I made a grave mistake and this is an official redaction. Our earlier article on Cloudflare running Tor exit nodes was incorrect and based on a faulty methodology. The reason this happened is I was unaware that Cloudflare has a “hidden hidden” service that offers an alternative type of Tor onion that does NOT show up as a usual onion address in the URL bar. This hidden service still displays the CLEARWEB URL at the top, and the supposed purpose of this is to not damage the reputation of the Tor exit. Source:
https://developers.cloudflare.com/network/onion-routing/
Additionally, they somehow gather information, quote “Human Tor users and bots can be distinguished by our Onion services, such that interactive challenges are only served to malicious bot traffic.” Now I’m not here to debate the morality of them running these secretive onions that let them better determine bots via data collection. I am here to set the record straight.
Because speedtest was configured in this way, it was giving false readings as Cloudflare being the exit about 1/3 of the time, when in-fact, it was due to speedtest itself being on Cloudflare, and my third hop was a totally different IP. Technically using this service, one doesn’t even exit Tor, but the URL still displays the clearweb. When combined with Cloudflare seeing something like 90% of all clearweb traffic along with regular unproven rumors of them running Tor nodes, the false conclusion of them trying to identify DDoS was all too quick to make. (Although technically this is what they were doing if it helps them determine bots, but in a different form)
In order to set the record straight, our team has taken the public 1,312 Tor exit nodes from the official Tor Project and created a python script to see whose registered the servers. Using WhoIs entries, this allows the community to evaluate the centralization, and therefore a single registered party doing traffic analysis. This does NOT mean that an attacker can’t just rent different servers to hide his identity, it just means whose officially registered it. Further, we are open sourcing this python script, so that the community can benefit from this centralization analysis in the future. Here is the full results. And here is the Python script code.
Below is a summary of the results:
Out of 1,312 Tor Exits:
Provider: ZWIEBELFREUN, Germany
Total Exits: 173
Percentage of total: 13%
What is this: Tor non-profit
_____________________________________________
Provider: PONYNET / BuyVM / Frantech (same provider)
Total Exits: 108
Percentage of total: 8.2%
What is this: Commercial VM provider
_____________________________________________
QUINTEX, USA
Total Exits: 98
Percentage of total: 7.4%
What is this: Privacy/Security-focused Datacenter
Does audits & data recovery
_____________________________________________
IP-EEND-AS IP-EEND
Total Exits: 59
Percentage of total: 4.4%
What is this: Tor non-profit
1337-GMBH, Germany
Total Exits: 41
Percentage of total: 3.1%
What is this: Commercial VM provider
_____________________________________________
Emerald Onion
Total Exits: 40
Percentage of total: 3%
What is this: Tor non-profit
_____________________________________________
OVH
Total Exits: 39
Percentage of total: 2.9%
What is this: Commercial VM provider
What conclusions can we draw from this?
Certainty not the ones I was expecting. One point is Zwiebelfreun is affiliated with RiseUp VPN, as they handled donations for them. Source:
https://torservers.net/blog/2018-07-04-zwiebelfreunde-raid/
So one of our readers asked me about RiseUp → Tor, and my answer then was “ok”, but now it’s no. Because then your entry VPN and the largest exit node runner have clear financial connections.
What does this have to do with Cloudflare? Nothing.
I am truly sorry to you for the mistake. And I am truly sorry to the team that I let down.
We have an amazing line-up of stuff coming down the pipeline, and I hope this doesn’t smear the whole project. Huge thank you to everyone who tuned in.