Possible timing side-channel in router selection
Robert Ransom found a possible timing side-channel in how we select routers by bandwidth: the weighted selection returns sooner when the chosen router is near the start of the list than when it is near the end, so the time taken to pick depends on which router was picked. If this timing information is observable on the wire, it could be used to tell which nodes a client is selecting based on how long it takes to pick them.
This is probably not an end-of-the-world attack, since:
- There is a lot of noise in client timing information, especially in this case, since after picking a circuit we do a bunch of crypto, public-key, and network ops too.
- For exit nodes at least, we pick them at circuit_establish_circuit(), before we send any data to the network.
- The timing information isn't likely to be fine-grained enough to leak particular nodes; rather, if it is available at all, it is likelier to leak which general segment of the node list was selected.
Nevertheless, this isn't something we should even risk exposing, and there might be other factors here too that I'm not analyzing right. Better safe than sorry. Let's fix this one.
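To make the leak concrete, here is an added illustration (not Tor's code, and not necessarily the fix Tor applied): a weighted pick that returns as soon as the cumulative bandwidth passes the random draw does a number of loop iterations equal to the chosen index plus one, so its running time is a function of the answer. The second picker walks the whole list and records the first crossing arithmetically, so the amount of work is the same whichever element wins. The names pick_early_exit, pick_full_scan, choose_by_bandwidth and iteration_counts are made up for this example, and the bandwidth list is constructed.

```python
import secrets

# Added illustration of the router-selection timing channel described
# in the ticket.  Not Tor's code; function names and data are invented.


def pick_early_exit(weights, r):
    """Weighted choice that stops as soon as the cumulative weight
    passes r.  Returns (index, iterations).  iterations == index + 1,
    so the work done (and hence the time taken) reveals the choice."""
    cumulative = 0
    for i, w in enumerate(weights):
        cumulative += w
        if r < cumulative:
            return i, i + 1
    raise ValueError("r must be below the total weight")


def pick_full_scan(weights, r):
    """Same choice, but always walks the whole list and records the
    first crossing with arithmetic instead of a break.  Returns
    (index, iterations); iterations is always len(weights).  Python is
    not itself constant-time; the point is that the iteration count no
    longer depends on which element was chosen."""
    cumulative = 0
    chosen = 0
    found = 0
    for i, w in enumerate(weights):
        cumulative += w
        hit = int(r < cumulative) & (1 - found)  # 1 only at the first crossing
        chosen += hit * i                        # chosen is still 0 before the hit
        found |= hit
    if not found:
        raise ValueError("r must be below the total weight")
    return chosen, len(weights)


def choose_by_bandwidth(bandwidths, picker):
    """Draw r uniformly below the total bandwidth and select with `picker`.
    Returns (index, iterations) so a caller can inspect the work done."""
    total = sum(bandwidths)
    r = secrets.randbelow(total)
    return picker(bandwidths, r)


def iteration_counts(weights, picker):
    """Map each selectable index to the set of iteration counts observed
    when it is chosen, by feeding every possible r.  With the early-exit
    picker every index gets its own count; with the full scan all share one."""
    seen = {}
    for r in range(sum(weights)):
        idx, iters = picker(weights, r)
        seen.setdefault(idx, set()).add(iters)
    return seen


if __name__ == "__main__":
    # Constructed bandwidths for three hypothetical routers.
    bandwidths = [3, 1, 4]
    print("early exit:", iteration_counts(bandwidths, pick_early_exit))
    print("full scan: ", iteration_counts(bandwidths, pick_full_scan))
    print("one pick:  ", choose_by_bandwidth(bandwidths, pick_full_scan))
```

Both pickers return the same index for every draw; only the iteration count differs. Removing the early return is the simplest mitigation, and it costs at most one full pass over the list, which is already the worst case of the early-exit version. A real implementation would also want to avoid data-dependent branches inside the loop, which the arithmetic update above approximates.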