Mahrud Sayrafi

Author Archives: Mahrud Sayrafi

Introducing the Cloudflare Onion Service

Introducing the Cloudflare Onion Service
  • When: a cold San Francisco summer afternoon
  • Where: Room 305, Cloudflare
  • Who: 2 from Cloudflare + 9 from the Tor Project
Introducing the Cloudflare Onion Service

What could go wrong?

Bit of Background

Two years ago this week Cloudflare introduced Opportunistic Encryption, a feature that provided additional security and performance benefits to websites that had not yet moved to HTTPS. Indeed, back in the old days some websites only used HTTP --- weird, right? “Opportunistic” here meant that the server advertised support for HTTP/2 via an HTTP Alternative Service header in the hopes that any browser that recognized the protocol could take advantage of those benefits in subsequent requests to that domain.

Around the same time, CEO Matthew Prince wrote about the importance and challenges of privacy on the Internet and tasked us to find a solution that provides convenience, security, and anonymity.

From neutralizing fingerprinting vectors and everyday browser trackers that Privacy Badger feeds on, all the way to mitigating correlation attacks that only big actors are capable of, guaranteeing privacy is a complicated challenge. Fortunately, the Tor Project addresses this extensive adversary model in Tor Browser.

However, the Internet is full of bad actors, and distinguishing Continue reading

Introducing DNS Resolver for Tor

Introducing DNS Resolver for Tor

Introducing DNS Resolver for Tor

In case you haven’t heard yet, Cloudflare launched a privacy-first DNS resolver service on April 1st. It was no joke! The service, which was our first consumer-focused service, supports emerging DNS standards such as DNS over HTTPS:443 and TLS:853 in addition to traditional protocols over UDP:53 and TCP:53, all in one easy to remember address:

As it was mentioned in the original blog post, our policy is to never, ever write client IP addresses to disk and wipe all logs within 24 hours. Still, the exceptionally privacy-conscious folks might not want to reveal their IP address to the resolver at all, and we respect that. This is why we are launching a Tor hidden service for our resolver at dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion and accessible via

Introducing DNS Resolver for Tor

NOTE: the hidden resolver is still an experimental service and should not be used in production or for other critical uses until it is more tested.

Crash Course on Tor

What is Tor?

Imagine an alternative Internet where, in order to connect to, instead of delegating the task of finding a path to our servers to your internet provider, you had to go through the following Continue reading