Blog Post

Facebook becomes directly accessible through Tor’s anonymity network

Facebook has made it easier to access the social network through multiple layers of encryption and without disclosing your true location, by allowing direct access as a hidden service through Tor’s anonymity-focused browser.

Tor sometimes comes up against the security mechanisms of sites — such as Facebook and banking sites — that its users are trying to visit. Because it bounces browsing traffic between a number of nodes, so as to obscure the user’s actual location, it can sometimes display the same characteristics as techniques hackers use to hide their identity.

Working with Tor Project advocate Runa Sandvik and Steven Murdoch – the developer who originated the Tor Browser – [company]Facebook[/company] solved the problem by creating a .onion address for the social network. These addresses can only be accessed through Tor’s network, and are often used for anonymous, hidden “deep web” services.

As Facebook software engineer Alec Muffett said in a Friday post:

The idea is that the Facebook onion address connects you to Facebook’s Core WWW Infrastructure […] and it reflects one benefit of accessing Facebook this way: that it provides end-to-end communication, from your browser directly into a Facebook datacentre.

Muffett also explained that Facebook now provides an SSL security certificate that cites its .onion address: “Issuing an SSL certificate for a Tor implementation is — in the Tor world — a novel solution to attribute ownership of an onion address; other solutions for attribution are ripe for consideration, but we believe that this one provides an appropriate starting point for such discussion.” The .onion address doesn’t provide access to Facebook’s mobile-optimized site, by the way.

An awful lot of Tor users are privacy-minded people who wouldn’t touch Facebook with a ten-foot pole, but problems with accessing such services are a hindrance to Tor’s wider adoption, or at least to more everyday Tor usage.

This move is a good one for those who want to grant themselves a bit more privacy (and a bit less speed) as they use the web, though Tor is not entirely bulletproof. Also, Facebook still has a real-names policy, so at least in terms-of-service terms we’re not talking about leading an anonymous online life.