Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
The HTTPS URL is transmitted within the SSL connection, so it's not visible. What is visible to the bad guys is the domain name and port you're using. Also, keep in mind that any hiding Tor may do only applies within the Tor network. That is, the Tor exit node you're using will still have the same access any other non-Tor node would have. In the case of HTTPS, it'll mean domain/port... and in HTTP, well, everything.
I once met a BlackHat guy and he said that they regularly connect to the Tor network to spy on traffic. Hopefully a bunch of those folks cannot collude to identify the original HTTPS requester by tracing backwards.
Anyway, I took Medievalist's server-side arg to mean that the more sites that use SSL for all of their connections, even to pass unimportant and trivial information, the more likely it is that an attacker randomly fishing for a connection passing sensitive data will, if successfully cracked, only discover that someone is browsing, say, a bank's product offerings or contact information rather than an account holder's actual account info. It just increases the workload. This is from the perspective of an attacker not attacking a specific client, but sniffing all traffic destined for the host.
Quote:
I once met a BlackHat guy and he said that they regularly connect to the Tor network to spy on traffic. Hopefully a bunch of those folks cannot collude to identify the original HTTPS requester by tracing backwards.
You can spy on the traffic in a TOR node if you are an exit point. Basically how it works is that all servers are only supposed to know about the previous hop and the next hop, and the traffic from one server to the next is encrypted. However, the exit nodes see all the traffic unencrypted so yes it is possible to monitor the traffic through them.
What will also get you is any non-TCP traffic since TOR by default only works with TCP. For example if you try and nmap scanme.insecure.org through TOR, only the TCP scans will be routed through it. Other things such as the DNS request for scanme.insecure.org will still go out your regular connection.
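The DNS leak nomb describes comes down to how the application hands the destination to Tor's SOCKS port. If it resolves the name itself and then asks the proxy to CONNECT to an IP, the lookup has already gone out over the normal interface; if it passes the name to the proxy (SOCKS5 address type 0x03, or SOCKS4a), Tor resolves it inside the network. That is what wrappers like torify (mentioned later in the thread) arrange for programs that would otherwise call the resolver directly. The following is an added example, not from the thread: it builds and decodes the SOCKS5 CONNECT request both ways without opening any socket. The injected `resolver` argument and the 192.0.2.10 answer are constructed so it runs offline.

```python
"""
SOCKS5 CONNECT two ways: proxy-side name resolution (no DNS leak) versus
client-side resolution (the name leaks before the proxy is involved).
Only request bytes are built and parsed; no network traffic is generated.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4   # address types from RFC 1928


def socks5_connect_request(target: str, port: int) -> bytes:
    """Encode CONNECT so that the *proxy* resolves the name.

    Literal IP addresses are sent as-is; anything else is sent as a domain
    name (ATYP 0x03), which is the form Tor needs to keep DNS inside the circuit.
    """
    try:
        ip = ipaddress.ip_address(target)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 domain form")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def leaky_connect_request(target: str, port: int, resolver=socket.gethostbyname) -> bytes:
    """The naive pattern: resolve locally, then CONNECT to the resulting IP.

    The resolver call is the leak: with the default it would be a real DNS
    query over the normal interface, naming the destination to anyone watching.
    `resolver` is a hypothetical injection point so the example runs offline.
    """
    return socks5_connect_request(resolver(target), port)


def describe(request: bytes) -> dict:
    """Decode a SOCKS5 CONNECT request and report who ends up resolving the name."""
    ver, cmd, _rsv, atyp = request[0], request[1], request[2], request[3]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = request[4]
        dest = request[5:5 + n].decode("idna")
        port = struct.unpack("!H", request[5 + n:7 + n])[0]
        return {"dest": dest, "port": port, "resolved_by": "proxy"}
    size = 4 if atyp == ATYP_IPV4 else 16
    dest = str(ipaddress.ip_address(request[4:4 + size]))
    port = struct.unpack("!H", request[4 + size:6 + size])[0]
    return {"dest": dest, "port": port, "resolved_by": "client"}


if __name__ == "__main__":
    fake_dns = lambda name: "192.0.2.10"   # constructed stand-in for the leaking lookup
    print(describe(socks5_connect_request("scanme.insecure.org", 80)))
    print(describe(leaky_connect_request("scanme.insecure.org", 80, resolver=fake_dns)))
```

Anything reported as `resolved_by: client` has already exposed the hostname on the local network before the first byte reaches Tor; that is the part of the traffic the exit node never has to be involved in at all.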
Quote:
Originally Posted by nomb
You can spy on the traffic in a TOR node if you are an exit point. Basically how it works is that all servers are only supposed to know about the previous hop and the next hop, and the traffic from one server to the next is encrypted. However, the exit nodes see all the traffic unencrypted so yes it is possible to monitor the traffic through them.
Not only that, but there are many people who serve exit nodes and run sslstrip/ssh renegotiation proxies to try and remove/reduce encryption.
Quote:
Originally Posted by nomb
What will also get you is any non-TCP traffic since TOR by default only works with TCP. For example if you try and nmap scanme.insecure.org through TOR, only the TCP scans will be routed through it. Other things such as the DNS request for scanme.insecure.org will still go out your regular connection.
This is only true if you only route your tcp traffic through. There is a torify/usewithtor utility for a reason.
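orgcandman's point about exit nodes running sslstrip is worth seeing mechanically, since it is the main way plaintext HTTP relayed by a hostile exit turns into stolen credentials: the proxy does not break TLS, it keeps the browser from ever starting it. The following is an added example, not the thread's or the sslstrip project's code: a minimal rewriter that does to an HTTP response what a stripping proxy does (downgrades the redirect and every https:// link), beside a parser for the Strict-Transport-Security header, which is what lets a site that "uses SSL all the time" make the browser refuse the downgraded links on later visits. The response headers and HTML body are constructed.

```python
"""
sslstrip-style downgrade of a relayed HTTP response, and the HSTS header that
defeats it once the browser has seen the site over TLS.
"""
import re
from typing import Dict, Tuple

HTTPS_SCHEME = re.compile(r"https://", re.IGNORECASE)


def downgrade_response(headers: Dict[str, str], body: str) -> Tuple[Dict[str, str], str]:
    """Rewrite a server response the way a stripping proxy on the exit would.

    * a Location: https://... redirect becomes http://, so the browser never
      upgrades on its own;
    * every https:// link in the HTML becomes http://, so the follow-on
      requests (including the login form POST) reach the proxy in the clear.
    The proxy remembers which URLs were really https and fetches those over
    TLS itself, so the origin server sees a normal client.
    """
    out = dict(headers)
    if "Location" in out:
        out["Location"] = HTTPS_SCHEME.sub("http://", out["Location"], count=1)
    return out, HTTPS_SCHEME.sub("http://", body)


def hsts_policy(headers: Dict[str, str]) -> Tuple[int, bool]:
    """Parse Strict-Transport-Security: (max-age seconds, includeSubDomains).

    A browser holding a non-zero max-age for the host rewrites http:// to
    https:// before sending anything, so the downgraded links above fail
    instead of leaking. The header is only honoured when received over TLS,
    which is why the very first visit (or a cleared cache) is still exposed.
    """
    value = headers.get("Strict-Transport-Security", "")
    max_age, include_sub = 0, False
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            max_age = int(val)
        elif key.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


if __name__ == "__main__":
    # Constructed response from a site that redirects to its login page over TLS.
    hdr = {"Location": "https://bank.test/login", "Content-Type": "text/html"}
    html = '<a href="https://bank.test/account">Account</a> <form action="HTTPS://bank.test/login">'
    print(downgrade_response(hdr, html))
    print(hsts_policy({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

Two things follow for the forum question: a browser that has never connected to the site over TLS has nothing to go on, and a site that only enables TLS for the login page still hands the stripping proxy the plaintext page that links to it. Serving everything over TLS and sending HSTS on those responses removes both footholds.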
Quote:
Originally Posted by orgcandman
Not only that, but there are many people who serve exit nodes and run sslstrip/ssh renegotiation proxies to try and remove/reduce encryption.
Correct, as I stated, the exit nodes see the regular traffic and can use normal web attacks on it.
Quote:
Originally Posted by orgcandman
This is only true if you only route your tcp traffic through. There is a torify/usewithtor utility for a reason.
Correct, which is why I said by default. There was no reason to go into which programs can get around the limitations so I intentionally left that out. One because it isn't relevant, and two because I didn't want to get the thread off topic. I originally brought it up in my first response just so the person knew there was a lot more to it; but let's stay on the topic of SSL.
Quote:
Anyway, I took Medievalist's server-side arg to mean that the more sites that use SSL for all of their connections, even to pass unimportant and trivial information, the more likely it is that an attacker randomly fishing for a connection passing sensitive data will, if successfully cracked, only discover that someone is browsing, say, a bank's product offerings or contact information rather than an account holder's actual account info. It just increases the workload. This is from the perspective of an attacker not attacking a specific client, but sniffing all traffic destined for the host.
Yes, that's exactly what I meant. In general, the more SSL/TLS is on the wire, the less each individual stream stands out.
Periodically SSL gets cracked, and we update or patch the software to prevent problems. But there's a period between the time a crack is discovered and the time that it is patched on all systems using the Internet. If we all use SSL all the time, even for unimportant connections, we make it harder for bad guys to find the important ones, which makes it less profitable to be a bad guy.