Facebook’s
Tor gateway will be out of commission for a week or two after a TLS certificate
expired.

“Our
onion service, facebookcorewwwi.onion, is temporarily unavailable while we
await renewal of our TLS certificate. In the meantime, Facebook is still
accessible via facebook.com using Tor
Browser,” the company posted
on the Facebook Over Tor page.

The
social media company unveiled the dedicated Tor address in 2014 so Tor users
could access Facebook without being locked out of their accounts.

While the announcement prompted
speculation that the lengthy downtime portends something more ominous, “the
reality is that most companies experience what is happening with Facebook all
the time, and it’s very common for it to take days, or even weeks, to
renew TLS certificates,” said Kevin Bocek, vice president of security strategy
and threat intelligence at Venafi. “Most companies don’t have good visibility
into every certificate they are using and where they are installed. To make
matters worse, when something like this happens replacing certificates is often
a manual process, so human error is frequently a key contributor to slow
recovery times.” 

Noting that “TLS keys and
certificates serve as machine identities” that “secure and protect nearly every
transaction in our global digital economy,” Bocek said “it’s only when
certificates for high profile applications or services expire the impact
becomes really visible.”