There was some chatter about how Facebook was able to generate a random key that gave them a .onion address of facebookcorewwwi.onion, because typically people have only been able to pick a short prefix (using something like shallot), as in the case of the original Silk Road being at silkroad6ownowfk.onion. The concern is that if Facebook has the cycles available to generate such a specific key, some other more powerful entity could just as easily generate a key to match any .onion address and MITM it on the Tor network.
Roger chimed in to say that Facebook generated a bunch of keys with a prefix of “facebook” (which is fairly easy to do) and just picked one that looked the best, which was “facebook core www i”, and that generating a full key that matches another .onion address is still extremely difficult.
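To put numbers on the gap between a chosen prefix and a full match, here is an added example (not from the original post or from Tor) that derives a 16-character name the way v2 hidden services do, as base32 of the first 80 bits of the SHA-1 of the DER-encoded public key, and runs a tiny prefix search. The function names are hypothetical, and the search hashes constructed stand-in blobs rather than real RSA keys, so only the counting carries over.

```python
import base64
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # base32 characters used in .onion names


def onion_v2_address(public_key_der: bytes) -> str:
    """16-char v2 name: base32 of the first 80 bits of SHA-1(DER public key)."""
    digest = hashlib.sha1(public_key_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def expected_attempts(chars: int) -> int:
    """Average candidates to try before `chars` chosen characters match (5 bits each)."""
    return 32 ** chars


def search_prefix(prefix: str, max_tries: int = 1_000_000):
    """Hash constructed stand-in blobs until the derived name starts with `prefix`."""
    if not prefix or any(c not in ALPHABET for c in prefix):
        raise ValueError("prefix must be non-empty base32 (a-z, 2-7)")
    for tries in range(1, max_tries + 1):
        # Assumption: a counter-based blob stands in for a freshly generated key.
        blob = b"constructed-stand-in-key-%d" % tries
        addr = onion_v2_address(blob)
        if addr.startswith(prefix):
            return addr, tries
    return None, max_tries


if __name__ == "__main__":
    addr, tries = search_prefix("fb")
    print(f"2-char prefix: {addr}.onion after {tries} tries "
          f"(average {expected_attempts(2)})")
    # Each extra chosen character multiplies the average work by 32.
    for n in (8, 16):
        print(f"{n} chosen chars: about 2^{5 * n} candidates on average")
```

An 8-character prefix such as "facebook" averages 2^40 candidates, while matching all 16 characters of an existing address averages 2^80, which is 2^40 times more work.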
It’s interesting that Facebook’s hidden service has a valid SSL certificate with these alt names:
DNS Name: facebookcorewwwi.onion
DNS Name: fbcdn23dssr3jqnq.onion
DNS Name: fbsbx2q4mvcl63pw.onion
Another piece of trivia is that both fbcdn.com and fbsbx.com (used as the prefix of the final two DNS entries) are registered by Facebook and redirect to facebook.com.
The fact they got a CA to give them an .onion certificate is a little strange.
More info from the Tor weblog.