Facebook on Friday began offering a way for security and Privacy conscious users to connect to its social networking service using the anonymizing service running on the Tor network, by launching a .onion address. This is really a historic move of the social network.
Tor Browser is an open source project, launched in 2002, designed to increase the anonymity of your activities on the Internet by not sharing your identifying information such as your IP address and physical location with websites and your service providers. Browsing and data exchange over a network is made through encrypted connections between computers.
The social network just created a special URL – https://facebookcorewwwi.onion – that will allow users running Tor-enabled browsers to connect Facebook's Core WWW Infrastructure. Hidden services accessed through the Tor network allow both the Web user and website to remain anonymous. Do note that the Tor link will only work on Tor-enabled browsers.
"Facebook's onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud," Alec Muffett, a software engineer with Facebook's security infrastructure group, said in a blog post. "It provides end-to-end communication, from your browser directly into a Facebook datacenter."
Facebook has previously been criticised by Tor users as the company's security features treated Tor as a botnet — a collection of computers designed to attack the site. Users were able to access their Facebook account before today, but it often loaded irregularly with incorrectly displayed fonts and sometimes didn't load at all.
Back in 2013, the social network assured Tor users that the company would work with Tor service on a possible solution. Now, after a year, we can see a great move from Facebook's side with the launch of a dedicated Tor access address. However, the company said that the Tor network may poses some risks as the .onion address is described as an "experiment" by the social network.
"Tor challenges some assumptions of Facebook's security mechanisms – for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada," Alec Muffett said.
"In other contexts such behaviour might suggest that a hacked account is being accessed through a "botnet", but for Tor this is normal. Considerations like these have not always been reflected in Facebook's security infrastructure, which has sometimes led to unnecessary hurdles for people who connect to Facebook using Tor."
Furthermore, the company also offers encryption using SSL over Tor with a certificate that cites the unique Tor address, so that users won't have to deal with SSL certificate warnings and can therefore be assured they are connecting to a secure and real Facebook, preventing users from being redirected to fake sites.
Runa Sandvik, a security researcher who was consulted by Facebook on the project and previously worked at the Tor Project, tweeted, "The launch of the Facebook Tor hidden service also marks the first time a CA has issued a legitimate SSL cert for a .onion address."