Board: Meta
Re: [Poll] What do you think of the forum's usage of reCaptcha?
by nullius on 04/12/2017, 16:07:23 UTC
⭐ Merited by LoyceV (1)
For the past few days, I have been unable to even get a CAPTCHA without changing Tor circuits.  I did some rough testing, hitting “New Identity” in the login page and then changing circuits until I could get a CAPTCHA.  Rinse, repeat.  At worst, I had to try a total of six different circuits before Google would even deign to waste my time clicking pictures.

This brings to mind another thought:  Google could force Tor users to rapidly rebuild circuits to the same endpoint, then potentially watch for any other network activity which could be correlated by timing, size, etc.  Hmmm.  How many Tor nodes are hosted on Google Compute, or otherwise network-visible to Google?  —  Next question:  Does the NSA like to see Tor users rapidly rebuild circuits to the same endpoint?

Those are the sorts of subtle questions which make for papers on anonbib.  Or for attacks.  For a “cloud” provider who hosts many Tor nodes, I think I smell at least the possibility of a guard-discovery attack here.  Tor is known to be weak against an adversary who can observe both endpoints.  If Google forces Tor users to build circuits until they hit a Google-hosted middle node, then I conjecture they could use a similar attack to find the guard (counting the guard as if an “endpoint”).  They then know that a user with guard X logged into bitcointalk.org at dates and times which can, in turn, be correlated with a bitcointalk username (assuming they can’t just use some XSS to grab that off the login page—or share/cross-reference databases with Cloudflare).  Every little bit helps a network observer gathering data for deanonymization.

As an aside, Tor Browser/Torbutton could really use a feature which permits conveniently changing exits without rebuilding the entire circuit.