http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf
This paper is more relevant today than ever. Anyone concerned about the efficacy of Tor should read and understand this article. Neither users nor Hidden Services can ever be 100% safe while using Tor. It doesn't matter if you're using NoScript, or if you have JavaScript enabled, all of these exploits target the very structure of Tor.
Relevant portions concerning recent events:
VI. OPPORTUNISTIC DEANONYMISATION OF HIDDEN SERVICES
The fact that an attacker always controls one side of the communication with a hidden service means that it is sufficient to sniff/control a guard of the hidden service in order to implement a traffic correlation attack and reveal the actual location of the hidden service. In particular, an attacker can:
• Given the onion address of a hidden service with an unencrypted list of introduction points, determine if her guard nodes are used by this hidden service.
• Determine the IP addresses of those hidden services that use the attacker's guard nodes.
• Determine if the attacker's guard nodes are used by any of the hidden services, even if the list of introduction points is encrypted.
A. Unencrypted descriptors
In order to confirm that an attacker controls a guard node of a hidden service she needs to control at least one more Tor non-Exit relay. In the attack, the hidden service is forced to establish rendezvous circuits to the rendezvous point (RP) controlled by the attacker. Upon receiving a RELAY_COMMAND_RENDEZVOUS1 cell with the attacker's cookie, the RP generates traffic with a special signature. This signature can be identified by the attacker's middle node. We note that a special PADDING cell mechanism in Tor simplifies generation of a signature traffic which is discarded at the recipient side, and is thus unnoticeable to the hidden
• The attacker sends a RELAY_COMMAND_INTRODUCE1 cell to one of the hidden service's introduction points (IP) indicating the address of the rendezvous point.
• The introduction point forwards the content in a RELAY_COMMAND_INTRODUCE2 cell to the hidden service.
• Upon receiving the RELAY_COMMAND_INTRODUCE2 cell, the hidden service establishes a three-hop circuit to the indicated rendezvous point and sends it a RELAY_COMMAND_RENDEZVOUS1 cell.
• When the rendezvous point controlled by the attacker receives the RELAY_COMMAND_RENDEZVOUS1 cell, it sends 50 PADDING cells back along the rendezvous circuit which are then silently dropped by the hidden service.
• The rendezvous point sends a DESTROY cell down the rendezvous circuit leading to the closure of the circuit.
Whenever the rendezvous point receives a RELAY_COMMAND_RENDEZVOUS1 with the same cookie as the attacker sent in the RELAY_COMMAND_INTRODUCE1 cell it logs the reception. At the same time, the attacker's guard node monitors the circuits passing through it. Whenever it receives a DESTROY cell over a circuit it checks:
1) whether the cell was received just after the rendezvous point received the RELAY_COMMAND_RENDEZVOUS1 cell;
2) the number of the forwarded cells: 3 cells up the circuit and 53 cells down the circuit. Three cells more come from the fact that the hidden service established a circuit to the rendezvous point thus the attacker's guard node had to forward (2 × RELAY_COMMAND_EXTEND + 1 × RENDEZVOUS1) cells up and (2 × RELAY_COMMAND_EXTENDED + 1 × DESTROY) cells down. This is very important for our traffic signature since it allows us to distinguish the case when the attacker's node was chosen as the guard from the case when it was chosen as the middle.
If all the conditions are satisfied, the attacker decides that her guard node was chosen for the hidden service's rendezvous circuit and marks the previous node in the circuit as the origin of the hidden service. In order to estimate the reliability of the traffic signature, we collected statistics on the number of forwarded cells per circuit. We examined 748,846 circuits on our guard node. None of the circuits exhibited the traffic pattern of 3 cells up the circuit and 53 cells down the circuit. This means that the proposed traffic signature is highly reliable. We implemented the approach to attack our own hidden service. We used a relay with a bandwidth of 500 Kbytes/s according to the consensus as the guard node and were scanning for the aforementioned traffic signature. For each RELAY_COMMAND_RENDEZVOUS1 cell receive event we collected the corresponding traffic pattern and got no false positives.
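The "3 up / 53 down" figure in point 2) is the part of the excerpt people most often misread, so here is a small model of the cell accounting, written as an added example: it is not code from the paper, from its authors or from Tor. It walks the cell sequence the excerpt describes (two EXTEND/EXTENDED pairs, one RENDEZVOUS1, 50 PADDING cells, one DESTROY) over the three-hop circuit hidden service -> guard -> middle -> rendezvous point and counts, at each relay position, the cells that travel the circuit in each direction. The hop names, the counting rule (a cell is counted at every relay between its source and destination, while the CREATE/CREATED handshake that brings the circuit into being is not counted) and the helper names are my assumptions chosen to reproduce the paper's reasoning; the point it shows is why the same rendezvous produces a different pair of totals at the guard than at the middle, which is exactly what lets the paper tell the two positions apart.

```python
"""Cell accounting for the rendezvous circuit described in Section VI.A.

Constructed model (added example, not code from the paper or from Tor):
a three-hop circuit HS -> guard -> middle -> RP. Each relay cell that
travels the circuit is counted at every relay between its source and its
destination. The CREATE/CREATED handshake that creates the circuit at a
relay is not counted (assumption), so counting starts at the first EXTEND.
"""
from collections import Counter

# Hop indices along the circuit; only GUARD and MIDDLE are relay positions.
HS, GUARD, MIDDLE, RP = 0, 1, 2, 3
RELAYS = {GUARD: "guard", MIDDLE: "middle"}
PADDING_CELLS = 50  # PADDING cells the RP sends, as stated in the excerpt


def rendezvous_cells(padding_cells=PADDING_CELLS):
    """Cell sequence of one rendezvous circuit as (name, source hop,
    destination hop), in the order the excerpt describes it."""
    cells = [
        ("RELAY_COMMAND_EXTEND", HS, GUARD),     # guard extends to the middle
        ("RELAY_COMMAND_EXTENDED", GUARD, HS),
        ("RELAY_COMMAND_EXTEND", HS, MIDDLE),    # middle extends to the RP
        ("RELAY_COMMAND_EXTENDED", MIDDLE, HS),
        ("RELAY_COMMAND_RENDEZVOUS1", HS, RP),
    ]
    cells += [("PADDING", RP, HS)] * padding_cells  # silently dropped by the HS
    cells.append(("DESTROY", RP, HS))               # RP closes the circuit
    return cells


def count_cells(cells):
    """Per relay position, count cells travelling 'up' (toward the RP)
    and 'down' (toward the hidden service)."""
    up, down = Counter(), Counter()
    for _name, src, dst in cells:
        lo, hi = sorted((src, dst))
        for hop in range(lo, hi + 1):
            if hop not in RELAYS:
                continue  # HS and RP are endpoints, not observers
            if dst > src:
                up[RELAYS[hop]] += 1
            else:
                down[RELAYS[hop]] += 1
    return {name: (up[name], down[name]) for name in RELAYS.values()}


def simulate_rendezvous(padding_cells=PADDING_CELLS):
    """Return {relay position: (cells up, cells down)} for one rendezvous."""
    return count_cells(rendezvous_cells(padding_cells))


if __name__ == "__main__":
    for relay, (n_up, n_down) in simulate_rendezvous().items():
        print(f"{relay}: {n_up} cells up, {n_down} cells down")
    # guard: 3 cells up, 53 cells down
    # middle: 2 cells up, 52 cells down
```

The guard sees both EXTEND/EXTENDED pairs because the whole circuit is built through it, while the middle only sees the second pair; that single extra pair is the "three cells more" the excerpt refers to, and it is what separates the guard's (3, 53) from the middle's (2, 52).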
It's still safer than buying on the streets.