Facebook is often criticised over privacy concerns, but the social network just made a historic move in the name of security and anonymity. The social network just created a dedicated Tor link that ensures people who visit the site from the anonymous web browser won’t be mistaken for botnets. This is a big deal, mostly because it’s Facebook.
Before I say anything else, this is the Tor address, and if you’re a Tor user who also uses Facebook, you should start using it immediately: https://facebookcorewwwi.onion/
Now about that big deal claim. Today’s news means that Facebook is the first website with a Certificate Authority to launch a dedicated Tor URL and certified connection through the browser. While you may think of Facebook as the pioneer of invading your digital privacy, the company has done a much better job pioneering better security methods on the internet. This is not surprising, since so many people use Facebook and a compromised Facebook accounts can do real damage. It is good news to know that this behemoth is using some of its mountains of cash to make the internet a safer place.
As for the new Tor URL itself, the need was clearly there. Over the years, Facebook has received tons of complaints from users who said that the site doesn’t work right in the Tor browser. For instance, fonts were all over the place, and ads were weird. Facebook, meanwhile, realises that Tor’s method of routing connections through several computers in order to preserve the users’ anonymity compromises some of the many important security measures the site has already implemented (e.g. HTTPS, Perfect Forward Security, HSTS, etc.). Namely, Facebook’s security measures often think that users logging into the site through Tor are not actual humans but rather botnets trying to cause trouble.
This is true! I just tested it out. I logged into my dusty old Facebook profile from Chrome and everything was normal. Then, with that Facebook tab still open, I fired up Tor and navigated to facebook.com, where I was greeted by the normal log in screen. That’s when things got weird. Facebook immediately thought I’d been hacked:
Simultaneously, the Facebook tab I had open in Chrome went dark. Facebook automatically signed me out. I didn’t even refresh the page, I was just kicked out. This is normal for a potential Facebook hack, but a little bit startling nevertheless.
So, in order to get into my account, I went through the motions which were sort of fun:
And the, finally, I got in. My home page looked normal enough, but when I navigated over to my Timeline, I found that it was indeed weird and broken-looking:
I don’t actually mind the serif font on my Facebook page. But the fact that it indicates there’s something wrong happening under the hood is definitely unsettling. So I tried the new, Tor-specific URL. It works — sort of.
Facebook did make me log in again — which is a good thing — but this time it didn’t think I was a hacker. My News Feed looked and worked perfectly. But! That damn serif font is still there on my Timeline. Again, it’s not a huge deal, and this is a brand new product that Facebook will clearly improve over time. But it’s a step in the right direction for Facebook, for Tor, for anonymity, and for the internet as a whole. Good job, Zuck and company! [Facebook]