I want to address the issue that is foremost in the debates about security and privacy and anonymity. Just how secure is Tor ***really***? I mean, mathematically I can surmise that it is the best we've got, but is it enough? With all these monster computers and algorithms and spying machinery that the fucking government is amassing against us, do we really stand a chance?
I don't want to sound like a wet blanket, but are our private days numbered?
The primary attack to worry about with Tor is end point timing correlation. Regardless of the number of middle nodes, if the attacker can watch traffic enter the network and arrive at its destination, they can link the traffic, meaning they can determine that the IP they saw sending traffic sent it to the location they saw traffic arrive. Pretty much the only way around this is to add enough artificial delay to traffic at each hop that a large amount of people's traffic can be gathered at the hop and reordered prior to being sent out. This is called mixing, but it generally requires too much time delay to get a substantial enough crowd, and isn't adequate for surfing the internet in a real time manner; it is mostly used for e-mails on networks like Mixmaster and Mixminion.
The first step of being able to watch both ends of traffic is to determine the target server's IP address (i.e., the server you want to know who is visiting). If it is on the clearnet this is trivial, and you can monitor for connections to this server from your exit node. Clients create circuits that use a different exit node usually once every ten minutes. This is not as trivial to do against hidden services, although if you own a hidden service's entry node you can trivially determine this fact and its IP address by doing a timing correlation attack. Hidden services select entry guards. Entry guards consist of three relays selected from the pool of relays with the guard flag, that all traffic enters the network through. Guard nodes change every thirty or sixty days, and a hidden service uses the same guards for every client connecting to it. A hidden service's natural 'exposure' to 'exit' (really entry) points is thus much less than a website on the clearnet. If the attacker cannot monitor traffic arriving to the hidden service, they cannot do an end to end timing correlation attack (although this does ignore website fingerprinting attacks).
Unfortunately, it is not that hard to trace a hidden service to its entry guards. Hidden services create a new circuit for every rendezvous node a client requests it to connect to, and malicious clients can request hidden services to connect to thousands of different rendezvous points simultaneously. Although the hidden service always enters through its entry guards, its middle and "exit" node (really not an exit, but last node from the hidden service) are selected from the total pool of Tor nodes, and are newly selected for each circuit. A malicious client doing this can also operate as a relay itself, and the hidden service is likely to select it as a relay for some of its circuits. The malicious client/relay can then do a timing attack and statistical analysis to trace the hidden service up to its entry guards. This attack can be carried out with a single node and traces to entry guards in a matter of minutes.
At this point the attacker has two options. It is worth pointing out that there are two types of attacker, active and passive. Active attackers attack the network by adding nodes to it; passive attackers attack the network by monitoring the connections between nodes. For an active attacker to trace a hidden service, they need to own one of its entry guards. After they identify the hidden service's entry guards, they will want to DoS them, forcing the hidden service to either go down (if strict entry guards are set in torrc; they are not by default), or select new entry guards (default behavior). One way to do this is by flooding entry guards with fake create cells, which cost very little processing power to construct but a significant amount to process. This allows the attacker to exhaust the processing power of the entry guards, effectively DoSing them. If they can continue to do this to all selected entry guards simultaneously, eventually one of the newly selected entry guards will belong to the attacker and thus they can deanonymize the hidden service. This is the best currently known active attack for tracing hidden services, and it isn't that expensive.
A passive attacker who traces to the entry guards can order the ISP of the entry guard, or other infrastructure (IX, AS), to put a trap and trace on the entry guard. This will allow them to deanonymize the hidden service without owning the entry guard, just being able to see all connections to and from it.
Once the hidden service is located, the attacker will monitor connections to and from it; this will give them one half of an end point timing correlation attack. Now your anonymity depends on the attacker not owning one of your entry guards, or being able to passively monitor you. Thankfully, it is significantly harder to speed up a client's entry guard rotation, so it will likely turn into a waiting game at this point. Every 1-2 months you will select new entry guards, and depending on how many entry guards the attacker owns there is a certain probability of them owning one of yours and being able to determine that you communicate with the hidden service they have traced. They will likely be able to deanonymize a small portion of the users every one to two month period, but Tor does a good job of preventing them from deanonymizing 100% of the users, at least unless they wait for quite a while, probably at least a year unless they have a large % of the total entry guards.
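
The guard-rotation exposure described in the last paragraph can be put into numbers with a simplified model. This is an added example, not part of the original post: it assumes an adversary is chosen with probability `f` for each guard slot, three guards per client, and a full independent re-pick every 30 to 60 days. Real Tor weights guard choice by bandwidth, so `f` and all function names here are illustrative assumptions.

```python
import math
import random

GUARDS_PER_CLIENT = 3  # from the post: three entry guards per client

def p_compromised(f, rotations, guards=GUARDS_PER_CLIENT):
    """Chance that at least one guard picked across `rotations` guard sets
    belongs to an adversary selected with probability f per slot."""
    return 1.0 - (1.0 - f) ** (guards * rotations)

def rotations_needed(f, target, guards=GUARDS_PER_CLIENT):
    """Smallest number of guard sets after which p_compromised >= target."""
    if not 0.0 < f < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("f and target must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / (guards * math.log(1.0 - f)))

def simulate(f, days, clients=20000, seed=1):
    """Monte Carlo check: each client keeps a guard set for a random
    30-60 days (assumed uniform), then re-picks all guards."""
    rng = random.Random(seed)
    hit = 0
    for _ in range(clients):
        t, exposed = 0, False
        while t < days and not exposed:
            exposed = any(rng.random() < f for _ in range(GUARDS_PER_CLIENT))
            t += rng.randint(30, 60)
        hit += exposed
    return hit / clients

if __name__ == "__main__":
    # Constructed sample values for f; not measurements of the real network.
    for f in (0.01, 0.05, 0.20):
        print(f"f={f:.2f}  one set: {p_compromised(f, 1):.3f}  "
              f"sets to reach 50%: {rotations_needed(f, 0.5)}  "
              f"simulated 365 days: {simulate(f, 365):.3f}")
```

The closed form shows why exposure grows with every rotation: each new guard set is another independent draw, so longer guard lifetimes reduce cumulative risk for a fixed `f`.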