Opportunistic Onion: More Protection Some of the Time – Mahrud Sayrafi


I will present results of a collaboration between the Tor Project, Mozilla, and Cloudflare to deploy onion services in Cloudflare’s infrastructure in order to protect the security and privacy of Tor user connections terminating in our network. Leveraging HTTP Alternative Services, we demonstrate how to defend against passive attacks by malicious exit nodes. As a secondary feature, this method makes it possible to distinguish individual Tor circuits, which allows Cloudflare to assign reputation to circuits rather than IP addresses and therefore show fewer CAPTCHAs to humans.

Additionally, I will introduce an open-source plugin for the Caddy Web Server which allows website admins to enable Opportunistic Onion using an existing HTTPS certificate with a simple configuration, nullifying the need to purchase Extended Validation certificates. Moreover, this plugin enables load balancing for the onion service.


Full-time mathematics student and part-time hacker.