Boy, is Tor fast. Try i2p if you would love to see what “not known for being fast” means. Tor is reasonably fast for its use-cases, and those are - for most part - not watching videos.
That said, I very much applaud Cloudflare working on this! The Cloudflare-wall-of-death for Tor users always makes me navigate away from pages immediately.
Tor has definitely gotten faster over the past few years. It used to be pretty useless for actual browsing, but now it just feels like slightly slow wifi - even videos load fairly well.
What is the motive behind this? Is it just to harden the stance that Cloudflare puts privacy first? I'm not trying to be at all cynical, just don't understand the energy invested by Cloudflare to launch this?
It enhances privacy by removing the exit nodes and the transit across the Internet. It should make browsing Cloudflare managed sites via Tor fast. It makes it easier for us to deal with abusive requests from the Tor network because we can terminate individual circuits that are abusive and leave legit users alone. It fulfils a promise we made a long time ago. It's cool.
I'm not sure if you remember a month or so ago, a HN commenter mentioned how infuriating the experience of browsing Cloudflare sites on Tor is, because he get's the "Not a Robot" captcha every-single-time, I assume this also helps improve the experience for Tor users to show as a legit user when browsing other Cloudflare sites, so all in all the traffic looks clean.
I see every comment on HN about Cloudflare and so I saw that. Every time Tor/Cloudflare comes up I talk to the team about fixing it. Today is part of the fix.
What other measures are in the works, since this is only part? I'm excited to see more widespread adoption of privacy technology. Thank you for listening to our complaints, genuinely happy to see progress on this front.
IMHO, Nowadays' Cloudflare is like Google or Facebook from 10 years ago.
What Cloudflare is doing, is essentially centralize the entire Internet infrastructure from DNS, HTTPS to WWW, to the extend that Cloudflare can be the most powerful man-in-the-middle attacker if it wanted to be, can track whoever they wanted, or carry out random censorship, hence harmful to security and privacy in the long run. In fact, the Cloudbleed vulnerability (https://news.ycombinator.com/item?id=13766339) has already shown the enormous scale of damage that Cloudflare is capable of doing. For this reason, some of the most radical privacy advocates went to call Cloudflare the "active global adversary".
However, Cloudflare at this stage, still has a strong motivation that they should act as a supporter of a secure, free, open, and humane Internet, believing it is the principle of a company in the Silicon Valley, and especially when many of the beliefs currently are consistent with their business interests. So, currently, they think they should not abuse the power, but instead, should keep neutral and do the public good.
Freedom - This is the reason that Cloudflare does not aggressively banning websites solely based on a single DMCA complaint, in fact, Cloudflare used to host The Pirate Bay just fine (only stopping doing it after a formal legal ruling I believe). First, because they believe in free speech, don't want to perform extensive private censorship beyond the laws. And second, because adopting the principle of neutrality as a common carrier is the best strategy for their business interests - a ISP doesn't use their arbitrary judgements to censor objectionable content, for Cloudflare, the largest CDN hosting service online, needs to adhere the same principle, for both ideological and commercial reasons. Their censorship of Daily Stormer (https://www.eff.org/deeplinks/2018/01/private-censorship-not...) manifested the power they have, perhaps in the case it is good, but thinking about the severity of the consequence if abused, is horrible. Now, the CEO of Cloudflare agreed that he shouldn't have this level of private power, and promised he would not do something like this anymore, but...
Security and Privacy - This is why Cloudflare made crucial contributions to the development and mass adoption of HTTPS/TLS, making working solution and optimizations, etc, and setting up 1.1.1.1, the privacy-respecting DNS service that even available as a Tor online service, also recently opening up a IPFS gateway. They even developed a zero-knowledge proof system for user's privacy.
Back to the Tor issue, which is our main topic. While I said the some of the most radical privacy advocates went to call Cloudflare the "active global adversary", other people also have problems with Cloudflare, especially the IP-address based Web Application Firewall, which would inevitably discriminate Tor users, bombard them with an endless number of CAPTCHA. They got criticized by the Tor Project (https://blog.torproject.org/trouble-cloudflare). Cloudflare felt that they have their responsibility to support privacy, so they acknowledge the problem, and actively working towards solutions. Initial measures included allowing website owners to whitelist Tor users, reducing the frequency of the CAPTCHA for Tor users. Now, their Cloudflare Onion Service is obviously their complete, permanent solution to this problem, which allows strong end-to-end encryption, allows the traffic to stay in the Tor network, and also allows Cloudflare to distinguish different Tor sessions to block abusive one...
So to recap and ensure I understood correctly... Cloudflare will now offer a Tor Service endpoint. All websites running over CF will automatically route traffic over this Tor endpoint if I use Tor Browser 8.
If that is the case, it's quite awesome indeed, I should investigate the alt-svc thingy and add a tor node on my services for that stuff... Very interesting.
> I should investigate the alt-svc thingy and add a tor node on my services for that stuff... Very interesting.
If you do, I'd say also make the onion address known and just offer that up to your users too. If you're hosting your own onion and own site, the alt-svc thing only has value to those who can't remember the onion (and don't mind the extra lookup).
Probably not, I'd want to run it to avoid the exit node thing, I don't really want to bother with a proper onion address and having to distribute it. They're fairly opaque, I'd rather hide that they are being used.
You won't hide it if you're using alt-svc, it'll be plainly visible in HTTP (just maybe not in the browser address bar). All alt-svc is doing is essentially redirecting to the onion, so might as well make it visible.
Thanks to CloudFlare for working with Tor on these issues. The browsing experience for us legit Tor users is much better than it used to be.
I hope that eventually, .onion services can get DV certs so their proxy can serve that cert if the user connects directly, bypassing the need to connect through an exit node for the first connection.
One thing I'm curious about:
> While bad actors can still establish a fresh circuit by repeating the rendezvous protocol, doing so involves a cryptographic key exchange that costs time and computation.
Is there some way for the destination .onion service to scale the difficulty of this rendezvous challenge, so this proof-of-work scheme can continue to work? It would be sad if they get to the point where it's no longer an effective rate limit and have to go back to serving CAPTCHAs for every new circuit.
I really doubt we'll go back to using CAPTCHA for that. We'd already (ages and ages ago) dropped the use of CAPTCHA for connections from the Tor Browser. Today's announcement is a further refinement of all the work we've been doing to make using Tor smooth with Cloudflare domains.
For what it's worth, I haven't seen a CAPTCHA browsing cloudflare sites for a long time (months?), until just today I've gotten two (out of several tens of CF-backed sites visited). Could be related to these changes, not sure.
The option showed up for me a few hours after this was posted on HN. But as far as I can tell, in Tor Browser 8.0, it’s still using exit nodes when I access cloudflare.com and the site I activated the option on.
This is a good feature. Still, appears you are hitting Cloudflare first via an exit. I would say if whatever service you are using has its own onion, use that instead. I assume the way Cloudflare is determining if I am using Tor is by doing an IP lookup match w/ known exits? I would expect this feature would reduce bandwidth on the exit nodes which is great for decentralization. However, if you weren't to trust Cloudflare, this could be bad as its now opening up a central company to route traffic for Cloudflare customers, making it a central location for traffic analysis attacks (again, if you don't trust Cloudflare). At least exit nodes are a bit more distributed (but not much as there are still a very limited number, and you have to trust them too).
Also, since OnionBalance doesn't support v3 services yet, what is Cloudflare using behind those onion services to make them HA? Or are they each running on single machines acting as gateways that load balance after that?
Also, count me as one of those people that don't see much value DV certs have for onion services. A v3 onion is itself proof you have the ed25519 private key, so DV adds little on an identity and encryption front. EV has extra identity verification of course. I've read the EFF mailing list post in justification, and I'd say if features of TLS are a requirement (e.g. benefits of HTTPS), you might as well allow self-signed certs instead of having people use a CA. Granted, it's fairly harmless to allow DV for onion services, I just don't want to see it become the norm for HTTP-based onion services via promotion of the concept.
Shameless plug, here's a toolkit to create your own onion services easily in just a few lines: https://github.com/cretz/bine (including non-anonymous mode like the CF onion services). You can fire one up for your own site and give it as an HTTP alt svc.
Reading your comment I think you're a little confused about what this is.
This is for Cloudflare customers. Before this you went across normal Tor and hit an exit node and then went across the Internet to connection the nearest Cloudflare PoP. After this you go to the onion being run by Cloudflare eliminating the exit node and the hop across the Internet.
If you already have an onion for your service then you are already not using Cloudflare.
Nah, I get it and think it's good for Cloudflare customers over what happens today. My comment was a bit of scattershooting admittedly, so I can clarify this point.
> If you already have an onion for your service then you are already not using Cloudflare.
To clarify my point, what I mean is I might have "kodablahforum.com" running behind Cloudflare but I might, as a convenience for my users, offer my service behind an onion service unrelated to Cloudflare. I am saying, if the service offers that option, it can be seen as a bit more secure (if you don't mind the unwieldiness of the onion service address) to access that instead of the regular domain that hits Cloudflare via an exit and then routes all traffic through Cloudflare onion services.
Again, in general, I agree this is a complete improvement for non-onion-service using Tor browser users of Cloudflare customer sites. And I think it's a good pattern for sites/hosts/CDNs to follow (i.e. onions as HTTP alt services) in the current absence of acceptably secure/decentralized DNS for onion services. But direct onion service access hosted by the endpoint is always preferred over a middleman if it is an option.
I typically get on tor to deny large corporations information about myself and my connection, and typically via torify lynx... A behemoth corporation insinuating itself into this is defeating at least my purpose. Yes, they cannot see where I came from, but it is one more instance harvesting my browser information. Not a fan.
22 comments
[ 3.0 ms ] story [ 64.4 ms ] threadBoy, is Tor fast. Try i2p if you would love to see what “not known for being fast” means. Tor is reasonably fast for its use-cases, and those are - for most part - not watching videos.
That said, I very much applaud Cloudflare working on this! The Cloudflare-wall-of-death for Tor users always makes me navigate away from pages immediately.
What Cloudflare is doing, is essentially centralize the entire Internet infrastructure from DNS, HTTPS to WWW, to the extend that Cloudflare can be the most powerful man-in-the-middle attacker if it wanted to be, can track whoever they wanted, or carry out random censorship, hence harmful to security and privacy in the long run. In fact, the Cloudbleed vulnerability (https://news.ycombinator.com/item?id=13766339) has already shown the enormous scale of damage that Cloudflare is capable of doing. For this reason, some of the most radical privacy advocates went to call Cloudflare the "active global adversary".
However, Cloudflare at this stage, still has a strong motivation that they should act as a supporter of a secure, free, open, and humane Internet, believing it is the principle of a company in the Silicon Valley, and especially when many of the beliefs currently are consistent with their business interests. So, currently, they think they should not abuse the power, but instead, should keep neutral and do the public good.
Freedom - This is the reason that Cloudflare does not aggressively banning websites solely based on a single DMCA complaint, in fact, Cloudflare used to host The Pirate Bay just fine (only stopping doing it after a formal legal ruling I believe). First, because they believe in free speech, don't want to perform extensive private censorship beyond the laws. And second, because adopting the principle of neutrality as a common carrier is the best strategy for their business interests - a ISP doesn't use their arbitrary judgements to censor objectionable content, for Cloudflare, the largest CDN hosting service online, needs to adhere the same principle, for both ideological and commercial reasons. Their censorship of Daily Stormer (https://www.eff.org/deeplinks/2018/01/private-censorship-not...) manifested the power they have, perhaps in the case it is good, but thinking about the severity of the consequence if abused, is horrible. Now, the CEO of Cloudflare agreed that he shouldn't have this level of private power, and promised he would not do something like this anymore, but...
Security and Privacy - This is why Cloudflare made crucial contributions to the development and mass adoption of HTTPS/TLS, making working solution and optimizations, etc, and setting up 1.1.1.1, the privacy-respecting DNS service that even available as a Tor online service, also recently opening up a IPFS gateway. They even developed a zero-knowledge proof system for user's privacy.
Back to the Tor issue, which is our main topic. While I said the some of the most radical privacy advocates went to call Cloudflare the "active global adversary", other people also have problems with Cloudflare, especially the IP-address based Web Application Firewall, which would inevitably discriminate Tor users, bombard them with an endless number of CAPTCHA. They got criticized by the Tor Project (https://blog.torproject.org/trouble-cloudflare). Cloudflare felt that they have their responsibility to support privacy, so they acknowledge the problem, and actively working towards solutions. Initial measures included allowing website owners to whitelist Tor users, reducing the frequency of the CAPTCHA for Tor users. Now, their Cloudflare Onion Service is obviously their complete, permanent solution to this problem, which allows strong end-to-end encryption, allows the traffic to stay in the Tor network, and also allows Cloudflare to distinguish different Tor sessions to block abusive one...
If that is the case, it's quite awesome indeed, I should investigate the alt-svc thingy and add a tor node on my services for that stuff... Very interesting.
If you do, I'd say also make the onion address known and just offer that up to your users too. If you're hosting your own onion and own site, the alt-svc thing only has value to those who can't remember the onion (and don't mind the extra lookup).
I hope that eventually, .onion services can get DV certs so their proxy can serve that cert if the user connects directly, bypassing the need to connect through an exit node for the first connection.
One thing I'm curious about:
> While bad actors can still establish a fresh circuit by repeating the rendezvous protocol, doing so involves a cryptographic key exchange that costs time and computation.
Is there some way for the destination .onion service to scale the difficulty of this rendezvous challenge, so this proof-of-work scheme can continue to work? It would be sad if they get to the point where it's no longer an effective rate limit and have to go back to serving CAPTCHAs for every new circuit.
For what it's worth, I haven't seen a CAPTCHA browsing cloudflare sites for a long time (months?), until just today I've gotten two (out of several tens of CF-backed sites visited). Could be related to these changes, not sure.
I'm not currently seeing this in my account.
Does anyone know how to see this in action?
Also, since OnionBalance doesn't support v3 services yet, what is Cloudflare using behind those onion services to make them HA? Or are they each running on single machines acting as gateways that load balance after that?
Also, count me as one of those people that don't see much value DV certs have for onion services. A v3 onion is itself proof you have the ed25519 private key, so DV adds little on an identity and encryption front. EV has extra identity verification of course. I've read the EFF mailing list post in justification, and I'd say if features of TLS are a requirement (e.g. benefits of HTTPS), you might as well allow self-signed certs instead of having people use a CA. Granted, it's fairly harmless to allow DV for onion services, I just don't want to see it become the norm for HTTP-based onion services via promotion of the concept.
Shameless plug, here's a toolkit to create your own onion services easily in just a few lines: https://github.com/cretz/bine (including non-anonymous mode like the CF onion services). You can fire one up for your own site and give it as an HTTP alt svc.
This is for Cloudflare customers. Before this you went across normal Tor and hit an exit node and then went across the Internet to connection the nearest Cloudflare PoP. After this you go to the onion being run by Cloudflare eliminating the exit node and the hop across the Internet.
If you already have an onion for your service then you are already not using Cloudflare.
> If you already have an onion for your service then you are already not using Cloudflare.
To clarify my point, what I mean is I might have "kodablahforum.com" running behind Cloudflare but I might, as a convenience for my users, offer my service behind an onion service unrelated to Cloudflare. I am saying, if the service offers that option, it can be seen as a bit more secure (if you don't mind the unwieldiness of the onion service address) to access that instead of the regular domain that hits Cloudflare via an exit and then routes all traffic through Cloudflare onion services.
Again, in general, I agree this is a complete improvement for non-onion-service using Tor browser users of Cloudflare customer sites. And I think it's a good pattern for sites/hosts/CDNs to follow (i.e. onions as HTTP alt services) in the current absence of acceptably secure/decentralized DNS for onion services. But direct onion service access hosted by the endpoint is always preferred over a middleman if it is an option.