Hello, I a developer of an anonymity-centric distribution. Called
Whonix, it's similar to TAILS but optimized for virtual machines.
We need to use a source to calibrate our system clock. For obvious and
non-obvious reasons, that source can't be NTP. The way we do it at the
moment is to fetch HTTP headers over SSL from trusted servers and use
the timestamp data.
We want to get rid of SSL and make use of the strong security properties
of Tor's end-to-end encryption for Hidden Services in order to safeguard
against clearnet SSL MITM attacks, which are within reach of powerful
adversaries.
Our plan is to contact hidden service operators, adding multiple
trustworthy hidden services to the list for both redundancy and load
distribution. Our estimated user base is 5000. The requests will only
involve fetching an HTTP header from the server, similar to `curl --head
atlas777hhh7mcs7.onion`.
Before simply implementing this feature and hoping Tor handles the load
without issue, we'd like expert (deep knowledge of Tor internals,
network size, paths, etc) and (hopefully) official responses to our idea.