On Friday, Facebook announced that the popular social network will be available to users of the Tor anonymizing browser. To eliminate warnings that might prevent users from accessing the .onion service, help users identify the service, and help reduce the likelihood of spoofing attacks, DigiCert issued a digital certificate to Facebook’s .onion address. DigiCert supports the goals of both Tor and Facebook in this endeavor and is proud to issue certificates for use with these services.
The Tor project helps users browse the web anonymously—and service providers, like Facebook, have a strong interest in identifying their service to Tor users. Using a digital certificate from DigiCert, Tor users are able to identify the exact .onion address operated by Facebook. Tor users can evaluate the digital certificate contents to discover that the entity operating the onion address is the same entity as the one operating facebook.com.
According to privacy and security researcher Runa Sandvik (who is also a Tor advocate and volunteer), this action represents the first publicly trusted SSL Certificate issued for the Tor browser and its .onion top-level domain. This action also helps solve other security architecture issues resulting from incongruities between Facebook’s policies and the way Tor operates. For example, when users previously connected to Facebook via Tor, they could receive “SSL Certificate Warning” messages and were unable to reliably verify that they were connecting to the authentic Facebook site. Also, users were often locked out when connecting over Tor because Tor routes users’ connections around the world. In these cases, Facebook would treat users as “hacked” since their location would vary throughout the world. Using the .onion address prevents the lock-out from occurring.
According to Facebook Security Engineer Alec Muffett:
“Over time we hope to share some of the lessons that we have learned - and will learn - about scaling and deploying services via the Facebook onion address; we have many ideas and are looking forward to improving this service. A medium-term goal will be to support Facebook's mobile-friendly website via an onion address, although in the meantime we expect the service to be of an evolutionary and slightly flaky nature.
We hope that these and other features will be useful to people who wish to use Facebook's onion address.”
As a company that has long supported the Tor Project in its efforts to provide a secure internet where people can freely express their ideas, DigiCert is continuing to work with Tor and Facebook on how best to support this project moving forward. We are confident that SSL/TLS has the ability to support many more communities and users looking to benefit from authenticated and encrypted internet use, including possibly in conjunction with the Tor browser, and we’re open to working with other organizations that advance the goal of secure browsing.
Overall, this is a positive move for enabling greater security on the web and we commend Facebook and the Tor Project for their forward-thinking mindset.
One final note: We’ve had other folks contact us about getting a .onion certificate. We think there is value in any efforts to provide SSL/TLS security for Tor, but only if the right security controls can be put in place. Right now, we are in the process of evaluating how best to implement strong validation policies before possibly offering such certificates beyond the one for Facebook. We’re also exploring some possibilities with standards bodies. We’ll report more about these efforts in the future.