Facebook is using a wildcard for SSL. The following is a list of domains/hosts the cert provides for. Notice the additional onion addresses.

Not Critical
DNS Name: *.facebook.com
DNS Name: facebook.com
DNS Name: *.fb.com
DNS Name: *.fbsbx.com
DNS Name: *.fbcdn.net
DNS Name: *.xx.fbcdn.net
DNS Name: *.xy.fbcdn.net
DNS Name: fb.com
DNS Name: facebookcorewwwi.onion
DNS Name: fbcdn23dssr3jqnq.onion
DNS Name: fbsbx2q4mvcl63pw.onion

I'm still wondering how one verifies ownership of a .onion domain? You aren't going to look at the WHOIS record and send an email to the technical contact on file, or send an email to postmaster@xxx.onion. Do large companies like FB have a fast track for getting odd requests?

On Fri, Oct 31, 2014 at 9:05 AM, AntiTree <antit...@gmail.com> wrote:
> I find the interesting part the fact that they got a CA to sign a .onion
> domain certificate. Is that normal?
>
> On Fri, Oct 31, 2014 at 8:39 AM, Nariman Gharib <nariman...@gmail.com>
> wrote:
>>
>> It's important to us at Facebook to provide methods for people to use
>> our site securely. People connect to Facebook in many different ways,
>> which is why we have implemented HTTPS across our service, and Perfect
>> Forward Secrecy, HSTS, and other technologies which help give people
>> more confidence that they are connected securely to Facebook.
>>
>> That doesn't mean we can't improve yet further.
>>
>> Consider Tor: Tor challenges some assumptions of Facebook's security
>> mechanisms - for example its design means that from the perspective of
>> our systems a person who appears to be connecting from Australia at
>> one moment may the next appear to be in Sweden or Canada. In other
>> contexts such behaviour might suggest that a hacked account is being
>> accessed through a "botnet", but for Tor this is normal.
>>
>> Considerations like these have not always been reflected in Facebook's
>> security infrastructure, which has sometimes led to unnecessary
>> hurdles for people who connect to Facebook using Tor. To make their
>> experience more consistent with our goals of accessibility and
>> security, we have begun an experiment which makes Facebook available
>> directly over the Tor network at the following URL:
>>
>> https://facebookcorewwwi.onion/
>>
>> [ NOTE: link will only work in Tor-enabled browsers ]
>>
>> Facebook Onion Address
>>
>> Facebook's onion address provides a way to access Facebook through Tor
>> without losing the cryptographic protections provided by the Tor
>> cloud.
>>
>> The idea is that the Facebook onion address connects you to Facebook's
>> Core WWW Infrastructure - check the URL again, you'll see what we did
>> there - and it reflects one benefit of accessing Facebook this way:
>> that it provides end-to-end communication, from your browser directly
>> into a Facebook datacentre.
>>
>> We decided to use SSL atop this service due in part to architectural
>> considerations - for example, we use the Tor daemon as a reverse proxy
>> into a load balancer and Facebook traffic requires the protection of
>> SSL over that link. As a result, we have provided an SSL certificate
>> which cites our onion address; this mechanism removes the Tor
>> Browser's "SSL Certificate Warning" for that onion address and
>> increases confidence that this service really is run by Facebook.
>> Issuing an SSL certificate for a Tor implementation is - in the Tor
>> world - a novel solution to attribute ownership of an onion address;
>> other solutions for attribution are ripe for consideration, but we
>> believe that this one provides an appropriate starting point for such
>> discussion.
>>
>> Over time we hope to share some of the lessons that we have learned -
>> and will learn - about scaling and deploying services via the Facebook
>> onion address; we have many ideas and are looking forward to improving
>> this service. A medium-term goal will be to support Facebook's
>> mobile-friendly website via an onion address, although in the meantime
>> we expect the service to be of an evolutionary and slightly flaky
>> nature.
>>
>> We hope that these and other features will be useful to people who
>> wish to use Facebook's onion address.
>>
>> Finally, we would like to extend our thanks to Ms. Runa Sandvik and to
>> Dr. Steven Murdoch of UCL for their kind assistance and generous
>> advice in the development of this project.
>>
>> Alec Muffett is a Software Engineer for Security Infrastructure at
>> Facebook London.
>>
>> SOURCE:
>> https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
>>
>> --
>> PGP: 0xa53963936999cbb6
>> --
>> Liberationtech is public & archives are searchable on Google. Violations
>> of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
>> change to digest, or change password by emailing moderator at
>> compa...@stanford.edu.
>