Over 25% of the TOR network exit nodes have been under the control of malicious actors who are performing man-in-the-middle attacks against network users.

What is the TOR Network

The TOR Network is a volunteer run network of relay servers that aims to provide anonymous and secure internet access that prevents its users from being traced, tracked or identified. By using a special web browser, all web access is relayed through a series of servers who apply successive layers of encryption each time the packet passes through another relay server with the aim of preventing any traffic traversing the network from bring intercepted and decrypted.  The final TOR server in the chain necessarily must remove all the encryption as the traffic emerges onto the open internet in order to reach the destination website.  The problem occurs when that exit server is under the control of a malicious actor and who then manipulates the HTTP request or response data.

The types of attacks performed by these malicious exit nodes include:

• SSL-stripping where HTTP to HTTPS redirects are removed in order to gain access to the unencrypted HTTP traffic without displaying any warnings to the user
• Bitcoin rewrites where a bitcoin wallet address included in a transaction is replaced with the address of a wallet controlled by the attackers in order to divert the funds
• Download modification where a requested file download is replaced with a file created by the attackers that contains malware to infect the victim’s computer

According to a long running research project, there is an ongoing problem with bad actors trying to add malicious exit nodes to the TOR network in order to manipulate the traffic for profit.  The volunteer administrators of the TOR network try to identify and remove malicious nodes as they come online, but in the cat and mouse game a certain number of malicious exit nodes are always active.  The worst case recorded was in February 2021 when 27% of the exit nodes were under the control of known bad actors.  The researcher noticed that malicious TOR nodes tend to leave the ContactInfo for the server blank – the majority of known malicious nodes all have blank ContactInfo.

How to protect your customers who are using TOR

Any website may receive legitimate customer traffic via the TOR network and there are steps you can take to protect your customers if they are unlucky enough to find their traffic routed via a malicious exit server on the TOR network.

• HSTS Preloading which adds your website to a hardcoded list maintained by the major web browsers that will force all browser requests to use secure TLS / HTTPS regardless of what the user types into the browser address bar.
• HTTPS Redirects on your webserver which redirect any request for open HTTP on port 80 to instead use secure TLS traffic over port 443.