Cloudflare Launches Security Service for Tor Users

Cloudflare on Thursday announced a new service to provide Tor users with improved security and performance, while also aiming at reducing malicious network traffic.

The service is being launched in collaboration with the Tor Project and is set to become available for all those using Tor Browser 8.0. Because the idea and mechanics behind this service are not specific to Cloudflare, anyone can reuse them on their own site, the company says.

The idea behind the new service, the website protection provider says, is that, while the Tor Browser does mitigate the issue of privacy on the web, it does not filter malicious traffic, but actually hides its source. To tackle this, many use CAPTCHA challenges, thus making it more expensive for bots to reside on the Tor network, but these challenges are displayed to real users as well.

Cloudflare’s newly announced service aims at eliminating this problem and ensures that Tor users visiting Cloudflare websites won’t have to face a CAPTCHA. The feature also enables more fine-grained rate-limiting to prevent malicious traffic, the company says.

“From an onion service’s point of view each individual Tor connection, or circuit, has a unique but ephemeral number associated to it, while from a normal server’s point of view all Tor requests made via one exit node share the same IP address,” Cloudflare’s Mahrud Sayrafi explains.

The circuit number allows onion services to distinguish individual circuits and terminate those that behave maliciously.
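The difference between keying a rate limiter on the exit node's IP address and keying it on the circuit number can be shown with a small simulation. This is an added illustration, not code from Cloudflare or the Tor Project; the window, request budget, IP address and circuit numbers are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed sliding-window length
MAX_REQUESTS = 5      # assumed request budget per limiter key within the window

def sample_requests():
    """Constructed traffic: (timestamp, exit_ip, circuit_id), all via one exit node."""
    reqs = []
    for i in range(20):                      # circuit 7001: automated client
        reqs.append((i * 0.5, "198.51.100.7", 7001))
    for i in range(3):                       # circuits 7002/7003: ordinary users
        reqs.append((1.0 + i * 3.0, "198.51.100.7", 7002))
        reqs.append((2.0 + i * 3.0, "198.51.100.7", 7003))
    return sorted(reqs)

def by_exit_ip(exit_ip, circuit_id):
    # What a normal server can key on: every circuit on the exit shares one IP.
    return exit_ip

def by_circuit(exit_ip, circuit_id):
    # What an onion service can key on: the ephemeral per-circuit number.
    return circuit_id

def blocked_per_circuit(requests, key_fn):
    """Run a sliding-window limiter; return {circuit_id: refused request count}."""
    windows = defaultdict(deque)   # limiter key -> timestamps of accepted requests
    blocked = defaultdict(int)
    for ts, exit_ip, circuit_id in requests:
        window = windows[key_fn(exit_ip, circuit_id)]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()       # drop accepted requests that left the window
        if len(window) >= MAX_REQUESTS:
            blocked[circuit_id] += 1
        else:
            window.append(ts)
    return dict(blocked)

def circuits_to_terminate(requests):
    """Circuits that exceeded their own budget and can be closed individually."""
    return sorted(blocked_per_circuit(requests, by_circuit))

if __name__ == "__main__":
    reqs = sample_requests()
    print("keyed on exit IP :", blocked_per_circuit(reqs, by_exit_ip))
    print("keyed on circuit :", blocked_per_circuit(reqs, by_circuit))
    print("terminate        :", circuits_to_terminate(reqs))
```

With the IP key, the two ordinary users are refused because the automated client has already spent the shared budget; with the circuit key, only circuit 7001 is refused.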

The idea behind the Cloudflare Onion Service, the site protection company explains, is to have domain names first resolve to an .onion address, with the browser then asking for a valid certificate to establish an encrypted connection with the host.

“As long as the certificate is valid, the .onion address itself need not be manually entered by a user or even be memorable. Indeed, the fact that the certificate was valid indicates that the .onion address was correct,” Sayrafi points out.

This approach, Cloudflare claims, only requires that the certificate presented by the onion service be valid for the original hostname, meaning that even a free certificate for a domain can be used instead of an expensive EV certificate.

“The Cloudflare Onion Service presents the exact same certificate that we would have used for direct requests to our servers, so you could audit this service using Certificate Transparency (which includes Nimbus, our certificate transparency log), to reveal any potential cheating,” Sayrafi says.

Because the service works without running entry, relay, or exit nodes, the only requests that Cloudflare would see as a result of this feature are those already headed to them. No new traffic is introduced and the company “does not gain any more information about what people do on the internet,” Sayrafi explains.

Cloudflare has made the Onion Routing service available to all of its customers and has enabled it by default for Free and Pro plans. The option can be accessed in the Crypto tab of the Cloudflare dashboard. The company recommends the use of Tor Browser 8.0 to take full advantage of the feature.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
