Facebook, one of the companies most interested in mining personal data in the tech industry, announced that it now has an .onion address within the Tor network, which allows users to connect directly to its data center securely.
The .onion address is much like a regular web address, but you can only connect to it from within the Tor network and by using the Tor Browser. This Tor feature can give both a degree of anonymity (still being researched how good it actually is for that) for certain services, and also increased security against attacks.
Onion addresses are usually strings of random characters, rather than complete words, but it seems Facebook managed to brute-force the word "facebook" into it and then just generated the second half of the address many times until it got a few other words that would make sense. This is how the company came up with the following Onion address: https://facebookcorewwwi.onion/.
Facebook said that the name stands for Facebook Core WWW Infrastructure, alluding to the fact that users can connect from the Tor network directly to its data center.
“Facebook's onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud," said the company in an online post.“The idea is that the Facebook onion address connects you to Facebook's Core WWW Infrastructure - check the URL again, you'll see what we did there - and it reflects one benefit of accessing Facebook this way: that it provides end-to-end communication, from your browser directly into a Facebook datacentre."
Although Facebook doesn't specifically mention who this feature is targeting, it's most likely not something to be used by the vast majority of Facebook users. The reason for that is there's no point in connecting to Facebook over Tor to stay anonymous if you're going to login with your real Facebook account and post personal information about yourself, pictures of yourself or your family, and so on. If you do that, you won't be anonymous anymore, defeating the entire point of using Facebook over Tor.
This feature is most likely going to be used by some people in countries with oppressive governments, who have been using Facebook accounts with pseudonyms already, trying to stay hidden from their governments but at the same time speaking their minds freely and trying to promote a certain cause through Facebook and to its massive online audience.
These are the type of users that would most benefit from using Facebook over Tor, because unlike pseudonyms, Tor could actually protect their identities and make it much harder or impossible for governments to hunt them down.
The question now is why Facebook would even want this type of user. Facebook, the platform, has been used for change in many countries, and Facebook must want to keep being a part of that, instead of seeing users flock to other more private and more secure platforms.
Facebook has already launched the "anonymous" Facebook login service, and the "Rooms" chat app where users can discuss topics without revealing their names -- a sort of competitor to Secret.ly. However, by now many people know that these services and apps aren't actually anonymous, but "pseudonymous." They don't reveal the user names directly, but through tracking, you could still be easily identified by Facebook. The only practical solution for real anonymity right now is Tor, so today's announcement marks the first time Facebook users can actually be anonymous.
The announcement is also part of a series of security updates to Facebook's infrastructure. Last year, Facebook discovered from the Snowden leaks that NSA was interposing between itself and its users, in order to spy on them or send them malware. Since then, Facebook has taken some measures to increase the security of its service, such as using Perfect Forward Secrecy (PFS) and HTTP Strict Transport Security (HSTS).
With PFS, the server basically rotates the private encryption keys on a regular basis (probably every few weeks in Facebook's case), so if one is stolen, the damage is minimal. HSTS is another highly important security policy more services should be adopting along with PFS. By using HSTS, sites can instruct browsers to only connect using HTTPS, which creates an encrypted connection. The attacker then can't perform a Man-In-The-Middle attack, such as the ones committed by the NSA.
Facebook may still not be the most privacy-friendly company in the world, but it seems it's at least trying to become better at securing its users' data against malicious attackers, whether those are individual bad actors or oppressive governments. The adoption of Tor could also encourage more people to start using Tor in general, which should lead to an increase in online private browsing.
Follow us @tomshardware, on Facebook and on Google+.
