It's not quite that bad, but yes, it's not perfect. You have to understand
what Tor provides and what it doesn't provide and follow the advice of the
Tor developers to use it safely.
There was a two-week period where you were told to assume your traffic had
been deanonymized. I forget if this impacted onion sites or just normal web
traffic that passed through an exit node. In any event, other than that, if you
followed the advice of the project you should be relatively safe most of the
time. The core tenets are: make sure you're connecting to onion sites or at
least using encryption between you and the server you're connecting to. This
will prevent typical attacks occurring in the situation an exit node is
monitoring your activity. Don't reveal who you are over Tor. If you do that
no anonymity system can protect you. Don't download software and other files
that may contain infectious code (PDF, DOC, ODT, movies, etc).
If you're not practicing these tips already you're vulnerable to the same attacks
any time you connect to a public access point. There simply is no solution to
stupidity.
There are a few other common mistakes I have to point out. These are almost
always how people get caught:
1. Using outdated software.
2. Using Tor Browser rather than Tails (Tails makes it much harder to screw
up, but you still need to use your brain a little)
3. If you're shipping something the receiver is going to be able to identify
the area in which you shipped from. This is because the initial post office
will mark its stamp on the package. It doesn't matter if you ship via a drop
box, mail box, etc, or the post office itself. It has to go through that
initial sorting facility which will identify at least the part of the state
which you're sending from.
4. If you're in a large city it's probably not enough to identify your vicinity
as there are other Tor users, but if you're in a rural area, they'll identify
you as a potential suspect. They can do this because they'll likely be able
to identify from log files that you were the only person using Tor at a given
time in a given vicinity. That isn't enough to convict, but it is probably
enough to get a warrant (if your adversary is a government entity).
All of the significant stings by government entities thus far have involved
cases where users would have been protected by Tor had they taken the advice
I've presented here, and that of the Tor project.
Some examples: Those who have been selling drugs online, those making death
threats, those making bomb threats, etc have all made the mistake of either
connecting to the Tor network without going through a bridge, identifying
themselves off of Tor or using the same/similar uniquely identifiable
nicknames, or shipping from a vicinity which is close to where they live.
Several specific examples: Freedom Hosting, Silk Road, a NJ high school bomb
threat case, a Harvard bomb threat case.
I'm not suggesting anybody use Tor for illegal activities. The reason I'm
using these examples is because the government is the ultimate adversary and
as such these cases are perfect examples of tactics and what not to do if you
don't want your adversary identifying you, your traffic being analyzed, or
malicious parties interfering with it.