
Facebook Faces Tor Site Outage Due to Expired Certificate

December 18, 2019 | Anastasios Arampatzis


Even the biggest companies can suffer from an expired certificate outage. Facebook announced on December 13th, 2019, that its Tor gateway would be down for one to two weeks due to an expired TLS certificate. In their exact words:
 

“Our onion service, facebookcorewwwi.onion, is temporarily unavailable while we await renewal of our TLS certificate. In the meantime, Facebook is still accessible via facebook.com using Tor Browser. We expect facebookcorewwwi.onion to be available again in one to two weeks. Thanks for your patience.”



 

Why had Facebook established the Tor gateway that is now unavailable due to an expired certificate? When using Tor to connect directly to facebook.com, Facebook will lock a user's account because it looks like they are coming from a different country each time they connect to the site. To Facebook, this would appear to be a botnet or other malicious activity and will cause the system to lock the account.
 

To fix this issue and give users a better experience when connecting via Tor, Facebook launched the dedicated Tor address https://facebookcorewwwi.onion/ in 2014. Using this onion site, Tor users could access Facebook directly without fear that their account would be locked.
 

Alec Muffett had commented that Facebook has “provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser's ‘SSL Certificate Warning’ for that onion address and increases confidence that this service really is run by Facebook.”
 

As happens with every certificate-related outage, users who attempt to connect to the site via Tor will be greeted with an "Unable to connect" message.




Unfortunately, expired TLS certificates impact organizations across all regions, industries and sizes. According to a recent Venafi study of CIOs from the U.S., U.K., France, Germany and Australia, 60% experienced certificate-related outages that impacted critical business applications or services within the last year.
 

Commenting on the incident, Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi, said: “The reality is that most companies experience what is happening with Facebook all the time, and it’s very common for it to take days, or even weeks, to renew TLS certificates. Most companies don’t have good visibility into every certificate they are using and where they are installed. To make matters worse, when something like this happens, replacing certificates is often a manual process, so human error is frequently a key contributor to slow recovery times. 


TLS keys and certificates serve as machine identities; they secure and protect nearly every transaction in our global digital economy. It’s only when certificates for high-profile applications or services expire that the impact becomes really visible.
 

The only way for companies to prevent certificate outages is to have total visibility and intelligence over all the machine identities they use. Having control over just a few is a recipe for disaster.”
 


Why do outages like this continue to occur?

Large organizations find on average over 50,000 previously unknown machine identities. This problem is becoming even more critical for organizations of every size as the volume of machine identities increases and certificate validity periods shrink. The lack of comprehensive visibility and intelligence leads to certificate-related outages. Companies must get control of all their certificates; otherwise, it’s only a matter of time until one expires unexpectedly and causes a debilitating outage.
 

That is the message conveyed by Michael Thelander, Director of Product Marketing at Venafi: “A ‘hard conversation’ is one where a CIO needs to explain a two-week outage when a process for preemptive automation was readily available.



With the ongoing explosion of sites, properties and services across the web, these certificate-related outages are going to grow in number and impact until operations, PKI and InfoSec teams embrace the mantra of automation.
 

The only way to truly remain ahead of these outages is to take the next step and automate certificate issuance and renewal.”
 

If you don’t want to be in Facebook’s shoes and experience the impacts of a certificate-related outage, you should read Venafi’s eight steps to stopping certificate-related outages, the VIA Venafi roadmap to build, maintain and scale a solution to eliminate certificate outages across your enterprise.


 

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
