On Fri, Oct 31, 2014 at 08:54:27AM -0400, Roger Dingledine wrote:
> I talked to them about this. The short answer is that they did the vanity
> name thing for the first half of it ("facebook"), which is only 40 bits
I've put up many other thoughts at
https://blog.torproject.org/blog/facebook-hidde
On 10/31/2014 11:07 AM, Mike wrote:
> Here is an obvious question that I can't figure out.
> Why would you use a service that cares nothing about keeping your details
> secret?
> They'll give you up to the state faster than you can blink.
>
> If you are in a country that blacklists facebook, (chin
On Fri, Oct 31, 2014 at 01:07:24PM -0400, Mike wrote:
> Here is an obvious question that I can't figure out.
> Why would you use a service that cares nothing about keeping your details
> secret?
> They'll give you up to the state faster than you can blink.
>
> If you are in a country that blacklis
On 31.10.2014 21:25, Derric Atzrott wrote:
>>> Honestly if I was running an exit node still. I'd just add
>>> facebook to nullroute right now.
>>
>> That would probably have gotten you the BadExit flag, though.
>
> He wouldn't get it if he advertised
>> Honestly if I was running an exit node still. I'd just add facebook
>> to nullroute right now.
>
> That would probably have gotten you the BadExit flag, though.
He wouldn't get it if he advertised that Facebook was
null routed though right? As in he rejects it in his exit
policy.
Thank you,
D
On 31.10.2014 18:07, Mike wrote:
> Honestly if I was running an exit node still. I'd just add facebook
> to nullroute right now.
That would probably have gotten you the BadExit flag, though.
Here is their blog post about the matter:
https://blog.ian.sh/2014/10/31/tls-over-tor/
They have successfully managed to get a certificate issued with
facebookcorewwwi.onion in the subjectAltName field. The cert file:
https://paste.ian.sh/raw/omegi
The subjectAltName:
DNS:certly.io, DNS:
Here is an obvious question that I can't figure out.
Why would you use a service that cares nothing about keeping your details
secret?
They'll give you up to the state faster than you can blink.
If you are in a country that blacklists facebook, (china) logging onto
facebook should be the least of
It appears that someone has been issued a facebookcorewwwi.onion cert
from another CA as .onion has no way of verifying a collision.
https://news.ycombinator.com/item?id=8538527
On Fri, Oct 31, 2014 at 12:12 PM, Andreas Krey wrote:
> On Fri, 31 Oct 2014 16:49:38 +, AFO-Admin wrote:
> ...
>> H
https://news.ycombinator.com/item?id=8538281
On Fri, Oct 31, 2014 at 5:47 PM, Murdoch, Steven
wrote:
> Facebook have now provided a Tor hidden service, see:
>
> https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
>
> —
> Facebook Onion Add
On Fri, 31 Oct 2014 16:49:38 +, AFO-Admin wrote:
...
> Hi,
> I really think that this is a good thing, because I think this hidden
> service will get a lot of attention in countries where Facebook is
> blocked.
In blocking countries you'll use Tor whether you go to the .com
or the .onion domain. The
Hi,
I really think that this is a good thing, because I think this hidden
service will get a lot of attention in countries where Facebook is
blocked. So it will get one of their goals to improve hidden service
scalability and performance which is good f
Thank you for doing this! I'm glad to see a site as huge as facebook has
decided to start implementing a HS for their users.
Colin
On October 31, 2014 8:35:50 AM EDT, Alec Muffett wrote:
>Hi - My name's Alec, I work for Facebook and am the team lead for
>Facebook
>over Tor.
>
>Long story short
Facebook have now provided a Tor hidden service, see:
https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
—
Facebook Onion Address
Facebook's onion address provides a way to access Facebook through Tor without
losing the cryptographic pr
Do you intend to extend to other darknet networks, too?
On Fri, Oct 31, 2014 at 12:35:50PM +, Alec Muffett wrote:
> Hi - My name's Alec, I work for Facebook and am the team lead for Facebook
> over Tor.
>
> Long story short: details will come out later, but we just did the same
> thing as ev
http://facebookcorewwwi.onion/
"Generating this private key was no accident, it was God's will."
On Fri, Oct 31, 2014 at 8:35 AM, Alec Muffett wrote:
> Hi - My name's Alec, I work for Facebook and am the team lead for Facebook
> over Tor.
>
> Long story short: details will come out later, but
This is scary. Can someone calculate how much computer power they
used to generate the 11 chars?
- Message from Sam Pizzey -
Date: Fri, 31 Oct 2014 12:47:32 +
From: Sam Pizzey
Reply-To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Facebook brute forcing h
> What's the behavior when two services have the same .onion address?
The one with the most recent announcement wins.
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
On Fri, Oct 31, 2014 at 8:54 AM, Roger Dingledine wrote:
> On Fri, Oct 31, 2014 at 12:23:02PM +, Mike Cardwell wrote:
>> https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
>>
>> So Facebook have managed to brute force a hidden service k
There are a lot of tools out there that generate vanity hidden service
addresses. Facebook merely used something like Shallot [1], or they
purchased the hidden service address off of one of the domain brokers that
are hosted as a hidden service. Generating an address does not mean
cracking an addre
* on the Fri, Oct 31, 2014 at 08:54:27AM -0400, Roger Dingledine wrote:
>> https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
>>
>> So Facebook have managed to brute force a hidden service key for:
>>
>> http://facebookcorewwwi.onion/
>>
Hi - My name's Alec, I work for Facebook and am the team lead for Facebook
over Tor.
Long story short: details will come out later, but we just did the same
thing as everyone else: generated a bunch of keys with a fixed lead prefix
("facebook") and then went fishing looking for good ones.
I feel
On Fri, Oct 31, 2014 at 12:23:02PM +, Mike Cardwell wrote:
> https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
>
> So Facebook have managed to brute force a hidden service key for:
>
> http://facebookcorewwwi.onion/
>
> If they have
Indeed and I hope they share too - I didn't mean to imply any knowledge of
the incident, just explaining in plain language why brute forcing is
involved, to people who are confused.
On Fri, Oct 31, 2014 at 12:50 PM, s7r wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
>
> On 10/31/20
Got it. What's the behavior when two services have the same .onion address?
On 31/10/14 13:50, Mike Cardwell wrote:
> You don't get to pick the ".onion" address. It is derived from the key
> you randomly generated.
>
> However, you can just keep generating keys over and over again until
> you get
On 10/31/2014 2:47 PM, Sam Pizzey wrote:
> So called 'vanity' addresses are essentially a brute force -
> generating tons of keys until you get one that starts with the
> prefix you want. The difference is that 'bob1d8rhdu2h.onion' is a
> lot less sp
* on the Fri, Oct 31, 2014 at 01:44:46PM +0100, David Rajchenbach-Teller wrote:
>> tl;dr You can now log into facebook via a Hidden Service.
>>
>> -T
>
> That's the part I understood. The part I didn't understand is how this
> is related to bruteforcing.
You don't get to pick the ".onion" addre
So called 'vanity' addresses are essentially a brute force - generating
tons of keys until you get one that starts with the prefix you want. The
difference is that 'bob1d8rhdu2h.onion' is a lot less specific than
facebookwwwi.onion - if Facebook can brute force arbitrary strings like
that, they can
On 31/10/14 13:41, Thomas White wrote:
> tl;dr You can now log into facebook via a Hidden Service.
>
> -T
That's the part I understood. The part I didn't understand is how this
is related to bruteforcing.
Cheers,
David
--
David Rajchenbach-Teller, PhD
Performance Team, Mozilla
signature.a
tl;dr You can now log into facebook via a Hidden Service.
-T
On 31/10/2014 12:37, David Rajchenbach-Teller wrote:
> That article is extremely vague. Can someone explain exactly what
> happened for someone like me who has very limited understanding
That article is extremely vague. Can someone explain exactly what
happened for someone like me who has very limited understanding of Tor?
Thanks,
David
On 31/10/14 13:23, Mike Cardwell wrote:
> https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754
https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
So Facebook have managed to brute force a hidden service key for:
http://facebookcorewwwi.onion/
If they have the resources to do that, what's to stop them brute
forcing a key for any ot
See subject