prevent single-hop proxy usage
Controllers that allow Tor clients to use Tor servers as single-hop proxies present a danger to the Tor network. This use not only reduces the anonymity attained by the client but also creates new incentives for adversaries to run malicious Tor servers, compromise existing Tor servers, or request logs from Tor servers.
Nevertheless, some users of the Tor network may have an incentive to use Tor servers in this manner. Those users include (a) those who are interested in anonymity from the server but not from the network and (b) those who want to use Tor as a perspective access network but do not care about anonymity.
Servers can defend against this particular attack by requiring that for any given circuit extension request it receives, either (a) the host from which the request was received OR (b) the server to which the request will be extended is a valid Tor server. This assures that each circuit involving this server includes at least two Tor servers (though the first may actually be a client).
To my knowledge, there is no way for servers to ensure that they are only carrying circuits of length greater than two without compromising some of the anonymity properties of the circuit.
This approach creates some new irregularities. For example, it presumes that all servers have a (roughly) equivalent list of all Tor servers. In particular, there will be a certain period of time during which a new Tor server will not be accepted as the second hop in a three-hop circuit while the other servers learn about its existence.
[Automatically added by flyspray2trac: Operating System: All]