https://facebookcorewwwi.onion/

Fri Oct 31 12:04:23 PDT 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 10/31/2014 07:58 AM, rysiek wrote:

> 1. HTTPS to TOR Hidden Service? Why?

- From the official announcement:

"We decided to use SSL atop this service due in part to architectural
considerations - for example, we use the Tor daemon as a reverse proxy
into a load balancer and Facebook traffic requires the protection of
SSL over that link. As a result, we have provided an SSL certificate
which cites our onion address; this mechanism removes the Tor
Browser's ''SSL Certificate Warning'' for that onion address and
increases confidence that this service really is run by Facebook.
Issuing an SSL certificate for a Tor implementation is - in the Tor
world - a novel solution to attribute ownership of an onion address;
other solutions for attribution are ripe for consideration, but we
believe that this one provides an appropriate starting point for such
discussion."

Source:
https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237

> 2. How did they get to control 15 characters (I assume the "i" was
> random) in the .onion address? That's a *LOT* of number crunching.
> If they are able to do this, it means they are able (or are very
> close to) bascially spoof *any* .onion address.

They definitely have the processing power to brute-force a vanity
.onion address - who-knows-how-many data centers around the world
worth of processing power.  We don't know how long they've been trying
to generate a memorable one, either.  It could have been weeks or months.

Reportedly, Runa Sandvik and Steven Murdoch advised them on this
project.  Maybe they can shed some light on this.

- --
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Media devices have off switches. Your mind doesn't.