
Introducing the Cloudflare Onion Service - jgrahamc
https://blog.cloudflare.com/cloudflare-onion-service/
======
chrisacky
What is the motive behind this? Is it just to harden the stance that
Cloudflare puts privacy first? I'm not trying to be at all cynical, just don't
understand the energy invested by Cloudflare to launch this?

~~~
jgrahamc
It enhances privacy by removing the exit nodes and the transit across the
Internet. It should make browsing Cloudflare managed sites via Tor fast. It
makes it easier for us to deal with abusive requests from the Tor network
because we can terminate individual circuits that are abusive and leave legit
users alone. It fulfils a promise we made a long time ago. It's cool.

~~~
chrisacky
I'm not sure if you remember a month or so ago, an HN commenter mentioned how
infuriating the experience of browsing Cloudflare sites on Tor is, because he
gets the "Not a Robot" captcha every single time. I assume this also helps
improve the experience for Tor users to show as a legit user when browsing
other Cloudflare sites, so all in all the traffic looks clean.

~~~
jgrahamc
I see every comment on HN about Cloudflare and so I saw that. Every time
Tor/Cloudflare comes up I talk to the team about fixing it. Today is part of
the fix.

~~~
Forbo
What other measures are in the works, since this is only part? I'm excited to
see more widespread adoption of privacy technology. Thank you for listening to
our complaints, genuinely happy to see progress on this front.

------
zaarn
So to recap and ensure I understood correctly... Cloudflare will now offer a
Tor Service endpoint. All websites running over CF will automatically route
traffic over this Tor endpoint if I use Tor Browser 8.

If that is the case, it's quite awesome indeed, I should investigate the alt-
svc thingy and add a tor node on my services for that stuff... Very
interesting.

~~~
kodablah
> I should investigate the alt-svc thingy and add a tor node on my services
> for that stuff... Very interesting.

If you do, I'd say also make the onion address known and just offer that up to
your users too. If you're hosting your own onion and own site, the alt-svc
thing only has value to those who can't remember the onion (and don't mind the
extra lookup).

~~~
zaarn
Probably not, I'd want to run it to avoid the exit node thing, I don't really
want to bother with a proper onion address and having to distribute it.
They're fairly opaque, I'd rather hide that they are being used.

~~~
kodablah
You won't hide it if you're using alt-svc, it'll be plainly visible in HTTP
(just maybe not in the browser address bar). All alt-svc is doing is
essentially redirecting to the onion, so might as well make it visible.

------
KenanSulayman
> Tor isn’t known for being fast.

Boy, is Tor fast. Try i2p if you would love to see what “not known for being
fast” means. Tor is _reasonably_ fast for its use-cases, and those are - for
most part - not watching videos.

That said, I very much applaud Cloudflare working on this! The Cloudflare-
wall-of-death for Tor users always makes me navigate away from pages
immediately.

~~~
xur17
Tor has definitely gotten faster over the past few years. It used to be pretty
useless for actual browsing, but now it just feels like slightly slow wifi -
even videos load fairly well.

------
kodablah
This is a good feature. Still, appears you are hitting Cloudflare first via an
exit. I would say if whatever service you are using has its own onion, use
that instead. I assume the way Cloudflare is determining if I am using Tor is
by doing an IP lookup match w/ known exits? I would expect this feature would
reduce bandwidth on the exit nodes which is great for decentralization.
However, if you weren't to trust Cloudflare, this could be bad as it's now
opening up a central company to route traffic for Cloudflare customers, making
it a central location for traffic analysis attacks (again, if you don't trust
Cloudflare). At least exit nodes are a bit more distributed (but not much as
there are still a very limited number, and you have to trust them too).

Also, since OnionBalance doesn't support v3 services yet, what is Cloudflare
using behind those onion services to make them HA? Or are they each running on
single machines acting as gateways that load balance after that?

Also, count me as one of those people that don't see much value DV certs have
for onion services. A v3 onion is itself proof you have the ed25519 private
key, so DV adds little on an identity and encryption front. EV has extra
identity verification of course. I've read the EFF mailing list post in
justification, and I'd say if features of TLS are a requirement (e.g. benefits
of HTTPS), you might as well allow self-signed certs instead of having people
use a CA. Granted, it's fairly harmless to allow DV for onion services, I just
don't want to see it become the norm for HTTP-based onion services via
promotion of the concept.

Shameless plug, here's a toolkit to create your own onion services easily in
just a few lines:
https://github.com/cretz/bine (including non-anonymous mode like the CF onion
services). You can fire one up for your own
site and give it as an HTTP alt svc.
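Added example, not code from any commenter, from bine or from Cloudflare: it shows the two mechanics discussed in this thread, what an Alt-Svc header pointing at an onion actually carries (it is plain text in the HTTP response, as noted above) and why a v3 onion address is self-certifying (the address embeds the ed25519 public key plus a checksum that a client can recompute). The header value and the 32-byte key are constructed for the demonstration; the address built from them does not exist.

```python
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
ONION_V3_PREFIX = b".onion checksum"

def onion_v3_address(pubkey):
    """Build a v3 onion address from a 32-byte ed25519 public key (Tor rend-spec-v3)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(ONION_V3_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + ONION_V3_VERSION).decode("ascii").lower() + ".onion"

def is_valid_onion_v3(host):
    """True only if host is a well-formed v3 onion whose embedded checksum verifies."""
    host = host.lower()
    if not host.endswith(".onion") or len(host) != 56 + len(".onion"):
        return False
    try:
        raw = base64.b32decode(host[:-len(".onion")].upper())
    except (ValueError, TypeError):
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return False
    expected = hashlib.sha3_256(ONION_V3_PREFIX + pubkey + version).digest()[:2]
    return checksum == expected

def parse_alt_svc(value):
    """Parse an RFC 7838 Alt-Svc value into dicts of proto/host/port/params."""
    entries = []
    for entry in value.split(","):
        parts = [p.strip() for p in entry.split(";") if p.strip()]
        if not parts or "=" not in parts[0]:
            continue
        proto, authority = parts[0].split("=", 1)
        host, _, port = authority.strip('"').rpartition(":")  # empty host = same origin
        params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        entries.append({"proto": proto.strip(), "host": host,
                        "port": int(port) if port.isdigit() else None, "params": params})
    return entries

def onion_alternatives(alt_svc_value):
    """(host, port) pairs a Tor client could switch to: only checksum-valid v3 onions."""
    return [(e["host"], e["port"]) for e in parse_alt_svc(alt_svc_value)
            if is_valid_onion_v3(e["host"]) and e["port"] is not None]

# Constructed sample key (not a real service key), so the resulting address is unreachable.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_ONION = onion_v3_address(SAMPLE_PUBKEY)
# Constructed header as a server might send it: an onion alternative plus a plain one.
SAMPLE_ALT_SVC = 'h2="%s:443"; ma=86400; persist=1, h2=":443"; ma=3600' % SAMPLE_ONION

if __name__ == "__main__":
    print(parse_alt_svc(SAMPLE_ALT_SVC))
    print(onion_alternatives(SAMPLE_ALT_SVC))
```

A client that does this check still has to reach the onion through its Tor connection rather than over a plain exit; the header only advertises the alternative, it does not make the origin any less visible in the response.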

~~~
jgrahamc
Reading your comment I think you're a little confused about what this is.

This is for Cloudflare customers. Before this you went across normal Tor and
hit an exit node and then went across the Internet to connect to the nearest
Cloudflare PoP. After this you go to the onion being run by Cloudflare
eliminating the exit node and the hop across the Internet.

If you already have an onion for your service then you are already _not_ using
Cloudflare.

~~~
kodablah
Nah, I get it and think it's good for Cloudflare customers over what happens
today. My comment was a bit of scattershooting admittedly, so I can clarify
this point.

> If you already have an onion for your service then you are already not using
> Cloudflare.

To clarify my point, what I mean is I might have "kodablahforum.com" running
behind Cloudflare but I might, as a convenience for my users, offer my service
behind an onion service unrelated to Cloudflare. I am saying, if the service
offers that option, it can be seen as a bit more secure (if you don't mind the
unwieldiness of the onion service address) to access that instead of the
regular domain that hits Cloudflare via an exit and then routes all traffic
through Cloudflare onion services.

Again, in general, I agree this is a complete improvement for non-onion-
service using Tor browser users of Cloudflare customer sites. And I think it's
a good pattern for sites/hosts/CDNs to follow (i.e. onions as HTTP alt
services) in the current absence of acceptably secure/decentralized DNS for
onion services. But direct onion service access hosted by the endpoint is
always preferred over a middleman if it is an option.

------
na412
Thanks to CloudFlare for working with Tor on these issues. The browsing
experience for us legit Tor users is much better than it used to be.

I hope that eventually, .onion services can get DV certs so their proxy can
serve that cert if the user connects directly, bypassing the need to connect
through an exit node for the first connection.

One thing I'm curious about:

> While bad actors can still establish a fresh circuit by repeating the
> rendezvous protocol, doing so involves a cryptographic key exchange that
> costs time and computation.

Is there some way for the destination .onion service to scale the difficulty
of this rendezvous challenge, so this proof-of-work scheme can continue to
work? It would be sad if they get to the point where it's no longer an
effective rate limit and have to go back to serving CAPTCHAs for every new
circuit.

~~~
jgrahamc
I really doubt we'll go back to using CAPTCHA for that. We'd already (ages and
ages ago) dropped the use of CAPTCHA for connections from the Tor Browser.
Today's announcement is a further refinement of all the work we've been doing
to make using Tor smooth with Cloudflare domains.

~~~
na412
Good to hear.

For what it's worth, I haven't seen a CAPTCHA browsing cloudflare sites for a
long time (months?), until just today I've gotten two (out of several tens of
CF-backed sites visited). Could be related to these changes, not sure.

------
leveck
I typically get on tor to deny large corporations information about myself and
my connection, and typically via torify lynx... A behemoth corporation
insinuating itself into this is defeating at least my purpose. Yes, they
cannot see where I came from, but it is one more instance harvesting my
browser information. Not a fan.

~~~
crtasm
I don't see how this makes any difference? If you use Tor to browse a site
that uses Cloudflare they were getting that info anyway.

------
michaelmior
> The option is available in the Crypto tab of the Cloudflare dashboard.

I'm not currently seeing this in my account.

~~~
guan
The option showed up for me a few hours after this was posted on HN. But as
far as I can tell, in Tor Browser 8.0, it’s still using exit nodes when I
access cloudflare.com and the site I activated the option on.

Does anyone know how to see this in action?

