The problem with Tor is that it still uses these 1024-bit keys for much of its crypto, particularly because most people are still using older versions of the software. The older 2.3 versions of Tor use keys the NSA can crack, but few have upgraded to the newer 2.4 version with better keys.
You can see this for yourself by going to a live listing of Tor servers, like http://torstatus.blutmagie.de/. Only 10% of the servers have upgraded to version 2.4.
Recently, I ran a "hostile" exit node and recorded the encryption negotiated by incoming connections (the external link encryption, not the internal circuits). This tells me whether they are using the newer or older software. Only about 24% of incoming connections were using the newer software. Here's a list of the counts:
14134 -- 0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
5566 -- 0xc013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
2314 -- 0x0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
905 -- 0x0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
1 -- 0xc012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
The older software negotiates "DHE", which are 1024-bit Diffie-Hellman keys. The newer software chooses ECDHE, which are Elliptical-Curve keys. I show the raw data because I'm confused by the last entry: I'm not sure how the software might negotiate ECDHE+3DES; it seems like a lulz-worthy combination (not that it's insecure -- just odd). Those selecting DHE+3DES are also really old, I think. I don't know enough about Tor, but I suspect anything using DHE+3DES is likely more than 5 years old.
(By the way, I used my Ferret tool to generate this, typing "ferret suites -r
The reason software is out of date is that it takes a long time for repositories to be updated. If you type "apt-get install tor" on a Debian/Ubuntu computer, you get the 2.3 version. And this is what pops up as the suggestion of what you should do when you go to the Tor website. Sure, it warns you that the software might be out-of-date, but it doesn't do a good job pointing out that it's almost a year out of date, and the crypto the older version is using is believed to be crackable by the NSA.
Of course, this is still just guessing about the NSA's capabilities. As it turns out, the newer Elliptical keys may turn out to be relatively easier to crack than people thought, meaning that the older software may in fact be more secure. But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I'd assume that it's that, rather than curves, that the NSA is best at cracking.
Therefore, I'd suggest that the Tor community do a better job getting people to upgrade to 2.4. Old servers with crackable crypto, combined with the likelihood the NSA runs hostile Tor nodes, means that it's of much greater importance.
Update: The list above shows the incoming connections from other Tor servers. The following is a list of outgoing connections (since this is an exit node). This has nothing to do with the above discussion; I just include it here for completeness.
count suite - description
39611 0x0005 - TLS_RSA_WITH_RC4_128_SHA
30138 0x0035 - TLS_RSA_WITH_AES_256_CBC_SHA
14569 0xc011 - TLS_ECDHE_RSA_WITH_RC4_128_SHA
10043 0x0004 - TLS_RSA_WITH_RC4_128_MD5
8576 0xc007 - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
7100 0x0039 - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
4081 0x002f - TLS_RSA_WITH_AES_128_CBC_SHA
2077 0xc014 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
1900 0x0088 - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
1090 0x0084 - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
481 0xc013 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
337 0x000a - TLS_RSA_WITH_3DES_EDE_CBC_SHA
102 0xc009 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
101 0x0016 - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
83 0x009f -
78 0xc030 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
35 0xc02f - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
16 0x0033 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
6 0x003d - TLS_RSA_WITH_AES_256_CBC_SHA256
6 0xc028 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384