Entry Guards usage implications

I don’t fully understand the usage implications of the Entry Guards security mechanism as described here and here.

Does this mean one copy of Tor Browser will always use a select few fixed nodes as entry points to Tor? Would a newly created copy in a different directory use a different but also fixed set of nodes that would also always be the same?
Does this mean it is better to keep using the same copy of Tor Browser and update it than to often create new clean copies and use those?

Glad you found those links.

The Workstation (and therefore Tor Browser) doesn’t know anything about your Entry Guards. If it did, that could be problematic should your Workstation become compromised. All traffic leaving a specific Gateway uses the same entry guard (or a fallback). (Will likely soon change to 2 entry guards.)

So usage implications are limited to what the Gateway does, ie connecting to external networks. [tor-dev] entry guards and linkability If you connect to only one network, the default strategy is the recommended one. (ie nothing you need to do)

This page may also be relevant to you: Multiple Whonix-Workstation ™

1 Like

On Tor entry guards, see also:

1 Like

Here’s more to read

From what I understand the answer to all my questions is yes! The first relay is always the same if available. Because of this it is generally better to use one and the same Tor browser copy or Whonix gateway, than to change them. I think the Tor project should really put this behavior on their list of warnings, because it goes completely against user expectations.

Still some questions remain

Why are the three nodes listed in the circuit always different? Shouldn’t the first one always be the same?
How does an adversary find out which entry guards you’ve choosen? How this can be used to unmask is clear.

If those relays are observed or controlled by the attacker, then they see a larger fraction of the user’s traffic

Why a fraction, don’t they see everything if they’re the primary relay, which is always chosen when available?

1 Like

The best place to deep-dive on these issues is the tor-talk mailing list where you can engage the Tor devs directly.


A standalone Tor Browser has its own Tor process, so yes. Tor Browser in Whonix uses the Tor daemon in the Gateway, so also yes but with different mechanics.

Standalone, my guess is yes but don’t quote me on that. Whonix, no.

Standalone, yes. Whonix, doesn’t matter.

You can observe the expected behavior by running onioncircuits from jessie-backports in your Gateway.

Adversary should not be able to discover your entry guards unless (this is a weakness of any low-latency network), they have visibility on both ends and use end-to-end correlation attacks.

IIRC, fraction refers to proportion of visible end-to-end traffic. They see only a fraction because they presumably don’t observe every endpoint.



But I haven’t tried to run two instances in different folders at the
same time. I don’t think that’s supported. If you use one after another
it as its own distinct Tor data directory. You can monitor changes in
that directory such as with git.

Fixed: you could all entry guards somewhat “fixed” but it’s still
"dynamic" (these are rotated as per Tor’s implementation).

nodes: deprecated term. Now referenced to as relays.

path selection: always dynamic (unless it’s a long living circuit).