Tor network
Tor network

The very network nodes that relay anonymous Tor traffic for you, free of charge, may be sniffing or reading your data as it passes through. That's the conclusion of an investigation by a security researcher known as Chloe.

The Onion Router (Tor) network is based on free software which enables anonymous communication by hiding the originating IP address from the destination server. It achieves this by directing internet traffic through a network of volunteer relays which makes it difficult to trace activity back to the user.

It is, according to reports by the US National Security Agency and UK's Parliamentary Office of Science and Technology, the most popular and effective anonymous internet communication system, used by an estimated 2.5 million people each day.

At the entry node, Tor encrypts the original data including the destination IP address multiple times and sends it through a virtual circuit of randomly selected Tor relays. Each relay decrypts a layer to reveal only the next relay in the circuit. The final relay, called the exit node, decrypts the innermost layer and sends the original data to its destination without revealing or even knowing the source IP address, making for anonymous communications.

Tor onion network - artwork by Electronic Frontier Foundation

That's the theory at least, but Chloe conducted an experiment called Badonions to test how often the exit nodes were sniffing the data after it had been decrypted.

The test involved setting up a dummy website with an admin sub-domain and a login page. Chloe then logged into the site through the Tor network many times – in fact, 137,319 times. Due to timeouts and other issues, only 99,271 attempts resulted in a successful connection to the dummy admin account.

Chloe was looking for instances where the unique password chosen for each login attempt was used a second time, which would indicate that the exit node, in that instance, had sniffed the credentials and someone had then decided to have a go at using the credentials to log into Chloe's dummy site.

Chloe found 16 instances of multiple uses of a unique password. While it may appear a small number, this number should be zero. In addition, there were 650 unique page visits which points to additional sniffing activity.

Chloe estimates that the number of exit nodes tested was 1400, with each used around 95 times.

The conclusion: “We can see that there's passive MITM [man in the middle spying] going on in the Tor network. This is done by setting up a fully functional and trustworthy exit node and start sniffing.”

In an email to, Chloe says it would be wrong to conclude that the Tor network was unusable: “It just shows that there's bad guys out there that will try to take advantage of Tor-users. This is a problem that affects VPN and proxies too, but the problem is that anyone can anonymously set up a node and start sniffing.”

As a consequence, it's more important than ever for site owners to use HTTPS, and it would help if more users were to join the hunt for bad nodes.

Chloe has been critical in the past of how Tor is organised, citing the problem of the 10 or so authority nodes that exert some control over the network and have the ability to blacklist exit nodes.

According to Chloe, an email notifying the Tor project about a bad exit node was initially greeted with a positive response. “But nothing happened. Still today the same node is actively sniffing traffic and making the Tor network unsafe for everyone,” Chloe said.

Roger Dingledine, co-founder and interim executive director of the Tor Project, replying to an email from SC, said that the Project had been in communication with Chloe for about a week.

He disputed the number of suspect exit nodes discovered, saying it was seven rather than 15 or 16, a figure which is based on the number of unique Tor fingerprints, but even so he wasn't surprised or overly concerned about it.