SSL can use AES for symmetric encryption. Tor uses AES from OpenSSL. Tor traffic is encrypted between you and your entry node, so your ISP can only see encrypted traffic. Tor does not encrypt traffic between your exit node and the website you visit, unless you are visiting a hidden service. So you need to use https to encrypt between the exit node and the non-hidden service website. Circuits to hidden services are encrypted from client to the hidden service though. Even though the traffic is encrypted it can still be fingerprinted though. VPNs also encrypt the traffic between you and the entry node, but so far every VPN I have seen tested can have its encrypted traffic fingerprinted with accuracy that approaches 100%, Tor is more resistant to this sort of attack with the best results so far being 60% accuracy for single pages. Fingerprinting has limitations. The attacker who fingerprints your traffic can not see the plaintext of your communications, but they might be able to infer it. For example, they may be able to determine that you are very likely surfing through a thread on SR, but they can not actually see the plaintext. They might be able to say with 60% certainty that if they could break the encryption the ciphertext would decrypt into a given plaintext though. Traffic classifiers can never reach 100% certainty, but some VPN's have had their encrypted traffic fingerprinted with 99% accuracy. This means that an attacker who can see the encrypted traffic coming to you from the VPN entry node can say with 99% certainty that you are browsing a certain stores website, for example, but if you transmit your credit card number to the stores website the attacker can not determine what you credit card number is through the encryption, but they might be able to say with 99% certainty that you just sent some credit card number to a specific stores website.