You are correct: each and every application must be individually configured to use TOR. Applications that cannot be so configured will not use TOR, and the connection will not be obfuscated. This Application Leakage (especially for DNS) can put your anonymity at risk to observers who can see your local connection activity. Proxy Leakage does not present a risk on the far end of the connection, however.
While application leakage leaks at the local end, and may expose your activities to your ISP, Data Leakage may expose information about you to observers after you exit the network. If you transmit your Kaspersky license key to them to validate an update, and that key is observed, an adversary may be able to identify you by asking Kaspersky. Your weather applet may send your zip code or address when asking for updates. Who knows what MS sends with Windows update. TOR does NOTHING to protect against this kind of disclosure. For this reason, the first rule of using TOR is: don't mix anonymous and non-anonymous operations on the same system. When you use TOR, it should be all or nothing to be effective. I recommend using Tails as a Live CD (see below) when using TOR because it has no data about you to leak.
There are several approaches you can take to limit or eliminate Application Leakage.
The most reliable is to use a hardware router like Safeplug, which plugs into your network between your existing router and ISP demarc (cable/DSL modem). It passes all traffic passed to it through TOR automatically. This approach has the most vulnerability to data leakage, however. Mobile applications that have GPS capabilities using the network may have a European IP address, but if the data contains the device's GPS coordinates, it would be trivial for someone observing the exit relay to tell where you are.
The most secure is to use a virtual machine or boot from a Live CD, specially configured to use TOR, and use it only when and for apps in which you need anonymity. One such Live CD is Tails.
The least reliable and secure, but often the easiest to configure, is a transparent or isolated proxy. This approach is susceptible to a subset of application leakage, and a great deal of data leakage, which is really hard to control unless you dedicate the box to anonymous activities.
Last, note that TOR is about forward secrecy (obscuring the source or destination of a communication from observers) rather than about encryption. TOR encrypts data while it is in the network, to prevent risks from people putting up malicious TOR relays, but once your traffic leaves the network, it is only encrypted if the remote site negotiates SSL as part of the connection (e.g., did you connect with an https URL?). Your IP address will be hidden, but if you put plaintext onto TOR, it's plaintext when it comes out on the far side.
What about the traffic from the exit relay? It is vulnerable, right? An attacker can see your IP address coming through the exit relay. – will ferell – 2015-01-03T06:11:28.310
@willferell, if you are asking what I think you are asking, no, your real ISP-given IP address will NOT be visible to sites you visit on or through the TOR network. Your IP address will appear to sites you access as that of the exit relay's exit interface. When your end point is in Germany, and you access Google, it will be google.de, because you appear to have a German IP address. – Frank Thomas – 2015-01-03T09:57:05.443
@willferell: The entry node doesn't see where you connect, and exit node doesn't see who is connecting; that's a property of 'onion routing'. – user1686 – 2015-01-03T13:25:47.560
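The application leakage described in the answer above can be checked for on the local machine. This is an added example, not part of the original answer or comments: it scans `ss -H -tunp` style output for sockets that bypass Tor, with DNS called out separately. It assumes Tor's default SOCKS listener at 127.0.0.1:9050 and a daemon process named `tor`; the sample lines and process names are constructed.

```python
import re

# Assumptions (not from the original post): Tor listens for SOCKS on
# 127.0.0.1:9050 (its default SocksPort) and its process name is "tor".
TOR_SOCKS = ("127.0.0.1", 9050)
TOR_PROCESS = "tor"

# Constructed sample in the layout of `ss -H -tunp`; the addresses are
# RFC 5737 documentation ranges and the process names are hypothetical.
SAMPLE = """\
tcp ESTAB 0 0 127.0.0.1:51514 127.0.0.1:9050 users:(("firefox",pid=2101,fd=88))
tcp ESTAB 0 0 192.0.2.10:44321 198.51.100.7:9001 users:(("tor",pid=900,fd=12))
udp ESTAB 0 0 192.0.2.10:38211 192.0.2.1:53 users:(("weather-applet",pid=3120,fd=7))
tcp ESTAB 0 0 192.0.2.10:50022 203.0.113.20:443 users:(("updater",pid=3300,fd=5))
tcp ESTAB 0 0 127.0.0.1:9050 127.0.0.1:51514 users:(("tor",pid=900,fd=14))
"""

LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+'
    r'(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

def find_leaks(ss_output):
    """Return (process, kind, peer) for each socket that bypasses Tor."""
    leaks = []
    for line in ss_output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header or unparseable line
        proc = m["proc"] or "unknown"  # no process info without privileges
        raddr, rport = m["raddr"], int(m["rport"])
        if proc == TOR_PROCESS:
            continue  # the Tor daemon itself must reach relays directly
        if (raddr, rport) == TOR_SOCKS:
            continue  # application is correctly proxied through Tor
        if raddr.startswith("127.") or raddr in ("[::1]", "::1"):
            continue  # other loopback traffic never leaves the host
        kind = "dns" if rport == 53 else "direct"
        leaks.append((proc, kind, f"{raddr}:{rport}"))
    return leaks

if __name__ == "__main__":
    for proc, kind, peer in find_leaks(SAMPLE):
        print(f"LEAK ({kind}): {proc} -> {peer}")
```

This only covers application leakage at the local end; the data leakage the answer describes (identifying content sent through Tor) is not visible at the socket level.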