Pretty much everything you said is correct, or correct to an extent. There are two things I would like to point out though. First of all, although it is true that an attacker who can watch your exit node and your entry node can link you to your destination with statistical attacks, the same thing is true if the attacker watches your entry node and your connection to the hidden service. It is a little bit harder for most attackers to know that they are watching your traffic arrive at a hidden service, but it is not at all outside the realm of possibility. Secondly, changing exit nodes (and thus circuits) frequently has advantages and disadvantages. The advantage is that a given attacker who controls an exit node you are using will not be able to spy on as much of your traffic, as you switch exit nodes early. Additionally, an attacker who owns an exit node you are using and who also owns the entry node you are using, may not be able to link you to as many of your destinations. The bad part about changing circuits frequently is that you will speed up the rate at which a given attacker will be able to spy on some of your exit traffic, or link you to some of your end destinations. The reason for this is simple: if you are currently using a good circuit, then changing your circuit can not give you a better circuit, but it can lead to you having a bad circuit. And as I said before, conversely, if you currently have a bad circuit the quicker you switch it the less damage the attacker who has compromised your current circuit can do. You should just let vidalia control your circuit rotation unless you have some reason to select a new identity, like a hidden service is not loading, or an exit is blocked by some destination server, or the circuit is going unbearably slow. I personally would be in favor of Tor extending the default circuit rotation time, perhaps from ten minutes to twenty or even thirty. The thing is, it doesn't matter if the DEA compromised one of your circuits to SR for five seconds or for fifty minutes, they still will have deanonymized you. By extending circuit rotation time it will increase the amount of time it takes the DEA to trace you. But extending the rotation time yourself, without it being applied to all Tor users, is a bad idea.