Spoiled Onions: Exposing Malicious Tor Exit Relays

  • Philipp Winter
  • Richard Köwer
  • Martin Mulazzani
  • Markus Huber
  • Sebastian Schrittwieser
  • Stefan Lindskog
  • Edgar Weippl
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8555)


Tor exit relays are operated by volunteers and together push more than 1 GiB/s of network traffic. By design, these volunteers are able to inspect and modify the anonymized network traffic. In this paper, we seek to expose such malicious exit relays and document their actions. First, we monitored the Tor network after developing two fast and modular exit relay scanners—one for credential sniffing and one for active MitM attacks. We implemented several scanning modules for detecting common attacks and used them to probe all exit relays over a period of several months. We discovered numerous malicious exit relays engaging in a multitude of different attacks. To reduce the attack surface users are exposed to, we patched Torbutton, an existing browser extension and part of the Tor Browser Bundle, to fetch and compare suspicious X.509 certificates over independent Tor circuits. Our work makes it possible to continuously and systematically monitor Tor exit relays. We are able to detect and thwart many man-in-the-middle attacks, thereby making the network safer for its users. All our source code is available under a free license.


Exit Node Network Consensus MitM Attack Indian Node Relay Operator 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alexa: The top 500 sites on the web (2013),
  2. 2.
    Bernstein, D.J.: Curve25519: New Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006), CrossRefGoogle Scholar
  3. 3.
    Le Blond, S., et al.: One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users. In: LEET. USENIX (2011),
  4. 4.
    Le Blond, S., et al.: Spying the World from Your Laptop: Identifying and Profiling Content Providers and Big Downloaders in BitTorrent. In: LEET. USENIX (2010),
  5. 5.
    Chakravarty, S., Portokalidis, G., Polychronakis, M., Keromytis, A.D.: Detecting Traffic Snooping in Tor Using Decoys. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 222–241. Springer, Heidelberg (2011), CrossRefGoogle Scholar
  6. 6.
  7. 7.
    Dingledine, R.: Re: Holy shit I caught 1 (2006),
  8. 8.
    Dingledine, R., Mathewson, N.: Anonymity Loves Company: Usability and the Network Effect. In: WEIS (2006),
  9. 9.
    Dingledine, R., Mathewson, N.: Tor Protocol Specification,;hb=HEAD;f=torspec.txt
  10. 10.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. In: USENIX Security. USENIX (2004),
  11. 11.
    Electronic Frontier Foundation. HTTPS Everywhere (2013),
  12. 12.
    Goldberg, I.: On the Security of the Tor Authentication Protocol. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 316–331. Springer, Heidelberg (2006), CrossRefGoogle Scholar
  13. 13.
    Haim, D.: SocksiPy - A Python SOCKS client module (2006),
  14. 14.
    Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security, HSTS (2012),
  15. 15.
    Hodges, J., Jackson, C., Barth, A.: RFC 6797: HTTP Strict Transport Security, HSTS (2012),
  16. 16.
    Huber, M., Mulazzani, M., Weippl, E.: Tor HTTP Usage and Information Leakage. In: De Decker, B., Schaumüller-Bichl, I. (eds.) CMS 2010. LNCS, vol. 6109, pp. 245–255. Springer, Heidelberg (2010), CrossRefGoogle Scholar
  17. 17.
    InformAction. NoScript (2013),
  18. 18.
  19. 19.
    Thoughtcrime Labs. Convergence (2011),
  20. 20.
    Langley, A.: Public key pinning (2011),
  21. 21.
    Lowe, G., Winters, P., Marcus, M.L.: The Great DNS Wall of China. Tech. rep. New York University (2007),
  22. 22.
  23. 23.
  24. 24.
    McCoy, D., Bauer, K., Grunwald, D., Kohno, T., Sicker, D.C.: Shining Light in Dark Places: Understanding the Tor Network. In: Borisov, N., Goldberg, I. (eds.) PETS 2008. LNCS, vol. 5134, pp. 63–76. Springer, Heidelberg (2008), CrossRefGoogle Scholar
  25. 25.
    Paul, R.: Security expert used Tor to collect government e-mail passwords (2007),
  26. 26.
    Perry, M., Clark, E., Murdoch, S.: The Design and Implementation of the Tor Browser [DRAFT] (2013),
  27. 27.
    SkullSecurity. Passwords (2011),
  28. 28.
    SoftCom, Inc. Email Hosting Services,
  29. 29.
    The Tor Project. ExoneraTor,
  30. 30.
    The Tor Project. Relays with Exit, Fast, Guard, Stable, and HSDir flags,
  31. 31.
  32. 32.
    The Tor Project. Stem Docs,
  33. 33.
    The Tor Project. TC: A Tor control protocol (Version 1),
  34. 34.
  35. 35.
  36. 36.
    Torsocks: use socks-friendly applications with Tor,
  37. 37.
    Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. In: ATC. USENIX (2008),

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Philipp Winter
    • 1
  • Richard Köwer
    • 3
  • Martin Mulazzani
    • 2
  • Markus Huber
    • 2
  • Sebastian Schrittwieser
    • 2
  • Stefan Lindskog
    • 1
  • Edgar Weippl
    • 2
  1. 1.Karlstad UniversitySweden
  2. 2.SBA ResearchAustria
  3. 3.FH Campus WienAustria

Personalised recommendations