Facebook Lifts Tor Ban, Creates Accessible Onion

Last week, Facebook officially announced they would be removing their ban on incoming traffic based out of Tor relay, and even has plans to set up their very own onion that users can connect to if they need to update their status from a Tor based machine.


Photo: Gil C / Shutterstock

Access to Facebook from Tor-enabled browsers has been blocked for a number of years, with the social media company claiming concerns that the service could be used to launch unauthorized attacks on their servers.

The company has since been working with Tor to create a safe channel that both sides of the equation could feel secure with, customizing its system not to set off alarm bells when it receives a connection that appears to come from three different countries at once.

Much of the encryption technology that Tor relies on to keep the identity of its users anonymous utilizes the same techniques that Facebook flags as potential attacks, including IP ghosting, multiple proxy servers installed down the line, and randomizing data to make it look like it’s coming from a botnet instead of a single computer.

“Tor challenges some assumptions of Facebook’s security mechanisms – for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada,” Facebook senior engineer Alec Muffett said in announcing the move.

“In other contexts such behavior might suggest that a hacked account is being accessed through a ‘botnet’, but for Tor this is normal.”

Facebook also says they’ll be including increased SSL protections on each data stream to its Tor onion, creating a certificate that should be able to prevent users from being redirected to malicious sites laden with phishing software and infected links.

“We decided to use SSL atop this service due in part to architectural considerations – for example, we use the Tor daemon as a reverse proxy into a load balancer and Facebook traffic requires the protection of SSL over that link.

As a result, we have provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser’s “SSL Certificate Warning” for that onion address and increases confidence that this service really is run by Facebook.”

Though of course, if you’re using Tor to sign into a server that contains pretty much all of your identifying information on one page, you’re sort of defeating the purpose of keeping yourself anonymous in the first place. If your primary concern when browsing the net is to remove any data that might leave a breadcrumb trail back to who you actually are, the idea of connecting to an onion at Facebook seems to directly contradict that effort from the get-go.

Regardless of how much sense it makes, it’s good to see that Facebook is adopting newer technologies that err on the side of caution than anything else.

Anyone looking to access the freshly-minted onion can find the site at the URL: https://facebookcorewwwi.onion.