Facebook.com is one of the most frequently accessed URLs in the world, but on Friday the social network unveiled a new one: facebookcorewwwi.onion.
That address serves up a version of Facebook’s service accessible only via the Tor anonymity software. Tor users include dissidents trying to avoid censorship, criminals, and U.S. government workers who need to escape scrutiny from foreign security services.
Facebook says it launched the site to better serve people who already access its services via Tor but are sometimes blocked by its automatic security controls. The organization behind Tor says hundreds of thousands of people access the site this way, for example from within Iran and China, countries where government authorities block Facebook access.
The new .onion site will prevent Tor users from being blocked and also offers additional security. Security experts that advised Facebook on its new service say it shows how Web companies can help people preserve their security and anonymity online.
If you access Facebook’s .onion address, your Internet service provider or authorities won’t be able to tell that you did so. That could be useful to people trying to share news of protests from inside a country where the Internet is monitored and censored, such as Syria. Once you are logged onto Facebook, the company will log your activity as normal.
“People can now access Facebook over Tor without leaving the Tor network,” says Steven Murdoch, a research fellow at University College London who advised the company on its new service. “Traffic is protected all the way from the user to Facebook and so is safer.”
The Tor software works by connecting to a network of computers around the world known as “nodes.” When you access a website via Tor, your data hops between three of those nodes in encrypted form before traveling to the operator’s server. Data sent back to you by that server gets the same treatment.
Tor software for website operators allows them to create a .onion address – known as a “hidden service” – and obscure the true identity and location of their servers. By using that, Facebook is the only major Web company to join what is dubbed the “dark Web.” Previously, the highest profile examples of dark Web sites were the New Yorker’s Strongbox for anonymous tips, and the notorious but now defunct Silk Road marketplace, where people paid for illicit goods, including drugs, using the digital currency Bitcoin.
Facebook also operates its .onion service in a novel way that should make it more secure than other parts of the dark Web. Connections to the social network’s hidden site are encrypted using the SSL protocol (visible to a user as a padlock in a browser’s address bar), protecting data against attacks by someone controlling a node in the Tor network.
Facebook uses an SSL certificate from an established certificate authority for its .onion address to vouch for its authenticity. Such a certificate has never been obtained for an .onion site before, says Runa Sandvik, a security researcher who contributes to the Tor Project and advised Facebook on its new service. She says that Facebook’s novel approach could be a model for sites that wish to provide a higher level of security and privacy to people who want it. “I hope that other tech companies follow Facebook and set up Tor hidden services for their platforms,” she says.
Facebook says it plans to be open about its technical implementation of the new site and its experiences with it. “We hope to share some of the lessons that we have learned, and will learn, about scaling and deploying services via the Facebook onion address,” Facebook security engineer Alec Muffett wrote Friday in a blog post announcing the new service.