by LinuxBender 2841 days ago
Sorry you are getting downvoted. This is very much correct and folks simply put a lot of faith in the proxy transport as the ends to a means. One vulnerability / bug (Tor has had many) can weaken that link. Tor is rarely installed correctly or in a secure manner. (forcing all packets through it and dropping anything that leaks from the browser, for starters)

Do you have any links on how to install it properly, and to test that? (Maybe through Wireshark or something similar) I admit I haven't used it in-depth (although I've studied the protocol quite a bit)
I don't have one handy, though you might find one in the documentation for Tails Linux OS.

At a high level, the client workstation must not be allowed to send any packets to anything other than the SOCKS port running on the Tor host. The Workstation must have a static ARP entry for its gateway. The Workstation should use a ram-disk Linux distro and not persist anything to unencrypted disk. The Tor host must not allow anything inbound other than the Tor SOCKS port. The Tor node must only speak outbound on 80 and 443 (formerly known as the fascist firewall setup). Ideally, the Tor node should be running on a cheap VPS host, ideally paid for with a burner card and accessed via a VPN so that Tor traffic from the home ISP is not evident. The VPS host should be cycled from time to time.

This is of course a lot of setup work, but most of it can be automated.

[Edit] Speak of the devil. Here is a zero-day published on the Tor browser [1]

[1] - https://www.zdnet.com/article/exploit-vendor-drops-tor-brows...
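
Added example, not part of the thread: one way to test the workstation rule above ("no packets to anything other than the SOCKS port on the Tor host") is to capture on the workstation's interface and flag every outbound packet that breaks it. The addresses, the port 9050 (Tor's default SocksPort) and the capture lines in `tcpdump -nn` text style are assumptions constructed for illustration.

```python
import re

# Assumed values for illustration; substitute your own.
WORKSTATION = "192.168.56.10"
TOR_HOST = "192.168.56.2"
SOCKS_PORT = 9050  # Tor's default SocksPort

# IPv4 line in `tcpdump -nn` text output; ports are absent for ICMP.
FLOW = re.compile(
    r" IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)"
)

# Constructed sample capture (not real traffic).
CAPTURE = """\
12:00:01.000001 IP 192.168.56.10.51514 > 192.168.56.2.9050: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 192.168.56.2.9050 > 192.168.56.10.51514: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:02.100000 IP 192.168.56.10.40211 > 192.0.2.53.53: 4660+ A? example.com. (29)
12:00:02.500000 IP 192.168.56.10.51600 > 198.51.100.7.443: Flags [S], seq 5, win 64240, length 0
12:00:03.000000 IP 192.168.56.10 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64
12:00:03.200000 IP 192.168.56.10.51700 > 192.168.56.2.22: Flags [S], seq 7, win 64240, length 0
12:00:04.000000 IP6 fe80::1 > ff02::2: ICMP6, router solicitation, length 16
""".splitlines()


def find_leaks(lines):
    """Return (dst, dport) for every packet that violates the policy."""
    leaks = []
    for line in lines:
        if " IP6 " in line:
            # The policy allows no IPv6 at all, so any IPv6 packet is a leak.
            leaks.append(("ipv6", None))
            continue
        m = FLOW.search(line)
        if not m or m["src"] != WORKSTATION:
            continue  # ARP/other line, or a reply sent by another host
        dport = int(m["dport"]) if m["dport"] else None
        is_tcp = m["rest"].startswith("Flags [")  # tcpdump prints flags for TCP only
        if m["dst"] == TOR_HOST and dport == SOCKS_PORT and is_tcp:
            continue  # the single permitted flow
        leaks.append((m["dst"], dport))
    return leaks


if __name__ == "__main__":
    for dst, dport in find_leaks(CAPTURE):
        print("LEAK ->", dst, dport if dport is not None else "(no port)")
```

An empty result over a capture that spans browser start-up, DNS-heavy browsing and a network reconnect is the outcome to look for; the DNS, direct HTTPS, ICMP and IPv6 lines in the sample are the kinds of traffic that typically escape a misconfigured setup.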