Because of CloudFlare's position regarding Tor users, along with the erroneous idea that an identity is an IP address, these changes do nothing for the Tor user and developer community at large.
Tor is used for more than just routing around censorship. I use it to create a seamless network of all my computers via hidden services. So every machine has a "hidden service domain name" of [hash].onion. Knowing all the hashes of my machines means I can then use all my machines as a computing cloud.
I've also figured out how to seamlessly handle DNS resolution of onion addresses at the resolver level, meaning all Linux programs that can handle DNS names can also handle Onion names. Effectively that means that tools like Puppet and Chef work over Tor as well.
Cloudflare serves to undo and retard growth of Tor and I2P (which gets much less attention). And there are definite positives of using Tor... along with anti-censorship and strong anonymity claims.
As an example of where CloudFlare could be very useful, consider the following (since I couldn't edit my parent comment):
I have a site. Because the site is... disparaging to political figures, I want to run behind Tor as a hidden service. Now, CloudFlare is good at their core business, so I hire them to cache my .onion site for mass consumption. It also defends my .onion site from being slashdotted/reddit hug of death/HNbombed.
All the better if fellow Tor users access my site: I want people to consume/use my site. That's why it's published.
And here is CloudFlare, destroying Tor users' capability of using any site that hires CloudFlare. It's a completely ridiculous situation, and a horrid solution they subscribe to that does nobody any favors.
Now, they do have some valid reasons. And there can also be technological ways to solve it without shitcanning every Tor user.
1. Tarpit defense. Slow down connections that show 'harassing behaviors'. No, you don't need to see that webpage 100 times in a second.
2. Offer a CloudFlare.onion hidden service. There's no reason they can't get into Tor HS as well. Facebook already is.
3. Limit bandwidth to known Tor exit nodes. Don't block.
CloudFlare is not blocking exit nodes because of volumetric DDoS attacks. That's not really viable over Tor anyway. It's mostly to block comment spam, crawlers and vulnerability scans (e.g. SQLi), which is unfortunately often done through Tor in automated ways.
Also: Website owners using CloudFlare can whitelist Tor traffic if they so choose.
I don't see how 2) would change anything with regards to the blocking situation. All the aforementioned problems would still apply; the only difference would be that they'd lose the IP address as an identifier, making it even harder to filter malicious traffic. I'm not against CloudFlare implementing something like that, but I fail to see the relevance, and I do wonder if tunneling all hidden service traffic for a site through a centralized service (which needs access to the plaintext in order to do any kind of caching or filtering) is a good idea for a project like Tor.
Yeah, I was making some big changes on my blog, and things kind of exploded in my face. My fault, it wasn't terribly critical so I nuked and reinstalled.
Just install Tor as you normally would, and turn on Hidden Services from port 22 to port 22 (for SSH). Keep track of the generated Tor onion hostname when you restart with Hidden Services enabled.
______________________________________
But here's the 'magic' part: how to get .onion resolution across a Linux system.
Get the following packages (Ubuntu, Debian):
sudo apt-get install tor iptables dnsmasq dnsutils
Add the following to the /etc/tor/torrc file:
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53
DNSListenAddress 127.0.0.2
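The comment above gives the torrc side of the setup but stops before the two pieces that make it work system-wide: dnsmasq has to forward only the .onion zone to Tor's DNSPort, and iptables has to redirect TCP destined for the VirtualAddrNetworkIPv4 range into TransPort. The script below is an added example, not the commenter's code. It assumes Debian/Ubuntu packaging (tor user debian-tor, torrc at /etc/tor/torrc, dnsmasq reading /etc/dnsmasq.d/, dnsmasq being the resolver on 127.0.0.1), a hidden-service directory of /var/lib/tor/ssh_hs, and a current Tor release, where the bind address goes directly on the DNSPort line rather than on a separate DNSListenAddress line. It renders the three config pieces, checks that an answer lies inside 10.192.0.0/10, and only writes anything when explicitly told to.

```shell
#!/bin/sh
# Added example (not the commenter's code): system-wide .onion resolution on
# Debian/Ubuntu. Assumed values: tor user debian-tor, hidden-service dir
# /var/lib/tor/ssh_hs, Tor DNS on 127.0.0.2:53, TransPort on 127.0.0.1:9040,
# dnsmasq as the system resolver on 127.0.0.1 with /etc/dnsmasq.d/ enabled.
set -eu

VIRT_NET=10.192.0.0/10        # range Tor hands out for automapped .onion names
TOR_DNS_ADDR=127.0.0.2
TOR_DNS_PORT=53
TRANS_PORT=9040
HS_DIR=/var/lib/tor/ssh_hs    # assumed path; any dir owned 0700 by the tor user works

# torrc fragment. Current Tor releases take the bind address on DNSPort itself,
# which replaces the older separate DNSListenAddress line.
render_torrc() {
    cat <<EOF
# SSH reachable as <hostname>.onion:22, forwarded to the local sshd
HiddenServiceDir $HS_DIR/
HiddenServicePort 22 127.0.0.1:22

# Resolve .onion names to a fake address in VIRT_NET and remember the mapping
VirtualAddrNetworkIPv4 $VIRT_NET
AutomapHostsOnResolve 1
# Transparent proxy port that iptables will redirect VIRT_NET traffic to
TransPort 127.0.0.1:$TRANS_PORT
# Tor's own DNS listener; dnsmasq forwards only the .onion zone here
DNSPort $TOR_DNS_ADDR:$TOR_DNS_PORT
EOF
}

# dnsmasq fragment: every *.onion query goes to Tor, everything else goes to the
# normal upstream resolvers, so ordinary hostnames never touch Tor's DNSPort.
render_dnsmasq_conf() {
    printf 'server=/onion/%s#%s\n' "$TOR_DNS_ADDR" "$TOR_DNS_PORT"
}

# iptables rules as text so they can be reviewed before being applied.
# Only TCP to the automapped range is redirected; Tor carries nothing else,
# so non-TCP traffic to those addresses is rejected rather than leaked onto
# whatever network 10.192/10 happens to route to locally.
render_iptables_rules() {
    cat <<EOF
iptables -t nat -A OUTPUT -d $VIRT_NET -p tcp -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT -d $VIRT_NET ! -p tcp -j REJECT
EOF
}

# Exit 0 when an IPv4 address lies inside 10.192.0.0/10, i.e. first octet 10
# and second octet 192..255. Used to sanity-check what the resolver returns.
in_virtual_net() {
    a=${1%%.*}; rest=${1#*.}; b=${rest%%.*}
    case "$a" in
        10) [ "$b" -ge 192 ] && [ "$b" -le 255 ] ;;
        *)  return 1 ;;
    esac
}

# Live check (needs tor, dnsmasq and the rules installed): the answer for an
# onion name must come back inside VIRT_NET, otherwise something between
# resolv.conf, dnsmasq and Tor is misconfigured and the name is going upstream.
check_resolution() {
    addr=$(dig +short "$1" @127.0.0.1 | head -n1)
    [ -n "$addr" ] && in_virtual_net "$addr"
}

# Run as root. Appends to torrc, drops the dnsmasq fragment, applies the rules,
# restarts both daemons and prints the generated onion hostname for SSH.
install_all() {
    render_torrc        >> /etc/tor/torrc
    render_dnsmasq_conf >  /etc/dnsmasq.d/onion.conf
    install -d -m 0700 -o debian-tor -g debian-tor "$HS_DIR"
    render_iptables_rules | sh -e
    systemctl restart tor dnsmasq
    sleep 3   # tor writes the hostname file shortly after it starts the service
    echo "SSH onion name: $(cat "$HS_DIR/hostname")"
}

# Nothing is changed unless explicitly asked: ONION_SETUP_APPLY=1 sh onion-resolver.sh
if [ "${ONION_SETUP_APPLY:-0}" = 1 ]; then
    install_all
else
    render_torrc; echo; render_dnsmasq_conf; echo; render_iptables_rules
fi
```

Run it without ONION_SETUP_APPLY to review the three fragments, then with ONION_SETUP_APPLY=1 as root. Afterwards `check_resolution <hash>.onion` should succeed and `ssh <hash>.onion` should connect through TransPort with no ProxyCommand; if dig returns a public address instead, dnsmasq is not forwarding the onion zone and the name has leaked to the upstream resolver.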
I have my IoT system across multiple networks, and for some of them I do not control the router. One possible solution was to have my VPS machine provide tunnels in a star topology. It's pretty sucky for the star center, because it ends up getting all the traffic. And it's also pretty hard.
Another solution was to use dyndns, port forwarding, router redirection, poking through NATs and all that... for each location I'm in. That's bad. Real bad.
Perhaps I could do some point-to-point trickery... but that doesn't work when both machines are NATted.
Tor Hidden Services provides a way to automatically breach the network seamlessly, and provide a routable address to that machine, no matter where that machine is. I take it to a cafe in Washington DC? Within 10 seconds, it's back on Tor. South America? 10 seconds.
The topology, once done, looks like a humongous ethernet hub, with no promiscuous mode. And each node is the 16 char hash.
Then, I can code against .onion addresses. They just work, and I know if I establish a connection, I can send data.
I'm already sending MQTT telemetry data from one network to my broker in another house 30 miles away. And it's sending pictures and metadata both. And it just works.
EDIT response:
>What kind of throughput & latency do you usually see?
Latency is the bigger one, obviously. It depends on the construction of the bridge. If I'm not using any overlays (OBFS3, OBFS4, scramblesuit, etc.) then initial lag times can go in excess of 30 seconds. Once that initial connection is established, lag times go down to the 200-300ms range.
Using overlays, because the network blocks various vanilla types of Tor, can take a lot longer. That's because those overlays are beaten on by China and Iran. Sometimes they will dead-route packets (5% of the time). Initial transit I've seen take up to 1 minute, with average ping times around 500 ms.
Throughput is a different beast. The only network I haven't saturated was my 1GBps desktop at work. I can stream movies directly with the speeds I routinely get. Just that initial bridge construction will make you think something went wrong.
(responded here because "I'm responding too fast")