[tor-talk] Facebook brute forcing hidden services
colinmahns at riseup.net
Sat Nov 1 18:53:50 UTC 2014
I'm one of the developers on darkweb-everywhere. I was playing around
with having fbcdn.net redirect to
fbcdn23dssr3jqnq.onion with a rule, hoping to cover instances where
people have linked directly to images from Facebook.
Since the cert Facebook is using doesn't have a wildcard subdomain for
the hidden services, the user is presented with a mismatched exception
error. Obviously this isn't intended so I figured I would reach out to
you about this :)
Here is the example I used  I included both the original link
and the redirected one. This was found by searching for site:fbcdn.net
on Reddit and picking the first non-broken safe for work image I could
find (this was surprisingly hard!).
I'm not too familiar with how Facebook handles these links, or if this
is even expected behavior. It seems the fix should just be reissuing
the cert with a wildcard flag, but I could be wrong. Any ideas?
I'm cc'ing tor-talk on this email since I figured more users reading
this can't be a bad thing.
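The mismatch described in the message above, as an added example that is not part of the original post: a minimal Python check of how a requested hostname is compared against a certificate's DNS names under RFC 6125-style rules. Only fbcdn23dssr3jqnq.onion comes from the post; the subdomain labels and both SAN lists are constructed for illustration and are not taken from Facebook's certificate.

```python
# Added example: hostname vs. certificate DNS-name matching (RFC 6125 style).
# Only BASE comes from the post; subdomain labels and SAN lists are constructed.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, san):
    """Return True if a single dNSName entry covers the hostname."""
    host, pat = _labels(hostname), _labels(san)
    if len(host) != len(pat):
        # A wildcard stands for exactly one label, never zero or several.
        return False
    if pat[0] == "*":
        # Honour the wildcard only as the whole leftmost label, and never
        # directly under a top-level domain (e.g. "*.onion").
        return len(pat) >= 3 and host[1:] == pat[1:]
    # No wildcard (or a partial one such as "f*"): require a literal match.
    return host == pat

def cert_covers(hostname, sans):
    """Return True if any SAN entry of the certificate covers the hostname."""
    return any(san_matches(hostname, s) for s in sans)

def check(hostnames, sans):
    """Map each hostname to whether the certificate would be accepted for it."""
    return {h: cert_covers(h, sans) for h in hostnames}

BASE = "fbcdn23dssr3jqnq.onion"            # onion name quoted in the post
HOSTS = [BASE, "img." + BASE, "a.img." + BASE]   # hypothetical subdomains

EXACT_ONLY = [BASE]                        # constructed: no wildcard entry
WITH_WILDCARD = [BASE, "*." + BASE]        # constructed: reissued with wildcard

if __name__ == "__main__":
    for title, sans in (("exact only", EXACT_ONLY),
                        ("with wildcard", WITH_WILDCARD)):
        print(title)
        for host, ok in check(HOSTS, sans).items():
            print("  %-36s %s" % (host, "ok" if ok else "MISMATCH"))
```

A wildcard entry covers one subdomain level only, so a name two labels below the onion address still produces a mismatch after such a reissue.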