Researchers stumble upon dozens of rogue Tor exit nodes


Two security researchers studying the Tor anonymization network have discovered that a number of exit nodes in Russia were intercepting traffic. Some of them appeared to be specifically interested in traffic to and from Facebook.

The research on exit nodes was carried out by Philipp Winter and Stefan Lindskog of Karlstad University in Sweden. Exit nodes, of which there are currently around 1,000, are the point where anonymized traffic leaves the Tor network for the open internet. Tor's own encryption ends there, so an exit node sees the traffic exactly as the client sent it to the destination: in plaintext if the connection was plain HTTP, and only as an encrypted TLS stream if the client used HTTPS. These exit nodes are run by volunteers, but there are suspicions that intelligence services, among others, have also set up exit nodes.

According to the Swedish researchers, they have evidence that at least 25 exit nodes have been tampered with. Two of them redirected traffic to porn sites, possibly as a result of legislation in the country concerned, and a third was routing its DNS lookups through a misconfigured OpenDNS resolver. The other exit nodes examined were more interesting: they performed man-in-the-middle attacks on SSL/TLS connections in order to read the encrypted traffic, which they did by presenting their own forged certificates to the client in place of the destination's genuine one.

On closer investigation, the remaining 22 servers turned out to be running outdated versions of Tor; all of them were virtual servers hosted in Russia, and all of them presented the same forged certificate, which suggests they were run by a single operator. A number of these rogue exit nodes are also said to have focused specifically on intercepting traffic to and from Facebook. The machines may be in the hands of the Russian intelligence service, although the researchers do not rule out that a group of hackers is experimenting with Tor.
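The detection approach the article describes can be reduced to a simple comparison: fetch the certificate a destination presents when it is reached through each exit node, compare it with the certificate seen on a direct connection, and group the exits whose certificate differs by the forged certificate they share. The following Python script is an added example, not code from the article or the researchers' own scanning tool; the exit identifiers and the byte strings standing in for DER certificates are constructed for illustration, and routing a probe through a particular Tor exit (which needs a SOCKS proxy) is left out so the script stays stdlib-only.

```python
"""Spot exit relays that present a forged TLS certificate.

Added example (not the researchers' code): probe the certificate a destination
presents when reached through each exit relay, compare it with the certificate
a direct connection shows, and cluster the mismatches by the forged certificate
they share. Relay identifiers and certificate bytes below are constructed.
"""
import hashlib
import socket
import ssl
from collections import defaultdict


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex,
    the same form browsers show in their certificate viewers."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_presented_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the DER leaf certificate that `host` (or a man-in-the-middle on
    the path) presents. Verification is deliberately disabled because the
    probe wants to capture a forged certificate rather than abort on it; this
    context must never be used for real traffic. To probe through a specific
    Tor exit, the TCP connection would be made via Tor's SOCKS port instead
    of socket.create_connection() (assumption: a SOCKS client library such
    as PySocks is used for that), which is omitted here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def find_forging_exits(observations, baseline_fp: str):
    """observations: iterable of (exit_relay_id, cert_der) pairs, one per exit
    relay probed. Returns {forged_fingerprint: [exit ids]} for every exit whose
    presented certificate differs from the baseline, so relays that present
    one and the same forged certificate end up in one cluster."""
    clusters = defaultdict(list)
    for relay, cert_der in observations:
        fp = fingerprint(cert_der)
        if fp != baseline_fp:
            clusters[fp].append(relay)
    return {fp: sorted(relays) for fp, relays in clusters.items()}


# Constructed stand-ins for DER certificates; in a real scan these would be the
# bytes returned by fetch_presented_cert(). Only their fingerprints matter here.
GENUINE_CERT = b"-- constructed: genuine leaf certificate of the destination --"
FORGED_CERT = b"-- constructed: forged certificate shared by a group of exits --"
OTHER_FORGED = b"-- constructed: a second, unrelated forged certificate --"

# Constructed probe results: (exit relay label, certificate seen through it).
CONSTRUCTED_OBSERVATIONS = [
    ("exit-A (DE)", GENUINE_CERT),
    ("exit-B (RU)", FORGED_CERT),
    ("exit-C (RU)", FORGED_CERT),
    ("exit-D (US)", GENUINE_CERT),
    ("exit-E (RU)", FORGED_CERT),
    ("exit-F (NL)", OTHER_FORGED),
]


def demo():
    """Run the comparison over the constructed observations. The baseline is
    what a direct, non-Tor connection to the destination presents."""
    baseline = fingerprint(GENUINE_CERT)
    return find_forging_exits(CONSTRUCTED_OBSERVATIONS, baseline)


if __name__ == "__main__":
    for fp, relays in demo().items():
        print(f"{len(relays)} exit(s) present certificate {fp[:23]}...: {', '.join(relays)}")
```

Against the constructed data the script reports one cluster of three Russian exits sharing a single forged certificate and one lone exit with a different one; the shared fingerprint is what ties a group of relays to one operator, which is the observation the researchers made.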

The research shows once again that the Tor anonymization network, which gained popularity after the Snowden revelations, is anything but foolproof. The exit nodes in particular, which are set up voluntarily and often anonymously, cannot always be trusted. The Tor developers therefore say that users should always take extra precautions. In practice that means relying on end-to-end encryption such as HTTPS rather than on Tor alone, and treating a browser certificate warning on a Tor connection as a possible sign of interception rather than clicking through it: a certificate forged at an exit node will not validate against the browser's trusted certificate authorities.
