[tor-dev] Tor Browser 4.5a5 will change circuit expiry to 2hrs

A. Johnson aaron.m.johnson at nrl.navy.mil
Sat Mar 28 02:34:43 UTC 2015


>> Would you still set a max lifetime for a circuit to accept new streams of 2 hours, or would the circuit potentially persist forever?
> 
> Nick set a max lifetime in his updated version of the patch that also
> deals with non-Tor Browser activity, but I am not convinced that a max
> is a great idea yet. He also randomized the per-circuit max from
> [0,max], which seemed not great for usability.

Regardless of whether you use a maximum, I think it is an obvious improvement to randomize the “typical” circuit switch time (use a new randomly-selected time with each new circuit). A deterministic time makes it possible to predict when a client should switch circuits and thereby facilitates tracking. This is a recommendation from Huhta and Danezis’s “Linking Tor Circuits” (Sec. 5.3) [0].

>> In fact, I think it would be great for TorBrowser to treat each 
>> tab/window as a separate identity and send *all* streams in a
>> given tab/window over the same path (i.e. sequence of relays).
> 
> The 4.5 series of Tor Browser actually already does a form of this, but
> instead of per tab, we do per URL bar domain. If you have two tabs open
> to Facebook, all of those content elements will use the same circuit,
> but Facebook like buttons on cnn.com will use the cnn.com circuit.
>
> In addition to being a more sane way of handling web browsing, it also
> enables a very simple circuit status UI. The Torbutton menu now tells
> you the current circuit for the site in the URL bar in a compact display
> that is no larger than the dropdown menu itself.

Interesting - I did not know this! An adversarial destination could still observe new circuits by including resources from other domains that he controls, which would be prevented by per-tab circuits, but this does seem like a very good feature.

Cheers,
Aaron
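
The point above about deterministic switch times can be measured with a small simulation (an added example, not part of the original message and not Tor's code). The observer model, the 50-client population and the uniform jitter range are assumptions for illustration; the 2-hour base is the figure from the thread subject.

```python
import random

def simulate(n_clients, rotations, base, jitter, rng):
    """Return (start_time, client_id, seq) circuit-creation events.

    jitter == 0 models a deterministic lifetime. Otherwise each circuit's
    lifetime is drawn uniformly from [base - jitter, base + jitter]
    (an assumed distribution; the thread does not fix one).
    """
    events = []
    for cid in range(n_clients):
        t = rng.uniform(0, base)  # clients start at unrelated offsets
        for seq in range(rotations):
            events.append((t, cid, seq))
            t += base + rng.uniform(-jitter, jitter)
    return events

def linkability(events, base):
    """Fraction of circuits whose successor an observer identifies correctly.

    The observer assumes every lifetime equals `base` and picks the later
    circuit whose creation time is closest to start + base.
    """
    correct = total = 0
    for start, cid, seq in events:
        if not any(e[1] == cid and e[2] == seq + 1 for e in events):
            continue  # last circuit of this client, nothing to link to
        predicted = start + base
        candidates = [e for e in events if e[0] > start]
        guess = min(candidates, key=lambda e: abs(e[0] - predicted))
        correct += guess[1:] == (cid, seq + 1)
        total += 1
    return correct / total

def compare(seed=1):
    """Linkability for a fixed 2 h lifetime vs. a randomized one."""
    rng = random.Random(seed)
    base = 7200.0  # seconds; the 2 h expiry named in the subject line
    fixed = linkability(simulate(50, 6, base, 0.0, rng), base)
    jittered = linkability(simulate(50, 6, base, base / 2, rng), base)
    return fixed, jittered

if __name__ == "__main__":
    fixed, jittered = compare()
    print(f"fixed lifetime:      {fixed:.2%} of successors linked")
    print(f"randomized lifetime: {jittered:.2%} of successors linked")
```

The same harness can be rerun with other jitter widths or client counts to see how much randomness a rotation policy needs before timing alone stops identifying the successor circuit.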

