Persistent Tor Entry Guards Introduction
What are Tor Entry Guards? If this is an unfamiliar term, please press on Expand on the right.
Many well known enhanced anonymity designs such as Tor, Whonix and the Tor Browser Bundle (TBB) use persistent Tor guards. This decision is attributable to community-based research which demonstrates that persistent Tor entry guards benefit security and lower the probability of an adversary profiling a user.
In general, users should not interfere with Tor guard persistence or the natural rotation of entry guards every few months. At the time of writing, the Tor client selects one guard node, but previously used a three-guard design. Guards have a primary lifetime of 120 days.  
While natural guard rotation is recommended, there are some corner cases in which an adversary could fingerprint the entry guards  and de-anonymize a user. For instance:
- The same entry guards are used across various physical locations and access points.
- The same entry guards are used after permanently moving to a different physical location.
For details on how this is possible, press Expand on the right.
Consider the following scenario. A user connects to Tor via a laptop at their home address. An advanced adversary has observed the client-to-guard-node network path to discover the user's entry point to the Tor network.
Soon afterwards, the same user attends a prominent event or protest in a nearby city. At that location, the user decides to anonymously blog about what transpired using the same laptop. This is problematic for anonymity, as the Tor client is using the same entry guard normally correlated with the user’s home address.
To understand the potential threat, consider the following:
- There are only around 2,500 Tor guards in 2018. 
- By design, Tor is picking one primary guard and using it for a few months. Since the Tor user base is relatively small, it is possible that a guard might only be used by one person in an entire region.
- As the IP address of Tor entry guards is static and Tor network traffic is easily distinguishable, this information becomes public knowledge.
- It is feasible that if a user-guard relationship is unique in a city location, and that user moves, it is likely (but not certain) that there was a location change.
- At the event, the user might be the only one using Tor (or among a handful).
- If the user posts about the event and an adversary who is passively monitoring network traffic conducts the same successful observation of the client-to-guard network path, then it’s likely the "anonymous" posts will be linked with the same person who normally connects to that guard at home.
The relative uncommonness of Tor usage simply exacerbates the potential for de-anonymization.
There are several ways to mitigate the risk of guard fingerprinting across different physical locations. In most cases, the original entry guards can also be re-established after returning home:
- Clone Whonix-Gateway ™ (sys-whonix) with New Entry Guards.
- Regenerate the Tor State File after Saving the Current Tor State.
- Configure Tor to use Alternating Bridges.
- If moving to a new location permanently, create Fresh Tor Entry Guards by Regenerating the Tor State File.
- Even though the attacker can't discover the user's destinations in the network, they still might target a list of known Tor users.
torproject.org What are Entry Guards? (w)
Content on this site is Copyright The Tor Project, Inc.. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License (w). All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.
- The risk of guard fingerprinting is less severe now that upstream (The Tor Project) has changed its guard parameters to decrease the de-anonymization risk.
- Prop 291 indicates a 3.5 month guard rotation.
- The Tor Project is currently considering shifting to two guards per client for better anonymity, instead of having one primary guard in use.
- The entropy associated with one, two or three guards is 9, 17 and 25 bits, respectively.