<div dir="ltr"><span id="gmail-docs-internal-guid-0b5e8615-7fff-eecc-736a-fb5acbb5a497"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Hi there! I'm now maintaining Cloudflare Onion Services (Mahrud recently left to pursue his PhD). </span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">I will be the new point person at Cloudflare for this project. </span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">T, here are some answers to your questions:</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">> Is the connections between Cloudflare's Tor onion service and Cloudflare's proxy</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">> instance encrypted?</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">As of now, the proxy protocol header passing from the onion service to the proxy instance 
is not </span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">encrypted. (This header includes a synthetic IP address based on circuit ID, which we use to </span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">uniquely identify circuits). We understand that this is undesirable and leaks information about </span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">the circuit ID at this hop. 
We're discussing options on how to address this.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">> Does Cloudflare host its onion services in the same data centre as the proxies they</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">> talk to?</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">No.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">> Does the Cloudflare proxy strip out the PROXY header?</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">> Or does it get transformed into X-Forwarded-For? 
(Or something similar?)</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">X-Forwarded-For contains the synthetic src IP we include in the PROXY header.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">> Why does the Cloudflare dashboard show the circuit id to site owners?</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">> They can't effectively block a circuit id; if they try, there may be collateral</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">> damage to unrelated users; and it is an information leak.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The Cloudflare dashboard shows all traffic (even that with a synthetic IP) to customers as part of </span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">a 
standard logging procedure. I agree that customers should not block these synthetic IPs, given </span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">that they correspond to ephemeral circuits. Though customers will be able to see these synthetic </span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">IPs, they aren’t really actionable due to their short-lived nature.<br></span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">> How long does Cloudflare retain these circuit ids?</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The synthetic IPs (built from circuit ids) are collected under Cloudflare’s standard logging procedure. 
</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">As such, they could be kept as short as one week (for debugging purposes) or as long as one year </span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">(if a log is included in the 1% we sample for analysis purposes). Given the extremely short-lived </span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">nature of a circuit, these logs will be devoid of any context to us.</span></p></span><br class="gmail-Apple-interchange-newline"></div><br><div class="gmail_quote"><div dir="ltr">On Sun, Sep 23, 2018 at 7:46 PM Mahrud S <<a href="mailto:dinovirus@gmail.com">dinovirus@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I think it would be better if you draft a response to this rather than me responding.<div><div><br><div class="gmail_quote"><div dir="ltr">---------- Forwarded message ---------<br>From: <strong class="gmail_sendername" dir="auto">teor</strong> <span dir="ltr"><<a href="mailto:teor@riseup.net" target="_blank">teor@riseup.net</a>></span><br>Date: Sun, Sep 23, 2018 at 12:38 AM<br>Subject: Re: [tor-onions] Probably-stupid question about Circuit IDs<br>To:  <<a href="mailto:tor-onions@lists.torproject.org" target="_blank">tor-onions@lists.torproject.org</a>><br>Cc: Mahrud S <<a 
href="mailto:dinovirus@gmail.com" target="_blank">dinovirus@gmail.com</a>><br></div><br><br>Hi Mahrud,<br>
<br>
> On 23 Sep 2018, at 12:10, Mahrud S <<a href="mailto:dinovirus@gmail.com" target="_blank">dinovirus@gmail.com</a>> wrote:<br>
> <br>
> In short, yes. I think everything mentioned above is correct, and I'm not sure what else to add.<br>
<br>
I'm still not quite clear on some of the details:<br>
<br>
> On Sat, Sep 22, 2018 at 9:09 PM teor <<a href="mailto:teor@riseup.net" target="_blank">teor@riseup.net</a>> wrote:<br>
> <br>
>> On 23 Sep 2018, at 04:50, Alec Muffett <<a href="mailto:alec.muffett@gmail.com" target="_blank">alec.muffett@gmail.com</a>> wrote:<br>
>> <br>
>> That latter seems not very much worse than the information which a compromised exit node would be able to obtain ("Browsing Normal Web over Tor") although it would be a lot more available when the circID is presented to any backbone observer who can sniff IPv6?<br>
> <br>
> This IPv6 address isn't in the IP header of the packets between Cloudflare's<br>
> onion service and Cloudflare's proxy.<br>
> <br>
> It's sent inside the TCP (or TLS?) connection between the Tor onion service<br>
> and the proxy instance, as a text header before any other inner TCP or TLS:<br>
> <a href="https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt" rel="noreferrer" target="_blank">https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt</a><br>
> <br>
> If Cloudflare encrypts their onion service to proxy connections (and they<br>
> should), the circuit id will only be known to the onion service and its guard<br>
> (or rendezvous point, for a single-hop onion service connection).<br>
<br>
Are the connections between Cloudflare's Tor onion service and Cloudflare's proxy<br>
instance encrypted?<br>
<br>
> Alternately, if Cloudflare hosts its onions in the same data centre as the proxies<br>
> they talk to, then the risk of interception is low.<br>
<br>
Does Cloudflare host its onion services in the same data centre as the proxies they<br>
talk to?<br>
<br>
> Then, if the proxy strips out this header before sending the request to the origin<br>
> site, or connects to the origin site using TLS, then this IP address shouldn't be<br>
> visible on the backbone.<br>
<br>
Does the Cloudflare proxy strip out the PROXY header?<br>
Or does it get transformed into X-Forwarded-For? (Or something similar?)<br>
<br>
> Also note: the Cloudflare dashboard shows the circuit id to site owners:<br>
> <a href="https://blog.cloudflare.com/cloudflare-onion-service/" rel="noreferrer" target="_blank">https://blog.cloudflare.com/cloudflare-onion-service/</a><br>
> <br>
> I can't see how having the actual circuit id is useful to site owners.<br>
> They can't block it effectively, because it's transient.<br>
> (And the same circuit id can be re-used by independent connections.)<br>
<br>
Why does the Cloudflare dashboard show the circuit id to site owners?<br>
They can't effectively block a circuit id; if they try, there may be collateral<br>
damage to unrelated users; and it is an information leak.<br>
<br>
That said, it's no worse than any other onion site operator using the circuit id<br>
feature, except that Cloudflare could collect and store a significant number of<br>
circuit ids.<br>
<br>
How long does Cloudflare retain these circuit ids?<br>
<br>
T<br>
</div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="m_-411121612758907646gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">mahrud <<a href="http://algorithms.jux-foundation.org/~mahrud/blog" target="_blank">algorithms.jux-foundation.org/~mahrud/blog</a>><br></div></div></div></div></div>
</blockquote></div>
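<p>An added example, not code from this thread or from Cloudflare: it parses a PROXY protocol v1 header of the kind discussed above, recovers the circuit ID that is readable on an unencrypted onion-service-to-proxy hop, and shows a check that keeps synthetic addresses seen in X-Forwarded-For out of IP block rules. The <code>fc00:dead:beef:4dad::/96</code> prefix and the "last 32 bits are the circuit ID" layout are assumptions taken from Tor's manual entry for <code>HiddenServiceExportCircuitID haproxy</code>; the function names and the sample header are constructed for illustration.</p>

```python
import ipaddress

# Assumption: prefix and layout as documented in Tor's manual for
# "HiddenServiceExportCircuitID haproxy"; the thread does not state them.
CIRCUIT_NET = ipaddress.ip_network("fc00:dead:beef:4dad::/96")


def parse_proxy_v1(line: bytes):
    """Parse a PROXY protocol v1 header; return (family, src, dst, sport, dport)."""
    if not line.endswith(b"\r\n") or len(line) > 107:
        raise ValueError("not a complete PROXY v1 header")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return ("UNKNOWN", None, None, None, None)
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    return (parts[1], src, dst, int(parts[4]), int(parts[5]))


def circuit_id(addr):
    """Return the 32-bit circuit ID if addr is a synthetic circuit address, else None."""
    if addr is None or addr.version != 6 or addr not in CIRCUIT_NET:
        return None
    return int(addr) & 0xFFFFFFFF


def blockable(xff_value: str) -> bool:
    """False when the left-most X-Forwarded-For entry is a synthetic circuit
    address: it names an ephemeral circuit, not a client, so an IP block rule
    on it is ineffective and can hit unrelated users."""
    first = xff_value.split(",")[0].strip()
    try:
        return circuit_id(ipaddress.ip_address(first)) is None
    except ValueError:
        return False  # unparseable entry: nothing reliable to block on


# Constructed sample header, as it would appear in cleartext on the
# onion-service-to-proxy hop described in the thread.
SAMPLE = b"PROXY TCP6 fc00:dead:beef:4dad::aabb:ccdd ::1 65535 443\r\n"

if __name__ == "__main__":
    _, src, _, _, _ = parse_proxy_v1(SAMPLE)
    print(hex(circuit_id(src)), blockable(str(src)), blockable("203.0.113.7"))
```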