[londons_explore]

But... That tor exit node then sends the traffic onwards... Again via the internet, and the backbone provider can inspect it again.

Seeing a packet heading to a tor exit node and then a similarly sized packet heading onwards a fraction of a millisecond later is a pretty surefire way to spy on individual tor users.

[Thorrez]

I think Tor tries to resize/split/join packets a bit. And each Tor node will in theory be carrying traffic for many different users simultaneously. And Tor uses 3 nodes, each in a different country. So it's not quite as trivial as you make it sound.

If 1, 2, or possibly all 3 nodes are run by a malicious actor, deanonymization becomes easier. At one point 10% of nodes were run by a single malicious actor: https://therecord.media/a-mysterious-threat-actor-is-running...

[Pingk]

Yes, being able to see all the traffic on a given network is a legitimate threat to Tor's anonymity.

IIRC There is an alternate method of connecting to an endpoint which uses a 3rd node as a rendezvous point which is meant to be better, but I forget the name of the process...