There is a nice little feature in Tor 3.3.1. Maybe we can enable this for users (via torrc.d) running onion services because it will provide considerable protection against guard enumeration.
Major features (onion services):
Provide torrc options to pin the second and third hops of onion service circuits to a list of nodes. The option HSLayer2Guards pins the second hop, and the option HSLayer3Guards pins the third hop. These options are for use in conjunction with experiments with “vanguards” for preventing guard enumeration attacks. Closes ticket 13837.
My guess is that they are still testing it but really I feel confident about their code quality to trust this. Also even if it doesn’t work users won’t be any worse off than they are now.
IIRC, and AFAIK, that’s why it’s not enabled by default until that problem is fixed, i.e. when the rest of the padding negotiation proposal is implemented: http://jqs44zhtxl2uo6gk.onion/torspec.git/tree/proposals/254-padding-negotiation.txt
I.e. one has to pick nodes (Tor relays). I don’t think we should pick a default list for all Whonix users. Looks like at best this is something to document on this page:
How practical is it to have a script enumerate the available Tor nodes from the consensus and draw a list of randomly selected nodes for each category?
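A sketch of what such a script could look like, as an added example that is not part of the original thread and is not Tor Project or Whonix code: it parses the `r`/`s` lines of a consensus document, filters relays by an assumed flag policy, and draws two disjoint random sets for HSLayer2Guards and HSLayer3Guards. The sample consensus is constructed, the function names are hypothetical, and the uniform draw is a simplification that ignores bandwidth weighting.

```python
import base64
import random

# Assumed selection policy (not taken from the thread): only long-lived, fast relays.
REQUIRED_FLAGS = {"Fast", "Stable", "Running", "Valid"}

def parse_consensus(text):
    """Return [(hex_fingerprint, flags)] from consensus 'r' and 's' lines."""
    relays, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["r"] and len(parts) >= 3:
            ident = parts[2]  # base64 identity digest, padding stripped
            raw = base64.b64decode(ident + "=" * (-len(ident) % 4))
            current = raw.hex().upper() if len(raw) == 20 else None
        elif parts[:1] == ["s"] and current:
            relays.append((current, set(parts[1:])))
            current = None
    return relays

def pick_layers(relays, n2, n3, rng):
    """Draw n2 + n3 distinct eligible relays so the two layers never overlap."""
    eligible = sorted(fp for fp, flags in relays if REQUIRED_FLAGS <= flags)
    if len(eligible) < n2 + n3:
        raise ValueError("not enough eligible relays in consensus")
    chosen = rng.sample(eligible, n2 + n3)
    return chosen[:n2], chosen[n2:]

def torrc_lines(layer2, layer3):
    """Format the per-machine selection as the two torrc options."""
    return [
        "HSLayer2Guards " + ",".join(layer2),
        "HSLayer3Guards " + ",".join(layer3),
    ]

def sample_consensus(count=12):
    """Constructed input: fake relays on documentation addresses (192.0.2.0/24)."""
    lines = []
    for i in range(count):
        ident = base64.b64encode(bytes([i + 1]) * 20).decode().rstrip("=")
        flags = "Fast Running Stable Valid" if i % 3 else "Running Valid"
        lines.append(f"r relay{i} {ident} 2018-03-01 00:00:00 192.0.2.{i + 1} 9001 0")
        lines.append(f"s {flags}")
    return "\n".join(lines)

if __name__ == "__main__":
    l2, l3 = pick_layers(parse_consensus(sample_consensus()), 2, 4, random.SystemRandom())
    print("\n".join(torrc_lines(l2, l3)))
```

Because the draw happens locally on each machine, no shared default list is shipped to all users.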