|
|
Presented by Will
|
|
|
|
|
|
Million+ monthly facebook users over tor.
|
|
|
|
|
|
100k-200k daily.
|
|
|
|
|
|
1 Gbps of traffic from exit nodes to Facebook. AKA about 1% of Tor traffic.
|
|
|
Using FB over Tor is about 2x faster. Will suggests this is because the non-onion FB
|
|
|
opens like 15 circuits, but pastly says that isn't how TB is supposed to work.
|
|
|
|
|
|
# How to move that traffic to onions?
|
|
|
|
|
|
- Tell people about the onion
|
|
|
Doesn't work too well. and FB has worked hard to teach people that
|
|
|
"facebook.com" is trustworthy and other names are not.
|
|
|
|
|
|
- Alt-Svc headers
|
|
|
As of 3hrs ago FB serves an Alt-Svc header that points to onion services. (It's
|
|
|
different than their facebookcorewwwi.onion) This onion traffic has ALREADY
|
|
|
surpassed the main fb.onion traffic.
|
|
|
|
|
|
# Problems
|
|
|
|
|
|
## Can we tell users, or the browser, to go to the .onion instead of using Tor exit nodes?
|
|
|
|
|
|
## What onion to put in the header?
|
|
|
|
|
|
fb.onion? already has a bunch of traffic.
|
|
|
|
|
|
Created a set of v3 onions. every time a user visits fb.com, give them one of
|
|
|
these v3 onions deterministically based on their session. Note that session is
|
|
|
established before login.
|
|
|
|
|
|
## Other websites don't have a way to partition users
|
|
|
|
|
|
AKA sites that don't use cookies or sessions.
|
|
|
|
|
|
Giving users the same alt-svc header for an entire session keeps them on the
|
|
|
same circuit.
|
|
|
|
|
|
## FB has lots of subdomains
|
|
|
|
|
|
Each one is a new entry in the alt-svc cache. Meaning a new alt-svc discovery,
|
|
|
negotiation, etc.
|
|
|
|
|
|
## CDN
|
|
|
|
|
|
fbcdn.net doesn't have access to the same partitioning info that
|
|
|
facebook.com, so the same deterministic v3 onion idea doesn't work here.
|
|
|
|
|
|
# Why do this
|
|
|
|
|
|
- Remove traffic from exit nodes, thus being friendly
|
|
|
- Don't have to trust exits
|
|
|
- FB loads about twice as fast (over Tor...?) when you use the onion
|
|
|
- Using onions avoids some attacks, e.g. cookie stealing using a stolen cert
|
|
|
|
|
|
# Downsides
|
|
|
|
|
|
- User never knows they are using an onion. This is against the ideas Tor has
|
|
|
been pushing along the lines of onions being nice and normal and good for
|
|
|
normal life.
|
|
|
|
|
|
|
|
|
# Misc points
|
|
|
|
|
|
- CA Browser forum requires EV certs if you want a .onion in your cert. With
|
|
|
alt-svc, since the onion service serves content to you, it uses the same cert
|
|
|
as the original non-.onion domain. So you can get a free DV cert from let's
|
|
|
encrypt.
|
|
|
|
|
|
- Tor could improve onion service scalability so that FB doesn't have to run 15
|
|
|
onion services and could just run one.
|
|
|
|
|
|
- Onionbalance not suitable for FB right now
|
|
|
|
|
|
# Should other large websites do this too?
|
|
|
|
|
|
- Cloudflare does. In fact, they do by default (but one person said they didn't
|
|
|
see it working when they checked)
|
|
|
|
|
|
- If you don't have a huge site and one onion is good enough for you, it should
|
|
|
be very very easy to deploy this for you. Hardest thing is keeping an
|
|
|
up-to-date list of exits. |