Traffic in the Tor network is being sniffed at the exit nodes

A security researcher conducted an experiment to demonstrate that someone is sniffing traffic passing through Tor network exit nodes.

When talking about the Tor network, most people assume that it provides end-to-end security, but that assumption may be wrong, as the security researcher Chloe discovered.

The Tor network is free, and it is the safest way to be anonymous since it hides your original IP from the destination server. To do that, Tor uses relays to redirect traffic, but the security researcher Chloe now concludes that traffic is being sniffed at the exit nodes.

Chloe ran the following tests to demonstrate this thesis:

  • Set up a dummy website with an admin sub-domain and a login page
  • Use the Tor network to log in to the site many times (137,319 times)
  • Use a unique password for every login attempt

This means that Chloe never repeated a password.


Next, Chloe searched the logs for instances where one of the unique passwords (one per login) had been used more than once, which would indicate that someone was sniffing an exit node and trying to log in to Chloe’s dummy site.

What Chloe found was surprising, to say the least: 16 instances of multiple uses of unique passwords, meaning that someone was sniffing the traffic. In addition, Chloe got 650 unique page visits.
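The log search described above, as an added example that is not Chloe's own code: each bait password is sent through exactly one exit node, so any later appearance of it in the site's login log points back to that node. The ledger, log format, fingerprints, dates and addresses are constructed for illustration, and the log is assumed to be in chronological order.

```python
from collections import defaultdict

# Constructed ledger: bait password -> exit node it was sent through (once).
ISSUED = {
    "pw-7f3a91": "EXIT_FP_A",
    "pw-c02d5e": "EXIT_FP_B",
    "pw-19be44": "EXIT_FP_C",
}

# Constructed login log of the dummy site: "timestamp source_ip password".
LOG = """\
2015-06-01T10:00:01 198.51.100.10 pw-7f3a91
2015-06-01T10:00:09 198.51.100.11 pw-c02d5e
2015-06-01T10:00:15 198.51.100.12 pw-19be44
2015-06-03T22:41:50 203.0.113.77 pw-c02d5e
truncated-line
2015-06-04T03:12:02 203.0.113.77 pw-c02d5e
2015-06-05T08:30:00 192.0.2.5 admin123
"""


def find_reuse(log_text, issued):
    """Map each exit node to the later logins that replayed its bait password."""
    seen = set()
    reuse = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed or truncated log line
        timestamp, source_ip, password = parts
        if password not in issued:
            continue  # not a bait credential: unrelated guessing, ignore
        if password not in seen:
            seen.add(password)  # first use is our own login through the exit
            continue
        # Any further use means the password was captured somewhere on the path;
        # the exit node is the only relay that saw it in plaintext.
        reuse[issued[password]].append((timestamp, source_ip))
    return dict(reuse)


if __name__ == "__main__":
    for exit_node, events in find_reuse(LOG, ISSUED).items():
        print(exit_node, "bait password replayed", len(events), "time(s):", events)
```
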

Chloe claims that the test used 1400 nodes, and that each node was used around 95 times. The conclusion is, “We can see that there’s passive MITM [man in the middle spying] going on in the Tor network. This is done by setting up a fully functional and trustworthy exit node and start sniffing.”

Chloe told SCMagazineUK.com, “It just shows that there’s bad guys out there that will try to take advantage of Tor-users. This is a problem that affects VPN and proxies too, but the problem is that anyone can anonymously set up a node and start sniffing.”

In the past, Chloe criticized how Tor is organized, complaining about the 10 or so authority nodes, which have the power to blacklist exit nodes. Chloe had also previously notified the Tor Project by email about bad exit nodes: “But nothing happened. Still today the same node is actively sniffing traffic and making the Tor network unsafe for everyone.”

Roger Dingledine, the co-founder of the Tor Project, told SCMagazineUK.com that he is in communication with Chloe and that “He disputed the number of suspect exit nodes discovered, saying it was seven rather than 15 or 16, a figure which is based on the number of unique Tor fingerprints, but even so he wasn’t surprised or overly concerned about it.”

Roger Dingledine also defended the network: “Tor is the best option out there in terms of privacy and anonymity, but there are still many open research questions in the area, and there’s always room for improvement. We rely in large part on community members, just like in this situation, to identify, understand, and help resolve problems.”

“I love Tor and I run a few relays by myself actually… My recommendations are better URL for onions, like foobar.onion, better cryptography, more decentralised, more power to the users and more focus on keeping the network safe.

“What I mean about the last thing is that these attacks that are made by the exit nodes are not so prioritised, Tor tries to focus on the big attacks on AS-level and so on.

“Also, there needs to be better communication with Tor because I had some problems contacting the right people and even when I did, I did not get the response I was hoping for.”

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience at major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog: http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – Tor Network, hacking)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
