6 Ways to Stay Safe From Compromised Tor Exit Nodes

Gavin Phillips Updated 09-05-2019

Tor is one of the most powerful tools for protecting your privacy on the internet. But, as seen in recent years, the power of Tor does come with limitations. Today, we’re going to look at how Tor works, what it does and does not do, and how to stay safe while using it.


Read on for ways you can stay safe from rogue or bad Tor exit nodes.

Tor in a Nutshell: What Is Tor?

Tor works like this: when you send a message through Tor, it is sent on a random course throughout the Tor network. It does this using a technology known as “onion routing.” Onion routing is a bit like sending a message sealed in a series of envelopes, each secured with a padlock.

Each node in the network decrypts the message by opening the outermost envelope to read the next destination, then send the still-sealed (encrypted) inner envelopes to the next address.

As a result, no individual Tor network node can see more than a single link in the chain, and the path of the message becomes extremely difficult to trace.

Eventually, though, the message has to wind up somewhere. If it is going to a “Tor hidden service,” your data remains within the Tor network. A Tor hidden service is a server with a direct connection to the Tor network and without a connection to the regular internet (sometimes referred to as the clearnet).


But if you are using the Tor Browser and Tor network as a proxy to the clearnet, it gets a little more complicated. Your traffic must go through an “exit node.” An exit node is a special type of Tor node that passes your internet traffic back along to the clearnet.

While the majority of Tor exit nodes are fine, some present a problem. Your internet traffic is vulnerable to snooping from an exit node. But it is important to note that it is far from all of them. How bad is the problem? Can you avoid malicious exit nodes?

How to Catch Bad Tor Exit Nodes

A Swedish security researcher, using the name “Chloe,” developed a technique that tricks corrupt Tor exit nodes into revealing themselves [Internet Archive link; original blog is no longer active]. The technique is known as a honeypot, and here’s how it works.

First, Chloe set up a website using a legitimate-looking domain name and web design to serve as the honeypot. For the specific test, Chloe created a domain resembling a Bitcoin merchant. Then, Chloe downloaded a list of every Tor exit node active at the time, logged into Tor, and used each Tor exit node, in turn, to log into the site.


To keep the results clean, she used a unique account for each exit node in question (around 1,400 at the time of the research).

Chloe tor network honeypot research data

Then, Chloe sat back and waited for a month. Any exit nodes that were attempting to steal login credentials from the exiting Tor traffic would see the unique login details, steal the username and password, and attempt to use it. The honeypot Bitcoin merchant site would note the login attempts and make a note.

Because each username and password combination was unique for each exit node, Chloe quickly uncovered several malicious Tor exit nodes.


Of the 1,400 nodes, 16 attempted to steal the login credentials. It doesn’t seem like many, but even one is too much.

Are Tor Exit Nodes Dangerous?

Chloe’s Tor exit node honeypot experiment was illuminating. It illustrated that malicious Tor exit nodes will take the opportunity to use any data they can acquire.

In this case, the honeypot research was only picking up the Tor exit nodes whose operators have an interest in quickly stealing a few Bitcoins. You have to consider that a more ambitious criminal probably wouldn’t show up in such a simple honeypot.

However, it is a concerning demonstration of the damage that a malicious Tor exit node can do, given the opportunity.


Back in 2007, security researcher Dan Egerstad ran five compromised Tor exit nodes as an experiment. Egerstad quickly found himself in possession of login details for thousands of servers across the world—including servers belonging to the Australian, Indian, Iranian, Japanese, and Russian embassies. Understandably, these come with a tremendous amount of extremely sensitive information.

Egerstad estimates that 95% of the traffic running through his Tor exit nodes was unencrypted, using the standard HTTP protocol, giving him complete access to the content.

After he posted his research online, Egerstad was raided by Swedish police and taken into custody. He claims that one of the police officers told him that the arrest was due to the international pressure surrounding the leak.

5 Ways to Avoid Malicious Tor Exit Nodes

The foreign powers whose information was compromised made a basic mistake; they misunderstood how Tor works and what it is for. The assumption is that Tor is an end-to-end encryption tool. It isn’t. Tor will anonymize the origin of your browsing and message, but not the content.

If you are using Tor to browse the regular internet, an exit node can snoop on your browsing session. That provides a powerful incentive for unscrupulous people to set up exit nodes solely for espionage, theft, or blackmail.

The good news is, there are some simple tricks you can use to protect your privacy and security while using Tor.

1. Stay on the Darkweb

dark web iceberg

The easiest way to stay safe from bad exit nodes is not to use them. If you stick to using Tor hidden services, you can keep all your communications encrypted, without ever exiting to the clearnet. This works well when possible. But it isn’t always practical.

Given the Tor network (sometimes referred to as the “darkweb”) is thousands of times smaller than the regular internet, you won’t always find what you’re looking for. Furthermore, if you want to use any social media site (bar Facebook, which does operate a Tor onion site How to Browse Facebook Over Tor in 5 Steps Want to stay secure when using Facebook? The social network has launched a .onion address! Here's how to use Facebook on Tor. Read More ), you will use an exit node.

2. Use HTTPS

Another way to make Tor more secure is to use end-to-end encryption. More sites than ever are using HTTPS to secure your communications Google Is Making HTTPS the Chrome Default With well over half of all websites now encrypted, it's time to think of HTTPS as the default option rather than the exception. That is, at least, according to Google. Read More , rather than the old, insecure HTTP standard. HTTPS is the default setting in Tor, for sites that support it. Also note that .onion sites don’t use HTTPS as standard because communication within the Tor network, using Tor hidden services is by its very nature, encrypted.

But if you enable HTTPS, when your traffic leaves the Tor network through an exit node, you maintain your privacy. Check out the Electronic Frontier Foundation’s Tor and HTTPS interactive guide to understand more about how HTTPS protects your internet traffic.

In any case, if you are connecting to a regular internet site using the Tor Browser, make sure the HTTPS button is green before transmitting any sensitive information.

3. Use Anonymous Services

The third way you can improve your Tor safety is to use websites and services that don’t report on your activities as a matter of course. That is easier said than done in this day and age, but a few small adjustments can have a significant impact.

For instance, switching from Google search to DuckDuckGo reduces your trackable data footprint. Switching to encrypted messaging services such as Ricochet (which you can route over the Tor network) also improve your anonymity.

4. Avoid Using Personal Information

In extension to using tools to increase your anonymity, you should also refrain from sending or using any personal information on Tor. Using Tor for research is fine. But if you engage in forums or interact in with other Tor hidden services, do not use any personally identifiable information.

5. Avoid Logins, Subscriptions, and Payments

You should avoid sites and services that require you to log in. What I mean here is that sending your login credentials through a malicious Tor exit node could have dire consequences. Chloe’s honeypot is a perfect example of this.

Furthermore, if you log in to a service using Tor, you may well start using identifiable account information. For example, if you log in to your regular Reddit account using Tor, you have to consider if you have identifying information already associated with it.

Similarly, the Facebook onion site is a security and privacy boost, but when you sign-in and post using your regular account, it isn’t hidden, and anyone can track it down (although they wouldn’t be able to see the location you sent it from).

Tor isn’t magic. If you login to an account, it leaves a trace.

6. Use a VPN

Finally, use a VPN. A Virtual Private Network (VPN) keeps you safe from malicious exit nodes by continuing to encrypt your data once it leaves the Tor network. If your data remains encrypted, a malicious exit node will not have a chance to intercept it and attempt to figure out who you are.

Two of MakeUseOf’s favorite VPN providers are ExpressVPN (MakeUseOf readers get 49% off) and CyberGhost (our readers can save 80% with a three-year signup). Both have long, respected histories of keeping your data private when it matters.

Staying Safe While Using Tor

Tor, and by extension, the darkweb, don’t have to be dangerous. If you follow the safety tips in this article, your chances of exposure will drastically decrease. The key thing to remember is to move slowly!

Want to learn more about Tor and the dark web? Download our free PDF guide exploring how you can explore the hidden internet—it’ll keep you safe as you traverse a hidden internet world. Otherwise, check out my unofficial user’s guide to Tor for more safety tips and tricks Really Private Browsing: An Unofficial User’s Guide to Tor Tor provides truly anonymous and untraceable browsing and messaging, as well as access to the so called “Deep Web”. Tor can’t plausibly be broken by any organization on the planet. Read More .

Related topics: Encryption, Online Privacy, Surveillance, Tor Network.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. anonymous
    July 8, 2016 at 12:57 am

    here yes, lol

  2. Anonymous
    July 3, 2015 at 12:07 am

    As a home PC user who use TOR on occasion, the civic-minded part of me wants to volunteer as a TOR exit node -- but like many others -- the pragmatic part of me worries that the FBI might come knocker if people use my node to jump to pirate or child porno sites. Wonder what (if any) safeguards can be put in place??

    • hbrillie
      February 11, 2016 at 2:33 pm

      if people use pirate or child porno sites, will the fbi come to you? so basically those assholes are safe and you are the bad guy?

    • HyPy
      March 13, 2016 at 10:43 pm

      You should do some research on how to run an exit node, if FBI, Interpol or whoever knocks your door complain about it, you just say that you're running an exit node and everything else should be fine. Also, if you want to run it, I recommend using a Linux live distribution with no persistence to do it.

      • sk
        April 9, 2016 at 6:30 pm

        Are you sure that running an exit node is totally legal in every country on the Earth?