How can I trust all my Tor nodes in path

[Seth David Schoen]

P.S. Even if it weren't possible to use TCP ports to link connections,
malicious nodes controlled by the same party could modify the Tor
protocol to add tracking features, and then all implement the same
tracking features.  For example, malicious nodes (which could all
know about each other by means of a malicious nodes table) could
implement a revised Tor protocol which adds a connection origin packet
(showing the originating IP address) during Tor connection setup.
Since the nodes are malicious, they will speak the same modified
protocol amongst themselves but not reveal this fact to the end user.

Some people have suggested that this is a good application for
trusted computing; proxies could prove that they're running the
real, official proxy software on top of real hardware.  Then timing
attacks are still possible, but actually logging data directly could
be prevented.  The problem with this seems to be that intentionally
doing timing attacks directly against a proxy you operate, from within
the same network, is probably pretty effective!  This approach might
be more relevant to lower-latency anonymity services such as e-mail
remailers.

-- 
Seth Schoen
Staff Technologist                                schoen at eff.org
Electronic Frontier Foundation                    http://www.eff.org/
454 Shotwell Street, San Francisco, CA  94110     1 415 436 9333 x107