With her experiment, she found that, out of the 1,400 nodes she tested, seven intercepted traffic and stole passwords. Chloe said she wasn't surprised by the low number, "because Tor is mostly ran by good people," but she also said that this should serve as a cautionary tale to Tor users.
"You should never trust the exit node and use HTTPS," Chloe said in an email.
For her experiment, Chloe created a fake and tempting honeypot website, not protected by HTTPS web encryption, called Bitcoinbuy.
"I always knew that you can't trust the exit nodes but I wanted to test how malicious they actually were."
"An exit node can see traffic between itself and the destination. This is by design; it is unavoidable," Kijin Sung, a web developer, wrote in a Hacker News thread commenting on the research. "The experiment shows that some exit nodes actually are recording that traffic and extracting login credentials from it. There's nothing surprising about it. It's what we've all been suspecting for a long time."
This research is a reminder that Tor is a tool that makes you anonymous, not a tool that secures your connection. Also, this type of attack only works on websites that are not protected by HTTPS, the more secure web protocol that uses TLS to encrypt the connection between a user and a site.
A Tor Project spokesperson declined to comment specifically on this research, simply saying: "We strongly support ethical Tor research."
The Tor Project encourages researchers to flag and report bad relays, whether they are malicious, misconfigured or simply broken. The nonprofit also scans the network itself looking for bad relays.
Chloe said she's now working on new tools to scan for sniffing exit nodes, improving upon BADONION. One downside of the BADONION experiment, she said, is that it only detected malicious nodes that reused the password, not those that simply intercepted it and stored it away.
"My overall goal is to make Tor a safer place for everyone and this first published results shows that there are bad people in the network and more people need to be aware of this," Chloe said. "This issue can be fixed on both sides, the site owner should offer HTTPS for its users and Tor should work even harder to find these bad nodes."
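The detection limit described above can be seen in a small correlator, added here as an example; it is not code from the article or from BADONION. It assumes each test login sent through an exit used a decoy password unique to that exit; the function names, relay labels and log entries are hypothetical and constructed.

```python
import hashlib
import hmac

# Constructed demo key; a real honeypot operator would keep this secret.
SECRET = b"constructed-demo-key"


def decoy_password(fingerprint: str) -> str:
    """Derive a decoy password tied to one exit relay (assumed scheme)."""
    mac = hmac.new(SECRET, fingerprint.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def find_reusing_exits(tested, login_log):
    """Return {fingerprint: extra_logins} for decoys used more than once.

    tested    -- fingerprints of exits a decoy login was sent through
    login_log -- (timestamp, password) tuples recorded by the honeypot
    """
    owner = {decoy_password(fp): fp for fp in tested}
    seen = {}
    for _timestamp, password in login_log:
        fp = owner.get(password)
        if fp is None:
            continue  # not one of our decoys, e.g. unrelated guessing
        seen[fp] = seen.get(fp, 0) + 1
    # The first use of each decoy is the researcher's own test login;
    # any further use means someone on that path captured and replayed it.
    return {fp: n - 1 for fp, n in seen.items() if n > 1}


# Constructed sample: three tested exits, one decoy replayed later.
TESTED = ["EXIT-A", "EXIT-B", "EXIT-C"]
LOG = [
    (100, decoy_password("EXIT-A")),
    (101, decoy_password("EXIT-B")),
    (102, decoy_password("EXIT-C")),
    (950, decoy_password("EXIT-B")),  # replayed credential
    (990, "hunter2"),                 # unrelated login attempt
]

if __name__ == "__main__":
    print(find_reusing_exits(TESTED, LOG))
```

An exit that records the password but never logs in with it produces exactly one log entry, the same as an honest exit, so it stays invisible to this check.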