Re: Hodge-podge report, much?
Five Eyes and other Big-Brother-wannabes are trying to set up a critical mass of TOR exit nodes (likely through shills) so that they can pick up enough end-to-end traffic to make connections?
First you'll notice that the claim in the tweet referredt to TOR hidden services, no exit node involved in these, but fair enough, I'm game.
Protectiong against end-to-end attacks is not an aim of TOR. Anyone watching both the user's traffick to TOR and the exit node can, with timing correlations, determine that this user connected to that external ressource. However, this is rather computationally intensive compared to just watching packet streams at a big Net node and registering "to" and "from" IPs; it requires close monitoring and matching of both specific connections, something that is at present almost impossible to automatize on a large scale, notably because the vulnerable path between the user and the TOR network is typically short, and the TOR route changes every 10 minutes or so (which would disrupt timing attacks), with a lot of exit nodes in diplomatically adverse regions of the world. i.e. it works if you have a warrant against an individual target AND a way to direct traffic to exit nodes under your control. Not impossible, but you'd have to be an identified target to worry about that, it's certainly no "routine surveillance" as I intended to mean it.
What about improvements in browser fingerprinting attacks that can help make correlations even when all the traffic is encrypted (and TOR can't use a lot of padding due to latency issues)
The padding is irrelevant to browser fingerprinting. It is always possible to come up with new techniques to create a user's "virtual fingerprint". Info leaked, actively or passively, by the browser are a part of it; writing/typing patterns are another. That is not a TOR vulnerability, but the guys at the TOR project do offer advice to mitigate this. It was always advised that you used a different browser for TOR and non-TOR traffic, partly to make it more difficult to match your TOR fingerprint to your non-anonymous clearnet one. A step further, and available for a while now, the TOR bundle should help a great deal in making your traffic look just like that of any other Bundle user.
The other "patterning" issues remains; it is up to you to use different writing styles if you wish. As for the typing patterns, you could always hook up a Dvorak USB keyboard for your TOR session should you feel this is a problem, that should disrupt your pattern enough!