As far as I can tell, the SSL stuff is wrapped in TLS before going
over TOR, so no -- you wouldn't see the original IP (there are other
ways, like with Javascript or flash, to get this information -- so
hopefully you're running Firefox + NoScript + Flashblock at a minimum)
As for getting the logs, there aren't any (unless you turn on
debugging) -- and firewall logs (et.al) can be configured to ignore
the TOR server.
I am (for example) running syslog-ng on our firewall logs. My TOR
server is 137.148.5.13, thus my syslog-ng filter entry for firewall
stuff looks like this :
filter f_firewall { host(firewall) and not match("137\\.148\\.5\\.13\\
Accessed\\ URL") \
and not match("137\\.148\\.5\\.13\\/") and \
not match("Accessed\\ URL\\ 137\\.148\\.5\\.13"); };
Therefore, nothing from the TOR box gets logged anywhere (this also
omits directory requests inbound to the TOR server). Argus is
similarly configured via a BPF expression.
IMNAL, but I think that makes my traffic data pretty subponea-proof,
since I can honestly say under oath that it dosen't exist (albeit
intentionally). There's no law that says I can't selectively ignore
something in the logs -- provided I haven't already been told to do it
(eg: such a configuration AFTER receiving a subponea would be illegal).
Cheers,
Michael Holstein CISSP GCIA
Cleveland State University