Facebook Adds Tor Support

Facebook: 10 New Changes That Matter

Facebook has begun offering access to users through Tor, software that allows people to use the Internet anonymously.

Developed to protect US intelligence communication by the US Naval Research Laboratory in the mid-1990s and augmented by the Defense Advanced Research Projects Agency (DARPA), The Onion Routing (TOR) project was first released in 2002 and has become the gold standard for online anonymity.

It remains controversial only because some believe privacy can be made available to some but not to others, as if guns worked only for the good guys or encryption had a backdoor only the good guys could access. It is a tool that provides pretty good anonymity, for better or worse.

Tor has been used to protect intelligence and to expose it -- former NSA contractor Edward Snowden used Tor (in conjunction with Tails) to pass information on the National Security Agency's Prism system to the press. It has been used to protect individuals from abuse by political oppressors and violent stalkers; it has also been used to protect individuals who commit crimes.

[Should we love or fear a world of Internet-connected objects? Read The Internet of Things: 7 Scary Security Scenarios.]

Facebook wants to make it easier for Tor users to connect to its social network, an act that in some countries might pose problems. For example, Facebook has been banned in China since 2009, a consequence of government concerns about social media as a catalyst for such things as the ethnic riots in the Xinjiang region.

Tor users have been able to connect to Facebook in the past, but not without problems. Facebook security engineer Alec Muffett explains in a blog post that Tor presented problems for the company's security infrastructure: "Tor challenges some assumptions of Facebook's security mechanisms -- for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada. In other contexts such behaviour might suggest that a hacked account is being accessed through a 'botnet,' but for Tor this is normal."

Facebook has improved Tor access through a special URL, https://facebookcorewwwi.onion, that works only for Tor-enabled browsers. And it has taken the unusual step of providing an SSL certificate to affirm the authenticity of the Facebook onion address. This marks the first time a certificate authority has issued an SSL certificate for a Tor .onion address. 

There's an element of cognitive dissonance in all this: The notion of using anonymity software to access an account strongly tied to personal identity, at a service with a long history of privacy challenges, is full of contradictions.

But Facebook has been softening its stance on identity and moving to improve security, perhaps because its previous calls to share everything sound odd now that the NSA's efforts to gather everything have come to light. The social network recently acknowledged that drag queens should be able to use stage names as their Facebook identities and has allowed Facebook login to function anonymously in third-party apps. Like other companies offering cloud-based services in the wake of Snowden's revelations about the breadth of data gathering by government authorities, Facebook has had to take steps to restore faith in the security it provides to users.

Unfortunately, Tor might not be enough to protect Internet users from scrutiny. According to The Guardian, the NSA targets users of Tor and can generally identify them.

It's safe to assume that other governments are trying to do so as well and might be able to. Russia's Interior Ministry over the summer offered 3.9 million rubles (US$90,000 at current rates) for information that could defeat Tor, which has seen growing usage in that country.

You've done all the right things to defend your organization against cybercrime. Is it time to go on the offensive? Active response must be carefully thought through and even more carefully conducted. This Dark Reading report examines the rising interest in active response and recommends ways to determine whether it's right for your organization. Get the new Identifying And Discouraging Determined Hackers report today (free registration required).