Open fpietrosanti opened 12 years ago
Hey, it's been a long time since this has been updated, and as I am helping a friend with a tor2web instance and was looking into information about putting it behind Cloudflare, I stumbled into this.
1) This is very easy to do from a CF perspective.
2) Personally I think CF has shown itself to be a great partner in not only Onion Routing but also protecting the Internet.
3) You would have to get a premium Cloudflare membership which is $hundreds per month, but I think the bandwidth savings, the overall better and faster experience for people using the service would be worth it, but also perhaps if you reached out, CF might be willing to throw it your way or give a discount or whatever.
As for the concern about users' privacy, I think that inherently users using these systems should assume no privacy. Tor2Web is not for protecting end users; it's for protecting the people publishing the content. Creating any idea of security with the platform only reinforces negative user assumptions.
I don't think that Tor2Web should just publish every URL accessed with an IP of the user in some public database and say "HEY LOOK! SEE! THIS ISN'T SECURE" but honestly I don't think it should be the #1 crux of a problem either (even though, in this specific case, I think CF actually is fine). People should not expect privacy when there is no verifiable way for the T2W team to give it to them anyway.
Aaron got the idea of:
"What do you think of putting tor2web behind Cloudflare? It could provide extra protection for the Round Robins and, if we added appropriate caching headers, add some extra speed and another layer of caching for free."
We should evaluate which could be the different kinds of CDN / caching proxy that we can use and IF/HOW that kind of feature should be implemented regarding the Tor2web caching feature #29.
Additionally, we should consider the privacy impact of that, as we can expect that Cloudflare and/or other CDNs keep full access logs.