Eavesdropping On Tor Exit Nodes

In the last article, I talked about the appropriate configuration of the Tor browser and the steps to follow to further strengthen our privacy. Now we’ll see how our data can be leaked even if our Tor browser is working in the right manner. The first thing to point out is that Tor encrypts our communication only inside the Tor network, not outside it, so it does not provide end-to-end encryption by itself. Once we understand this crucial concept, the questions become who has the ability to watch our exit nodes and how it is possible to avoid this violation of our privacy.

First Of All: End-To-End Encryption

Before investigating who the eavesdroppers are, let’s deprive them of any chance to spy on us. There are in fact cases in which end-to-end encryption is possible. Tor is not, by itself, able to guarantee encryption outside the onion network, but in combination with other tools and protocols we can obtain full encryption that no eavesdropper could break.

  • https – using https (if the site you are visiting supports it), the communication is encrypted end-to-end, so even if a malicious attacker controlled the exit node, they would not see anything readable
  • onion sites – if you surf inside onion-land, that is, you query an onion site, your communication remains fully encrypted

Who Are The Snoopers

The answer is: everyone who can run an exit node. If you want to run a Tor relay, it is enough to go to the relevant page of the Tor project and read the procedure. There are different kinds of relays, specifically:

  • Middle relay
  • Exit relay
  • Bridge

A middle relay is a non-exit relay, an exit relay is the last Tor relay before the destination, and a bridge is a non-public relay. In theory everyone can run a Tor relay, but there are many difficulties, related in particular to exit nodes. Since the final destination (that is, the site the client visits) sees the exit node’s IP as the source of the request, if illegitimate requests (hacking) are made, the abuse complaints will arrive directly at the owner of the exit node. This is why no one should run an exit node from home: a corporation or an institution (universities and the like) is better suited to manage the legal exposure than an individual.
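The flip side of the exit node appearing as the source address is that a site operator can recognise traffic arriving through Tor by checking the source IP against the Tor Project’s published exit-address list (the same list the end of this article points to). The following is an added example, not code from the article or from the Tor Project: it parses a list in the `check.torproject.org/exit-addresses` format (`ExitNode`, `Published`, `LastStatus`, `ExitAddress` lines) and flags the web-server requests whose source is a known exit. The exit list, fingerprints, addresses and access-log lines below are all constructed for the example.

```python
"""Added example: map Tor exit addresses to relay fingerprints and flag
web-server requests that came from a known exit. All sample data is
constructed; the fingerprints and IP addresses are fake."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample in the exit-addresses format (fake fingerprints/IPs).
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2024-01-05 10:00:00
LastStatus 2024-01-05 11:00:00
ExitAddress 198.51.100.7 2024-01-05 11:03:12
ExitNode 0000000000000000000000000000000000000002
Published 2024-01-05 09:30:00
LastStatus 2024-01-05 11:00:00
ExitAddress 203.0.113.42 2024-01-05 11:02:40
ExitAddress 203.0.113.43 2024-01-05 11:02:41
"""

# Constructed web-server access-log lines (combined-log style).
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [05/Jan/2024:11:10:01 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.43 - - [05/Jan/2024:11:10:05 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.7 - - [05/Jan/2024:11:11:09 +0000] "GET /admin HTTP/1.1" 403 128',
    "not a log line",
]


def parse_exit_list(text: str) -> Dict[str, str]:
    """Map each announced exit IP to the fingerprint of the relay announcing it."""
    exits: Dict[str, str] = {}
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode" and len(parts) >= 2:
            fingerprint = parts[1]  # subsequent ExitAddress lines belong to this relay
        elif parts[0] == "ExitAddress" and len(parts) >= 2 and fingerprint:
            try:
                ip = str(ipaddress.ip_address(parts[1]))  # validates and normalises
            except ValueError:
                continue  # skip a malformed address line rather than failing
            exits[ip] = fingerprint
    return exits


# Source IP, timestamp, request line and status of a combined-log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


@dataclass
class Hit:
    ip: str
    fingerprint: str
    request: str
    status: int


def flag_tor_exit_requests(log_lines: Iterable[str], exits: Dict[str, str]) -> List[Hit]:
    """Return the requests whose source address is a known Tor exit."""
    hits: List[Hit] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: ignore, do not crash the scan
        ip = m.group("ip")
        if ip in exits:
            hits.append(Hit(ip, exits[ip], m.group("req"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    known_exits = parse_exit_list(SAMPLE_EXIT_LIST)
    for hit in flag_tor_exit_requests(SAMPLE_ACCESS_LOG, known_exits):
        print(f"{hit.ip} via exit {hit.fingerprint[:8]}... {hit.request} -> {hit.status}")
```

In real use the list should be refreshed regularly (the `LastStatus` and per-address timestamps show how fresh each entry is), and a hit only says the request came through Tor, not that it is malicious; treat it as context for the analyst, not as a block decision by itself.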

So who actually runs the exit nodes?

Interesting research from Jigsaw states that the entities running exit nodes are mainly the following:

  • governments
  • intelligence agencies
  • large corporations
  • hackers

Governments run exit nodes to collect citizens’ data, intelligence agencies do the same to catch criminals, large corporations collect data to make money (possibly selling it to governments and intelligence agencies), and hackers collect data for… whatever it is.

In 2007, Dan Egerstad, a Swedish security researcher, highlighted this flaw by running five servers as exit nodes and collecting about 1,000 email accounts. Not only did he collect the credentials, he obviously could also read the content of the emails. This should make you feel how foolish it is to use Tor to hide your identity and then connect to a service (like your email server) that requires your credentials to authenticate you.

In 2015, a security researcher under the pseudonym “Chloe” conducted research by running a bitcoin honeypot with a login interface. Connecting through a different exit node each time, she logged in using the insecure http protocol. The result was that her credentials were stolen and used by the attackers to log in, as Chloe could observe through her honeypot.

You can find the list of all the exit nodes here. There are several steps involved if you want to run an exit node:

  • Find a good ISP; there are ISPs that are good for Tor usage and others that are not. Here you can find a comprehensive comparative list. Try to email the ISP you choose and explain what Tor is and why it is important to run a relay.
  • Use a separate IP address for the exit node, so it will be easier for legal complaints to distinguish between your own activity and the activity coming from the node.
  • Choose a recognizable DNS name like “tor-exit.mydomain.org” and set up the tor-exit-notice that you find here, so people who encounter your IP for other reasons can understand that you are running an exit node.
  • Try to have your ISP assign to your IP a SWIP record that displays an abuse email address related to you.
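As an added example (not the article’s own text and not the Tor Project’s sample torrc), here is a minimal exit-relay configuration showing where those steps land in torrc: `ContactInfo` gives the abuse contact, `DirPortFrontPage` serves the exit notice on the directory port, `OutboundBindAddressExit` puts exit traffic on an address dedicated to the relay, and a restrictive `ExitPolicy` limits what the node will relay. The nickname, contact, file path and IP address are placeholders.

```text
## Added example torrc for an exit relay. Nickname, contact, path and
## address are placeholders; adapt them before use.
Nickname        torexitexample
## Abuse contact that complaints about the exit address can reach.
ContactInfo     abuse AT example DOT org
ORPort          9001
DirPort         9030
## HTML exit notice served on DirPort so visitors learn this is a Tor exit.
DirPortFrontPage /etc/tor/tor-exit-notice.html
ExitRelay       1
## Send exit traffic from an address used by nothing else, so complaints
## about it can be separated from your own activity.
OutboundBindAddressExit 203.0.113.10
## Restrictive policy: relay web traffic only, reject everything else.
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
```

The policy is deliberately narrow; widening it (or removing the binding to a separate address) increases the volume of complaints the contact in `ContactInfo` will receive, which is exactly the exposure the steps above try to keep manageable.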