Certain versions of the ‘Tor Browser’ package were 100% 0wn3d. Never should have trusted a browser with JavaScript and all the bells and whistles, paid the price.
What is unknown, at this point, is who owns the exit nodes. My understanding is that (to the best of unclassified security research) Tor is fine so long as (1) it is used properly (which the Browser exploit was explicitly designed to defeat) and (2) a single, coordinated, malicious actor doesn’t control more than a certain percentage of the exit nodes.
(1) is a fact, but one that can be circumvented by using a more secure set of client software. (2), though, is worrisome. Running a gigantic mass of Tor exits, on various boring VPS and colo services, is expensive by individual/nonprofit standards, but relatively cheap by Scary Feds standards. If it turns out that 80% of the Tor exit nodes with decent bandwidth are owned by three-letter agencies…