Instead of just having your ISP able to sniff or MITM your web traffic, now you may have some random exit node operator doing the same - likely with more malicious intent than your Internet provider.
People who use Tor seriously usually also use a VPN service, and disable cookies, java, or any other client-side means of tracking you. They will also run TOR via a local virtual machine that they created on the fly.
While the exit node will be able to sniff the users, it won't be able to link it back unless the user gives up some information. ISPs can link back every time, regardless of behavior.
The FBI busted a child-porno ring on Tor using only an iframe and some javascript. They were able to take control at the data center the site was hosted, and then trace back to the ISPs for the Tor users who didn't disable java.
Java is not allowed on Tor Browser Bundle and shouldn't be allowed in a browser, ever. (And probably in general if you care about security.)
JavaScript in general should not be that dangerous - however, there was a 0-day bug in Firefox, that Tor Browser used, that leaked the IP anyway, and NSA used that 0-day.
In general - at least in my opinion - JavaScript is much lower on the "dangerous" list than Java, but yeah, still can leak something.
The best way is probably to just use Tails - a linux distro made to be secure from the start.
I meant javascript - my bad. The bug in Javascript was that it identified the MAC address, right? Javascript can still track client info if I'm not mistaken.
What do you mean by using Tor and a VPN service? Do you mean accessing Tor through the VPN? Or accessing the VPN through Tor? It seems like using Tor is a waste of time if you then go ahead and authenticate yourself somewhere. Or is this just in the context of trying to break out of a restricted environment? (rather than looking for anonymity)
Good question, I have been wondering the same for a while.
I have read somewhere the point is that one is anonymity provider, other - encryption to hide from your ISP.
If you think about it, you'd be using Tor to connect to either public or roll your own VPN. The issue with using Tor is that all exit nodes are (probably) monitored. Some websites even refuse to serve you, as they have a list of exit nodes. Use of public VPNs is easier, as semi-officially they track you, hence they can be trusted by websites. Your best option is use Tor & custom VPN with a clean IP address. Trouble here is leaving payment data and you'd still probably would trigger some alarms by connecting from a registered Tor exit node...
I meant using a VPN through TOR, between the client and the VPN service. This prevents the TOR chain from sniffing, at the cost of the VPN service potentially seeing your client.
Instead of just having your ISP able to sniff or MITM your web traffic, now you may have some random exit node operator doing the same - likely with more malicious intent than your Internet provider.