https://facebookcorewwwi.onion/

Natanael natanael.l at gmail.com
Fri Oct 31 09:07:51 PDT 2014


On 31 Oct 2014 17:00, "MrBiTs" <mrbits.dcf at gmail.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 10/31/2014 12:58 PM, rysiek wrote:
> > Hi all,
> >
> > so, you've probably seen this:
> >
> > http://venturebeat.com/2014/10/31/facebook-announced-it-is-now-providing-direct-access-to-its-service-over-the-tor-network/
> >
> > Apart from being torn about the move (good on Facebook to support TOR,
> > but I don't really feel like praising Facebook for
> > anything I guess), there are two WTFs here:
> > https://facebookcorewwwi.onion/
> >
> > 1. HTTPS to TOR Hidden Service? Why? /that's the smaller one/
> >
> > 2. How did they get to control 15 characters (I assume the "i" was
> > random) in the .onion address? That's a *LOT* of number
> > crunching. If they are able to do this, it means they are able (or are
> > very close to) basically spoof *any* .onion address.
> >
> > Am I missing something?
> >
>
> We're talking about it the entire morning. Nice news for a halloween.
>
> You got two great points. First of all I think they didn't catch the main
> point of TOR network. Otherwise, who's certifying SSL key?

You got those assumptions wrong, actually. But it isn't very intuitive to
begin with, so nothing to feel sad about.

They use a load balancer, where traffic needs to be encrypted. Tor network
- Facebook's Tor node - load balancer - SSL acceleration machine (?) -
Facebook servers. That load balancer might sit outside Facebook's server
halls.

> About second question, or they made a commercial agreement with people in
> TOR OR they are able to spoof any .onion address. My
> guess is for second one.

Vanity address. They bruteforced a few dozen addresses with the first half
(Facebook*), the second half was one of the lucky outputs.

If you're wondering if this makes Tor weak - not very, but partially yes.
Bruteforcing the full address is waaay harder (about 80 bits), but Tor will
still move forwards to making these addresses longer in the future with
stronger algorithms.

> Why in hell somebody in TOR network will access facecrap? If TOR intent
> to give anonymous networking, why to use a service where
> you get anything but be anonymous? Do this make sense?

Public announcements while hiding your location?
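
An added example, not part of the original message or of any Tor code: it contrasts the work needed to fix the first 8 characters of a 16-character .onion label with the work needed to match all 16 (the "about 80 bits" above). It assumes the label is the base32 encoding of the first 80 bits of a SHA-1 hash of the service's public key; random byte strings stand in for real keys, and the search rate `RATE` is hypothetical.

```python
import base64
import hashlib
import os

ADDRESS_BITS = 80   # size of a 16-character .onion label, as quoted in the message
BITS_PER_CHAR = 5   # one base32 character encodes 5 bits


def onion_label(pubkey_bytes: bytes) -> str:
    """Assumed derivation: base32 of the first 80 bits of SHA-1(public key)."""
    digest = hashlib.sha1(pubkey_bytes).digest()
    return base64.b32encode(digest[:ADDRESS_BITS // 8]).decode("ascii").lower()


def expected_tries(prefix_len: int) -> int:
    """Average number of keys generated before a label starts with a fixed prefix."""
    if not 0 <= prefix_len <= ADDRESS_BITS // BITS_PER_CHAR:
        raise ValueError("prefix must fit inside a 16-character label")
    return 2 ** (BITS_PER_CHAR * prefix_len)


def measured_tries(prefix: str, runs: int = 20) -> float:
    """Empirical mean over `runs` searches; random blobs stand in for real keys."""
    total = 0
    for _ in range(runs):
        tries = 1
        while not onion_label(os.urandom(32)).startswith(prefix):
            tries += 1
        total += tries
    return total / runs


def years_needed(prefix_len: int, tries_per_second: float) -> float:
    """Expected wall-clock years to match a prefix at a given search rate."""
    return expected_tries(prefix_len) / tries_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e9  # hypothetical search rate, keys per second
    print("2 chars: measured", measured_tries("fb"), "expected", expected_tries(2))
    for n in (8, 16):  # the "facebook" half versus the full label
        print(f"{n} chars: 2^{BITS_PER_CHAR * n} tries, ~{years_needed(n, RATE):.3g} years")
```

Each extra fixed character multiplies the expected work by 32, so a chosen 8-character half is 2^40 times cheaper than matching a complete existing label.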