Warning: If you are looking for serious privacy, use Tor. It is not perfect either, but *much* better. If you do, read its manual carefully. It explains how to configure programs so that they do not leak personal information.
Cor tries to achieve a reasonable level of privacy. But its environment does not allow it to get even close to the level of Tor, for these reasons:
- A network has to be big in order to provide good privacy. Often this will not be the case. Even if it is, the routing daemon will select internet uplinks which are close. I guess the IP address of the uplink will often identify less than 100 suspects.
- Sniffing wireless networks and installing a large number of active routers is way easier for attackers than doing the same globally on the internet. Even if data is re-encrypted at each router (slow), it is still possible to identify individual streams via timing attacks. Protecting against this is very hard. The credit system provides additional hints to the attacker. Also, routing cannot be as random as in Tor, because not all nodes see each other. To get good performance, the shortest routes must be used with little or no randomness. This will make traffic analysis even easier.
Basic countermeasures against this attack, like artificial delays, padding and dummy traffic, are not implemented in Cor. This is basically because I think this situation is completely hopeless. Implementing them will probably achieve nothing except slowing everything down and giving users a false sense of security.
- Privacy will depend a lot on configuration. Cor transmissions can be anything from no plaintext to full onion encryption. Distributions may choose insecure defaults. Some routers might have crypto support disabled.
- Cor does not yet try to defend mobile nodes against movement tracking.
- The same problems with exit node sniffing in the Tor network apply here. But the chance that both personal data and other data which should not be linked to your personal data are transferred over the same connection will be much higher if lots of programs share the same connection.
- Your services are not hidden. Finding your location is only a matter of walking down the streets and looking where the signal comes from. Trying to protect against this is rather pointless because of the reasons listed above.
- Cor has received little review. Privacy networks are very hard to do right and even the best networks are anything but perfect.