© Electronic Frontier Foundation
Protecting your security and anonymity against real-time government wiretapping is considerably more difficult. In a country where ISPs are controlled by the government or vulnerable to government bullying, Internet users should be especially aware of what kinds of information is still visible to ISPs and may be subject to government surveillance. To a lesser degree, websites may be subject to the same kinds of government bullying and may be compelled to give up information about their customers.
Finally, government agencies with particularly vast resources, such as the NSA, may be able to circumvent the protection provided by Tor through what is known as the "Global Network Adversary" attack. If the Global Network Adversary (GNA) controls the relay through which you enter the Tor network and the relay through which you exit, the GNA can correlate the size and timing of your traffic to identify you on the Tor network. In this scenario, the GNA will have the origin and destination of your traffic, but if you are using HTTPS, they will not be able to read the content. You can help combat the GNA by running a Tor relay, adding to the strength and diversity of the Tor network.
EFF has put together an interactive graphic to explain the ways in which HTTPS and Tor work together to provide you with certain kinds of protection against a variety of potential adversaries.
HTTPS is a better bet for security than no encryption, but Tor is not a better bet than nothing.
The biggest problem is that anyone can run a Tor node (and since Tor nodes are trusted with however much network capacity they state they have and, thus, how much traffic they get, anyone can choose how much traffic they get as a Tor node, especially if they're running multiple nodes), effectively choose how much Tor traffic they get, and then sniff traffic as it goes through, including running "Man in the Middle" (MitM) attacks against HTTPS (SSL/TLS encryption). These attacks aren't theoretical. They're also easy to perform if you have a lot of resources, like one of the alphabet soup agencies. With all the known flaws of Tor and the EFF (as far as I know) not having addressed them with new releases or new software altogether, for them to be recommending using it I have to wonder if they have serious blinders on or don't have their users' best interests at heart (my money's on the latter...).
Article on a security researcher sniffing data after running a few Tor exit nodes and what he got:
[Link]
Article about using BEAST (the Browser Exploit Against SSL/TLS Tool), which actually breaks SSL 3.0 and TLS 1.0 encrypted sessions, not just bypasses them (TLS 2.0 is secure, but not deployed or adopted anywhere yet)
[Link]
Article about sidestepping SSL (author is really using SSLstrip, not SLLstrip)
[Link]
How Tor can leak data to a malicious end router
[Link]
More evidence of Tor exit node performing man in the middle attacks:
[Link]
Source discussion of the above evidence:
[Link]