Would you still set a max lifetime for a circuit to accept new streams of 2 hours, or would the circuit potentially persist forever?
Nick set a max lifetime in his updated version of the patch that also deals with non-Tor Browser activity, but I am not convinced that a max is a great idea yet. He also randomized the per-circuit max from [0,max], which seemed not great for usability.
Regardless of whether you use a maximum, I think it is an obvious improvement to randomize the “typical” circuit switch time (use a new randomly-selected time with each new circuit). A deterministic time makes it possible to predict when a client should switch circuits and thereby facilitates tracking. This is a recommendation from Hutha and Danezis’s “Linking Tor Circuits” (Sec. 5.3) [0].
In fact, I think it would be great for TorBrowser to treat each tab/window as a separate identity and send *all* streams in a given tab/window over the same path (i.e. sequence of relays).
The 4.5 series of Tor Browser actually already does a form of this, but instead of per tab, we do per URL bar domain. If you have two tabs open to Facebook, all of those content elements will use the same circuit, but Facebook like buttons on cnn.com will use the cnn.com circuit.
In addition to being a more sane way of handling web browsing, it also enables a very simple circuit status UI. The Torbutton menu now tells you the current circuit for the site in the URL bar in a compact display that is no larger than the dropdown menu itself.
Interesting - I did not know this! An adversarial destinations could still observe new circuits by including resources from other domains that he controls, which would be prevented by per-tab circuits, but this does seem like very good feature.
Cheers, Aaron