How to Protect Yourself from Malicious Tor Exit Nodes

Tor Exit Nodes Feature

Tor is a standard in the world of Internet privacy, and deservedly so. However, if you’re using Tor to browse the conventional web, be aware that while Tor’s exit nodes (which route your original data out of the Tor network) don’t know who you are, they, by necessity, have access to the original data you sent through the network.

There are some exit nodes out there that are being run by cyber-criminals and governments in the hopes of scraping up valuable data generated by those seeking privacy for some reason. Learn how you can protect yourself from malicious Tor exit nodes.

What’s going on under the Tor hood?

Tor Exit Nodes Routing Diagram

A Tor connection to a non-onion (i.e., normal Internet) site looks like this:

  1. Your computer establishes an encrypted connection to the Tor network and finds an entry guard, which can be any relay with sufficient bandwidth and a history of uptime. The browser calculates a random route through the Tor network (this changes every 10 minutes) and wraps your data in several layers of encryption.
  2. Your data travels between nodes on the route, each one only knowing about the node before it and the node after it, meaning your original address is obfuscated after one bounce. Every Tor node can decrypt one layer, giving it information on the next place to send the data – thus, the “onion” terminology associated with Tor.
  3. Upon reaching the final node, the last layer of encryption is stripped away, and the data is sent to the server outside the Tor network where it was originally headed.

The final node is the weakest link in the Tor network since Tor’s encryption is gone and any unencrypted data is now readable by the node. If the traffic was encrypted before it entered the Tor network, though, that encryption remains in place until the traffic reaches the external destination server, which is key to maintaining your privacy and security.

Who runs bad exit nodes?

The two main categories of exit node attackers are cyber-criminals and governments. The cyber-criminals want passwords and other personal data they can use, and governments want to monitor criminal activity, surveil citizens, and even check up on other countries.

Tor Exit Nodes Camera

Malicious exit nodes have been uncovered or demonstrated in multiple independent experiments:

How to stay safe from malicious exit nodes

1. Only browse with HTTPS

Hands-down the best way to keep your data safe from snooping exit nodes is good old HTTPS. Determined exit node attackers could theoretically get around this, but because traffic over HTTPS is encrypted on the whole journey from your computer to the destination server and back, it means that your traffic will never appear by default in cleartext to any Tor node. Even the exit node is sending encrypted information to the site.

Tor Exit Nodes Https

Tor automatically upgrades every possible connection to HTTPS, but if you ever find yourself on a non-encrypted connection (HTTP sites, for example), be aware that your traffic is visible to the exit node. Luckily, most modern sites use HTTPS by default, but be careful and don’t log in or transmit any sensitive information at all over an HTTP connection.

2. Keep your sensitive information to a minimum

For maximum privacy, it’s best to just assume that someone is watching and encrypt everything accordingly, even if the connection uses HTTPS. If you have sensitive data to communicate to someone, encrypt it with something like PGP first. Don’t provide personal information or log in to accounts associated with the real you.

Tor Exit Nodes Encryption

In practice, if you’re on an HTTPS connection, you’re probably fine to browse relatively normally, but don’t let your guard down.

3. Only consume .onion sites

Tor Exit Nodes Onion

.onion sites are hosted on the Tor network and don’t require leaving through an exit node, meaning there’s no opportunity for a malicious node to see your decrypted traffic. Major sites with onion versions are few and far between, but you can at least read the New York Times and browse Facebook (if that seems like a good idea to you).

What about VPN + Tor?

Tor is good for privacy, and VPNs are good for privacy, so VPN + Tor = double privacy, right? Well, it’s a little more complex than that. Using a combination can be good for some things, but it comes with tradeoffs – especially in terms of speed.

Tor Exit Nodes Vpn

1. Tor over VPN (VPN connection to the Tor entry guard)

Connect to the VPN first and then using the Tor browser. This will provide some safety. It prevents entry nodes from seeing your IP address and stops your ISP from knowing that you’re using Tor. However, this means you have to trust your VPN provider as well as the Tor network and also does nothing to protect you from bad exit nodes. For getting around Tor-blocking censorship, though, bridge relays are probably better.

2. VPN over Tor (VPN after the exit node)

VPN over Tor is a bit harder to set up, as you have to set up the connection to the VPN, send the data through Tor, then pass it off to the VPN server. This means bad exit nodes can’t read unencrypted data, but it also makes you less anonymous since the exit node and the site both see your VPN server. You also can’t access .onion sites and don’t benefit from some Tor network anonymization features like circuit switching. There’s a lot of debate over this one, but in general, sticking to encrypted HTTPS connections is a better choice, and VPN over Tor is only useful in specific cases.

Basically, you can use a VPN with Tor, but the easy way doesn’t protect you from bad exit nodes, and the hard way comes with some significant catches. These approaches can be helpful, but it’s best to be aware of the tradeoffs.

The good, the bad, and the Tor

Tor is an amazing way to get around censorship and preserve online privacy, but being aware of its limitations and myths is important. The Tor network hosts a lot of illicit and private activity, and when you use it, you’re potentially exposing your traffic to people and institutions that are targeting exactly that. Even if malicious Tor exit nodes are the minority on the network, the fact remains that they do exist, and most of the owners aren’t just curious researchers.

Image credits: Geographies of Tor, Orange blue symmetric cryptography, HTTPS diagram, Surveillance Camera, Onion Router AR Walking TOR, Wat is Tor

Andrew Braun Andrew Braun

Andrew Braun is a lifelong tech enthusiast with a wide range of interests, including travel, economics, math, data analysis, fitness, and more. He is an advocate of cryptocurrencies and other decentralized technologies, and hopes to see new generations of innovation continue to outdo each other.


  1. Hi,

    [sorry for my poor English!]

    really good post! I wrote a quite long (about 11 pages) guide to Tor for an Italian tech website but I’m still improving it and I’m trying to find new different opinions about Tor, proxies, VPN… When I face the VPN topic, I tend to push people to use Tor with bridges: Tor is decentralized, is free, open while VPNs, even the more reliable ones, are still a commercial third party elements. In any case I suggest not to use VPN with Tor: nor Tor over VPN (the most common choice), nor VPN over Tor. In the first case we have an issue we can call “Permanent entry node with a possible money trace”; in the second case the VPN become the exit node, nullifying the advantage we can get from having different circuits for every site, even when we open it side by side in two or more tabs. In addition I say that the second option prevent from visiting onion sites.

    We can agree or disagree, but the problem is different and my doubts come when we talk about VPNs “alone”: many programmers and cybersecurity people say that using a VPN you just switch your trust from ISP to a third party, so you don’t have any benefit.
    I can agree, OK, but on the other side other people say: my ISP definitely collects my data, keep them for a long period and cooperates with gov, police etc..; my ISP knows a lot about me.
    Differently, VPN can still collect my data but, if the no log policy is good, it keeps only the data it needs to manage the network, but not the websites I visit, my IP and so on; and a VPN knows very little about me if compared to my ISP.
    For example, Mullvad gives you a random unique number that is yours without asking you even an email and you can pay it using cash if you want more anonymity. If you read the privacy policy in Mullvad website it’s very detailed and seems to be really trustworthy. I cannot be sure 100%, I know, but IF THE VPN IS GOOD it can be safer than ISP. There was a case in USA when the police asked PIA to disclose their archive but the police didn’t find anything because of REAL no log policy.
    The issue some programmer talk about is that “IF” :-) Because they say you know your ISP but you know less about your VPN and you have to trust it. In addition they say that IP is no more a so important element for identifying users because of NAT and other similar arguments.

    So, what do you think about VPN vs ISP? Do you think we should trust ISP and be safe just surfing https and encrypting DNS? Or it would be better pay and get a trustworthy VPN to hide completely our activity to our provider?

    Thank you!

Comments are closed.