What is Tor?

Tor is a low-latency privacy network. When accessing the internet through Tor, a path is created through 3 intermediary relays. All requests are then wrapped in 3 layers of encryption, one to be stripped off by each relay (hence The Onion Router -- the layering of encryption is like the layering of an onion). This ensures that no relay can know both the source of the transaction AND the destination. In normal operation, both the DNS and other (HTTP, HTTPS, FTP, rsync, whatever) traffic is pushed all of the way through the Tor "tunnel", so that the internet sees a Tor exit relay making these transactions, while the ISP sees the user connecting to Tor but has no idea what they are doing.

What is a hidden service?

Tor provides the ability to run Tor "hidden services" (THS), the point of which is that both the server and the connecting client can retain their anonymity unless they wish to declare themselves. Imagine a suicide chat service, at which the service identifies itself, to provide assurance to the client, but at which the client is not required to identify themselves. In this model it is practically impossible for the client to be identified by anyone, and the client could connect from anywhere globally, assuming that access to Tor is possible. Hidden services are identified as (protocol)://(some-hash).onion as outlined in the example above.

What is the privacy issue?

When a THS is accessed with a Tor-enabled browser, no information is leaked outside of the Tor network -- there is no DNS lookup. However, when that URI is accessed with a normal browser, there is a DNS lookup, and that immediately breaks the privacy of both parties, i.e. the DNS request exposes the user amongst a community using their recursive resolver, and publishes their intention to visit the service. Additionally, the connection will fail, as there is no DNS registration involved in any THS.

What is the certificate issue?

Certificate authorities are meant to ensure the ownership and validity of the domain for which they are issuing. As .onion is a non-existent TLD, issuing a certificate for the above "domain" (wkqp7hcrpkxdgfat.onion) would be strange. I could generate a self-signed certificate, and that would be fine except for the warning that all browsers give about this. But Facebook want to deploy a THS (in which they will publish their identity, and to which people will de-anonymise themselves by logging in), and they want to have a certificate for it. Thus, .onion needs to be either registered or declared special use. If it is registered, then it is controlled by a single organisation, and this is entirely against the decentralised principle of the Tor Project. Thus, they request a special use registration. This solves the certificate problem, but the privacy issue outlined above remains.
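
The DNS leak described under "What is the privacy issue?" can be stopped on the client by checking the name before any resolver call is made. The following Python is an added example, not part of the original text; the function names, the exception class and the injectable `resolver` parameter are assumptions made for illustration, and the demo resolver is a constructed stand-in so nothing touches the network.

```python
import socket
from urllib.parse import urlsplit


class OnionLeakError(Exception):
    """Raised instead of handing a .onion name to the DNS."""


def hostname_of(target: str) -> str:
    """Accept a URI or a bare host[:port]; return the lower-cased host name
    without a trailing root dot."""
    parts = urlsplit(target if "://" in target else "//" + target)
    return (parts.hostname or "").rstrip(".").lower()


def is_onion(target: str) -> bool:
    """True when the rightmost label is 'onion'. Names such as
    onion.example.com or example.onion.com are ordinary DNS names."""
    return hostname_of(target).split(".")[-1] == "onion"


def guarded_resolve(target: str, port: int = 443, resolver=socket.getaddrinfo):
    """Resolve via `resolver` unless the name is a hidden-service name.

    The check runs before the resolver is called, so no query naming the
    hidden service ever reaches the user's recursive resolver.
    """
    host = hostname_of(target)
    if is_onion(host):
        raise OnionLeakError(f"{host}: not sent to DNS, use a Tor-enabled client")
    return resolver(host, port)


if __name__ == "__main__":
    seen = []  # names that would have gone out as DNS queries

    def recording_resolver(host, port):  # constructed stand-in for real DNS
        seen.append(host)
        return [("constructed-answer", host, port)]

    for uri in ("https://example.com/", "http://wkqp7hcrpkxdgfat.onion/"):
        try:
            guarded_resolve(uri, resolver=recording_resolver)
        except OnionLeakError as err:
            print("blocked:", err)
    print("names sent to DNS:", seen)
```
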