Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Tor Exit Nodes Mapped and Located |

Shava Nerad shava23 at
Sun Mar 10 21:20:26 PDT 2013

This page could be more clearly stated.  Exit nodes are where Tor traffic
exits the Tor cloud to the open Internet.

If it is destined for an unencrypted service, it will exit unencrypted at
that point.  If it is destined for an encrypted service, it will be
encrypted at that point (for example https: traffic will be https: and
http: traffic will be in the clear).

After user error, which is by far THE MOST VULNERABLE ISSUE with just about
any security schema and Tor is certainly no exception -- and that includes
users who insist on using flash and other software that if they RTFM they
would know could betray their origin IP -- I believe the most vulnerable
technical attack that a state-scale entity is likely to launch against Tor
is what is called "traffic analysis."

Briefly, traffic analysis looks at the ones and zeroes going into the
network at one end, and is able to watch traffic at enough exit nodes going
out to see which ones and zeroes in patterns going out look like the
pattern going in, to be able to identify which "pipe" is the input-output
connection.  This takes a lot of surveillance resources, which is why I
talk about it being a state-scale entity.

One way that an entity could try to shortcut such a task is by providing
high bandwidth, attractive, massive exit nodes that would be honeypots for
lots of traffic to exit.  So eventually, some target traffic would be
likely to end up on their wire.  It would take patience and watching both
ends of the traffic.

Security folks don't talk about what is "safe" -- we talk about about
managing risks.  Safety is an illusion, the carrot at the end of the what
you are being struck with, generally.

You can see a list of exit nodes including our own classification of what
we've marked as a bad exit node at -- we do
our own policing.  Bad exit nodes are smacked in the directory authorities.
 If you search for tor and "bad exit node" you can find some interesting
discussions on our lists on this topic with far more detail than anyone
probably wants to see here.

Andrew can probably sanity check me on technical accuracy and currency.

Shava Nerad
shava23 at

On Sun, Mar 10, 2013 at 2:32 PM, Yosem Companys <companys at>wrote:

> Tor Exit Nodes Located and Mapped
> Tor Exit Nodes are the gateways where encrypted Tor traffic hits the
> Internet. This means an exit node can be abused to monitor Tor traffic
> (after it leaves the onion network). It is in the design of the Tor
> network that locating the source of that traffic through the network
> should be difficult to determine. However if the exit traffic is
> unencrypted and contains identifying information then an exit node can
> be abused.
> The torproject therefore is dependent on a diverse and wide range of
> exit nodes. This update to an older page is where I attempt to display
> the exit nodes diversity in a Google map with Geolocation. The map was
> built using Google Maps API v3, with Marker Clusterer.
> The majority of exit nodes are likely not monitored and are “safe”,
> they are managed by good Internet citizens who believe in the aims of
> the Tor project. However even a handful of bad nodes could be a threat
> as exit nodes are periodically changed as you use the Tor network.
> Understand the Technology, Understand the Risks
> Use of the Tor Project by activists and Human Rights Defenders can be
> a valuable tool in avoiding surveillance; however you should always
> have a good understanding of the risks and keep your traffic encrypted
> end to end, as any of these exit nodes could be watching your traffic
> flows.
> At the most basic level unless you are using encrypted protocols
> (HTTPS / SSH / TLS), the Tor traffic could be monitored. Here are two
> simple examples:
> - Using a forum that does not use HTTPS your login, password, session
> cookie and posts could all be captured.
> - If you send an email using SMTP (no TLS) then the email could be
> intercepted.
> - To gain an understanding of the technology the Tor Project website
> is the best place to start.
> Tor Exit Nodes Geo-Located on a Google Map
> These nodes are from February 27, I am working on scripting this up so
> that it is updated daily with the latest list of exit nodes. The list
> was downloaded from Blutmagie in csv format. Geolocation was performed
> against the IP addresses using the Free GeoIP API which seemed to have
> better coverage than MaxMind Geocities Lite.
> From the map it is clear to see the high concentration of Tor exit
> nodes within Europe, once you start to zoom in and see the European
> nodes it is clear there is quite a spread of locations where the Tor
> nodes are operating.
> Taking a closer look at the Internet Providers
> Using the Shadowserver Whois service I also mapped the Tor exit node
> IP addresses against the ASN and Netblock.
> The Internet service providers from the chart are the top 25 with the
> highest concentrations of Tor exit nodes.
> In this post I have touched on some of the security threats and
> benefits of the Tor network. I encourage anyone intending to use the
> Tor network, to do some solid research around Operational security. If
> you are using Tor to bypass a proxy you should understand the risks to
> your traffic. If you are an activist using Tor to avoid monitoring by
> oppressive regimes, you really need to have a solid understanding of
> the technology, without knowing the threats you are putting yourself
> and perhaps others at risk.
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at companys at or changing your settings at


Shava Nerad
shava23 at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list