C = compromised node g = good node x = either/or any single circuit is good so long as it is not C <-> x <-> C Tor client keeps half a dozen to a dozen or so circuits open C <-> g <-> g g <-> C <-> g g <-> g <-> C g <-> g <-> g g <-> C <-> g g <-> g <-> C by default the currently active circuit changes approximately once every ten minutes, other circuits are kept open to avoid delay of circuit construction when switching active circuit none of the open circuits presented are bad as none fall into the C <-> x <-> C pattern on exit Tor client sends close circuit packet down all circuits from entry to exit, informing nodes to shut down the open circuit assume active circuit is client <-> g <-> g <-> C <-> destination C can see client destination but not the client as entry and middle are good on shut down packet is sent down all circuits, including Client -> C -> g -> g -> Nil Client -> g -> C -> g -> Nil Client -> g -> g -> C (<->) Destination server timing attack on circuit shut down packet can probably be used to link traffic across multiple circuits, thus deanonymizing client traffic that exited from g <-> g <-> C, even though none of the individual circuits are compromised circuits.