Plaintext over Tor is still plaintext
Recently, a few articles have been published regarding Tor, Wikileaks, and snooping data coming out of the Tor network. I write to remind our users, and people in search of privacy-enhancing technology, that good software is just one part of the solution. Education is just as important. This is why there is a warning on the Tor download page about what Tor does and does not do. We also have a FAQ entry about this topic.
Any plaintext communication over the Internet is open to interception. This is true whether the transport mechanism is email, HTTP, Tor, or carrier pigeons. Tor does not magically encrypt the Internet from end to end. Tor does wrap your traffic in encrypted layers as it transports it through the Tor network. See this diagram for a visual explanation.
Tor provides anonymity and privacy by hiding where your Internet traffic is going and where it came from, but users must protect the security of their traffic by using encryption. Once you exit the last relay, you are back on the open Internet. Some web email providers, banks, and other sites use encryption by default when you log in, something you can check by looking for "https://" at the beginning of a URL. For more information, check out Ethan Zuckerman's comments on this topic.
For reference, these articles are unclear and blur concepts about Tor and Wikileaks. An article about Julian Assange of Wikileaks in The New Yorker is the source of the confusion. Ryan Sholin deliberates on one paragraph from the New Yorker story. Ethan Zuckerman responded to Ryan's thoughts about Tor here. We thanked EthanZ for the accurate response in an Identi.ca dent. It seems Slashdot and Wired Threat Level have picked up on just that one statement in the article by the New Yorker.
We hear from the Wikileaks folks that the premise behind these news articles is actually false -- they didn't bootstrap Wikileaks by monitoring the Tor network. But that's not the point. The point is that users who want to be safe need to be encrypting their traffic, whether they're using Tor or not.
This is also true for any Internet connection. Your ISP, your local network provider, any hop in the path, etc., can all intercept plaintext communications. Users need to learn to better assess risks and act accordingly. Encryption is cheap and easy, just not ubiquitous yet.
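The layering described in the post can be modelled in a few lines. This is an added example, not code from the Tor Project or from this post: a toy SHA-256 keystream cipher stands in for both Tor's per-hop encryption and for TLS, and the keys, request and password are constructed samples.

```python
import hashlib

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream XOR). Applying it twice with the
    same key removes the layer. A stand-in for illustration, not Tor's cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

# Constructed sample data and keys (assumptions, not real traffic or real keys).
RELAYS = ("guard", "middle", "exit")
HOP_KEYS = [hashlib.sha256(name.encode()).digest() for name in RELAYS]
DEST_KEY = hashlib.sha256(b"destination").digest()  # stands in for a TLS session key
SECRET = b"password=hunter2"
HTTP_REQUEST = b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\n" + SECRET

def wrap(payload: bytes) -> bytes:
    """Client side: add one layer per relay, exit layer innermost."""
    for key in reversed(HOP_KEYS):
        payload = xor_layer(key, payload)
    return payload

def relay_views(cell: bytes) -> dict:
    """Bytes each relay holds after stripping its own layer. The exit's view
    is also what crosses the open Internet to the destination."""
    views = {}
    for name, key in zip(RELAYS, HOP_KEYS):
        cell = xor_layer(key, cell)
        views[name] = cell
    return views

def exposure(app_bytes: bytes) -> dict:
    """True where SECRET is readable in the bytes a relay handles."""
    return {name: SECRET in view for name, view in relay_views(wrap(app_bytes)).items()}

def plaintext_exposure() -> dict:
    return exposure(HTTP_REQUEST)

def end_to_end_exposure() -> dict:
    # The application encrypts to the destination before the bytes enter Tor.
    return exposure(xor_layer(DEST_KEY, HTTP_REQUEST))

if __name__ == "__main__":
    print("plaintext HTTP:      ", plaintext_exposure())
    print("end-to-end encrypted:", end_to_end_exposure())
```

In the plaintext case only the exit position can read the password; with the extra destination-only layer, no relay can.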
"Anyone who is transmitting private information in plain text via Tor or an open public WiFi is just asking for it"
You don't even know what you're talking about, eh? NO ONE can read your data while it is still INSIDE the TOR-Network - ONLY the Exit-Node is able to read everything ... so if your exit-Node is trusted AND you don't leak data elsewhere you're pretty much unimpeachable. But that's the main problem: many people have big security-holes in their systems which even TOR is unable to close / bypass.
So all in all your statement is incorrect - only the latter people (with open public WiFis) are asking for it, TOR-users most certainly not.
I made the assumption that yes, they were talking about exiting the Tor network on to the open Internet. Plaintext in Tor is encrypted. If you're going to a hidden service, your plaintext is safe as it's wrapped in layers of encryption in transit. If you're exiting the Tor network to an open IPv4/IPv6 Internet site, then you're on your own with plaintext.
"ONLY the Exit-Node is able to read everything ... so if your exit-Node is trusted AND you don't leak data elsewhere you're pretty much unimpeachable."
Ooh, almost there. The path between the exit node and the destination is unencrypted. There are still as many places to tap the line as there are hops.