Cloudflare experiments with hidden Tor services
Matt Prince sets a daemon to work with the onions
Cloudflare has added a Tor hidden service to its DNS services.
Launching the service, the company explained that while it wipes logs and doesn't write client IP addresses to disk, “exceptionally privacy-conscious folks might not want to reveal their IP address to the resolver at all, and we respect that.”
The resolver's address is dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion, accessible via tor.cloudflare-dns.com, and (for those not familiar with Tor) the reason it's so extraordinarily complex is that it's the public key used to encrypt communication with the hidden service.
So users don't have to try to remember “dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad”, it uses HTTP's Alt-Svc header to notify the browser how and where to access the resource. This, the post noted, is supported in Mozilla, with Firefox Nightly offering .onion addresses as alternative services.
The header indicates to the browser that the .onion address is available for tor.cloudflare-dns.com (such as through a SOCKS proxy), and the browser checks security details like the certificate and server name.
If everything passes, he browser sends requests to the alternative service – the hidden Tor resolver – “ensuring that your future requests do not leave the Tor network.”
As well as basic privacy, Cloudflare says there are other protections available from offering a hidden service – in particular, users are protected against malicious exit nodes (which can reveal a user's browsing, or even strip SSL), and against deanonymisation attacks.
Against such attacks, “the only solution … is to eliminate the need for Exit Nodes by using hidden services instead.”
“Moreover, if your client does not support encrypted DNS queries, using a hidden resolver can secure the connection from on-path attacks, including BGP hijacking attacks”, the post adds.
The post concludes with instructions about configuring the
cloudflared daemon to use the service – and users are reminded that since this is currently an experimental service, don't use it in production. ®
Sponsored: Becoming a Pragmatic Security Leader