Beginner question about nodes

Sorry if this is a noob question I just don’t understand what the ISP of each node server knows.
Can’t the ISP of the tor user, the ISP of the entry node, the ISP of the middle node, and the ISP of the exit node just log the dates and times that the tor user connected to each node and use that time and date to find out which website that person visited? What I do know is that a tor user’s ISP can see the connection to the entry node, but I have no clue beyond that.

On it’s own, not much. The entry and middle node’s ISP only sees hundreds/thousands of encrypted connections. The ISP of the exit node could in theory also see the clear-text requests to the internet such as domain names from the thousands of users using it. On it’s own, not very useful.

If you have traffic logs of entry and exit nodes in one place you could in theory start to correlate data and create patterns. Tor tries to prevent that by establishing circuits with servers at different ISPs in different countries so no-one has access to that level of data in one place. Also, it requires a fair amount of effort to do this (the data is still encrypted and there is lots of it) and it is illegal in a lot of countries to try. It’s like the post office opening and reading your letters.

1 Like

Thank you for your time I appreciate it.

And do those connections show that node’s ISP the IP address/location of the next/previous connection?

Assuming that they do not have logs of entry and exit nodes in one place, and the tor user’s ISP starts logging them first, since they can see the connection to (and I’m assuming IP address/location of?) the entry node, can the tor user’s ISP, in theory, attempt to work with the ISPs of the entry node then middle node then exit node, to follow the connections of all 3 nodes to find out which website that user visited? The “iterated compromise” attack from the tor design pdf is the closest example to my question. It states, “A roving adversary who can compromise ORs (by system intrusion, legal coercion, or extralegal coercion) could march down the circuit compromising the nodes until he reaches the end”. Assuming that the circuit was closed, wouldn’t the ISP still be able to trace next/previous connections, just by tracing their IP address/locations?

I looked at this visualization from Tor’s website:

And when I clicked for Tor and HTTPS to be on, it showed that the ISP can see “”. Doesn’t that mean that the exit node’s ISP can see the domain name, even if it is using HTTPS and Tor? And can the exit node’s ISP also see the domain name when using an onion service?

In theory, yes. The question is can they realistically do it and why would they. Lots of effort, it’s illegal and tor tries to prevent that by building circuits that are spread across different ISPs / countries etc.

Yes that is true. One of my exit nodes visits thousands of sites a day and in theory that is visible to my hoster (though it is illegal for them to log or monitor this). There is also no correlation which user is behind each request.

No. .onion services don’t leave the tor network (therefore there is no exit) and they don’t use DNS.

1 Like

I understand much more now thank you.

I don’t know much about onion services but so far they seem better.
“Onion services allow people to browse but also to publish anonymously, including publishing anonymous websites.”
How does an onion service help people browse and publish anonymously? Is a node prevented from knowing which .onion site its connected to?

I am not entirely sure if it’s still up-to-date, but you can find some additional details here and here (PDF). The 2nd link also talks about some of the challenges with .onion services.