Cloudflare today announced its own onion service, which should make anonymous access to websites in its network easier and reduce the malicious traffic aimed at them.
Using the Tor Browser to visit websites anonymously can be pretty frustrating for the regular user, who has to prove they are human by solving CAPTCHA puzzles that are hard on the eyes.
Cloudflare Onion Service is a free solution that offers safe access to content via the Tor network, without going through an exit node.
An onion service is reachable only inside the Tor network; clients connect to it anonymously through a rendezvous point, which is a relay node in the Tor network.
The rendezvous point is chosen by the client and communicated to the onion service through an introduction point, another relay node that the service has picked at random in advance.
Under this scheme, a complete connection from the client to the onion service goes through six relays: three picked by the client (the third one being the rendezvous point) and three picked by the onion service.
Users who visit websites in the Cloudflare network through Tor Browser 8.0 and above get improved security and performance without having to pick out crosswalks, street signs, store fronts, cars, buses or whatnot in CAPTCHAs.
"At the same time, this feature enables more fine-grained rate-limiting to prevent malicious traffic," Cloudflare notes in a post shared with BleepingComputer, adding that the idea can be implemented by anyone.
In simple terms, when Tor Browser sends a request to a website behind Cloudflare's network, the reply carries an Alt-Svc (Alternative Service) header stating that the site is also available over HTTP/2 through the Cloudflare Onion Service.
"Once the browser receives this header, it attempts to make a new Tor circuit to the onion service advertised in the alt-svc header and confirm that the server listening on virtual port 443 can present a valid certificate for “cloudflare.com” --- that is, the original hostname, not the .onion address," Cloudflare explains.
If the certificate checks out, the browser routes its subsequent requests for 'cloudflare.com' over HTTP/2 through the onion service, so no exit node is involved.
The onion service does not give Cloudflare any more visibility than it already had: all connections still run through the Tor network, the company controls no entry, relay or exit node, and no new traffic is introduced into the network.
Onion Routing is currently available to all Cloudflare customers for free, and it is enabled by default under the Crypto tab of the dashboard.
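The following Python is an added illustration of the exchange described in the last three paragraphs; it is example code written for this article, not Cloudflare's or Tor Browser's implementation. It models the client-side rule: parse the Alt-Svc header, consider only an HTTP/2 ("h2") alternative whose host is an .onion address, and switch to it only if the certificate presented over that circuit is valid for the original hostname rather than the .onion name. The onion address, the header and the certificate names are constructed placeholders, and the `connect` callback stands in for the real Tor circuit plus TLS handshake.

```python
"""Added example: client-side handling of an Alt-Svc header that points at an onion service.
Not Cloudflare's or Tor Browser's code; all sample values below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import re

DEFAULT_MAX_AGE = 86400  # RFC 7838: "ma" defaults to 24 hours when absent

# Syntactic check only: v2 addresses are 16 base32 chars, v3 are 56. No checksum here.
ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")


@dataclass(frozen=True)
class AltService:
    protocol: str  # ALPN identifier, e.g. "h2"
    host: str      # empty string means "same host as the origin"
    port: int
    max_age: int   # seconds the alternative may be cached


def parse_alt_svc(header: str) -> List[AltService]:
    """Parse an Alt-Svc header value (RFC 7838). Malformed entries are skipped,
    which is what a browser does with an alternative it cannot make sense of."""
    header = header.strip()
    if header == "clear":
        return []
    alternatives: List[AltService] = []
    for alt_value in header.split(","):
        parts = [p.strip() for p in alt_value.split(";")]
        protocol, sep, authority = parts[0].partition("=")
        if not sep or len(authority) < 2 or authority[0] != '"' or authority[-1] != '"':
            continue
        host, colon, port = authority[1:-1].rpartition(":")
        if not colon or not port.isdigit():
            continue
        params: Dict[str, str] = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
        ma = params.get("ma", "")
        max_age = int(ma) if ma.isdigit() else DEFAULT_MAX_AGE
        alternatives.append(AltService(protocol.strip().lower(), host, int(port), max_age))
    return alternatives


def hostname_matches(hostname: str, san_dns_names: List[str]) -> bool:
    """RFC 6125-style match against certificate dNSName entries. A wildcard is honoured
    only in the leftmost label and matches exactly one label: "*.cloudflare.com" covers
    "www.cloudflare.com" but neither "cloudflare.com" nor "a.b.cloudflare.com"."""
    hostname = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".cloudflare.com"
            label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def choose_onion_alternative(
    origin_host: str,
    alt_svc_header: str,
    connect: Callable[[AltService], List[str]],
) -> Optional[AltService]:
    """Return the first usable onion alternative, or None to stay on the exit-node path."""
    for alt in parse_alt_svc(alt_svc_header):
        if alt.protocol != "h2" or not ONION_RE.match(alt.host):
            continue                    # not an HTTP/2 onion alternative; ignore it
        presented_names = connect(alt)  # stands in for: build circuit, do TLS handshake
        if not hostname_matches(origin_host, presented_names):
            continue                    # cert is for the .onion (or junk), not the origin
        return alt
    return None


# --- constructed sample data (hypothetical, not real Cloudflare values) ---
ORIGIN = "cloudflare.com"
ONION_HOST = "cflareexample" + "a" * 43 + ".onion"  # 56 base32 chars: a v3-shaped placeholder
HEADER = f'h2="{ONION_HOST}:443"; ma=86400; persist=1, h2=":443"'

# Two fake onion endpoints: one presenting a cert for the origin, one only for itself.
GOOD_CERTS: Dict[str, List[str]] = {ONION_HOST: ["cloudflare.com", "*.cloudflare.com"]}
BAD_CERTS: Dict[str, List[str]] = {ONION_HOST: [ONION_HOST]}


def good_connect(alt: AltService) -> List[str]:
    return GOOD_CERTS.get(alt.host, [])


def bad_connect(alt: AltService) -> List[str]:
    return BAD_CERTS.get(alt.host, [])


if __name__ == "__main__":
    print("accepted:", choose_onion_alternative(ORIGIN, HEADER, good_connect))
    print("rejected:", choose_onion_alternative(ORIGIN, HEADER, bad_connect))
```

The second alternative in the constructed header (`h2=":443"`, meaning "same host") is parsed but never chosen, because the switch away from the exit node is only worth making for an .onion host; the `bad_connect` case shows why the check is against the origin name and not the .onion name, since any onion service can present a certificate for its own address.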