Facebook opens up to Tor users with new secure .onion address

For those who are concerned about their privacy post-Snowden, there are various ways to boost online privacy such as using the anonymizing Tor browser. Browsing the internet anonymously is something that scares the authorities -- there were reports just a couple of months ago that Comcast was threatening to cut off customers who chose to use Tor -- but now Facebook has opened up to the idea.

The social network -- often criticized for its own privacy policies -- has lifted its bans on using Tor, and has created a secure URL (https://facebookcorewwwi.onion/). This can be used to visit Facebook using any Tor-enabled browser and adds a few extra layers of protection for those looking to stay secure. While the idea of anonymity on Facebook may seem oxymoronic, there is a degree of logic.

One of the key benefits of using Tor is that it enables users to bypass locally enforced censorship and blocks, but until now Facebook has blocked access via Tor. The fact that Tor traffic bounced around the internet multiple times in a bid to disguise its origin, it was often flagged as suspicious by Facebook for appearing like botnet activity. This is no longer the case as the new URL opens up access to the security-minded.

Software engineer Alec Muffett explains that, "Facebook's onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud". Accessing Facebook via Tor using the .onion address means connecting directly to Facebook's Core WWW Infrastructure (hence the URL). This allows for direct communication with Facebook, effectively sidestepping browsing restrictions that may have been put in place by local governments, and avoiding any surveillance that might be carried out on traffic that is permitted.

Facebook's Tor-friendly TLD is the first .onion address to be granted a SSL certificate. Muffett says:

We decided to use SSL atop this service due in part to architectural considerations - for example, we use the Tor daemon as a reverse proxy into a load balancer and Facebook traffic requires the protection of SSL over that link. As a result, we have provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser's “SSL Certificate Warning” for that onion address and increases confidence that this service really is run by Facebook. Issuing an SSL certificate for a Tor implementation is - in the Tor world - a novel solution to attribute ownership of an onion address; other solutions for attribution are ripe for consideration, but we believe that this one provides an appropriate starting point for such discussion.

Despite what some news reports say, this is not a way to stay anonymous on Facebook. You still log into your regular account and use it in the same way. What the .onion URL does is ensure that nothing happens to your data as it travels from your computer to Facebook and back.