Researcher tests Tor exit nodes, finds not all operators can be trusted

While the Tor anonymity network conceals (relatively successfully) a user’s location and Internet activity from anyone who might want to know about it, users should be aware of the fact that it does not offer end-to-end encryption, and any traffic that is not encrypted before it enters Tor can be seen and perused by those operating exit nodes.

Since it’s impossible for the Tor project to verify whether everyone who operates an exit node is an ethical operator looking only to help people around the world, flagging exit nodes as “bad” usually happens only where they are obviously misconfigured or someone – usually a researcher – discovers they are trying to manipulate traffic.

A security researcher who goes by the name Chloe recently tested around 1,400 Tor exit nodes by setting up a Bitcoin-themed phishing site with a login page and using a unique username/password combination every time she (he?) visited and logged into the site through a different node.

This allowed Chloe to see whether someone operating a Tor exit node would try to use the login credentials they gleaned from the (non-encrypted) traffic.

In a little over a month, some 1,400 nodes were tested over 95 times. In that timeframe, there were 12 attempted unsuccessful logins (wrong password) and 16 successful ones using the unique passwords (and they weren’t made by Chloe).

Because each password was unique, Chloe could pinpoint which exit node operators had sniffed the traffic passing through their nodes, and report them to the Tor project. Still, some of these nodes remain active to this day and haven’t been flagged as “bad”.
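The canary-credential methodology described above, as an added example that is not Chloe's code: each probe through an exit node is given a unique HMAC-derived credential, and any later login with that credential from an address other than the tester's own is attributed to the node it crossed. Relay fingerprints, IP addresses, the key and the log format are constructed placeholders.

```python
import hmac
import hashlib
from collections import defaultdict

# Experiment key (constructed; fixed here so the example is reproducible).
EXPERIMENT_KEY = b"tor-exit-canary-demo-key"
# Addresses the tester's own probe logins arrive from (constructed placeholders).
TESTER_IPS = {"198.51.100.10"}

def credential_for(exit_fp: str, probe_no: int):
    """Derive an unguessable username/password pair unique to one probe via one exit node."""
    tag = hmac.new(EXPERIMENT_KEY, f"{exit_fp}:{probe_no}".encode(), hashlib.sha256).hexdigest()
    return f"u{tag[:12]}", tag[12:32]

def issue(exit_fps, probes):
    """Register every credential handed out, keyed by username -> (exit, probe, password)."""
    registry = {}
    for fp in exit_fps:
        for n in range(probes):
            user, pw = credential_for(fp, n)
            registry[user] = (fp, n, pw)
    return registry

def attribute_logins(log_lines, registry):
    """Map login attempts from non-tester sources back to the exit node the credential crossed.
    Log line format (constructed): '<timestamp> <src_ip> <username> <submitted_password>'."""
    hits = defaultdict(list)
    for line in log_lines:
        _ts, src, user, submitted = line.split()
        if src in TESTER_IPS or user not in registry:
            continue  # the tester's own probe, or a credential that was never issued
        fp, n, pw = registry[user]
        outcome = "success" if hmac.compare_digest(submitted, pw) else "wrong_password"
        hits[fp].append((n, src, outcome))
    return dict(hits)

# Constructed sample run: three placeholder exits, two probes each, four login attempts.
EXIT_A, EXIT_B, EXIT_C = "FP_A", "FP_B", "FP_C"
REGISTRY = issue([EXIT_A, EXIT_B, EXIT_C], probes=2)
_ua, _pa = credential_for(EXIT_A, 0)
_ub, _pb = credential_for(EXIT_B, 1)
SAMPLE_LOG = [
    f"2000-01-01T10:00:00Z 198.51.100.10 {_ua} {_pa}",        # tester's own login
    f"2000-01-02T03:14:00Z 203.0.113.7 {_ua} {_pa}",          # replay, correct password
    f"2000-01-02T03:20:00Z 203.0.113.7 {_ub} nottherightone",  # replay, wrong password
    f"2000-01-03T11:00:00Z 192.0.2.44 unknownuser guess",      # credential never issued
]

if __name__ == "__main__":
    for fp, attempts in attribute_logins(SAMPLE_LOG, REGISTRY).items():
        print(fp, attempts)
```

A successful login implicates the node that carried probe n; a wrong-password attempt still shows the username was captured, which is why the article counts both.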

Finally, it’s worth pointing out that there may be more snooping node operators than the evidence shows – perhaps some were just interested in accessing that particular phishing site.
