A few worries about Tor

39 Antworten [Letzter Beitrag]
quantumgravity
Offline
Beigetreten: 04/22/2013

Maybe it's completely absurd, but I wondered whether I can get in trouble for using tor, since traffic is directed to my pc and maybe this traffic contains illegal material.
So are there any justifiable worries about using tor?
Did anyone get sued / is it technically possibel?

I would like to use tor-browser-bundle.

lembas
Offline
Beigetreten: 05/13/2010

I don't understand too much about tor but I think if you provide an exit node and somebody does something illegal, it appears you're to blame. This makes it less likely people provide exit nodes.

And the network is useless without exits.

On the other hand, the government can provide exit nodes with impunity and at the same time eavesdrop on the traffic...

quantumgravity
Offline
Beigetreten: 04/22/2013

Thank you two!
After a bit of reading I conclude that no traffic gets directed through my pc in case of using tor simply as a client.
one has to configure explicitly as a relay;
can't imagine how a client could be sued in any way.

Chris

I am a member!

Offline
Beigetreten: 04/23/2011

It is safe to run the software as a relay or client.

There is some risk of police busting down your door if you run it as an exit node. Generally it is not illegal to run it as an exit node although law enforcement in many countries are technically incompetent-or near so. They don't understand how the Internet works. When they do semi-understand they make arguments to the effect of Tor being an oddity. The problem is most users are running MS Windows and infected with malware. As a result running Tor as an exit node and having traffic for which is not yours is normal. Not to mention that until recently most wireless access points were unsecured. There are lots of situations where the traffic which passes through an IP address is not connected to the account holder.

What has happened a number of times now is exit node operators homes have been invaded and the account holders have been embarrassed. After the law searches the home the police drop it because there is no point in prosecuting someone for being an exit node operator. There is no liability for passing traffic. Various laws ensure this. There is no law against Tor or Tor-like programs in most jurisdictions.

* I'm no lawyer and this is sort of or may be a legal question... if your really concerned consult a lawyer in your area

t3g
t3g
Offline
Beigetreten: 05/15/2011

Running an exit node puts you at a huge risk if someone is doing something illegal like viewing child porn, making threats towards an elected official, or huge amounts of software and media piracy on BitTorrent.

ssdclickofdeath
Offline
Beigetreten: 05/18/2013

"media piracy on BitTorrent."

Piracy? I thought that was a smear term to avoid.
http://www.gnu.org/philosophy/words-to-avoid.html#Piracy

quantumgravity
Offline
Beigetreten: 04/22/2013

I don't quite get it.
If someone sits between me (the client) and the first node, and he captures the traffic, can't he see both the content and my ip?
Or the first node himself; he knows my ip and can easily capture my traffic, can't he?

Michał Masłowski

I am a member!

I am a translator!

Offline
Beigetreten: 05/15/2010

> If someone sits between me (the client) and the first node, and he
> captures the traffic, can't he see both the content and my ip?
> Or the first node himself; he knows my ip and can easily capture my
> traffic, can't he?

Connections between nodes and you are encrypted using TLS, others cannot
decrypt it easily. The first node knows the second node address and
gets encrypted data to forward. It decrypts the data and forwards it to
the second node, or receives it if it's the final node. Multiple exit
nodes can be used for a single circuit, the packets don't show how many
routers are used (the same bytes are encrypted many times without adding
headers). I.e. only the exit node for this connection has the cleartext
content.

Attackers not knowing where the packets come from (i.e. which node is
first) is a reason to host a relay node.

The design document explains this and other issues [0]. (It's very
possible that I don't remember some relevant details.)

[0] https://www.torproject.org/docs/documentation.html.en#DesignDoc

quantumgravity
Offline
Beigetreten: 04/22/2013

Ahh but he can't be sure whether the traffic is really from me or if i'm just another node; am I wrong?

Chris

I am a member!

Offline
Beigetreten: 04/23/2011

No. The first node is passed an IP address where to forward your data (which is encrypted), the node doesn't forward your IP though, the 2nd node does the same thing, but the first node doesn't get what the final exit nodes IP is. The final exit node can decrypt your data because you have used there key to do the encryption. You have also used a key of the 2nd node so the first node doesn't know the IP address of your exit node.

Long story short the exit node can see your data if it is unencrypted (not using SSL) but they can't identify your IP because they don't have it (unencrypted anyway- and it's encrypted with a key that the exit node does not have).

Now there is an ip-like address (this is not preserved though) so the exit node knows where to return data but again- the same thing happens in reverse. Ultimately the exit node only knows where to pass back your data encrypted, to a middle node, whom then knows nothing of the data they are transporting, but they do know where the first node is, whom then again doesn't know your contents, just where to send the final encrypted data. You then are the only one who can decrypt that data.

quantumgravity
Offline
Beigetreten: 04/22/2013

Is this only true for using https or is this a different issue?
Some sites don't provide https

andrew
Offline
Beigetreten: 04/19/2012

On 16/07/13 21:22, shiretoko wrote:
> Is this only true for using https or is this a different issue? Some
> sites don't provide https

If you aren't using end-to-end encryption, such as TLS, then the
communications between the exit node and the destination can be INTERCEPTED.

However, if you are doing standard web browsing without identifying
yourself online, this shouldn't matter, because it is _hopefully_
infeasible for an attacker to discover your identity.

Andrew.

t3g
t3g
Offline
Beigetreten: 05/15/2011

When you use the Tor Browser, the home page tells you that you are connected to the Tor network and are using a specific IP address. Many times when I use Tor, I get curious and do an IP lookup and it tells me the the country and state (if in the US) of the IP I am "borrowing" for that session. That is how I could watch streaming video on the BBC iPlayer by forcing my exit nodes to be under the UK.

Tor is "private" in the sense that you browse the internet under an IP different than yours. If you were to run an exit node and a handful of people were using your IP to upload and discuss child pornography, how would you be able to prove it wasn't yours? It is an IP assigned by your ISP that is tied to your account with your personal information.

At the end of the day, the sites you visit under that "borrowed" IP address may keep a record of that IP's visit and if they were forced to share visitors with the government for any reason, they tie that IP to the activity at that time. The user that was providing the exit node now has this activity tied to his IP address that he or she may not be aware of and is taking a HUGE risk by sharing it.

I can't moderate what someone would be doing with my IP address and sure would not want to serve prison time either due to the logged activity. That is why I would never run an exit node in Tor.

quantumgravity
Offline
Beigetreten: 04/22/2013

I think you misunderstood; I don't use it as an exit note, just the default configuration as a client;
The whole question was about this being secure or not.

I think very few people are running exit nodes;
Since all my ports are closed, this wouldn't work either.

t3g
t3g
Offline
Beigetreten: 05/15/2011

Another problem with Tor is that if more and more people move to just being a client instead of a relay or exit node like yourself, then there is no Tor network. It reminds me of BitTorrent where the ratio of leechers to seeders is greater and it becomes harder to get the file.

quantumgravity
Offline
Beigetreten: 04/22/2013

That's true, but there are enough countries and organizations in this countries which are much safer than I am.
Don't know if we really need private people running an exit node.

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

You mean like people streaming heavy BBC videos through the Tor network? Yeah, those jerks really do not get what Tor is for (activism, dissidence, bypassing censorship and state monitoring, etc.) and eventually harm it.

t3g
t3g
Offline
Beigetreten: 05/15/2011

If people are using Tor for activism, bypassing censorship, and getting around monitoring in their country, they are using your IP to do it. If they are saying stuff that is extreme enough to warrant the use of Tor, my IP is held liable for the content posted and they are proteced.

Tor is only "safe" because you offset your responsibility to someone else. For shits and gigs, I found the ThinkPenguin node in Texas and their IP. What if I was a competitor and connected directly to their exit node and used it for illegal purposes? The node is tied to their company name and if someone wanted to dig up records based on their IP, do they want to be liable?

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

Let us recap:

  • You complain that with not enough exit nodes and too many clients, which send and receive much information, "there is no Tor network" (your words). So, you are perfectly aware of the main problem Tor faces.
  • You publicly argue against running exit nodes because the "legitimate uses" of Tor (i.e., the uses promoted by people actively working for Tor: letting the Chinese guy access uncensored information about the Tibet or Taiwan, letting the Syrian rebellion communicate to organize themselves, same thing for the dissidence in Iran or Egypt, allowing Edward Snowden to anonymously send information about PRISM to the Guardian and the Washington Post, etc.) are not worth the risk of being detected as the source of the connection.
  • You are a client of the Tor network for the worst workload I am aware of (streaming videos) and for leisure purposes only.

How isn't that parasitizing?

t3g
t3g
Offline
Beigetreten: 05/15/2011

1. Yes, it is true that more nodes equals more people being able to use it. That is obvious.

2. What you are describing as legitimate is very subjective. I do understand that people need an outlet sometimes to discuss information, but like I said a handful of times, the owner of the IP becomes liable. If someone provides an exit node for someone to use it for illegal purposes, doesn't that make them an accomplice?

3. I don't use Tor every day and using it to stream a video from the BBC only really happens if I want to see something in the iPlayer. If you are chastizing me for that, you are really being hypocritical. You say that Tor allows people the freedom to access and process information regardless of the country they are in and for a person in the US to access services on UK servers is no different than someone in Japan trying to access services on US servers.

No matter what, Tor allows someone access to something they are typically denied to by the rules of their country. If accessing Google is a big thing for a Chinese user, many times than not the Google servers will detect that the IP is under a type of proxy and will not let you proceeed. Of course someone can get around that by using DuckDuckGo or Startpage from the start regardless of their country.

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

What I called "legitimate" is not subjective. It corresponds to the objectives of the Tor network. That is why I added "i.e., the uses promoted by people actively working for Tor". Just read the home page of the Tor project, section "What is Tor":

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.

If, in this text, you read "let American people enjoy BBC videos", then you cannot read. Check out the FAQ too, question "Why is Tor so slow?":

You shouldn't expect to see university-style bandwidth through Tor. But that doesn't mean that it can't be improved. The current Tor network is quite small compared to the number of people trying to use it, and many of these users don't understand or care that Tor can't currently handle file-sharing traffic load.

You are confirming that you are perfectly aware of the main problem the Tor project faces to fulfill its objectives: the workload increasing faster than the number of exit nodes. Anyway you are selfish enough to:

  • not have any moral issue overloading the network by streaming BBC videos (hence taking the bandwidth that is aimed at fulfilling Tor's goal);
  • arguing against anybody managing an additional exit node because you believe the objectives of the Tor project are not worth the risk.

I repeat: how isn't that parasitizing?

quantumgravity
Offline
Beigetreten: 04/22/2013

> Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy

This doesn't mean tor is only for anti-government activists or censored chinese people.
We don't want the gouvernment to know: everyone who downloads tor does some abnormal things and is worth being written on a list.
Surfing the internet anonymously should just be normal; it should be a right for everyone, not being tracked. I don't want to get tracked walking in the forest; I don't leave a little note in the forest with a address, and everyone who finds it can find out who I am.
I know tor can't handle this at the moment.
But I don't agree with your thoughts about the purpose of tor.

BlinkingArrow

I am a member!

Offline
Beigetreten: 12/27/2011

Just like Chris stated there really aren't known cases of people running an exit node going to jail. Chris was very thorough in his post, but t3g is just ignoring this. No, you cannot, I repeat cannot, be held liable for the traffic that comes from your IP address. The worst that could happen is that your house would be raided and your name smeared for a bit. Take a look at this artile for example: http://www.nbcnews.com/id/42740201/ns/technology_and_science-wireless/t/bizarre-pornography-raid-underscores-wi-fi-privacy-risks/#.UeblsnzA9D1. The article does erroneously refer to crackers as "hackers."

Another instance where I can think the owner has not been held liable is in the case of trolls. I can't remember the source, although if t3g insists I'll search for it. These guys would grab IP addresses from file sharing networks, ask the ISP for the owner of the IP and sue them. They'd get people in the other side of the country and tell them something along the lines of "pay us $3000 or we'll drag you out to the other side of the country on charges of "piracy" of pornography." A judge found that an IP address does not automatically make the registered user the responsible party.

Likewise, if you were to use your Internet connection for illegal activity the government is not going to jail everyone that works for the ISP. Again, this is something that Chris mentioned and you simply ignored. In essence, if someone is running an exit node they are providing the same service.

For the record, no you can't be held accountable for the traffic coming from an exit node you run. The worst that can happen is you'd get raided and you're name would be smeared for a short while. If that's too high a price to pay, then don't participate but don't spread misinformation so no one else is willing too either.

quantumgravity
Offline
Beigetreten: 04/22/2013

>If that's too high a price to pay, then don't participate but don't spread misinformation so no one else is willing too either.

Where did I spread misinformation?
I _asked_ in this thread whether it is a problem or not. And by the way,
I thought about tor running as a client, though the whole discussion is
about exit nodes.
I don't want to setup tor as an exit node, though it may be right what
you said.
Don't know how things are in different countries, but in germany, it's
like this:
you may have justice on your side, but it doesn't matter. Law is very
complex in different judges make different decision. It's pretty much of
a roulette, even if the law is actually on your side.
If law isn't even clear at all, chances in the roulette are worse for
you.
In germany, you can dare to fight a law conflict if you have money and
time.
I have neither money nor time, and so I decide not to do it.

I know of people being sued for using filesharing networks.
They received letters from lawyers telling them to stop illegal activity
and pay an amount of money for not being brought to court.
Perhaps the law is actually different, I don't know. Whenever I informed
myself about the law concerning online activity, the output was: even
experts are arguing and don't know what's legal an what isn't.
So if I run an exit node, getting such a letter is the best thing of the
bad things that could happen.
Would I dare to join the roulette?
No.
And I never heard of the tor developers saying "everyone who uses tor as
a client does harm to the project - stop it".
If I read something like this, I would simply stop using tor.

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

The Tor developers never said that "everyone who uses tor as a client does harm to the project - stop it". Neither did I.

Tor's FAQ blames people using *a lot* of bandwidth for no good reason (e.g. sharing copyrighted works). And so did I (with BBC video streaming).

Chris

I am a member!

Offline
Beigetreten: 04/23/2011

While streaming video from the BBC web site might not seem like a great use of the networks bandwidth I'd be hesitant to put much criticism in it. We need people using the network in uncontroversial ways to ensure its continued legality and make unusual use cases (streaming controversial content) harder to detect. You can for instance make certain connections based on the type of traffic being sent.

BlinkingArrow

I am a member!

Offline
Beigetreten: 12/27/2011

I clicked on the wrong reply link. That reply was meant for t3g not you. Sorry for any confusion. As to your original question, there's no risk as far as I know. I believe it is possible to tell that one is on Tor, but I don't think that would be a problem.

Alexander Stephen Thomas Ross
Offline
Beigetreten: 09/17/2012

On 17/07/13 15:17, name at domain wrote:
> May I live until I got my fingers on some decent videocamera and push
> the output straight to VP9/WebM.

I have been wanting too test (Pending getting some hdmi cables +
adaptors and access to a hdmi screen or buying an hdmi2vga.) to see if
one gets a raw out not a preview from ones camera via hdmi and if so
that would mean with a suitable encoding monster computer one can avoid
the video ever going into h264! Yay!

I have a damcannon powershot SX260HS with CDHK.

t3g
t3g
Offline
Beigetreten: 05/15/2011

If you say that you cannot be held liable for traffic on your IP address, why is it that so many people get notices from their ISPs and media companies for sharing files on BitTorrent? The IP address is tied to an activity whether it is file sharing or a web server storing your visit through Google Analytics or their own software.

BlinkingArrow

I am a member!

Offline
Beigetreten: 12/27/2011

That's not the same. You are simply transmitting the information when it comes to Tor. It is hard to prove that you didn't know you were sharing a file when it is necessary to add the torrent or magnet. Anyway, like I mentioned previously a judge in the United States found before that an IP address alone can't be used to find someone guilty as it could have been another person using the network. Is it simpler to just not run a node at all? For sure! Then too, many things are simpler if just left alone. https://www.eff.org/torchallenge/legal-faq

t3g
t3g
Offline
Beigetreten: 05/15/2011

I know they don't do it now, but do you worry in the future that ISPs will not allow you to run a Tor node or any other software that shares your IP or provides routing software? I know many won't let you run a webserver and its honestly a matter of time that they work it into their service terms.

BlinkingArrow

I am a member!

Offline
Beigetreten: 12/27/2011

Then a smart consumer would vote with their wallet. I'm fairly certain the major ISPs will.

t3g
t3g
Offline
Beigetreten: 05/15/2011

Your reading comprehension must not be great or you are simply ignoring viewpoints that aren't yours:

1.) I don't use Tor everyday

2.) I've only used it for streaming BBC content maybe 3-4 times total

3.) An exit node is a risk because you cannot trust the user who uses your node and you are in the dark if they abuse it. You can be altruistic all you want, but people use Tor because they have something to hide and don't want their own IP tied to it.

Chris

I am a member!

Offline
Beigetreten: 04/23/2011

As far as #2 go you need to look up what an accomplice is. There are legal definitions at play there and I doubt someone would be an accomplice when they are not a party to the crime. Providing the service itself is not a crime. Providing a getaway car is significantly different. You knew what the party you were providing the car to was going to do. Now if you loaned them a car and they used it to get away that is different and they would probably not be held as an accomplice or would otherwise not be convicted if it went to trial and the evidence proved they were uninvolved in the crime and had no knowledge of the crime to be committed.

Plus in the United States and most other countries there are things in place which shield liability. The Internet wouldn't function without it. In the United States the law which shields liability is the DMCA. It says ISPs and operators of other services like Tor exit node operators aren't liable so long as they take down content for which they host.

Now ISPs have taken this to the extreme in many cases by forwarding take down requests (a legal term) to server operators and end-users. This isn't actually required and I don't believe all ISPs do it. However many now do. Unfortunately there hasn't been as court case that re-enforced that interpretation of the law.

I'm not lawyer mind you and the lawyers themselves have different opinions on these topics. They are also paid to take sides to some extent. So... even a lawyers opinion you need to take with a grain of salt.

Chris

I am a member!

Offline
Beigetreten: 04/23/2011

That wouldn't work because ThinkPenguin does not run an exit node. However we have no problem doing so and our reputation would only be enhanced by a competitor taking such actions. It would bring out the fact we are supporting the Tor project. Something that almost nobody knows right now. They would unintentionally be drawing good PR to ThinkPenguin.

ThinkPenguin does not currently run an exit node though (we have in the past). ThinkPenguin runs a relay. There is a big difference here in that nothing will ever be tied back to ThinkPenguin. It'll get tied to the exit node and the exit node operator will have to deal with (respond to take down notices for copyright, etc). There is no liability for exit node operators in most countries. There is only minimal risk and beyond a small handful of places being raided there have has never been significant harm to a exit node operator.

That said ThinkPenguin has run an exit node and the only reason we stopped was because of the take down requests. The ISP which connects a server that we ran the exit node from didn't like the continued stream of take-down requests and told us to 'fix it' so that they didn't have to pass on the notices. We could have reduced or eliminated the notices by taking certain actions. However it was easier to just turn the node back into a relay than continue. While privacy and such is at the foundation of the company it is not the primary purpose of the company. The goal is to support free software users by providing easy access to free software compatible hardware and promote/support such hardware. If nobody has designed or released chipsets for a particular type of hardware, etc we go and work on fixing that.

Here is a listing of the services our server offers the Tor network:

http://torstatus.blutmagie.de/router_detail.php?FP=079af6c8558c5eea6b81b3da4f23498178a73adc

Notice it says it is NOT an exit node.

Chris

I am a member!

Offline
Beigetreten: 04/23/2011

Can you point to a single person who has ever served prison time because they ran an exit node? The government generally needs more than an IP address to convict somebody of downloading illegal pornographic images. They may not need that to raid a persons house however.

So the risk is that law enforcement performs a raid on your premises and you lose your computers, are humiliated by being seen as a xyz criminal, and have your privacy/papers tossed and invaded.

If your largely clean legally that is (not taking drugs illegally, downloading illegal pornographic materials yourself, in the possession of weapons, or involved in other illegal activity, etc).

Law enforcement can probably charge you with crimes unrelated to items in the search warrant even if the search itself turns out to be illegal. The evidence collected in relation to the search itself might be thrown out but so long as the warrant existed and the contraband is seen by police it can be used in court (at least if it is not in the warrant which is illegal, invalid, or results in nothing due to misunderstood data).

What that basically means is don't be an exit node if your not always a law abiding individual, can't afford/handle a little undesirable publicity during the initial raid should one ever occur, etc.

Keep in mind most exit node operators will never be raided. If you setup the exit node properly there is little real risk. There may be from time to time DMCA take down requests and similar that you'll need to respond to because your ISP/the DMCA issuers doesn't understand Tor.

andrew
Offline
Beigetreten: 04/19/2012

On 17/07/13 00:04, t3g wrote:
> At the end of the day, the sites you visit under that "borrowed" IP
> address may keep a record of that IP's visit and if they were forced
> to share visitors with the government for any reason, they tie that
> IP to the activity at that time. The user that was providing the exit
> node now has this activity tied to his IP address that he or she may
> not be aware of and is taking a HUGE risk by sharing it.
>
> I can't moderate what someone would be doing with my IP address and
> sure would not want to serve prison time either due to the logged
> activity. That is why I would never run an exit node in Tor.

The only solutions to this, IMHO, are (a) get significantly more people
to create exit nodes, or (b) make more websites available as Tor hidden
services, so not has much traffic has to go through an exit node and Tor
becomes less dependant on the CensorNet. Maybe a combination of both.

Andrew.

Drewski
Offline
Beigetreten: 07/18/2013

More hidden services would definitely help, but I don't see it as a final solution because there is just too much information for the tor network contributors/devs to incorporate to make it remotely comparable to the whole internet.

Another approach:
The I2P network (a similar concept to tor, but not as widely adopted yet) essentially forces all clients to be a exit node (I2P doesn't use the term exit node though).

Maybe there should be a branch/fork of tor that forces everyone to be an exit node. Maybe it could be designed in such a way that would legally protect innocent users from being legally culpable/pursuable for another user of the network's misuse of the network.

On another note, I don't know if this is true, but I once read that tor receives ~80% of its donations/funding from government. Sort of disconcerting if you think about it. Maybe tor is just a honeypot for intelligence agencies and eavesdroppers; via exit node snooping or other means.

GNUser
Offline
Beigetreten: 07/17/2013

Tor being a honeypot is hard to be true (and even if it was, it would still be a good solution to use for some "small scale privacy attacks" anyway). As for the exit nodes, we should just assume that ALL of them are malicious (many are not, there are many good honest people running exit relays but still) and defend ourselves. Use https everywhere possible (tor browser uses an older version of https everywhere extension, some websites have https and it won't activate, if it's a website you know has https and Tor Browser didn't automaticaly redirected you, you can and should still make the change manually yourself), be careful not to mix public accounts with private ones, if you want to deal with sensitive accounts create a new session (in torbutton, not vidalia! vidalia won't clean your session cache, cookies etc), and basically use common sense. Also, there are many good hiddenservices that can be used, if possible use one of them instead of the surface.

I don't think we should fork the Tor project, if we do, not only will be (already small) team divided, it will also open doors for malicious features appearing and no one noticing. If someone wants to help improve Tor, he should help the core project, so that the entire community that runs services and projects based on Tor will benefit from them.

GNUser
Offline
Beigetreten: 07/17/2013

Hey everyone.
Great, a Tor discussion =D my favorite topic lol.

So, I will jump the basic stuff, you probably know about that already and if you don't you can take a look at the tor project homepage (or just send me an email and I will help if needed).
Fisrt, you are FINE running the tor browser as both a client AND a relay (not an exit node).
It will hardly help your anonymity, beacuse it's EASY for an atacker to know if that data was generated by your browser or if it was previously relayed to you from another point. Still, I believe you should run it as a relay if you can (some ISPs won't allow that, mine for example, stupid bunch of people -.-), and you can easily do that in the vidalia options choosing to become a relay (if your ISP doesn't allow that, you will be unable to estabilish the necessary connection anyway).
So.... how safe is Tor and do we need more relays?
We need more relays, but as the Tor team as already stated, it's not about having more relays, it's about improving the network. For example, you can have a bilion relays, but if you are accessing a hidden service, it will still go through 6 relays and that will take a lot of time anyway. So, yes we should grow the network, but that's not the final solution.
How safe is it? Well, that depends... if you listen to some speechs made by Roger Dingledine and Jacob Appelbaum, you will notice that they are VERY aware of the imperfections of the Tor system. They clearly state that Tor will hardly be able to defeat a global adversary. And I can understand that, if you can look at all the traffic of each person who uses the Tor network, all the exit nodes, AND all the websites that are visited by Tor exit nodes, you can cross reference that information and know "who is who".
But let's be honest, are we all really up agains't China or NSA? For me personally is more about not having my ISP snooping on me, not having my neighboor trying to play a "cracker" figure on me and watching my every move online, not having someone who has a friend on the police trying to get information about me just because he wants to, not having someone on the internet getting mad at me and trying to locate where I live and threaten me.... You know, I use a couple of global adversary capable defensive mechanisms, but I am not really trying to go up agains't them, I am merely trying to make things harder for the people "around me" who might have some reason to attack me, so that I can have PRIVACY.
I don't want my life insurance to grow more expensive just because I searched about some disease online. You understand?
I use Tor most of the time, but I don't use Tor to access my personal email. Why? Because that's the email that I decided "this will be my online identity, and I will not hide that's me". It's my official email, you know? In the same way, I don't visit my "secret" email account's without Tor (because it would be CLEAR that it was ME and not an exit node visiting the email account, and anonymity would be destroyed).

I am not sure if someon has alrady posted this or not, but the EFF has made a graphical presentantion of who can see what about your internet connections, if you use Tor, HTTPS, both or none. Take a look at it in:

https://www.eff.org/pages/tor-and-https

As a couple of final notes ( I might write a tutorial on online prviacy one of these days, lol) I will alert you that you shouldn't change the Tor Browser configuration (it will make you susceptible to browser fingerprinting) and if you want to make ONE change that might help to protect you, just choose to block javascript globally, as it will prevent some malicious smart ass javascript from attacking you. Usually I chose not to have javascript allowed.