A "free" online service is rarely ever free as it tends to mean you are the product. A recent example of that came after developer Christian Haschek tested the security of free proxy services. He analyzed 443 free proxies before claiming only a mere 21% are "not shady." Yet of the 443, only 199 free proxies were online. Of those, 33 proxy servers modified static HTML pages and injected ads. He called the injected code "definitely bad adware" that probably also steals cookies. Seventeen of the 199 proxies modified JavaScript mostly to inject ads.

One hundred fifty seven of the 199 free proxies tested sent the user traffic in cleartext. Haschek said, "I didn't expect so many proxies to ban HTTPS traffic. It could be because they want you to use HTTP so they can analyze your traffic and steal your logins."

"Just because a proxy doesn't actively modify your content does not mean it's safe to use," Haschek added. "The only way to use a free proxy and be somewhat safe is if it's HTTPS capable and you're only surfing on HTTPS enforced sites."

Unfortunately, Haschek did not post a list of "not shady" free proxies. "I thought about publishing all proxies but I didn't want to start a witch hunt so I didn't," he said. Instead, he advised users to use his "simple proxy check script" posted on GitHub to check the security of proxy servers and then publish a list of their findings with the "good" freebie proxies.

Same risks apply to Tor exit nodes

When a Redditor asked if the same risks apply to Tor exit nodes, another replied "yes" and linked to BADONIONS project analysis posted on chloe.website. The person got the "idea of testing how much sniffing is going on in the Tor network by setting up a phishing site where I login with a unique password and then store them. I do this with every exit node there is and then see if a password has been used twice; if that's the case I know which node was sniffing the traffic."

While "honeyConnector works in the same way as BADONIONS," "Chloe" said it's "extremely difficult and complex" to setup and it "only supports IMAP and FTP for now." BADONIONS was described as "really simple." It works like this:

You download a list of all the Tor exit nodes from here and then you use the Stem API to connect to every exit node out there and login to a website over HTTP. Now, IF an exit node is sniffing the traffic he will see my login and now when he has my password he probably will do something bad with my account, or sell it, I don't know. So here's the catch. Every exit node has its unique password and because BADONIONS saves every login, I can go back and check if a password has been used more than once, and if that's the case I can simply lookup which exit node used that password!

Using BADONIONS over a span of 32 days, Chloe tested about 1,400 exit nodes around 95 times. The figure 137,319 listed as exit nodes tested refers to how many fingerprints were tested. There were "16 instances of multi-use of a unique password" and "12 logins with a wrong password." Chloe said, "In 32 days I've found 15 instances where a node is sniffing and using my credentials and over 650 unique page visits which means that others also sniff."

Chloe concluded:

There's passive MITM going on in the Tor network. This is done by setting up a fully functional and trustworthy exit node and start sniffing. Tools such as exitmap can only detect if the node is misconfigured or is manipulating traffic, but with BADONIONS you can have the luck and find nodes that sniff traffic and actively use it. We can also see that nodes that have been running so long that they have earned the "Guard"-flag also sniff traffic.

Additionally by seeing that not all use the logins, "but rather just visit the website, this indicates that they are sniffing" without using "the provided logins. So by using Tor you are drawing attention to your site."

Chloe urged security researchers, website owners, and Tor to get involved in the BADONIONS project in order "to work towards a safer Internet."