LOGBOOK

HELP

Quiz Entry - updated: 2026.06.07

What can "Tor bad exits" actively do beyond passive eavesdropping, and who has run them?

Bad exits can read credentials on non-TLS connections, attempt MITM by forging SSL certificates, and try to de-anonymise hidden-service users via traffic/timing analysis — and state actors (NSA, GCHQ, Europol) have operated exit nodes.

Active threats from malicious exit nodes:

  • Reading personal data: logging login data for e-mail/bank accounts on connections not protected by SSL/TLS (mostly old sites without HTTPS). Defence: only use sites with a valid HTTPS certificate.
  • Forging SSL certificates: via man-in-the-middle, trying to fake certificates to read "encrypted" traffic. Defence: take certificate warnings seriously and abort on warning.
  • Locating hidden services: trying to de-anonymise hidden services and their users through traffic analysis and timing attacks.

State surveillance: Snowden documents confirmed the NSA and GCHQ passively operated exit nodes (the NSA reportedly ran 10–12 high-capacity Tor servers at the time); Europol has run a project aimed at "operational intelligence related to TOR."

Tip: A certificate warning while on Tor is a red flag, not an annoyance — it may be a bad exit attempting MITM.

From Quiz: PRIVACY / Anonymous Surfing, Tor & Location Tracking | Updated: Jun 07, 2026