Hi there! I'm now maintaining Cloudflare Onion Services (Mahrud recently left to pursue his PhD).

I will be the new point person at Cloudflare for this project.


T, here are some answers to your questions:


> Are the connections between Cloudflare's Tor onion service and Cloudflare's proxy
> instance encrypted?


As of now, the proxy protocol header passing from the onion service to the proxy instance is not
encrypted. (This header includes a synthetic IP address based on circuit ID, which we use to
uniquely identify circuits). We understand that this is undesirable and leaks information about
the circuit ID at this hop. We're discussing options on how to address this.


> Does Cloudflare host its onion services in the same data centre as the proxies they
> talk to?


No.


> Does the Cloudflare proxy strip out the PROXY header?
> Or does it get transformed into X-Forwarded-For? (Or something similar?)


X-Forwarded-For contains the synthetic src IP we include in the PROXY header.


> Why does the Cloudflare dashboard show the circuit id to site owners?
> They can't effectively block a circuit id; if they try, there may be collateral
> damage to unrelated users; and it is an information leak.


The Cloudflare dashboard shows all traffic (even that with a synthetic IP) to customers as part of
a standard logging procedure. I agree that customers should not block these synthetic IPs, given
that they correspond to ephemeral circuits. Though customers will be able to see these synthetic
IPs, they aren’t really actionable due to their short-lived nature.


> How long does Cloudflare retain these circuit ids?


The synthetic IPs (built from circuit ids) are collected under Cloudflare’s standard logging procedure.
As such, they could be kept as short as one week (for debugging purposes) or as long as one year
(if a log is included in the 1% we sample for analysis purposes). Given the extremely short-lived
nature of a circuit, these logs will be devoid of any context to us.



On Sun, Sep 23, 2018 at 7:46 PM Mahrud S <dinovirus@gmail.com> wrote:
I think it would be better if you draft a response to this rather than me responding.

---------- Forwarded message ---------
From: teor <teor@riseup.net>
Date: Sun, Sep 23, 2018 at 12:38 AM
Subject: Re: [tor-onions] Probably-stupid question about Circuit IDs
To: <tor-onions@lists.torproject.org>
Cc: Mahrud S <dinovirus@gmail.com>


Hi Mahrud,

> On 23 Sep 2018, at 12:10, Mahrud S <dinovirus@gmail.com> wrote:
>
> In short, yes. I think everything mentioned above is correct, and I'm not sure what else to add.

I'm still not quite clear on some of the details:

> On Sat, Sep 22, 2018 at 9:09 PM teor <teor@riseup.net> wrote:
>
>> On 23 Sep 2018, at 04:50, Alec Muffett <alec.muffett@gmail.com> wrote:
>>
>> That latter seems not very much worse than the information which a compromised exit node would be able to obtain ("Browsing Normal Web over Tor") although it would be a lot more available when the circID is presented to any backbone observer who can sniff IPv6?
>
> This IPv6 address isn't in the IP header of the packets between Cloudflare's
> onion service and Cloudflare's proxy.
>
> It's sent inside the TCP (or TLS?) connection between the Tor onion service
> and the proxy instance, as a text header before any other inner TCP or TLS:
> https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
>
> If Cloudflare encrypts their onion service to proxy connections (and they
> should), the circuit id will only be known to the onion service and its guard
> (or rendezvous point, for a single-hop onion service connection).

Are the connections between Cloudflare's Tor onion service and Cloudflare's proxy
instance encrypted?

> Alternately, if Cloudflare hosts its onions in the same data centre as the proxies
> they talk to, then the risk of interception is low.

Does Cloudflare host its onion services in the same data centre as the proxies they
talk to?

> Then, if the proxy strips out this header before sending the request to the origin
> site, or connects to the origin site using TLS, then this IP address shouldn't be
> visible on the backbone.

Does the Cloudflare proxy strip out the PROXY header?
Or does it get transformed into X-Forwarded-For? (Or something similar?)

> Also note: the CloudFlare dashboard shows the circuit id to site owners:
> https://blog.cloudflare.com/cloudflare-onion-service/
>
> I can't see how having the actual circuit id is useful to site owners.
> They can't block it effectively, because it's transient.
> (And the same circuit id can be re-used by independent connections.)

Why does the Cloudflare dashboard show the circuit id to site owners?
They can't effectively block a circuit id; if they try, there may be collateral
damage to unrelated users; and it is an information leak.

That said, it's no worse than any other onion site operator using the circuit id
feature, except that Cloudflare could collect and store a significant number of
circuit ids.

How long does Cloudflare retain these circuit ids?

T
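
Added example, not part of the original thread and not Cloudflare's or Tor's code: a parser for the PROXY protocol v1 text header discussed above, showing where the synthetic source address sits ahead of the inner stream and how the circuit ID can be read from it or masked before logging. It assumes the encoding documented for tor's `HiddenServiceExportCircuitID haproxy` option (global circuit ID in the last 32 bits of the source IPv6 address); the function names and the redaction helper are hypothetical.

```python
import ipaddress

# Constructed sample: a PROXY v1 line in the form given in the tor manual for
# HiddenServiceExportCircuitID, followed by the first bytes of the inner stream.
SAMPLE = b"PROXY TCP6 fc00:dead:beef:4dad::ffff:ffff ::1 65535 42\r\nGET / HTTP/1.1\r\n"

MAX_V1_LEN = 107  # HAProxy spec: a v1 line, CRLF included, is at most 107 bytes


def split_proxy_v1(stream: bytes):
    """Return (fields, rest): the parsed header and the bytes that follow it."""
    end = stream.find(b"\r\n", 0, MAX_V1_LEN)
    if not stream.startswith(b"PROXY ") or end == -1:
        raise ValueError("no PROXY v1 header at start of stream")
    parts = stream[:end].decode("ascii").split(" ")
    if parts[1] == "UNKNOWN":
        # The spec says receivers must ignore the rest of an UNKNOWN line.
        return {"proto": "UNKNOWN"}, stream[end + 2:]
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    _, proto, src, dst, sport, dport = parts
    fields = {
        "proto": proto,
        "src": ipaddress.ip_address(src),  # synthetic address, not a real client IP
        "dst": ipaddress.ip_address(dst),
        "src_port": int(sport),
        "dst_port": int(dport),
    }
    return fields, stream[end + 2:]


def circuit_id(src) -> int:
    """Assumption: tor's encoding, global circuit ID in the low 32 bits of src."""
    return int(src) & 0xFFFFFFFF


def redact_for_log(src) -> str:
    """Hypothetical retention helper: zero the circuit-ID bits before logging."""
    return str(ipaddress.IPv6Address(int(src) & ~0xFFFFFFFF))
```

Because the header is plain text at the start of the TCP stream, anyone who can read that connection can run the same parse, which is the exposure the thread describes for an unencrypted onion-service-to-proxy hop.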

