Facebook has made its site directly available on Tor to prevent access problems for people using the anonymity network and to provide an alternative method of accessing the social network securely.
Tor, short for The Onion Router, is software designed to offer users better privacy when browsing the Internet. It routes traffic through a network of worldwide servers in order to mask the user’s location. The system is widely used by people who don’t want to reveal their real IP address while browsing and it is also used by people to access services that are blocked by governments in some countries.
Facebook also allows access to the site via HTTPS (Hypertext Transfer Protocol Secure) and other technologies designed to give people more confidence that they are connected securely to the social network.
However, the way Tor works sometimes poses a problem for Facebook and its users, said Muffett.
“Tor challenges some assumptions of Facebook’s security mechanisms—for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada. In other contexts such behavior might suggest that a hacked account is being accessed through a ‘botnet’, but for Tor this is normal,” he said.
The setup of Facebook’s security infrastructure has sometimes led to unnecessary hurdles for people who connect to Facebook using Tor. To make the user experience better for Tor users, the site has been made available with an “onion” address.
A quick glance around Facebook on Tor showed no obvious differences with the regular Facebook site, though it was a bit slower, probably due to traffic routed through a couple of relays. Facebook expects the service “to be of an evolutionary and slightly flaky nature.”
“Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud,” Muffett said, adding that the idea is that the .onion address lets people connect to Facebook’s Core WWW Infrastructure. It provides a direct connection from the browser into a Facebook data center.
Moreover, Facebook also decided to encrypt the connection between clients and its server with SSL, providing an SSL certificate for Facebook’s onion address. This was done both for internal technical reasons and as a way for users to verify Facebook’s ownership of the onion address.
“Issuing an SSL certificate for a Tor implementation is—in the Tor world—a novel solution to attribute ownership of an onion address; other solutions for attribution are ripe for consideration, but we believe that this one provides an appropriate starting point for such discussion,” Muffett said.
Since it is still an experiment, Facebook hopes to improve the service and said it would share lessons learned about scaling and deploying services via an onion address over time. In the medium term, Facebook plans to support a mobile friendly version of the site via an onion address.