[tor-onions] Probably-stupid question about Circuit IDs

Gabbi Fisher gabbi at cloudflare.com
Wed Sep 26 20:37:00 UTC 2018


Hi there! I'm now maintaining Cloudflare Onion Services (Mahrud recently
left to pursue his PhD).

I will be the new point person at Cloudflare for this project.

T, here are some answers to your questions:

> Is the connection between Cloudflare's Tor onion service and Cloudflare's proxy
> instance encrypted?

As of now, the proxy protocol header passing from the onion service to the
proxy instance is not encrypted. (This header includes a synthetic IP address
based on circuit ID, which we use to uniquely identify circuits). We understand
that this is undesirable and leaks information about the circuit ID at this hop.
We're discussing options on how to address this.

> Does Cloudflare host its onion services in the same data centre as the proxies they
> talk to?

No.

> Does the Cloudflare proxy strip out the PROXY header?
> Or does it get transformed into X-Forwarded-For? (Or something similar?)

X-Forwarded-For contains the synthetic src IP we include in the PROXY header.

> Why does the Cloudflare dashboard show the circuit id to site owners?
> They can't effectively block a circuit id; if they try, there may be collateral
> damage to unrelated users; and it is an information leak.

The Cloudflare dashboard shows all traffic (even that with a synthetic IP) to
customers as part of a standard logging procedure. I agree that customers should
not block these synthetic IPs, given that they correspond to ephemeral circuits.
Though customers will be able to see these synthetic IPs, they aren’t really
actionable due to their short-lived nature.

> How long does Cloudflare retain these circuit ids?

The synthetic IPs (built from circuit ids) are collected under Cloudflare’s
standard logging procedure. As such, they could be kept as short as one week
(for debugging purposes) or as long as one year (if a log is included in the 1%
we sample for analysis purposes). Given the extremely short-lived nature of a
circuit, these logs will be devoid of any context to us.


On Sun, Sep 23, 2018 at 7:46 PM Mahrud S <dinovirus at gmail.com> wrote:

> I think it would be better if you draft a response to this rather than me
> responding.
>
> ---------- Forwarded message ---------
> From: teor <teor at riseup.net>
> Date: Sun, Sep 23, 2018 at 12:38 AM
> Subject: Re: [tor-onions] Probably-stupid question about Circuit IDs
> To: <tor-onions at lists.torproject.org>
> Cc: Mahrud S <dinovirus at gmail.com>
>
>
> Hi Mahrud,
>
> > On 23 Sep 2018, at 12:10, Mahrud S <dinovirus at gmail.com> wrote:
> >
> > In short, yes. I think everything mentioned above is correct, and I'm
> > not sure what else to add.
>
> I'm still not quite clear on some of the details:
>
> > On Sat, Sep 22, 2018 at 9:09 PM teor <teor at riseup.net> wrote:
> >
> >> On 23 Sep 2018, at 04:50, Alec Muffett <alec.muffett at gmail.com> wrote:
> >>
> >> That latter seems not very much worse than the information which a
> >> compromised exit node would be able to obtain ("Browsing Normal Web over
> >> Tor") although it would be a lot more available when the circID is
> >> presented to any backbone observer who can sniff IPv6?
> >
> > This IPv6 address isn't in the IP header of the packets between Cloudflare's
> > onion service and Cloudflare's proxy.
> >
> > It's sent inside the TCP (or TLS?) connection between the Tor onion service
> > and the proxy instance, as a text header before any other inner TCP or TLS:
> > https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
> >
> > If Cloudflare encrypts their onion service to proxy connections (and they
> > should), the circuit id will only be known to the onion service and its guard
> > (or rendezvous point, for a single-hop onion service connection).
>
> Is the connection between Cloudflare's Tor onion service and Cloudflare's proxy
> instance encrypted?
>
> > Alternately, if Cloudflare hosts its onions in the same data centre as the proxies
> > they talk to, then the risk of interception is low.
>
> Does Cloudflare host its onion services in the same data centre as the proxies they
> talk to?
>
> > Then, if the proxy strips out this header before sending the request to the origin
> > site, or connects to the origin site using TLS, then this IP address shouldn't be
> > visible on the backbone.
>
> Does the Cloudflare proxy strip out the PROXY header?
> Or does it get transformed into X-Forwarded-For? (Or something similar?)
>
> > Also note: the CloudFlare dashboard shows the circuit id to site owners:
> > https://blog.cloudflare.com/cloudflare-onion-service/
> >
> > I can't see how having the actual circuit id is useful to site owners.
> > They can't block it effectively, because it's transient.
> > (And the same circuit id can be re-used by independent connections.)
>
> Why does the Cloudflare dashboard show the circuit id to site owners?
> They can't effectively block a circuit id; if they try, there may be collateral
> damage to unrelated users; and it is an information leak.
>
> That said, it's no worse than any other onion site operator using the circuit id
> feature, except that Cloudflare could collect and store a significant number of
> circuit ids.
>
> How long does Cloudflare retain these circuit ids?
>
> T
>
>
> --
> mahrud <algorithms.jux-foundation.org/~mahrud/blog>
>
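
Added example (not part of the original message, and not Cloudflare's or Tor's code): a backend-side parser for the plaintext PROXY protocol v1 line discussed in this thread, which recognizes a synthetic circuit-id address and keeps it out of logs and block lists. It assumes the address layout documented in the tor manual for `HiddenServiceExportCircuitID haproxy` (prefix `fc00:dead:beef:4dad::/96`, circuit id in the last 32 bits); the function names and the redaction policy are hypothetical.

```python
import ipaddress

# Synthetic prefix from the tor manual's HiddenServiceExportCircuitID section.
# Assumption: the deployment discussed in this thread uses the same layout.
SYNTHETIC_NET = ipaddress.ip_network("fc00:dead:beef:4dad::/96")


def parse_proxy_v1(data: bytes):
    """Split a PROXY v1 line off the front of a stream.

    Returns (source_address_or_None, remaining_payload); raises ValueError
    on a malformed header so the connection can be dropped.
    """
    line, sep, rest = data.partition(b"\r\n")
    if not sep or len(line) > 105:          # spec: at most 107 bytes with CRLF
        raise ValueError("missing or oversized PROXY header")
    fields = line.decode("ascii").split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":              # sender gave no address information
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported PROXY v1 header")
    return ipaddress.ip_address(fields[2]), rest


def circuit_id(addr):
    """Return the 32-bit circuit id carried in a synthetic address, else None."""
    if addr is None or addr.version != 6 or addr not in SYNTHETIC_NET:
        return None
    return int(addr) & 0xFFFFFFFF           # last 32 bits of the address


def loggable_source(addr):
    """Hypothetical policy: never log or block on a synthetic address."""
    if addr is None:
        return "unknown"
    return "onion-circuit" if circuit_id(addr) is not None else str(addr)


# Constructed sample streams; the first header line is the tor manual's example.
ONION = b"PROXY TCP6 fc00:dead:beef:4dad::ffff:ffff ::1 65535 42\r\nGET / HTTP/1.1\r\n\r\n"
DIRECT = b"PROXY TCP4 203.0.113.7 198.51.100.1 51000 443\r\nGET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for stream in (ONION, DIRECT):
        src, payload = parse_proxy_v1(stream)
        print(src, circuit_id(src), loggable_source(src), payload[:14])
```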