On Sat, Oct 15, 2016 at 07:02:19PM -0400, Aaron Johnson wrote:
> A concern with this proposal that I have not seen mentioned is that exit pinning would cause the Tor path itself to leak more information about the intended destination. For example, a destination could (possibly without malicious intent) pin a single exit that is otherwise unlikely to be used. Simply choosing that exit would thus make it appear much more likely to be visiting that destination from the view of an adversary that can identify the exit (e.g. by being chosen as the middle relay or by performing a congestion attack that identifies relays on a circuit). This gets worse when connections can be linked together as originating at the same client because without pinning it is unlikely to repeatedly choose the same exit (or from any small set of exits). Connections can be linked as originating at the same client by the guard (or anybody observing a guard) or by middle relays that observe the same guard being used in a short period of time, indicating activity by the same client.
Whenever the Tor client gets told which exit to use for a circuit, it uses a 4-hop path for that circuit, i.e., it uses 3 hops like normal and then the fourth hop is the chosen exit.
Though it's actually more complex than that, because if it knows it'll be using a 4-hop circuit, the 2nd and 3rd hop are both chosen like middles, so "like normal" is not wholly true. It's effectively like choosing a 3-hop internal circuit and then appending your chosen exit.
So some of the attacks you worry about shouldn't work, but I bet some of them still would.
--Roger
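
The leak described in the quoted concern can be quantified with a small Bayesian model; this is an added example, not part of the original thread and not Tor code. The exit weights, destination priors, relay and site names are constructed, and the model assumes the observer has already identified the exit and that all linked circuits from one client go to a single destination.

```python
from fractions import Fraction

# Constructed sample data: exit selection probabilities (sum to 1).
EXIT_WEIGHTS = {"A": Fraction(50, 100), "B": Fraction(49, 100), "C": Fraction(1, 100)}
# Constructed prior over which destination a client is visiting.
PRIOR = {"news": Fraction(60, 100), "mail": Fraction(39, 100),
         "pinned-site": Fraction(1, 100)}
# Hypothetical pin: this destination requires the rarely chosen exit C.
PINS = {"pinned-site": "C"}


def posterior(prior, exit_weights, pins, observed):
    """Return P(destination | exits observed on linked circuits).

    prior:        destination -> prior probability
    exit_weights: exit -> probability of being picked when nothing is pinned
    pins:         destination -> the single exit it pins
    observed:     exits seen on circuits linked to one client
    """
    joint = {}
    for dest, p in prior.items():
        likelihood = Fraction(1)
        for exit_relay in observed:
            if dest in pins:
                # A pinned destination is only ever reached through its pin.
                likelihood *= 1 if exit_relay == pins[dest] else 0
            else:
                # Unpinned destinations pick exits independently by weight.
                likelihood *= exit_weights[exit_relay]
        joint[dest] = p * likelihood
    total = sum(joint.values())
    if total == 0:
        raise ValueError("observation impossible under this model")
    return {dest: value / total for dest, value in joint.items()}


if __name__ == "__main__":
    for label, pins in (("no pinning", {}), ("exit pinning", PINS)):
        for k in (1, 2, 3):
            post = posterior(PRIOR, EXIT_WEIGHTS, pins, ["C"] * k)
            print(f"{label:12} {k} linked circuit(s) via C: "
                  f"P(pinned-site) = {float(post['pinned-site']):.4f}")
```

Without pinning the exit carries no information and the posterior stays at the prior; with pinning, each additional linked circuit through the pinned exit multiplies the evidence, which is the effect the quoted paragraph describes.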