You're right, it would be LUDICROUSLY easy for them to do that, save for one thing: we don't go through an exit node to get to SR. It's a hidden Tor service, so it's in-network only. That means it's end-to-end encrypted, hence no SSL (HTTPS) necessary. It would just put more of a demand on the server and do very little else.

Definitely bear in mind that some exit nodes run SSL stripping software to perform man-in-the-middle attacks and all that lovely black hat junk. If you're very paranoid, don't download Tor browser updates via Tor: never know if an exit node is deliberately replacing the real one with a malicious version.