I was recently connecting securely to the website where I have my mail account, and I connected through Tor. When doing so firefox presents me with the screen saying that the connection is untrusted and it can't verify the certificate. So I cancelled.

I'm using torbutton and I turned torbutton to off and connected again with no problem. Then with torbutton on again, same thing (untrusted).

Is it possible the exit node I was going through is doing a man in the middle attack?

However later when connecting through tor I did NOT get the warning about the site being untrusted. I really don't know what exit node I was using when I got the certificate warning and what exit node I was using when I did not recieve the warning. I don't know how long I stay on the same node or how/when it changes.

Any thoughts?

My complete honest opinion about that.... If it worked without the Tor connection, then it did that going through only that one node, I wouldn't trust it. That is my only two cents though, and maybe someone else could explain that. But overall, I really would not trust it, and I would have change the exit node.

Yes, of course that's possible.

I'd imagine this is covered in the documentation.

Too bad you don't remember which exit node it was, it would help. Yeah, it could be a compromised exit node trying to perform a mitm attack. It would be interesting to see that certificate. Anyway, there are two things that you can do to avoid this in the future.

First, install the Certificate Patrol add-on for Firefox https://addons.mozilla.org/en-US/fir...ficate-patrol/
It stores the certificates from every site you visit and checks to see if they change before the expiration date. You will get a lot of notifications about cert changes but its almost always benign. I suggest you install that in every Firefox profile you use as its a very helpful add-on in general.

Secondly, compromised "bad" nodes are a bit common actually. There's a tor hidden service called InspecTor that checks nodes for bad versions, javascript injections, sql injections, replacing https links for http etc. http://xqz3u5drneuzhaeo.onion/users/badtornodes/
To protect against exit nodes like that you can select the set of bad nodes you want depending on how paranoid you are, create an ExcludeNodes text block with their fingerprints and edit your torrc file to avoid using them as exit nodes permanently.

Be aware that ExcludeNodes and ExcludeExitNodes are different options in the torrc file. ExcludeNodes will completely avoid using them in any part of the chain be it entry node, middle or exit. ExcludeExitNodes just excludes them from being used as exit nodes. Your choice.

If you find a strange node again you can report it to InspecTor to make the Tor network a little bit better. Hope this helps.

Thanks for the information katto!