLqtd3afvDSLjIwZW7xTFQTKB8p3hWBmRDp+HJ9zmM5sbhsqh+AKyLxU zDfFRR1M6nweqyZdZCWStB4TwBSaW983IbRH4HFvNR1TE1mJU8XbIQ8ttrKZxnG+ Xyey11oL7cIJOlU9qGBtLyqO0rcY22q9yZPkDPwuuhsiX1bgGgGELkZjRw9WQ40F cDL09SuWchu7XwbnCHvb =LGrs -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Including anti-surveillance rallies, which is about as ironic as you can get. On 10/31/14 12:06 PM, The Doctor wrote:
On 10/31/2014 08:43 AM, MrBiTs wrote:
Why in hell somebody in TOR network will access facecrap? If TOR intent to give anonymous networking, why to use a service where you get anything but be anonymous? Do this make sense?
Whether we on the cypherpunks list like it or not, people organize protests and direct action on Facebook. That is one of the reasons why FB gets filtered occasionally around the world. While this does not provide much in the way of anonymity, it does provide censorship circumvention to those who want it.
-----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJUVBNrAAoJEOrRfDwkjbpTJHgIAKq3E9pnmQB3TQedoqFDGwa8 9BBOqLRZOpLkWi85H59C7XCDNYPRhIDc9+rz/WF57BGH5CS2vuIVd5PRvWfM6udD pAwXYHJIOAgqjE01+sOMKUM6Ay3OeDQJEVAohPH/w09jT9r/pdDUUl60ARlEUmGX IqOpZZ5tiyS4EqcKDgG8phswfenbPff/BXK6ukl46Mp3Un7keJ8bbIU2PI8XWkAR 9zQMhtjqKG6zIzMadtp2SxjB87pyq9hdPpKztYU8BL2hj4ELnms5bSph8/DMfQBM qgcHdOZTiVYEVQWrl+gN6C+94i5VrcI8Dxv+JHoX7kjxoG6WSuMIMqmdCiITiao= =TiF+ -----END PGP SIGNATURE-----
Dnia sobota, 1 listopada 2014 08:56:33 rysiek pisze:
Dnia piątek, 31 października 2014 15:55:41 aestetix pisze:
Including anti-surveillance rallies, which is about as ironic as you can get.
Here, that's from the Polish Pirate Party.
Welp, sending a PNG directly to the list was a brainfart, sorry guys, won't happen again. -- Pozdr rysiek
Technically, it's easier to crunch "something with the word facebook and otherwise consisting only of words, whether meaningful or not" than it is to spoof a desired address. That is, they could have crunched the above and resulted in a list like: elffacebookfarts.onion bottlefacebookerr.onion facebookifred.onion facebookcorewwwi.onion And of course, the last one is the best fit. Mind you, the entropy in onion addresses is a tad low, so it's been suggested before I believe that spoofing them isn't impossible in the long run..just hard. On 31/10/14 14:58, rysiek wrote:
Hi all,
so, you've probably seen this: http://venturebeat.com/2014/10/31/facebook-announced-it-is-now-providing-dir...
Apart from being torn about the move (good on Facebook to support TOR, but I don't really feel like praising Facebook for anything I guess), there are two WTFs here: https://facebookcorewwwi.onion/
1. HTTPS to TOR Hidden Service? Why? /that's the smaller one/
2. How did they get to control 15 characters (I assume the "i" was random) in the .onion address? That's a *LOT* of number crunching. If they are able to do this, it means they are able (or are very close to) bascially spoof *any* .onion address.
Am I missing something?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 10/31/2014 07:58 AM, rysiek wrote:
1. HTTPS to TOR Hidden Service? Why?
- From the official announcement: "We decided to use SSL atop this service due in part to architectural considerations - for example, we use the Tor daemon as a reverse proxy into a load balancer and Facebook traffic requires the protection of SSL over that link. As a result, we have provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser's ''SSL Certificate Warning'' for that onion address and increases confidence that this service really is run by Facebook. Issuing an SSL certificate for a Tor implementation is - in the Tor world - a novel solution to attribute ownership of an onion address; other solutions for attribution are ripe for consideration, but we believe that this one provides an appropriate starting point for such discussion." Source: https://www.facebook.com/notes/protect-the-graph/making-connections-to-faceb...
2. How did they get to control 15 characters (I assume the "i" was random) in the .onion address? That's a *LOT* of number crunching. If they are able to do this, it means they are able (or are very close to) bascially spoof *any* .onion address.
They definitely have the processing power to brute-force a vanity .onion address - who-knows-how-many data centers around the world worth of processing power. We don't know how long they've been trying to generate a memorable one, either. It could have been weeks or months. Reportedly, Runa Sandvik and Steven Murdoch advised them on this project. Maybe they can shed some light on this. - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ Media devices have off switches. Your mind doesn't. -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUU903AAoJED1np1pUQ8RkfSQP/iD+L6S8izlC3FwUhgCXchw3 or6SnSvr7hqsosdZvRD7RRuzP6OUb6/1wFt4M/ZQJP4B4qV2TYWKHjDbpB4XBuG/ QWmfK/nHAMHf7aYM0Ix7WW4/3SkEqEcw8Lej+3h+01p/h8+SXk9NVJnJmEBJYjX5 FVsp1n6x7XWPqbDLgc1yIaf/lqKf0CCEsSbOfakzzddKoYIdLiUeJCBaiyiG/hi3 nqnkZP/GX9dV4yP+/2Pzw6883RsZqFatJDJLMFlNIpXwMNirXKxWICHUa0ZA6P9+ tV7zs5eKxZNHkmK34hPvqsu2+UoqBLS/ugjuecpMu9OJcCprgosejIfTloqKpVzX cr4iLFjhxXuBu+PwuDYlOJP14jOUP7cKtdIBshExwajaM7BY7TOPZOQ7D2C6PL/s s/HmsN9FjLkUR5WLsLxTMmM/ooWh6jvEqwu+3QunegWIHs3LjkgzkXYoiASQVYiK 5R0CER2yyVa+P4YMzL/F5PxFFV6tblUxasgS6Ut75/Y/Y4dmomOY/6sbiACfJKyw QLM0ShiRnIiuUcVgRFOBWHV6ZHL21n6vrDRLzJzaGD2etTrLb+PPs98HDVmZIoiu Omfyz4i6/kZ/trGtzcYmn/sAo7UtSet3OBEEHEUPKWp17YcaKhObFc6PT7tyI3IO wKTn0Li+fygGiQmak4Q4 =d9Oc -----END PGP SIGNATURE-----
participants (8)
-
aestetix -
Cathal Garvey -
MrBiTs -
mroq qorm -
Natanael -
rysiek -
stef -
The Doctor