“SQLi, phishing, bad passwords, and lack of patches are the Four Horseman of the cybersecurity apocalypse”
Thanks to Robert Graham of Errata Security for that one. Sad, but true. I might add (bad) mobile code, but that’s just a subset of lack of patches, really.
Well… maybe.
Unless the exit node isn’t safe. Tor only encrypts as you traverse their network, so if you want to see what someone is using, just set up an exit node and monitor it.
It appears this is going on. Can you trust a Tor node?
In short, look at what you’re trying to achieve and then pick a tool that meets it. Want end-to-end encryption? Make sure you’re using it in the application, or via some other mechanism. This same logic applies to VPN — the services that you use terminating in an Internet end point may not be secure, so just because you’re encrypted to them, don’t trust people aren’t seeing what you do.