CyberWarfare / ExoWarfare

New Security Service for Tor Project Users: Certificate Check for .onion Host Names

The idea behind the (open-source) Cloudflare Onion Service is to have domain names first resolve to an .onion address, with the browser then asking for a valid certificate to establish an encrypted connection with the host – without running entry, relay, or exit nodes.


Cloudflare on Thursday announced a new service to provide Tor users with improved security and performance, while also aiming at reducing malicious network traffic.

The service is being launched in collaboration with the Tor Project and is set to become available for all those using Tor Browser 8.0. Because the idea and mechanics behind this service are not specific to Cloudflare, anyone can reuse them on their own site, the company says.

The problem the service addresses, the website protection provider says, is that while Tor Browser does mitigate the privacy problem on the web, it does not filter malicious traffic; it hides the source of that traffic along with everything else. To tackle this, many sites use CAPTCHA challenges, which make it more expensive for bots to operate over the Tor network, but these challenges are displayed to real users as well.

Cloudflare’s newly announced service aims to eliminate this problem and ensure that Tor users visiting Cloudflare websites won’t have to face a CAPTCHA. The feature also “enables more fine-grained rate-limiting to prevent malicious traffic,” the company says.

“From an onion service’s point of view each individual Tor connection, or circuit, has a unique but ephemeral number associated to it, while from a normal server’s point of view all Tor requests made via one exit node share the same IP address,” Cloudflare’s Mahrud Sayrafi explains.

The circuit number allows onion services to distinguish individual circuits and terminate those that behave maliciously.
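The per-circuit rate limiting described above, as an added example in Python (not Cloudflare's or the Tor Project's code). It assumes the way tor hands the circuit identifier to the service: with the `HiddenServiceExportCircuitID haproxy` option, tor prefixes each inbound connection with a PROXY protocol v1 line whose source IPv6 address lies in fc00:dead:beef:4dad::/64 and carries the circuit ID in its low 32 bits; check that layout against your tor man page. The PROXY lines below are constructed, not captured.

```python
"""Per-circuit rate limiting for an onion service.

Added example; not Cloudflare's or the Tor Project's code.
Assumption: tor's `HiddenServiceExportCircuitID haproxy` prepends a PROXY v1
line in which the source IPv6 address is inside fc00:dead:beef:4dad::/64 and
its low 32 bits are the circuit ID. Sample lines are constructed.
"""
import ipaddress
import time
from collections import defaultdict

CIRCUIT_ID_PREFIX = ipaddress.IPv6Network("fc00:dead:beef:4dad::/64")  # assumed layout


def parse_proxy_v1(line: str):
    """Parse a PROXY protocol v1 line into (circuit_id, dst_port).

    Returns None for anything that is not a well-formed TCP6 line with a
    source address in the circuit-ID range; such connections should be
    dropped rather than guessed at.
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] != "TCP6":
        return None
    try:
        src = ipaddress.IPv6Address(parts[2])
        dst_port = int(parts[5])
    except ValueError:
        return None
    if src not in CIRCUIT_ID_PREFIX:
        return None
    return int(src) & 0xFFFFFFFF, dst_port


class CircuitRateLimiter:
    """Token bucket keyed by circuit ID.

    Each circuit starts with `burst` requests and refills at `rate` per
    second. A circuit that exceeds its budget is marked terminated: the
    service closes the TCP connection carrying it, which tears the circuit
    down on the Tor side, without ever knowing the client's IP address.
    """

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self._tokens = defaultdict(lambda: float(burst))
        self._last = {}
        self.terminated = set()

    def allow(self, circuit_id: int) -> bool:
        if circuit_id in self.terminated:
            return False
        now = self.clock()
        last = self._last.get(circuit_id, now)
        self._tokens[circuit_id] = min(
            float(self.burst), self._tokens[circuit_id] + (now - last) * self.rate
        )
        self._last[circuit_id] = now
        if self._tokens[circuit_id] >= 1.0:
            self._tokens[circuit_id] -= 1.0
            return True
        self.terminated.add(circuit_id)
        return False


def replay(lines, limiter):
    """Run PROXY lines through the limiter; return (accepted, rejected, terminated_ids)."""
    accepted = rejected = 0
    for line in lines:
        parsed = parse_proxy_v1(line)
        if parsed is None:
            rejected += 1
            continue
        circuit_id, _dst_port = parsed
        if limiter.allow(circuit_id):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected, sorted(limiter.terminated)


# Constructed sample: circuit 0x2a sends 5 requests, circuit 0x2b sends 1,
# then one line from outside the circuit-ID range and one non-PROXY line.
SAMPLE_LINES = (
    ["PROXY TCP6 fc00:dead:beef:4dad::2a ::1 1 443\r\n"] * 5
    + ["PROXY TCP6 fc00:dead:beef:4dad::2b ::1 1 443\r\n"]
    + ["PROXY TCP6 2001:db8::1 ::1 1 443\r\n", "GET / HTTP/1.1\r\n"]
)

if __name__ == "__main__":
    # Fixed clock and zero refill so the run is deterministic: burst of 3.
    print(replay(SAMPLE_LINES, CircuitRateLimiter(rate=0.0, burst=3, clock=lambda: 0.0)))
```

The key point is what the bucket is keyed on: a circuit ID that tor assigns per client circuit, not an exit-node IP that thousands of unrelated users share.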

The idea behind the Cloudflare Onion Service, the site protection company explains, is to have domain names first resolve to an .onion address (in practice, the Cloudflare edge advertises the .onion address to Tor Browser in an HTTP Alt-Svc header), with the browser then asking for a valid certificate to establish an encrypted connection with the host.

“As long as the certificate is valid, the .onion address itself need not be manually entered by a user or even be memorable. Indeed, the fact that the certificate was valid indicates that the .onion address was correct,” Sayrafi points out.

This approach, Cloudflare notes, only requires the certificate presented by the onion service to be valid for the original hostname, not for the .onion name, so an ordinary domain-validated certificate (even a free one) suffices and no expensive EV certificate, the only kind a CA would issue for a .onion name at the time, is needed.
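The discovery and acceptance logic of the preceding paragraphs, as an added example in Python (not Cloudflare's or Tor Browser's code). Tor Browser 8.0 learns the .onion address from an HTTP Alt-Svc header; the rest is assumption: the advertised address is treated as a v3 onion address and checked with Tor's rend-spec-v3 checksum rule, the certificate is represented only by its list of dNSName SANs (chain, expiry and Certificate Transparency checks are taken as done elsewhere), and the key bytes, hostnames and header are constructed.

```python
"""Onion-address discovery and certificate acceptance.

Added example; not Cloudflare's or Tor Browser's code.
Fact: Tor Browser 8.0 learns the .onion from an Alt-Svc header and then
requires a certificate valid for the ORIGINAL hostname.
Assumptions: v3 onion addresses (rend-spec-v3 checksum); the certificate
is modelled by its dNSName SANs only; all sample data is constructed.
"""
import base64
import hashlib

B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def make_v3_onion(pubkey: bytes) -> str:
    """Build a v3 .onion name from a 32-byte ed25519 public key (a placeholder here)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses encode a 32-byte key")
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


def is_valid_v3_onion(host: str) -> bool:
    """True only for a syntactically valid v3 address whose checksum verifies."""
    host = host.lower().rstrip(".")
    if not host.endswith(".onion"):
        return False
    label = host[: -len(".onion")]
    if len(label) != 56 or any(c not in B32_ALPHABET for c in label):
        return False
    raw = base64.b32decode(label.upper())  # 56 base32 chars -> exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


def onion_alternatives(alt_svc: str):
    """Parse an Alt-Svc header; return [(protocol, onion_host, port)] for the
    .onion alternatives that pass the checksum check. Host-less entries
    (':443' means 'same host'), 'clear' and non-onion hosts are ignored."""
    found = []
    for entry in alt_svc.split(","):
        head = entry.split(";", 1)[0].strip()
        if "=" not in head:
            continue
        proto, authority = head.split("=", 1)
        host, sep, port = authority.strip().strip('"').rpartition(":")
        if not sep or not port.isdigit():
            continue
        if is_valid_v3_onion(host):
            found.append((proto.strip(), host.lower(), int(port)))
    return found


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """RFC 6125-style dNSName match: exact, or '*' as the whole leftmost
    label matching exactly one label (never the registered domain itself)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if (labels[0] == "*" and len(labels) == len(host) >= 3
                and labels[1:] == host[1:] and host[0]):
            return True
    return False


def accept_onion_connection(original_host: str, onion_host: str, san_dns_names) -> bool:
    """The browser-side rule the article describes: the .onion is trusted only
    because the certificate presented over the circuit is valid for the
    original hostname. A certificate naming just the .onion, or some other
    domain, is rejected; the .onion name itself never has to be in the cert."""
    return is_valid_v3_onion(onion_host) and hostname_matches(original_host, san_dns_names)


# Constructed sample data: a placeholder key, the header an edge would send,
# and the SAN lists of two hypothetical certificates.
SAMPLE_PUBKEY = bytes(range(32))                       # not a real key
SAMPLE_ONION = make_v3_onion(SAMPLE_PUBKEY)
SAMPLE_ALT_SVC = f'h2="{SAMPLE_ONION}:443"; ma=86400, h2=":443"; ma=3600'
SITE_CERT_SANS = ["example.com", "*.example.com"]      # certificate for the real site
ONION_ONLY_SANS = [SAMPLE_ONION]                       # certificate naming only the .onion

if __name__ == "__main__":
    for _proto, onion, _port in onion_alternatives(SAMPLE_ALT_SVC):
        print(onion,
              accept_onion_connection("www.example.com", onion, SITE_CERT_SANS),
              accept_onion_connection("www.example.com", onion, ONION_ONLY_SANS))
```

Note the asymmetry the article points out: the checksum check only catches a mistyped or corrupted .onion name; what actually binds the .onion to the site is that the certificate seen over the circuit is valid for the original hostname, which is why an edge presenting a certificate for a different domain is rejected even if the .onion name is well formed.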

“The Cloudflare Onion Service presents the exact same certificate that we would have used for direct requests to our servers, so you could audit this service using Certificate Transparency (which includes Nimbus, our certificate transparency log), to reveal any potential cheating,” Sayrafi says.

Because the service works without running entry, relay, or exit nodes, the only requests that Cloudflare would see as a result of this feature are those already headed to them. No new traffic is introduced and the company “does not gain any more information about what people do on the internet,” Sayrafi explains.

Cloudflare has made the Onion Routing service available to all of its customers and has enabled it by default for Free and Pro plans. The option can be accessed in the Crypto tab of the Cloudflare dashboard. The company recommends the use of Tor Browser 8.0 to take full advantage of the feature.