Circuit Dirty Timeout Enables Guard Discovery Attacks
A slow form of Guard discovery against clients is possible when a user leaves a tab open on a malicious website that disconnects from and reconnects to itself roughly every 10 minutes. Each reconnect that lands after the circuit dirty timeout (MaxCircuitDirtiness, 10 minutes by default) forces the Tor client to build a new circuit for the new stream, so the website, not the user, sets the rate of circuit creation.
This kind of circuit creation attack can be combined with browser traffic injection to determine the Guard node: every fresh circuit picks a new middle relay, so an attacker who also runs middle relays will eventually see one of these circuits arrive from the user's Guard, and the injected traffic pattern identifies that circuit as the target's. From there, further traffic injection, combined with netflow logs obtained from the Guard's ISP, can be used to deanonymize the user.
The root cause of all of this is the circuit dirty timeout.
The circuit dirty timeout is also still awful UX for web users: when the circuit rotates, the exit IP address changes, and websites that bind a login session to the client's IP address log them out in the middle of using the site.
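To make the rate argument concrete, here is an added illustration (not code from this post or from Tor) that models how a page's reconnect interval, together with the dirty timeout, determines how many distinct circuits the page gets to observe. The attach rule is a deliberate simplification: a new stream joins the current circuit while that circuit has been in use for less than the timeout, otherwise a fresh circuit is built, and already-attached streams never migrate. The 600-second constant mirrors Tor's default MaxCircuitDirtiness. The guard discovery estimate at the end is my assumption about the usual model (the attacker learns the Guard whenever one circuit is routed through a middle relay the attacker observes, with per-circuit probability equal to the attacker's share of middle selection), not something the post spells out.

```python
# Added illustration (not code from the post or from Tor): a simplified model of
# how the circuit dirty timeout lets a web page set the rate of circuit creation.
# Assumptions: 600 s mirrors Tor's default MaxCircuitDirtiness; the attach rule
# in CircuitPool is the simplified one described in the lead-in; the guard
# discovery estimate assumes the attacker learns the Guard whenever one of the
# user's circuits passes through an attacker-observed middle relay.

MAX_CIRCUIT_DIRTINESS = 600.0  # seconds; Tor's default for MaxCircuitDirtiness


class CircuitPool:
    """Hands out circuit ids to new streams.

    Simplified rule: a new stream joins the current circuit while that circuit
    has been "dirty" (carrying streams) for less than the timeout; after that a
    fresh circuit is built. Streams already attached stay on their circuit,
    which is why a long-lived connection never rotates but a reconnect does.
    """

    def __init__(self, dirtiness: float = MAX_CIRCUIT_DIRTINESS) -> None:
        self.dirtiness = dirtiness
        self.first_use = []  # first-stream timestamp per circuit; index + 1 = circuit id

    def attach_stream(self, now: float) -> int:
        """Return the id of the circuit a stream opened at time `now` lands on."""
        if not self.first_use or now - self.first_use[-1] >= self.dirtiness:
            self.first_use.append(now)  # timeout expired: build a new circuit
        return len(self.first_use)


def circuits_seen_by_site(reconnect_interval, duration, dirtiness=MAX_CIRCUIT_DIRTINESS):
    """Number of distinct circuits one tab exposes to a site over `duration` seconds.

    reconnect_interval=None models a single long-lived connection (for example a
    WebSocket kept open); otherwise the page drops and re-opens its connection
    every reconnect_interval seconds.
    """
    pool = CircuitPool(dirtiness)
    if reconnect_interval is None:
        return len({pool.attach_stream(0.0)})
    seen = set()
    t = 0.0
    while t < duration:
        seen.add(pool.attach_stream(t))
        t += reconnect_interval
    return len(seen)


def guard_discovery_probability(circuits: int, observed_middle_fraction: float) -> float:
    """P(at least one of `circuits` circuits uses an attacker-observed middle).

    Each middle choice is treated as independent with the given probability
    (assumption: proportional to the attacker's share of middle selection).
    """
    return 1.0 - (1.0 - observed_middle_fraction) ** circuits


def expected_circuits_until_discovery(observed_middle_fraction: float) -> float:
    """Geometric expectation: mean number of circuits until the first hit."""
    return 1.0 / observed_middle_fraction


if __name__ == "__main__":
    day = 24 * 3600
    for interval in (None, 60, 600, 1800):
        n = circuits_seen_by_site(interval, day)
        print(f"reconnect every {interval!s:>5} s: {n:4d} circuits/day, "
              f"P(discovery | attacker sees 1% of middles) = "
              f"{guard_discovery_probability(n, 0.01):.2f}")
    # Reconnecting faster than the timeout gains the attacker nothing: the new
    # stream is re-attached to the same still-fresh circuit until it ages out.
```

The two edge cases worth noticing are at the ends of the range: a page that never reconnects sees exactly one circuit no matter how long the tab is open, and a page that reconnects every minute sees no more circuits than one that reconnects every ten, because the attach rule caps rotation at one circuit per timeout. Everything in between is under the site's control, which is the point of the attack.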
I tried to fix both of these problems 10 years ago when I led the Tor Browser team, but I was overruled by the network team, in part because we lacked a threat model that could articulate how guard discovery leads to deanonymization.
Basically, we compromised to make the behavior less annoying for UX, but it still happens, and it can still be actively exploited by malicious websites.