TODO 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341
  1. $Id$
  2. Legend:
  3. SPEC!! - Not specified
  4. SPEC - Spec not finalized
  5. N - nick claims
  6. R - arma claims
  7. P - phobos claims
  8. - Not done
  9. * Top priority
  10. . Partially done
  11. o Done
  12. D Deferred
  13. X Abandoned
  14. Non-Coding, Soon:
  15. N - Mark up spec; note unclear points about servers
  16. N - Mention controller libs someplace.
  17. D FAQ entry: why gnutls is bad/not good for tor
  18. P - flesh out the rest of the section 6 of the faq
  19. P - gather pointers to livecd distros that include tor
  20. R . more pictures from ren. he wants to describe the tor handshake, i want to
  21. talk about hidden services.
  22. NR- write a spec appendix for 'being nice with tor'
  23. - tor-in-the-media page
  24. - Remove need for HACKING file.
  25. Website:
  26. - we need to merge documentation and support
  27. - and pare it down
  28. - and merge developers into documentation too
  29. - or at least, remove developers from the title bar
  30. - and remove home and make the "Tor" picture be the link to home.
  31. - put the logo on the website, in source form, so people can put it on
  32. stickers directly, etc.
  33. for 0.1.1.x:
  34. N - if they're trying to be a tor server and they're running
  35. win 98 or win me, give them a message talking about The Bug.
  36. . Helper nodes
  37. . More testing and debugging
  38. o If your helper nodes are unavailable, don't abandon them unless
  39. other nodes *are* reachable.
  40. o Make EntryNodes and StrictEntrynodes do what we want.
  41. N - Destroy and truncated cells should have reasons.
  42. - Specify
  43. - Implement
  44. N . Only use a routerdesc if you recognize its hash.
  45. o (Must defer till dirservers are upgraded to latest code, which
  46. actually generates these hashes.)
  47. . Of course, authdirservers must not do this.
  48. o If we have a routerdesc for Bob, and he says, "I'm 0.1.0.x", don't
  49. fetch a new one if it was published in the last 2 hours.
  50. X Don't, actually. This is the authorities' job to straighten out.
  51. o Do not ask for any routers until we have 2 networkstatuses.
  52. . Client side:
  53. o Keep a record of which hash is most desirable for each router inside
  54. local_routerstatus_t.
  55. o If any hash is listed by two or more networkstatuses, the most
  56. recent such hash is most desirable.
  57. o Otherwise, the most recent is desirable.
  58. o Once we've accepted a router, it's okay.
  59. o Do not accept a router that no networkstatus lists. (This should maybe
  60. get stricter.)
  61. o Download by descriptor digest.
  62. o Reset failure count to zero when hash changes.
  63. . Test
  64. - Do we want to rate-limit downloads of each identity?
  65. . Mirrors and authorities:
  66. o Every time we hear a new networkstatus, we want every hash it lists.
  67. o Make sure that we are always willing to keep at least N routerinfos
  68. per router, where N = number of authorities.
  69. o Do whatever else is needed to be sure that we don't request
  70. hashes that would be immediately discarded, or discard hashes
  71. that would be immediately re-requested.
  72. o Only fetch routerinfo from an authority that mentions is.
  73. o Only ask each authority once.
  74. o Retry soon after failure.
  75. o We need one bit per routerstatus for "should we download from
  76. this guy."
  77. - Verify that we are actually storing retained old descriptors to our
  78. cache.
  79. - Test.
  80. - Non-directories don't need to keep descriptors in memory.
  81. N - Should router info have a pointer to routerstatus?
  82. - We should at least do something about the duplicated fields.
  83. R - Christian Grothoff's attack of infinite-length circuit.
  84. the solution is to have a separate 'extend-data' cell type
  85. which is used for the first N data cells, and only
  86. extend-data cells can be extend requests.
  87. - Specify, including thought about
  88. - Implement
  89. R - When we connect to a Tor server, it sends back a signed cell listing
  90. the IP it believes it is using. Use this to block dvorak's attack.
  91. Also, this is a fine time to say what time you think it is.
  92. - Verify that a new cell type is okay with deployed codebase
  93. - Specify
  94. - Implement
  95. R - clients prefer to avoid exit nodes for non-exit path positions.
  96. - find 10 dirservers.
  97. - What are criteria to be a dirserver? Write a policy.
  98. Deferred from 0.1.1.x:
  99. - Automatically determine what ports are reachable and start using
  100. those, if circuits aren't working and it's a pattern we recognize
  101. ("port 443 worked once and port 9001 keeps not working").
  102. N . Additional controller features
  103. o Find a way to make event info more extensible
  104. - change circuit status events to give more details, like purpose,
  105. whether they're internal, when they become dirty, when they become
  106. too dirty for further circuits, etc.
  107. R - What do we want here, exactly?
  108. N - Specify and implement it.
  109. - Change stream status events analogously.
  110. R - What do we want here, exactly?
  111. N - Specify and implement it.
  112. - Make other events "better".
  113. - Change stream status events analogously.
  114. R - What do we want here, exactly?
  115. N - Specify and implement it.
  116. - Make other events "better" analogously
  117. R - What do we want here, exactly?
  118. N - Specify and implement it.
  119. . Expose more information via getinfo:
  120. - import and export rendezvous descriptors
  121. - Review all static fields for additional candidates
  122. - Allow EXTENDCIRCUIT to unknown server.
  123. - We need some way to adjust server status, and to tell tor not to
  124. download directories/network-status, and a way to force a download.
  125. - It would be nice to request address lookups from the controller
  126. without using SOCKS.
  127. - Make everything work with hidden services
  128. X switch accountingmax to count total in+out, not either in or
  129. out. it's easy to move in this direction (not risky), but hard to
  130. back out if we decide we prefer it the way it already is. hm.
  131. - cpu fixes:
  132. - see if we should make use of truncate to retry
  133. o hardware accelerator support (configure engines.)
  134. o hardware accelerator support (use instead of aes.c when reasonable)
  135. - Benchmark this somehow to see whether using EVP_foo is slower in the
  136. non-engine case than AES_foo. If so, check for AES engine and fall
  137. back to AES_foo when it's not found.
  138. R - kill dns workers more slowly
  139. . Directory changes
  140. o recommended-versions for client / server ?
  141. . Some back-out mechanism for auto-approval
  142. o dirservers have blacklist of IPs and keys they hate
  143. - a way of rolling back approvals to before a timestamp
  144. - Consider minion-like fingerprint file/log combination.
  145. - Decentralization
  146. o Dirservers publish compressed network-status objects.
  147. o Support retrieving several-at-once
  148. o Everyone downloads network-status objects
  149. o Clients: from all directories, round-robin
  150. o Basic implementation: disable until 0.1.1.x is out.
  151. o On failure, mark trusted_dir_server as having failed
  152. o Retry, up to a point.
  153. X Launch retry immediately on failure.
  154. o Parse them
  155. o Cache them, reload on restart
  156. o Serve cached directories
  157. o Directories expose individual descriptors
  158. X By 'if-newer-than' (Does the spec require this??)
  159. o Support compression.
  160. o Alice acts on network-status objects
  161. o Alice downloads descriptors as needed.
  162. o Figure out what's needed
  163. o Store it
  164. o Implement store
  165. o Implement reload-from-store
  166. o Store downloaded descriptors
  167. o Download it
  168. o As-needed if we have 2 network-status objs.
  169. o Download "all" if we have less than 2 network-status objs.
  170. (This has vulnerabilities if we're not careful)
  171. o Call directory_has_arrived as needed; rename it.
  172. o Set has_fetched_directory properly.
  173. o Retry descriptors on failure
  174. o Give up after a while.
  175. - But try again after a long while (???)
  176. o Check software versions according to some sane plan.
  177. - Warn again after 24 hours.
  178. o Alice sets descriptor status from network-status
  179. o Implement
  180. o Use
  181. o Routerdesc download changes
  182. o Refactor combined-status to be its own type.
  183. o Change rule from "do not launch new connections when one exists" to
  184. "do not request any fingerprint that we're currently requesting."
  185. o Launch connections every minute, or whenever a download fails
  186. o Retry failed routerdescs after 0, 1, 5, 10 minutes.
  187. o Mirrors retry harder and more often. (0, 0, 1, 1, 2, 5, and 15)
  188. o Reset failure count every 60 minutes
  189. o Drop fallback to download-all. Also, always split download.
  190. o Use has_fetched_directory sanely, whatever that means.
  191. o Downgrade new directory events from notice to info
  192. o Call dirport_is_reachable from somewhere else.
  193. o Networkstatus should list who's an authority.
  194. o Add nickname element to dirserver line. Log this along with IP:Port.
  195. o Warn when using non-default directory servers.
  196. o When giving up on a non-finished dir request, log how many bytes
  197. dropped, to see whether it's worthwhile to use partial info.
  198. - config option to publish what ports you listen on, beyond
  199. ORPort/DirPort. It should support ranges and bit prefixes (?) too.
  200. - Parse this.
  201. - Relay this in networkstatus.
  202. X Make authorities rate-limit logging their complaints about given
  203. servers?
  204. o All versions of Tor should get cosmetic changes rate-limited.
  205. o Pick directories from networkstatus objects, not from routerlist.
  206. o But! We can't do this easily, since we want to know about platform,
  207. and networkstatus doesn't tell us Tor version. Can we solve this?
  208. Should we do it by adding flags to networkstatus or what?
  209. - packaging and ui stuff:
  210. . multiple sample torrc files
  211. - uninstallers
  212. . for os x
  213. . figure out how to make nt service stuff work?
  214. . Document it.
  215. . Add version number to directory.
  216. N - Vet all pending installer patches
  217. - Win32 installer plus privoxy, sockscap/freecap, etc.
  218. - Vet win32 systray helper code
  219. - document:
  220. - torcp needs more attention in the tor-doc-win32.
  221. - recommend gaim.
  222. - unrecommend IE because of ftp:// bug.
  223. - torrc.complete.in needs attention?
  224. o Dump "ports" from routerparse?
  225. o Let more config options (e.g. ORPort) change dynamically.
  226. o Add TTLs to DNS-related replies, and use them (when present) to adjust
  227. addressmap values.
  228. - Bind to random port when making outgoing connections to Tor servers,
  229. to reduce remote sniping attacks.
  230. - Have new people be in limbo and need to demonstrate usefulness
  231. before we approve them.
  232. - Clients should estimate their skew as median of skew from servers
  233. over last N seconds.
  234. - Security
  235. - Alices avoid duplicate class C nodes.
  236. - Analyze how bad the partitioning is or isn't.
  237. . Update the hidden service stuff for the new dir approach.
  238. - switch to an ascii format, maybe sexpr?
  239. - authdirservers publish blobs of them.
  240. - other authdirservers fetch these blobs.
  241. - hidserv people have the option of not uploading their blobs.
  242. - you can insert a blob via the controller.
  243. - and there's some amount of backwards compatibility.
  244. - teach clients, intro points, and hidservs about auth mechanisms.
  245. - come up with a few more auth mechanisms.
  246. . Come up with a coherent strategy for bandwidth buckets and TLS. (The
  247. logic for reading from TLS sockets is likely to overrun the bandwidth
  248. buckets under heavy load. (Really, the logic was never right in the
  249. first place.) Also, we should audit all users of get_pending_bytes().)
  250. - Make it harder to circumvent bandwidth caps: look at number of bytes
  251. sent across sockets, not number sent inside TLS stream.
  252. o Research memory use on Linux: what's happening?
  253. X Is it threading? (Maybe, maybe not)
  254. X Is it the buf_shrink bug? (Quite possibly)
  255. o Instrument the 0.1.1 code to figure out where our memory is going;
  256. apply the results. (all platforms?)
  257. - Make router_is_general_exit() a bit smarter once we're sure what it's for.
  258. - Directory "helper".
  259. - rewrite how libevent does select() on win32 so it's not so very slow.
  260. o enclaves (at least preliminary)
  261. - Write limiting; separate token bucket for write
  262. - Audit everything to make sure rend and intro points are just as likely to
  263. be us as not.
  264. - Do something to prevent spurious EXTEND cells from making middleman
  265. nodes connect all over. Rate-limit failed connections, perhaps?
  266. Future version:
  267. - Limit to 2 dir, 2 OR, N SOCKS connections per IP.
  268. - Handle full buffers without totally borking
  269. - Rate-limit OR and directory connections overall and per-IP and
  270. maybe per subnet.
  271. - Hold-open-until-flushed now works by accident; it should work by
  272. design.
  273. - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
  274. - Specify?
  275. - tor-resolve script should use socks5 to get better error messages.
  276. - make min uptime a function of the available choices (say, choose 60th
  277. percentile, not 1 day.)
  278. - Track uptime as %-of-time-up, as well as time-since-last-down.
  279. - hidserv offerers shouldn't need to define a SocksPort
  280. * figure out what breaks for this, and do it.
  281. - auth mechanisms to let hidden service midpoint and responder filter
  282. connection requests.
  283. - Relax clique assumptions.
  284. - start handling server descriptors without a socksport?
  285. - tor should be able to have a pool of outgoing IP addresses
  286. that it is able to rotate through. (maybe)
  287. Blue-sky:
  288. - Patch privoxy and socks protocol to pass strings to the browser.
  289. - Standby/hotswap/redundant hidden services.
  290. - Robust decentralized storage for hidden service descriptors.
  291. - The "China problem"
  292. - Allow small cells and large cells on the same network?
  293. - Cell buffering and resending. This will allow us to handle broken
  294. circuits as long as the endpoints don't break, plus will allow
  295. connection (tls session key) rotation.
  296. - Implement Morphmix, so we can compare its behavior, complexity, etc.
  297. - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
  298. link crypto, unless we can bully openssl into it.
  299. . Conn key rotation (we switch to a new one after a week, but
  300. old circuits don't get any benefit from this).
  301. - Need a relay teardown cell, separate from one-way ends.
  302. (Pending a user who needs this)
  303. - Handle half-open connections: right now we don't support all TCP
  304. streams, at least according to the protocol. But we handle all that
  305. we've seen in the wild.
  306. (Pending a user who needs this)