by ponorin 647 days ago
Exit node applies only to traffic that goes into a clearnet. You could do illegal stuff, but only tor users have protection and website owners are liable to raids should they allow illegal stuff to happen on their platforms.

With Tor Hidden Service there's no exit node as such since traffic terminates inside the Tor network. The networking route is doubly anonymized so both the server and the client can't track each other down.

1 comments

Perhaps I'm not understanding something. I'm imagining this scenario:

1. Bob is running a Tor exit node.

2. Charlie is a government official investigating illegal content (use your imagination)

3. Charlie downloads illegal content via Tor

4. This content is sent to Charlie from Bob's exit node.

5. Charlie observes that Bob's exit node sent him illegal content.

I understand that even if Bob is raided and his computer searched, they cannot find the website hosting the illegal content. But Charlie would know that Bob helped deliver the illegal content. Tor Hidden Service does not anonymize the exit node from the client.

You're mixing up general Tor use vs Tor hidden services. With hidden services there's not really an exit node because the traffic never exits the Tor network.

Charlie could only see the machine in the final step of requesting the illegal content if Charlie was hosting the hidden service themselves. These requests can come from many different Tor operators not just exit nodes.

To be clear, Bob is not the host of the illegal content. Bob is just the second-to-last hop before the content reaches the end destination (Charlie). My understanding of the tor network is that it obfuscates traffic across many hops. The path content takes from the host to Charlie:

Host -> Node 1 -> Node 2 -> ... Bob -> Charlie

This obfuscates the Host from Charlie. But Charlie knows that Bob sent him illegal content. Yes, Bob didn't host the content. The host is obfuscated. But Bob is still delivering illegal content and Charlie knows it.

Exit nodes are not the nodes that are directly facing tor users. Those nodes are called "Guard Relays".

Guard Relays usually don't have these issues, since you have to be somewhat technical to actively probe relays by requesting content through tor. And technical people know there isn't any point to raiding an operator's home.

> Bob is still delivering illegal content and Charlie knows it

Does BOB know they are delivering illegal content?

No... is it even possible to send unencrypted traffic by Tor? If it's even possible, Charlie must be the only person in the world doing it.

> Does BOB know they are delivering illegal content?

He does when Charlie knocks on his door and informs him that he delivered CSE to him. Ignorance of the fact that one is breaking the law is rarely accepted as a defense. Carriers usually get this protection when they meet some standards of safeguards and cooperation with law enforcement.

Ignorance of the law is not generally accepted as a legal defense, but ignorance of facts is. Most crimes involve a mental state of knowledge or intent with respect to the wrongdoing, and an exit node operator does not know what users are accessing.

Taking the wrong jacket by mistake is not theft, and operating the exit node through which someone downloads CSAM is not criminal possession of CSAM or knowing facilitation thereof.

Hidden service connections don't go through exit nodes. In theory it's two back-to-back Tor connections that meet somewhere in the network, but you can also think of it (possibly more correctly) as a six-hop Tor connection to an exit node that is only used to directly connect to the backend server. If set up right this prevents government sniffing at all points.

The final recipient is going to be able to decrypt the content, right? Regardless of "hidden service connection" or "exit nodes". Charlie is the final recipient and will be able to decrypt the content and know that it's illegal content.

Is there some mechanism that prevents Charlie from knowing who sent the content to him? Fundamentally, you can't stop the government from sniffing at the endpoint. Because they're not really "sniffing" they're just requesting content like any normal Tor user.

> Is there some mechanism that prevents Charlie from knowing who sent the content to him?

That is, in fact, the whole point of Tor. In the hidden service case, neither end can identify the other.

Sorry, in case I wasn't clear, I'm not talking about identifying the site hosting the content. I'm talking about the second-to-last hop in the traffic. My understanding is that Tor obfuscates traffic by sending through several hops, each one decrypting a layer of traffic (hence the "onion" network). So we have:

Host -> Node 1 -> Node 2 -> .... -> Bob -> Charlie.

Charlie doesn't know where the Host is. But Charlie does know that Bob sent him illegal content. Or is that final link, from Bob to Charlie, also obfuscated somehow? If so, how did OP get raided by police if he's supposed to be hidden?

OK, so there are basically three cases:

1. Charlie is running a client and downloads something. In which case Bob is an entrance node, not an exit node, but it's essentially the same thing. Charlie does know that the next hop is Bob. Depending on whether the ultimate destination is a hidden service or on the clearnet, Charlie may or may not know who's running that service.

2. Charlie is running a hidden service, and somebody uploads something. Charlie knows that it came via Bob, but doesn't know where it came from.

3. Charlie is running a regular clearnet Web server, and somebody uploads something to Charlie via Bob's exit node. Again Charlie sees that the traffic comes from Bob.

In the first two cases, Charlie has to be actually running the Tor software, and knowingly using Tor. So Charlie also knows that (a) Bob is just a relay, (b) Bob doesn't actually host the content, (c) Bob doesn't handle more than a packet or two of the content at a time, and deletes those as soon as they've been relayed, (d) Bob doesn't know, and can't find out, what the content actually is, (e) Bob doesn't know, and can't find out, where the content originally came from, and (f) Bob is really unlikely to keep any record of the whole connection after the session is over, which means probably no more than 10 minutes or so.

If that's enough to go after Bob, then it's enough to go after Bob... but historically it hasn't been. Bob can reasonably claim not only that he doesn't know what that particular traffic was, but that, although he knows there's probably some illegal traffic, most of the traffic he relays is probably legal.

In the third case, it looks to Charlie like Bob is the ultimate user. Unless Charlie does some investigation, Charlie may go raid Bob. But Charlie should then find out all that other stuff.

I think the most common actual case is that Charlie is running a honey pot, either as a hidden service or on the clearnet, and somebody gets the content from Charlie via Bob. But the same basic ideas apply.

The main issue isn't that Charlie doesn't know what the content is, but that Bob doesn't.

[Oh, and on edit, just to be clear: In the first two cases, that "packet or two" that Bob may ephemerally buffer is encrypted so that Bob can't read it, nor can any other relay. In the third case, where Charlie is a clearnet service, the end user is usually still using TLS, so Bob still can't read it. And none of the non-exit relays can read it no matter what.]
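Added example, not part of the thread and not Tor's own code: a simplified onion-routing model of the point made in the comment above, showing what each hop can read after peeling its layer. The toy SHA-256 keystream cipher, the per-layer next-hop header, the relay names and the keys are all assumptions made for illustration; real Tor uses circuit-based cells and different cryptography.

```python
import hashlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with SHA-256(key || offset)). Illustration only, not secure."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, payload: bytes) -> bytes:
    """Sender side. path is [(name, key), ...] in forwarding order; last entry is the recipient.
    Each layer is: encrypt(key, 8-byte next-hop header + inner cell)."""
    cell, next_hop = payload, b"DELIVER"
    for name, key in reversed(path):
        cell = keystream_xor(key, next_hop.ljust(8) + cell)
        next_hop = name.encode()
    return cell

def peel(key: bytes, cell: bytes):
    """Hop side: remove one layer, learn only the next hop and an opaque inner cell."""
    plain = keystream_xor(key, cell)
    return plain[:8].strip().decode(), plain[8:]

def relay_views(path, payload: bytes):
    """Return {hop name: (next hop it learns, bytes it holds after peeling)}."""
    cell, views = wrap(path, payload), {}
    for name, key in path:
        next_hop, cell = peel(key, cell)
        views[name] = (next_hop, cell)
    return views

# Constructed sample path and keys (hypothetical): Bob is the hop adjacent to Charlie.
PATH = [("guard", b"k-guard"), ("middle", b"k-middle"),
        ("bob", b"k-bob"), ("charlie", b"k-charlie")]
PAYLOAD = b"constructed sample payload"

if __name__ == "__main__":
    for hop, (nxt, data) in relay_views(PATH, PAYLOAD).items():
        readable = data == PAYLOAD
        print(f"{hop:8s} next={nxt:8s} can_read_payload={readable}")
```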

Because it's not illegal to do that and if they're accessing hidden services they know they're accessing it via TOR and aren't directly connected to the illegal host. The most common reason exit nodes get raided is because they're the exit for some illegal user and appear as the source of the illegal activity.