Rogue exit nodes - checking?

slush slush at
Sat Jun 19 23:40:52 UTC 2010


Yes, there is a way to detect a corrupted/malicious node. I wrote a
Tor exit node scanner with some advanced techniques (for example
clustering or source tree analysis) as my thesis last year. During
debugging and testing I checked all exit nodes with many common pages
(Google, a few news pages etc.) but did not find anything critical
(except bug #779, which is fixed now).

If there is demand, I'm able to publish my scanner as a hidden service
in some way (at this time, it does not have any WUI). Unfortunately I
cannot publish the source code because attackers can adapt their own
techniques (though it would be very difficult).

My Tor scanner also consumes many resources of the Tor network because it
needs to download the given link from all or almost all exit nodes.


On Sat, Jun 19, 2010 at 11:20 PM, Matthew <pumpkin at> wrote:
> This is especially dangerous if you are using Yahoo Mail, because even if you
> trust the person who sent you the document, your attachment will be
> downloaded in plaintext (via http, not https). This means that the exit node
> you use can replace or alter your document to unmask you (or worse, exploit
> your document reader and run arbitrary code).
> I am curious to know if there is a way of identifying "bad" exit nodes?  Do
> people who are more technical than me (not hard!) somehow search for exit
> nodes with interesting configurations?  Or, unless you use StrictExitNodes
> and are confident of the honesty of the operator, are you simply hoping the
> exit node owner is benign?
> ***********************************************************************
> To unsubscribe, send an e-mail to majordomo at with
> unsubscribe or-talk    in the body.
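
An added illustration of the comparison idea the message describes (fetch the same link through many exits, then cluster what comes back). This is not the author's scanner, whose source is unpublished; the exit names, page bodies and the tag-skeleton normalization are assumptions constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: body of the same plain-HTTP page as returned via each exit.
# Exit names and contents are made up for illustration.
SAMPLES = {
    "exitA": "<html><body><p>News</p><!-- served 12:00:01 --></body></html>",
    "exitB": "<html><body><p>News</p><!-- served 12:00:07 --></body></html>",
    "exitC": "<html><body><p>News</p><script src='http://x.example/i.js'></script></body></html>",
    "exitD": "<html><body><p>News</p><!-- served 12:00:09 --></body></html>",
}

def tag_skeleton(body):
    """Reduce a page to its sequence of tag names (a crude 'source tree').

    Assumption: text and comments may differ between honest fetches,
    but the tag structure of the page does not.
    """
    body = re.sub(r"<!--.*?-->", "", body, flags=re.S)
    return tuple(t.lower() for t in re.findall(r"<\s*(/?[a-zA-Z][a-zA-Z0-9]*)", body))

def cluster_exits(samples):
    """Group exits by a hash of the tag skeleton of what they returned."""
    clusters = defaultdict(list)
    for exit_name, body in samples.items():
        digest = hashlib.sha256(" ".join(tag_skeleton(body)).encode()).hexdigest()
        clusters[digest].append(exit_name)
    return clusters

def suspicious_exits(samples, min_majority=0.5):
    """Return exits outside the largest cluster, or None if no clear majority."""
    if not samples:
        return None
    clusters = cluster_exits(samples)
    largest = max(clusters.values(), key=len)
    if len(largest) / len(samples) <= min_majority:
        return None  # page too dynamic to judge automatically; review by hand
    return sorted(e for members in clusters.values()
                  if members is not largest for e in members)

if __name__ == "__main__":
    print(suspicious_exits(SAMPLES))
```

An exit flagged this way is only a candidate for closer inspection: localized or A/B-tested pages produce structural differences with no tampering involved.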