But Facebook understood that there are people that needed to use their service without leaking identification information like IP address, physical location or access route. You could be a Tibetan freedom supporter but still need to communicate with your Facebook community in the diaspora. You are less worried about Facebook knowing you and are more concerned about others knowing that you are accessing Facebook.
I tested the new site and compared it to using the regular Facebook site via TOR and the new purpose built solution is much better. In this case better means faster, more responsive and works as expected.
Facebook supporting TOR also legitimizes TOR and allows others to follow in its footsteps more easily. As an example, it was the first time a major Certificate Authority (Digicert) issued an encryption certificate allowing a .onion site to set up an HTTPS connection.
Now to be fair, this generated a ton of debate inside the security community because technically TOR offers secure communication by default without needing a certificate from a Certificate Authority. Many security researchers saw this as a cash grab by certificate authorities, but others supported it as a move towards a more private internet. Since we (the security community, finally) have brainwashed people into thinking https good - http bad, we don't want to start breaking that important habit.
Benefits of a .onion address
A .onion address is the equivalent of a .com on the normal web except it brings with it 3 main benefits.
- A TOR service uses TOR circuit technology which makes locating the endpoint very difficult.
- The .onion address is a hash of the site key which means it is self authenticating. When you visit a .onion address, your browser automatically authenticates that you are actually talking to the site you think you are talking to.
- There is a process called rendezvous which provides end to end encryption for all traffic using a TOR service, even for unencrypted apps. This is why the community had a heated debate when Facebook implemented a TLS certificate for its TOR site.
How did Facebook get its .onion address?
In the above list, item 2 says the .onion address is a hash of the site key. Then how did Facebook manage to get something as memorable as https://facebookcorewwwi.onion/ ?
After all, typical TOR hidden service addresses don't look that "normal". The TOR hidden service address for the DuckDuckGo search engine is http://3g2upl4pq6kufc4m.onion/ . It isn't as easy to remember as the Facebook one, is it?
They didn't bribe anyone and they didn't break the rules. They actually tested thousands of keys. They started testing keys where the hash of the first 40 bits would generate "facebook". Once they found this, they used the remainder to find keys that would generate memorable words (in this case settling on "corewwwi").
So Facebook played by the rules and still got what it wanted, a memorable TOR hidden service address.
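As an added example (not code from the original post or from Facebook), the following shows how a v2 .onion address is derived from a hidden service's RSA public key, and how a search for a memorable prefix like the one described above works. The modulus is a constructed stand-in rather than a real key, and the search varies the public exponent, which is the cheap way to produce many distinct keys.

```python
import base64
import hashlib

# Constructed 1024-bit stand-in for an RSA modulus (NOT a real key; a real
# search keeps a genuine modulus and only varies the public exponent).
MODULUS = int.from_bytes(hashlib.sha512(b"constructed example modulus").digest() * 2,
                         "big") | (1 << 1023) | 1


def der_len(n: int) -> bytes:
    """DER length octets, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(value: int) -> bytes:
    """DER INTEGER; a leading zero byte keeps a high-bit value positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    inner = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(inner)) + inner


def onion_address(public_key_der: bytes) -> str:
    """v2 address: first 80 bits of SHA-1 over the DER key, base32, 16 chars."""
    digest = hashlib.sha1(public_key_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def find_vanity_exponent(n: int, prefix: str, start: int = 65537, limit: int = 1_000_000):
    """Try odd exponents until the address starts with `prefix`; ~32**len(prefix) tries."""
    e = start | 1
    for _ in range(limit):
        addr = onion_address(rsa_public_key_der(n, e))
        if addr.startswith(prefix):
            return e, addr
        e += 2
    return None


if __name__ == "__main__":
    print(find_vanity_exponent(MODULUS, "fb"))
```

Only 80 bits of the hash appear in the address and any prefix can be searched for, so the self-authentication in item 2 applies to the complete 16 characters, not just the memorable part.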
Securely Access Facebook via TOR on Android
As more and more of Facebook's customers access the site via mobile device, the security team decided to accommodate them and did the unthinkable: Facebook added TOR access to its mobile app using the wonderfully simple TOR gateway Orbot.
To use this feature, download Orbot:
- from the developer as an APK
- from FDroid
- from the Google Play store
Once it is installed and activated, go back to the Facebook app and browse the settings screen until you see App Settings, then turn on the TOR functionality.