GitLab

Attack:

• The target hosts a hidden service.
• A linguist determines, the target is living in country X.
• Or it's a blog about things in country X.
• Thus, the assumption that the target's hidden service is running in country X has a high probability to be true.
• Easy to research (example): the fastest A Mbps line is only available in a very few parts of the country. Maybe only in one city. Most people have B Mbps and a few one still an old contract with the slow C Mbps.
• The adversary buys lots of servers in different countries, installs Tor on those servers and uses Tor as a client.
• The adversary can build now lots of circuits from geographical diverse places and probes the server by connecting to it's hidden service. The adversary can now accumulate how much down/upload speed the hidden service can provide.
• Thus, the adversary knows now something more about his target and if A Mbps is only available in a few places he has nailed down the amount of suspects.

Another unrelated open question:

• Preliminary consideration: Unless stream isolation is used, exit relays can correlate different activity from one user.
• Can exit nodes differentiate "This is the user who keeps on reading some.site with a A Mbps line vs this is the user who keeps reading some.site with a C Mbps line line?"?