So Facebook can get a .onion cert, but normal people can't? That's a little annoying.

I wonder whether the same effect could be had by using a self-signed cert - would work especially well with a phone app which could pin whatever cert it wanted.
HBO was granted an SSL certificate by Verisign for "localhost" that was embedded in their iOS app for a while (allowing them to have the iPhone player, which had some SSL requirement I never knew much about, to connect to localhost to stream content, but let the app apply some crazy custom DRM scheme to the traffic). It was found by jan0, when he was working on a Cydia Substrate extension to backport the bug fix for one of the SSL issues that Apple had on iOS 4, and his extension died on someone's phone logging about localhost. He mentioned it on IRC and then left for lunch, so I decided it would be a fun challenge to try to grab it out; two hours later I had disassembled the code and figured out that it had a string that was like "AHdagw%@gcgAWdsa%@fGS3" that it formatted with two strings (replacing the "%@", if you don't know Objective-C), then base-64 decoded that, and used it as the password for a key file, which was something like "Amst3rd4m1sC0ld" (I remember what it said, but not the numbers/caps ;P). I knew it hadn't taken him two hours to figure this out, so I asked him how he did it, and he made fun of me for not using my own tools (in this case, Substrate) to just hook the function that you pass the password to to decrypt a key file :(.
Seeing the words "Facebook" and "anonymous" together is a little odd, given how use of Facebook, and its policies, is often seen as being the exact opposite of anonymous.
"Facebook would treat users as “hacked” since their location would vary throughout the world. Using the .onion address prevents the lock-out from occurring."

So anybody wanting to "hack" a Facebook account should do it via Tor and use the .onion address to avoid being detected and locked out? How does that work?