[pmjordan]

The participating entry-nodes (proxies?) could be systematically determined with a scanner

How, exactly? Measuring the run-time of packets and comparing to the expected run-time? I suspect this could be masked by the proxy, but I'm not sure.

You have to trust the people running the entry nodes

You can encrypt the payload independently and then re-encrypt it for the HTTPS tunnel. But as with any proxy, they know the ultimate destination for your traffic, even if they can't get at the data itself.

[daten]

If your path requires a participating station for the proxy-connection to succeed, just measure successful and unsuccessful proxy-connections against different network paths and logically determine which paths have participating nodes and which don't. Compare the results and expand your search until you narrow down which hops in your path are required for a success.