Is it advisable to host Snowflake and an Onion Service on the same machine?

I know that you must not run Snowflake on a server that also hosts a Tor relay, because machines running Snowflake must look like ordinary users (so that Snowflake users won’t be suspected of connecting to Tor) while Tor relays are publicly known by their IP addresses.

However, since Onion Services don’t connect to the clearnet at all, but are trying to hide where they’re hosted, there should be no issue running one simultaneously with Snowflake, right?

I guess it will work for now, because censors maybe track Tor connection activity but do not enforce blocking on this information (yet?). Someone having a node on the network would see your server interacting with Tor and could block it as suspicious.

If you are running a silk-motorway, you should also consider that every extra service you are running might draw attention and add extra possible vulnerabilities to the server. But if you are just running an onion mirror of a harmless clear-web site, you should be fine too.

So imho you should do a brief threat analysis considering your potential users and yourself. Asking here is a good start :wink:

But that’s already the case when running only Snowflake, isn’t it? After all, all Snowflake traffic is relayed to Tor.

I think the question really is: Does hosting an Onion Service give away any other information than simply “Hey, I’m using Tor”?

:joy:

You are right, but the traffic pattern is quite different.

snowflake-standalone gets WebRTC (UDP) coordinated by the broker from the clients and does the transfer to Tor via WebSocket (TCP) with predefined Tor entry nodes:

snowflake-01.torproject.net & snowflake-02.torproject.net (DESTINATION/entry nodes)

snowflake-broker.torproject.net (BROKER)

So not like a classical client.

You could run your onion service via Snowflake to blend in with the Snowflake traffic, but it would create an imbalance of UDP/TCP, which could be spotted via netflow or otherwise.
