Insights For Success

Strategy, Innovation, Leadership and Security

Why use Facebook over the TOR secure network

GeneralEdward KiledjianComment

When people think about the TOR network, they either think its a means for criminals to buy illicit products or for fugitives trying to hide their online activities from the law. Tor is much more than that. It is a mechanism to protect your online activities when needed.

Sitting at home, my packets bounce through dozens of different routers before they arrive at their final destination. I just performed a traceroute and had 11 hops between my computer and the Facebook site. Facebook has implemented a handful of security tools to protect your communication with it, but ultimately anyone in that chain knows where my packets are coming from and where they are going. Facebook also knows my source IP which allows it to pinpoint my (fairly accurate) location. 

There have been many highly publicized cases where twitter handed over location and IP information to law enforcement. It is safe to assume Facebook is in the same boat. Anything these companies can log could be turned over. 

ISPs monitor what you do on the Internet and sell the information for marketing purposes
— Sans Institute Security Lab

Even if you log into Facebook and they know you are, by using TOR with Facebook, you prevent your ISP or Facebook's upstream ISP from cataloging your behaviour and then selling it for marketing purposes. You also prevent Facebook from knowing exactly where you are (unless you've given them the permission to use your smartphone's GPS). 

Tor can’t solve all anonymity problems. It focuses only on protecting the transport of data. You need to use protocol-specific support software if you don’t want the sites you visit to see your identifying information.
— TOR project

Prior to Facebook implementing a TOR presence (https://facebookcorewwwi.onion/), accessing it usually meant you had a slow performing site that typically didn't render properly. This access issue stemmed from the fact that the Facebook's site management system viewed all TOR traffic as malicious botnet traffic and treated it accordingly. (Accessing Cloudflare protected sites or many Google properties via TOR will see you be given a challenge, to prove you are not a bot trying to attack their systems). 

Cloudflare captcha challenge when you access my site via a TOR enabled browser.

Cloudflare captcha challenge when you access my site via a TOR enabled browser.

But Facebook understood that there are people that needed to use their service without leaking identification information like IP address, physical location or access route. You could be a Tibetan freedom supporter but still need to communicate with your Facebook community in the diaspora. You are less worried about Facebook knowing you and are more concerned about others knowing that you are accessing Facebook.

I tested the new site and compared it to using the regular Facebook site via TOR and the new purpose built solution is much better. In this case better means faster, more responsive and works as expected.

Facebook supporting TOR also legitimizes TOR and allows others to follow in its footsteps more easily. As an example, it was the first time a major Certificate Authority (Digicert) issued an encryption certificate allowing a site to setup an HTTS connection.

Now to be fair, this generated a tone of debate inside the security community because technically TOR offers secure communication by default without needing a certificate from a Certificate Authority.  Many security researchers saw this as a cash grab by certificate authorities but others supported it as a move towards a more private internet. Since we (the security community finally) have  brainwashed people into thinking https good - http bad, we don't want to start breaking that important habit.

Benefits of a .onion address

A .onion address is the equivalent of a .com on the normal web except it brings with it 3 main benefits.

  1. A TOR service uses TOR circuit technology which makes locating the endpoint very difficult.
  2. The .onion address is a hash of the site key which means it is self authenticating. When you visit a .onion address, your browser automatically authenticates that you are actually talking to the site you think you are talking to.
  3. There is a process called rendezvous which provides end to end encryption for all traffic using a tor service even for unencrypted apps. This is why the communicate had a heated debate when Facebook implemented a TLS certificate for its TOR site.

How did Facebook get its .onion address?

In the above list, item 2 says the .onion address is a hash of the site key. Then how did Facebook manage to get something as memorable as https://facebookcorewwwi.onion/ ?

After all typical TOR hidden service addresses don't look that "normal". The TOR hidden service address for the DuckDuckGo search engine is http://3g2upl4pq6kufc4m.onion/  It isn't as easy to remember as the Facebook one is it?

They didn't bribe anyone and they didn't break the rules. They actually tested thousands of keys. They started testing keys where the hash of the first 40 bits would generate "facebook". Once they found this, they used the remainder to find keys that would generate memorable works (in this case settling on "corewwwi").

So Facebook played by the rules and still got what it wanted, a memorable TOR hidden service address.

    Securely Access Facebook via TOR on Android

    As more and more of Facebook's customers access the site via mobile device, the security team decided to accommodate them and did the unthinkable: Facebook added TOR access to its mobile app using the wonderfully simple TOR gateway Orbot

    To use this feature, download Orbot :

    • from the developer as an APK
    • from FDroid
    • from the Google Play store

    Once it is installed and activated, go back to the facebook app and browser the settings screen until you see App Settings then turn on the TOR functionality.

    Only weirdos would use TOR for Facebook. Right?

    On April 22, Facebook announced that 1M people had used Facebook via TOR during a 30 day cycle. 

    This growth is a reflection of the choices that people make to use Facebook over Tor, and the value that it provides them.
    — Facebook blog entry

    1M users is just a small sliver compares to Facebook's overall user population but it is still 1M people that probably wouldn't have been able to use their service. And use of TOR for Facebook has been increasing steadily since its launch.

    TOR is slower

    The one complaint I hear from TOR users is that TOR is slower than the "normal" web and this is true. When driving from A to B, the fastest route is always the direct one. If you take 12 detours, your trip will be much longer. The same is true for TOR traffic. To protect the identity of the source and destination, every packet is whirled through many different TOR nodes across the world and encrypted/decrypted. This is a necessity but does slow down browsing.

    Donate to the TOR project

    The TOR project is a 501(c)(3) USA not for profit research organization and it depends on donations to keep going. If you believe in what they are doing, why not throw a couple of dollars their way and help them continue making TOR faster, better and more stable

    Donate here


    Facebook TOR mobile login webpage

    Facebook TOR mobile login webpage

    You will still be challenged to validate the browser if its the first time you are using it to log in or you configured your TOR browser to automatically clear all data after each session. Using the mobile app via OrBot on Android prevents this.

    You will still be challenged to validate the browser if its the first time you are using it to log in or you configured your TOR browser to automatically clear all data after each session. Using the mobile app via OrBot on Android prevents this.