For those of you unsure of what might leak where and when using tor and/or https to protect your browsing, there is a useful interactive graphic on the EFF site. As EFF point out, the potentially visible data includes: the site you are visiting, your username and password, the data you are transmitting, your IP address, and whether or not you are using Tor. But, other information can also be collected.
By selecting either or both of the “tor” or “https” options on the interactive graphic you can see what information is potentially exposed to an adversary at various points in the path between you and the website you wish to view. It is instructive to note that even where you use both tor (to provide locational anonymity) and https (to provide data privacy) the end node will, of necessity know the following things about you:
- your site uid/password
- the data you accessed or provided
- the date and time at which you did so
- the fact that you used tor to reach the site
Depending upon the way you use tor (i.e. which anonymising software, be it tails, whonix, liberte, TBB or whatever) that end site may also be able to fingerprint your browser in some detail. (Full disclosure, the browser I use daily, and indeed used for this post, “appears to be unique among the 3,137,502 tested so far” according to panopticlick.)
Now a snooper on the path to the end website also knows that at date/time “X” a tor user connected to the site. If that adversary can also gain access to the detail known to the end website and you have been lax enough to re-use a uid/password pair from elsewhere and you use that uid/password pair when NOT using tor, then your anonymity is over.
UID/password re-use is extremely common *.
(* Note, the study referenced, ironically, provides an an excellent example of why you should not trust so-called “security plugins”. Imagine using that plugin whilst using tor.)