2.5 How Exit Relays Actually Work

In the Tor network, the Exit Relay (sometimes simply called an “exit node”) is the final hop in a Tor circuit when a user accesses the normal internet (the “clearnet”).
Exit relays play a unique role because they are the only Tor nodes that interact directly with external websites.

This chapter explains, in depth, how exit relays function, what they can and cannot see, how traffic flows through them, and why they are essential despite being a common source of misunderstanding.

---

A. What Is an Exit Relay?

An exit relay is the Tor relay responsible for:

• removing the final layer of onion encryption

• forwarding the decrypted request to the clearnet destination

• receiving the response from the clearnet and re-encrypting it for the user

It is the only point in a Tor circuit where Tor traffic becomes ordinary internet traffic.

Exit relays do not know who the user is; they only see:

• the destination site

• plaintext data if the site does not use HTTPS

Even then, they only see the content, not the user’s identity.

---

B. Position of the Exit Relay in the Tor Circuit

A Tor circuit consists of:

1. Entry Guard (first hop)

2. Middle Relay (second hop)

3. Exit Relay (third hop)

Data flow (simplified):

User → Entry Guard → Middle Relay → Exit Relay → Destination Website

The exit relay only sees decrypted outgoing traffic and the destination server.
It cannot see:

• user IP

• user identity

• user location

• user’s entry guard

This separation of knowledge is fundamental to Tor’s anonymity design.

---

C. What the Exit Relay Can See

Exit relays have visibility over exactly two things:

1. The Final Unencrypted Layer of Data

If a user visits:

• HTTP websites → exit relay can read content

• HTTPS websites → content is fully encrypted; exit relay sees nothing meaningful

Since most modern websites use HTTPS, exit relays cannot read the majority of traffic.

2. The Destination IP and Port

Exit relays must know where to forward the traffic.
They see:

Destination server IP Requested port (e.g., port 80 for HTTP)

Nothing else.

---

D. What Exit Relays Cannot See

Despite popular myths, exit relays cannot:

1. See the user’s IP address
   That information is hidden by the guard relay.

2. Know the user’s identity
   All Tor traffic is layered and encrypted.

3. Decrypt HTTPS traffic
   HTTPS encryption terminates at the destination server, not the exit node.

4. See internal Tor circuits
   Each hop removes only one encryption layer.

5. Determine where the user is located
   IP geolocation is impossible from the exit’s perspective.

6. Trace the user back through the Tor network
   No single relay has enough information.

---

E. Why Exit Relays Exist

Many darknet systems (I2P, Freenet) do not allow clearnet access.
Tor intentionally supports clearnet access to create a practical anonymity system for:

• researchers

• journalists

• everyday users seeking privacy

• citizens in censored environments

Exit relays act as translation bridges between:

• anonymous Tor circuits

• the normal, public internet

Without exit relays, Tor would be an internal-only network like I2P.

---

F. Exit Relay Policies & Restrictions

Exit relays operate under specific rules:

1. Exit Policies

Relay operators specify which ports/services they allow.
For example:

• allow ports 80 and 443

• deny SMTP ports to prevent spam

• deny risky ports to reduce abuse

These policies shape how traffic routes through the network.

2. Abuse Management

Exit operators often receive:

• DMCA notices

• abuse complaints

• legal inquiries

However, Tor Project provides guides explaining that operators cannot identify users.

Exit operators are not responsible for user actions, as they do not know who the user is.

---

G. Exit Relays & HTTPS: A Critical Distinction

If the site uses HTTPS:

• exit relay sees only encrypted TLS packets

• cannot read or manipulate content

• cannot insert malware

• cannot observe personal data

If the site uses HTTP:

• exit relay can see content

• but still cannot see the user’s identity

Modern browsers enforce HTTPS with:

• HSTS

• automatic HTTPS upgrades

• certificate pinning

This greatly reduces exit relay visibility.

---

H. Exit Traffic Fingerprinting & Academic Findings

Exit relay behavior has been studied extensively in academia.

Key findings include:

1. Exit Relays Are Often Underpowered

Volunteer-run nodes have limited bandwidth.

2. Exit Relays Are Bottlenecks

Clearnet-bound traffic flows through relatively few relays compared to entry or middle nodes.

3. Malicious Exit Relays Are Rare but Possible

Some research uncovered misconfigured or malicious exits attempting:

• TLS downgrades

• traffic injection

• DNS tampering

Tor mitigates these using:

• Relay operator vetting

• Exit scanning (Tor “exitmap” research)

• Community reporting

• Consensus weighting

No single malicious exit can deanonymize a user due to Tor’s architecture.

---

I. Why Exit Relays Cannot De-Anonymize Tor Users Alone

To deanonymize a user, an adversary must control:

1. The entry guard (to see user IP)

2. The exit relay (to see destination)

Controlling both simultaneously is difficult due to:

• guard rotation policies

• consensus mechanisms

• diverse volunteer relay operators

• large network size

A malicious exit alone is insufficient for deanonymization.

---

J. Exit Relays for .onion Services

When a user accesses a .onion service:

• exit relays are not used at all

• the entire circuit remains internal to Tor

• both sides use rendezvous points

• traffic never touches the clearnet

This increases anonymity and security.