Tor Browser is an abomination. I don't know of any other software with a lower ratio of real security to expected security (by the average user). See the Freedom Hosting story [0] for an example of why. This time it was about pedophiles, but this danger holds for everyone, from users of silkroad clones to opposition in totalitarian countries.
Tor Browser is making tor more accessible to the average computer user in the same way selling minefields cheaply makes real estate more accessible to the average human.
The only reasonable way of using tor for even remotely illegal purposes is by using whonix, or roughly equivalent schemes (e.g. a tor-only router + tails).
Keep in mind however that using a LiveCD means that you will lose your guard nodes, which may make it easier for an attacker to deanonymize you over time.
Also Tor Browser is usually better than using Tor + another browser.
Uh... you use some pretty strong language there. Can you provide technical information that will help me understand why the Tor Browser is an abomination?
Apart from the obvious weaknesses (Firefox vulnerabilities, dangers of running JavaScript or other plugins, etc.), I mean.
Security of Firefox is beyond awful [0]. The same is true of all currently used browsers - almost certainly each has several unpatched remote code execution holes. The overwhelming majority of professional bug-finding people are either working for the government(s) or selling bugs/exploits to them. These bugs aren't getting reported to the vendor. The occasional ones that are, are either reported by hobbyists, or professionals for marketing purposes.
You're the perfect example why tor browser is so bad.
>was only used against older Windows boxes
It was only used against Windows systems, but it was a Firefox exploit.
None of the CVEs listed affect the current version of Firefox.
Many of the vulnerabilities fixed are discovered by Mozilla's security team as well as community members, so while there may have been a vulnerability in the browser and it was fixed, it does not mean the vulnerability was known or used maliciously previous to being disclosed.
This is why you cannot judge the security of a product based upon the number of CVEs published. If the vendor in question has an open security program they will publicly disclose all security vulnerabilities they discovered internally. This is a common practice with most (all?) of the major browser vendors.
For example, look at the history of Google Chrome CVEs. You will notice huge spikes in the number of vulnerabilities. A little research, and you will find that was when the Chrome Security team started heavily fuzzing their code and fixing vulnerabilities before most of them were discovered by outside parties.
What you have to worry more about is vendors who don't publicly disclose security vulnerability information, so the only CVEs you see are the ones that independent parties published.
I'm aware that current browsers don't have a great security record (and present a huge attack surface). However, browser exploits are not so abundant that governments are willing to pop people left and right. A good, reliable browser exploit generally costs in the tens of thousands of dollars range, and even governments are hesitant to use those willy-nilly. Most of these can be mitigated with obvious precautions like disabling scripted media (no JavaScript, Java, Flash, etc.).
Of course, really solid security requires a lot more effort. If I were to engage in illegal purchases using the Tor browser, I would run the browser in a VM and route all VM traffic through Tor. However, as we know from experience, the Tor Browser's (very mediocre) security is sufficient for the vast majority of casual criminals.
>You're the perfect example why tor browser is so bad.
Gee, thanks :)
Also, none of those CVEs are for the latest version of Firefox.
None of the CVEs you linked to are exploitable in the latest Firefox. "Beyond awful" security would usually require multiple unpatched exploits. Current Firefox has none.
I would tend to agree with this overall. I'm a daily user of Tor for random browsing, but I use it on what is essentially a throw-away tablet using a Tor-only router.
The NSA and other agencies around the world already have you targeted. Tor makes you safer. Tor makes you aware of risks. This is also good since you are now better suited to defend yourself accordingly.
[0] http://nakedsecurity.sophos.com/2013/08/05/freedom-hosting-a...