[kxo]

I personally like the idea of building a machine that terminates TOR (exclusively) into VMs, allowing no other outbound (non-whitelisted) traffic.

The biggest and most obvious threat to a lot of these hidden services are application-layer attacks.

You should not be using platforms that have the ability to do vast inspection of their runtime environment or make arbitrary outbound requests.

I'm not necessarily a fan of the "SOA-over-Tor" approach for something like a Bitcoin price: the explicitly-whitelisted bitcoin-price-checker-service communicating over a small-surface API (0MQ, Rabbit (albeit this is a bit of a larger attack surface, internally)) to another VM that has externally-terminated Tor-only outbound internet access is probably easier to work with.

I should spin up a CoreOS distribution with all guest VM outbound access turned off and try out host-level Tor termination.