Exit Node Attacks

The Last Hop Problem

The Exit Node Problem

Tor encrypts traffic between you and the exit node, but the exit node forwards it to the destination exactly as your application sent it. If that traffic is not protected by HTTPS or another end-to-end protocol, a malicious exit can intercept, modify, or log it.

Traffic Flow
You ══[Encrypted]══► Guard ══► Middle ══► Exit ──[PLAIN]──► Site
                                            │
                                     Can see traffic
                                     if not HTTPS!

Attack Types

Traffic Sniffing     Read unencrypted data (HTTP, FTP)     Passive
SSL Stripping        Downgrade HTTPS to HTTP               Active
Content Injection    Add malware to downloads              Malicious
Credential Theft     Capture login credentials             Theft

Real Incidents

  • Bitcoin Theft (2020) - Malicious exits rewrote Bitcoin addresses
  • Certificate Manipulation - Exits caught issuing fake certificates
  • Malware Injection - Exits adding malware to downloads

Protection Strategies

  • Always use HTTPS - encrypt end-to-end
  • Enable HTTPS-Only mode in Tor Browser
  • Verify certificate fingerprints for sensitive sites
  • Use .onion services when available (no exit)
  • Don't log in to accounts over HTTP
  • Verify file hashes after downloading
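
The "Verify file hashes after downloading" step, as an added Python example (not from the original page): it checks a download against a sha256sum-format checksum list and fails closed when the file is altered or not listed. The file names and bytes are constructed, and the list is assumed to arrive over a channel the exit cannot alter (HTTPS or an .onion service), since a list fetched over plain HTTP can be rewritten along with the file.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# sha256sum list line: 64 hex digits, a space, a mode flag (' ' or '*'), file name
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_sha256sums(text):
    """Return {file name: lowercase hex digest}; raise on a malformed line."""
    sums = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a SHA-256 checksum entry")
        sums[m.group(2)] = m.group(1).lower()
    return sums

def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # chunked: file may be large
            h.update(block)
    return h.hexdigest()

def verify_download(path, sums):
    """Return 'ok', 'MISMATCH' or 'NOT LISTED' for the downloaded file."""
    expected = sums.get(Path(path).name)
    if expected is None:
        return "NOT LISTED"  # fail closed: no trusted digest for this name
    return "ok" if sha256_file(path) == expected else "MISMATCH"

def demo():
    genuine = b"constructed release archive bytes\n"  # constructed sample data
    sums = parse_sha256sums(f"{hashlib.sha256(genuine).hexdigest()}  tool.tar.gz\n")
    cases = {"genuine": ("tool.tar.gz", genuine),
             "tampered": ("tool.tar.gz", genuine + b"<bytes added in transit>"),
             "unlisted": ("other.bin", genuine)}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, (name, data) in cases.items():
            (Path(d) / name).write_bytes(data)
            results[label] = verify_download(Path(d) / name, sums)
    return results

if __name__ == "__main__":
    print(demo())
```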

Key Rule: Never send sensitive data without end-to-end encryption. The exit node is untrusted—always assume it's hostile.