Back in October 2014, Facebook surprised most people by introducing an onion-routed access method to get onto Facebook without sharing identifying information much as physical location or IP address.
The Facebook over Tor service has, by most accounts, been a success for those wishing to participate and who might fear for their security and safety otherwise. Which is why it was disappointing to discover an announcement, posted on 13 December, that Facebook over Tor would be unavailable for one to two weeks. As it happens, the service went back online yesterday, so the disruption was "only" for five days. Which, if you are one of the more than a million users who regularly access Facebook this way, is five days where the security shield it provides was lowered.
So, what caused this disruption? Was the site the victim of a DDoS attack, or maybe there was a security breach? Nope, nothing as exciting as that; but just as devastating to service provision.
Facebook over Tor was out of action "while we await renewal of our TLS certificate," according to the Facebook announcement of the onion service downtime.
One Facebook user was prompted to ask why TLS could not just be turned off while awaiting renewal, on the basis that Tor-to-onion connections are always encrypted anyway. This was missing a couple of points. The first being that the certificate, as far as Facebook is concerned anyway, is used for more than just the encryption itself.
"This lapse is serious," Michael Barragry, operations lead and security consultant at edgescan told SC Media, "as it effectively resulted in a significant service blackout for a large number of users that connect to Facebook over Tor for various reasons." Although most services accessed over Tor don't use a TLS certificate precisely because of them being encrypted by default as mentioned before, Facebook bucked that trend. "Facebook were the first to do this," Barragry explains, "for architectural considerations and for ownership verification to protect users from similarly-named phishing sites."
No certificate and, in effect, you are removing one of the main reasons that people want to use an onion-routed service in the first place: protection against snooping. Man-in-the-Middle attacks could be created during the certification downtime, and it's generally agreed that downing the site was the right thing for Facebook to do in the circumstances.
The bigger missed point comes by the way that more important than how Facebook responded to the certificate expiry is why it was allowed to expire in the first place. "Certificate management should be a core consideration of every enterprise," Barragry told SC Media UK, "improperly configured or expired certificates can result in anything from minor issues (warning messages in users browsers which could spook them away) to much more serious issues such as a total service outage for a period of time."
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, agrees but warns that "the reality is that most companies experience what is happening with Facebook all the time, and it’s very common for it to take days, or even weeks, to renew TLS certificates." This is, Bocek says, because most companies don’t have good visibility into every certificate they are using and where they are installed. "To make matters worse," Bocek continues, "When something like this happens replacing certificates is often a manual process, so human error is frequently a key contributor to slow recovery times."
The only way for companies to prevent these certificate outages, Bocek argues, is to have total visibility and intelligence over all the machine identities they use. "Having control over just a few is a recipe for disaster," Bocek concludes.