[tor-onions] Probably-stupid question about Circuit IDs

teor teor at riseup.net
Sun Sep 23 04:38:00 UTC 2018


Hi Mahrud,

> On 23 Sep 2018, at 12:10, Mahrud S <dinovirus at gmail.com> wrote:
> 
> In short, yes. I think everything mentioned above is correct, and I'm not sure what else to add.

I'm still not quite clear on some of the details:

> On Sat, Sep 22, 2018 at 9:09 PM teor <teor at riseup.net> wrote:
> 
>> On 23 Sep 2018, at 04:50, Alec Muffett <alec.muffett at gmail.com> wrote:
>> 
>> That latter seems not very much worse than the information which a compromised exit node would be able to obtain ("Browsing Normal Web over Tor") although it would be a lot more available when the circID is presented to any backbone observer who can sniff IPv6?
> 
> This IPv6 address isn't in the IP header of the packets between Cloudflare's
> onion service and Cloudflare's proxy.
> 
> It's sent inside the TCP (or TLS?) connection between the Tor onion service
> and the proxy instance, as a text header before any other inner TCP or TLS:
> https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
> 
> If Cloudflare encrypts their onion service to proxy connections (and they
> should), the circuit id will only be known to the onion service and its guard
> (or rendezvous point, for a single-hop onion service connection).

Is the connection between Cloudflare's Tor onion service and Cloudflare's proxy
instance encrypted?

> Alternately, if Cloudflare hosts its onions in the same data centre as the proxies
> they talk to, then the risk of interception is low.

Does Cloudflare host its onion services in the same data centre as the proxies they
talk to?

> Then, if the proxy strips out this header before sending the request to the origin
> site, or connects to the origin site using TLS, then this IP address shouldn't be
> visible on the backbone.

Does the Cloudflare proxy strip out the PROXY header?
Or does it get transformed into X-Forwarded-For? (Or something similar?)

> Also note: the CloudFlare dashboard shows the circuit id to site owners:
> https://blog.cloudflare.com/cloudflare-onion-service/
> 
> I can't see how having the actual circuit id is useful to site owners.
> They can't block it effectively, because it's transient.
> (And the same circuit id can be re-used by independent connections.)

Why does the Cloudflare dashboard show the circuit id to site owners?
They can't effectively block a circuit id; if they try, there may be collateral
damage to unrelated users; and it is an information leak.

That said, it's no worse than any other onion site operator using the circuit id
feature, except that Cloudflare could collect and store a significant number of
circuit ids.

How long does Cloudflare retain these circuit ids?

T
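
The header handling this thread asks about, as an added example that is not part of the original message and is not Tor or Cloudflare code: a receiver splits the PROXY v1 text header off the stream, recovers the circuit id, and forwards only the payload. Assumptions: the `fc00:dead:beef:4dad::/64` prefix and low-32-bit encoding follow Tor's documented `HiddenServiceExportCircuitID haproxy` format rather than anything stated above; the function names are hypothetical and the sample bytes are constructed.

```python
import ipaddress

# Assumption: prefix Tor documents for HiddenServiceExportCircuitID haproxy;
# the circuit id is carried in the last 32 bits of the source address.
TOR_CIRCUIT_PREFIX = ipaddress.IPv6Network("fc00:dead:beef:4dad::/64")
# Constructed sample: PROXY v1 header followed by the inner request bytes.
SAMPLE = (b"PROXY TCP6 fc00:dead:beef:4dad::ffff:ffff ::1 65535 42\r\n"
          b"GET / HTTP/1.1\r\nHost: example.onion\r\n\r\n")


def split_proxy_v1(stream: bytes):
    """Return (fields, payload); fields is None when no header is present."""
    if not stream.startswith(b"PROXY "):
        return None, stream
    end = stream.find(b"\r\n", 0, 107)  # spec: v1 header is at most 107 bytes
    if end == -1:
        raise ValueError("unterminated or oversized PROXY v1 header")
    parts = stream[:end].decode("ascii").split(" ")
    payload = stream[end + 2:]
    if parts[1] == "UNKNOWN":
        return {"proto": "UNKNOWN"}, payload
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    fields = {
        "proto": parts[1],
        "src": ipaddress.ip_address(parts[2]),
        "dst": ipaddress.ip_address(parts[3]),
        "src_port": int(parts[4]),
        "dst_port": int(parts[5]),
    }
    return fields, payload


def circuit_id(fields):
    """Return the 32-bit circuit id if src is in the export prefix, else None."""
    if not fields or fields.get("proto") != "TCP6":
        return None
    src = fields["src"]
    return int(src) & 0xFFFFFFFF if src in TOR_CIRCUIT_PREFIX else None


def forward_to_origin(stream: bytes, log: list) -> bytes:
    """Strip the header before forwarding; the circuit id goes only to `log`."""
    fields, payload = split_proxy_v1(stream)
    cid = circuit_id(fields)
    if cid is not None:
        log.append(cid)
    return payload
```
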