Persistent Tor Entry Guards Introduction
Many well-known enhanced anonymity designs such as Tor, Whonix, and the Tor Browser Bundle (TBB) use persistent Tor guards. This decision is attributable to community-based research which demonstrates that persistent Tor entry guards benefit security and lower the probability of an adversary profiling a user.
Note: Guard fingerprinting techniques are similar to methods that track users via MAC addresses. If this is a realistic threat, then MAC address randomization is also recommended.
In general, users should not interfere with Tor guard persistence or the natural rotation of entry guards every few months. At the time of writing, the Tor client selects one guard node, but previously used a three-guard design. Guards have a primary lifetime of 120 days.  
Warning: In some situations it is safer to not use the usual guard relay!
While natural guard rotation is recommended, there are some corner cases in which an adversary could fingerprint the entry guards and de-anonymize a user. For instance:
- The same entry guards are used across various physical locations and access points.
- The same entry guards are used after permanently moving to a different physical location.
Consider the following scenario. A user connects to Tor via a laptop at their home address. Soon afterwards, the same user attends a prominent event or protest in a nearby city. At that location, the user decides to anonymously blog about what transpired using the same laptop. This is problematic for anonymity, as the Tor client is using the same entry guard normally correlated with the user’s home address.
Network adversaries who are monitoring traffic have a high degree of certainty that the “anonymous” posts from the city location are related to the same person who connected to that specific guard relay at home. The relative uncommonness of Tor usage exacerbates the potential for de-anonymization.
There are several ways to mitigate the risk of guard fingerprinting across different physical locations. In most cases, the original entry guards can also be re-established after returning home:
- Configure Tor to use Alternate Bridges.
- If moving to a new location permanently, create Fresh Tor Entry Guards by Regenerating the Tor State File.
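Before deciding between these mitigations it helps to know which guard the client is currently pinned to and how much of its lifetime remains. The following is an added example, not code from the original page or from The Tor Project: it parses the `Guard` lines of a Tor state file and reports each sampled guard against the 120-day lifetime mentioned above. The field names (`in`, `rsa_id`, `nickname`, `sampled_on`, `confirmed_idx`) follow the state-file layout described in Tor's guard specification and should be treated as an assumption; the sample input is constructed.

```python
from datetime import datetime, timedelta

GUARD_LIFETIME = timedelta(days=120)  # guard lifetime as stated on this page

# Constructed sample: fingerprints, nicknames and dates are made up.
SAMPLE_STATE = """\
# Tor state file (constructed sample)
TorVersion Tor 0.4.8.10
Guard in=default rsa_id=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA nickname=exampleguard1 sampled_on=2024-01-10T00:00:00 sampled_by=0.4.8.10 listed=1 confirmed_on=2024-01-12T00:00:00 confirmed_idx=0
Guard in=default rsa_id=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB nickname=exampleguard2 sampled_on=2024-02-20T00:00:00 sampled_by=0.4.8.10 listed=1
"""

def parse_guards(state_text):
    """Return one dict of key=value fields per 'Guard' line (assumed layout)."""
    guards = []
    for line in state_text.splitlines():
        keyword, _, rest = line.partition(" ")
        if keyword != "Guard":
            continue  # comments and other state entries are ignored
        guards.append(dict(kv.split("=", 1) for kv in rest.split() if "=" in kv))
    return guards

def guard_report(state_text, now):
    """Summarise sampled guards; 'now' is a naive UTC datetime like the file's own timestamps."""
    report = []
    for g in parse_guards(state_text):
        if "sampled_on" not in g:
            continue  # malformed entry: no sampling date to measure from
        sampled = datetime.fromisoformat(g["sampled_on"])
        idx = g.get("confirmed_idx")
        report.append({
            "selection": g.get("in"),
            "nickname": g.get("nickname", "?"),
            "fingerprint": g.get("rsa_id"),
            # confirmed guards are the ones the client has actually used
            "confirmed_idx": int(idx) if idx is not None else None,
            "days_left": (sampled + GUARD_LIFETIME - now).days,
        })
    # Confirmed guards first, in the order the client prefers them.
    return sorted(report, key=lambda r: (r["confirmed_idx"] is None, r["confirmed_idx"] or 0))

if __name__ == "__main__":
    for row in guard_report(SAMPLE_STATE, datetime(2024, 3, 1)):
        status = "confirmed" if row["confirmed_idx"] is not None else "sampled only"
        print(f'{row["nickname"]:<15} {row["fingerprint"][:8]} {status:<13} '
              f'{row["days_left"]} days of lifetime left')
```

A guard that shows as confirmed with many days left is the one that stays the same across locations if nothing is changed.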
- Even though the attacker can't discover the user's destinations in the network, they still might target a list of known Tor users.
torproject.org: What are Entry Guards?
Content on this site is Copyright The Tor Project, Inc. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License. All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.
- The risk of guard fingerprinting is less severe now that upstream (The Tor Project) has changed its guard parameters to decrease the de-anonymization risk.
- Prop 291 indicates a 3.5 month guard rotation.
- The Tor Project is currently considering shifting to two guards per client for better anonymity, instead of having one primary guard in use.
- The entropy associated with one, two or three guards is 9, 17 and 25 bits, respectively.