Good day,
I see that you’ve gotten this from LocalBitcoins. What they are essentially saying though is the following:
Since there could be attacks based on malicious exit nodes, don’t use Tor at all. That means you cannot be anonymous when buying BTC via the method they recommend. The rest they wrote is very plainly not correct.
First of all, they sometimes write about a “Tor browser” and sometimes just “Tor”. They likely meant the Tor Browser Bundle, which includes Tor as well as a browser designed for Tor. Just using said browser without Tor in any way is no different to using any other browser, so any attack based on Tor does not apply if we are just talking about a “Tor browser”. That’s why they change to talking about Tor at the end.
Secondly, they claim that “to maintain safety and privacy we recommend purchasing Bitcoins in LocalBitcoins using a normal web browser” but, as mentioned, ANY browser can use Tor as a connection, making this completely nonsensical. They likely mean “normal internet connection” without Tor, instead of a “normal web browser”, as that would actually be correct. Though that wouldn’t, as they say, “maintain safety and privacy”, as it would be neither safe, nor private, due to your IP being known to them.
They further claim the following:
This is likely one of the most wrong statements I’ve read on Tor in quite some time. Exit nodes are NOT capable of reading your HTTPS encrypted traffic and they do not in any way employ self-signed certificates to do so. A few antivirus solutions. You can see the fact that Exit nodes CANNOT do this via this nice graphic, by selecting Tor and HTTPS and seeing how the last relay cannot read your password or traffic in any way: How HTTPS and Tor Work Together to Protect Your Anonymity and Privacy | Electronic Frontier Foundation
In the next sentence, they even admit that what they claimed wasn’t the case when they provide a link to inform yourself:
What they’ve linked there is the MITM section of the Tor Blog, in which the following is written:
In addition, TorBrowser ships with HTTPS-Everywhere which by default attempts to connect to some sites over HTTPS even though you just typed “http://”. After all, as we said in the past, “Plaintext over Tor is still plaintext”.
As mentioned, Tor Exit nodes CANNOT read HTTPS encrypted traffic, which is the reason the Tor Browser Bundle includes HTTPS-Everywhere to enforce HTTPS.
So, the person who wrote this didn’t just not know what he/she was writing about, no, this person actually even linked to information which proves them wrong, but still wrote this nonsense anyways.
As long as the connection you are using is secured via SSL, an exit node has no way of intercepting that traffic. If it were, we would have a multitude of issues.
Have a nice day,
Ego