Hi there! I'm now maintaining Cloudflare Onion Services (Mahrud recently left to pursue his PhD).
I will be the new point person at Cloudflare for this project.
T, here are some answers to your questions:
Is the connections between Cloudflare's Tor onion service and
Cloudflare's proxy
instance encrypted?
As of now, the proxy protocol header passing from the onion service to the proxy instance is not
encrypted. (This header includes a synthetic IP address based on circuit ID, which we use to
uniquely identify circuits). We understand that this is undesirable and leaks information about
the circuit ID at this hop. We're discussing options on how to address this.
Does Cloudflare host its onion services in the same data centre as the
proxies they
talk to?
No.
Does the Cloudflare proxy strip out the PROXY header?
Or does it get transformed into X-Forwarded-For? (Or something similar?)
X-Forwarded-For contains the synthetic src IP we include in the PROXY header.
Why does the Cloudflare dashboard show the circuit id to site owners?
They can't effectively block a circuit id; if they try, there may be
collateral
damage to unrelated users; and it is an information leak.
The Cloudflare dashboard shows all traffic (even that with a synthetic IP) to customers as part of
a standard logging procedure. I agree that customers should not block these synthetic IPs, given
that they correspond to ephemeral circuits. Though customers will be able to see these synthetic
IPs, they aren’t really actionable due to their short-lived nature.
How long does Cloudflare retain these circuit ids?
The synthetic IPs (built from circuit ids) are collected under Cloudflare’s standard logging procedure.
As such, they could be kept as short as one week (for debugging purposes) or as long as one year
(if a log is included in the 1% we sample for analysis purposes). Given the extremely short-lived
nature of a circuit, these logs will be devoid of any context to us.
On Sun, Sep 23, 2018 at 7:46 PM Mahrud S dinovirus@gmail.com wrote:
I think it would be better if you draft a response to this rather than me responding.
---------- Forwarded message --------- From: teor teor@riseup.net Date: Sun, Sep 23, 2018 at 12:38 AM Subject: Re: [tor-onions] Probably-stupid question about Circuit IDs To: tor-onions@lists.torproject.org Cc: Mahrud S dinovirus@gmail.com
Hi Mahrud,
On 23 Sep 2018, at 12:10, Mahrud S dinovirus@gmail.com wrote:
In short, yes. I think everything mentioned above is correct, and I'm
not sure what else to add.
I'm still not quite clear on some of the details:
On Sat, Sep 22, 2018 at 9:09 PM teor teor@riseup.net wrote:
On 23 Sep 2018, at 04:50, Alec Muffett alec.muffett@gmail.com wrote:
That latter seems not very much worse than the information which a
compromised exit node would be able to obtain ("Browsing Normal Web over Tor") although it would be a lot more available when the circID is presented to the any backbone observer who can sniff IPv6?
This IPv6 address isn't in the IP header of the packets between
Cloudflare's
onion service and Cloudflare's proxy.
It's sent inside the TCP (or TLS?) connection between the Tor onion
service
and the proxy instance, as a text header before any other inner TCP or
TLS:
https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
If Cloudflare encrypts their onion service to proxy connections (and they should), the circuit id will only be known to the onion service and its
guard
(or rendezvous point, for a single-hop onion service connection).
Is the connections between Cloudflare's Tor onion service and Cloudflare's proxy instance encrypted?
Alternately, if Cloudflare hosts its onions in the same data centre as
the proxies
they talk to, then the risk of interception is low.
Does Cloudflare host its onion services in the same data centre as the proxies they talk to?
Then, if the proxy strips out this header before sending the request to
the origin
site, or connects to the origin site using TLS, then this IP address
shouldn't be
visible on the backbone.
Does the Cloudflare proxy strip out the PROXY header? Or does it get transformed into X-Forwarded-For? (Or something similar?)
Also note: the CloudFlare dashboard shows the circuit id to site owners: https://blog.cloudflare.com/cloudflare-onion-service/
I can't see how having the actual circuit id is useful to site owners. They can't block it effectively, because it's transient. (And the same circuit id can be re-used by independent connections.)
Why does the Cloudflare dashboard show the circuit id to site owners? They can't effectively block a circuit id; if they try, there may be collateral damage to unrelated users; and it is an information leak.
That said, it's no worse than any other onion site operator using the circuit id feature, except that Cloudflare could collect and store a significant number of circuit ids.
How long does Cloudflare retain these circuit ids?
T
-- mahrud <algorithms.jux-foundation.org/~mahrud/blog>