roadmap-2007.tex 34 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690
  1. \documentclass{article}
  2. \usepackage{url}
  3. \newenvironment{tightlist}{\begin{list}{$\bullet$}{
  4. \setlength{\itemsep}{0mm}
  5. \setlength{\parsep}{0mm}
  6. % \setlength{\labelsep}{0mm}
  7. % \setlength{\labelwidth}{0mm}
  8. % \setlength{\topsep}{0mm}
  9. }}{\end{list}}
  10. \newcommand{\tmp}[1]{{\bf #1} [......] \\}
  11. \newcommand{\plan}[1]{ {\bf (#1)}}
  12. \begin{document}
  13. \title{Tor Development Roadmap: Wishlist for Nov 2006--Dec 2007}
  14. \author{Roger Dingledine \and Nick Mathewson \and Shava Nerad}
  15. \maketitle
  16. \pagestyle{plain}
  17. % TO DO:
  18. % add cites
  19. % add time estimates
  20. \section{Introduction}
  21. %Hi, Roger! Hi, Shava. This paragraph should get deleted soon. Right now,
  22. %this document goes into about as much detail as I'd like to go into for a
  23. %technical audience, since that's the audience I know best. It doesn't have
  24. %time estimates everywhere. It isn't well prioritized, and it doesn't
  25. %distinguish well between things that need lots of research and things that
  26. %don't. The breakdowns don't all make sense. There are lots of things where
  27. %I don't make it clear how they fit into larger goals, and lots of larger
  28. %goals that don't break down into little things. It isn't all stuff we can do
  29. %for sure, and it isn't even all stuff we can do for sure in 2007. The
  30. %tmp\{\} macro indicates stuff I haven't said enough about. That said, here
  31. %plangoes...
  32. Tor (the software) and Tor (the overall software/network/support/document
  33. suite) are now experiencing all the crises of success. Over the next year,
  34. we're probably going to grow more in terms of users, developers, and funding
  35. than before. This gives us the opportunity to perform long-neglected
  36. maintenance tasks.
  37. \section{Code and design infrastructure}
  38. \subsection{Protocol revision}
  39. To maintain backward compatibility, we've postponed major protocol
  40. changes and redesigns for a long time. Because of this, there are a number
  41. of sensible revisions we've been putting off until we could deploy several of
  42. them at once. To do each of these, we first need to discuss design
  43. alternatives with other cryptographers and outside collaborators to
  44. make sure that our choices are secure.
  45. First of all, our protocol needs better {\bf versioning support} so that we
  46. can make backward-incompatible changes to our core protocol. There are
  47. difficult anonymity issues here, since many naive designs would make it easy
  48. to tell clients apart (and then track them) based on their supported versions.
  49. With protocol versioning support would come the ability to {\bf future-proof
  50. our ciphersuites}. For example, not only our OR protocol, but also our
  51. directory protocol, is pretty firmly tied to the SHA-1 hash function, which
  52. though not yet known to be insecure for our purposes, has begun to show
  53. its age. We should
  54. remove assumptions throughout our design based on the assumption that public
  55. keys, secret keys, or digests will remain any particular size indefinitely.
  56. Our OR {\bf authentication protocol}, though provably
  57. secure\cite{tap:pet2006}, relies more on particular aspects of RSA and our
  58. implementation thereof than we had initially believed. To future-proof
  59. against changes, we should replace it with a less delicate approach.
  60. \plan{For all the above: 2 person-months to specify, spread over several
  61. months with time for interaction with external participants. One
  62. person-month to implement. Start specifying in early 2007.}
  63. We might design a {\bf stream migration} feature so that streams tunneled
  64. over Tor could be more resilient to dropped connections and changed IPs.
  65. \plan{Not in 2007.}
  66. A new protocol could support {\bf multiple cell sizes}. Right now, all data
  67. passes through the Tor network divided into 512-byte cells. This is
  68. efficient for high-bandwidth protocols, but inefficient for protocols
  69. like SSH or AIM that send information in small chunks. Of course, we need to
  70. investigate the extent to which multiple sizes could make it easier for an
  71. adversary to fingerprint a traffic pattern. \plan{Not in 2007.}
  72. As a part of our design, we should investigate possible {\bf cipher modes}
  73. other than counter mode. For example, a mode with built-in integrity
  74. checking, error propagation, and random access could simplify our protocol
  75. significantly. Sadly, many of these are patented and unavailable for us.
  76. \plan{Not in 2007.}
  77. \subsection{Scalability}
  78. \subsubsection{Improved directory efficiency}
  79. Right now, clients download a statement of the {\bf network status} made by
  80. each directory authority. We could reduce network bandwidth significantly by
  81. having the authorities jointly sign a statement reflecting their vote on the
  82. current network status. This would save clients up to 160K per hour, and
  83. make their view of the network more uniform. Of course, we'd need to make
  84. sure the voting process was secure and resilient to failures in the
  85. network.\plan{Must do; specify in 2006. 2 weeks to specify, 3-4 weeks to
  86. implement.}
  87. We should {\bf shorten router descriptors}, since the current format includes
  88. a great deal of information that's only of interest to the directory
  89. authorities, and not of interest to clients. We can do this by having each
  90. router upload a short-form and a long-form signed descriptor, and having
  91. clients download only the short form. Even a naive version of this would
  92. save about 40\% of the bandwidth currently spent by clients downloading
  93. descriptors.\plan{Must do; specify in 2006. 3-4 weeks.}
  94. We should {\bf have routers upload their descriptors even less often}, so
  95. that clients do not need to download replacements every 18 hours whether any
  96. information has changed or not. (As of Tor 0.1.2.3-alpha, clients tolerate
  97. routers that don't upload often, but routers still upload at least every 18
  98. hours to support older clients.) \plan{Must do, but not until 0.1.1.x is
  99. deprecated in mid 2007. 1 week.}
  100. \subsubsection{Non-clique topology}
  101. Our current network design achieves a certain amount of its anonymity by
  102. making clients act like each other through the simple expedient of making
  103. sure that all clients know all servers, and that any server can talk to any
  104. other server. But as the number of servers increases to serve an
  105. ever-greater number of clients, these assumptions become impractical.
  106. At worst, if these scalability issues become troubling before a solution is
  107. found, we can design and build a solution to {\bf split the network into
  108. multiple slices} until a better solution comes along. This is not ideal,
  109. since rather than looking like all other users from a point of view of path
  110. selection, users would ``only'' look like 200,000--300,000 other
  111. users.\plan{Not unless needed.}
  112. We are in the process of designing {\bf improved schemes for network
  113. scalability}. Some approaches focus on limiting what an adversary can know
  114. about what a user knows; others focus on reducing the extent to which an
  115. adversary can exploit this knowledge. These are currently in their infancy,
  116. and will probably not be needed in 2007, but they must be designed in 2007 if
  117. they are to be deployed in 2008.\plan{Design in 2007; unknown difficulty.
  118. Write a paper.}
  119. \subsubsection{Relay incentives}
  120. To support more users on the network, we need to get more servers. So far,
  121. we've relied on volunteerism to attract server operators, and so far it's
  122. served us well. But in the long run, we need to {\bf design incentives for
  123. users to run servers} and relay traffic for others. Most obviously, we
  124. could try to build the network so that servers offered improved service for
  125. other servers, but we would need to do so without weakening anonymity and
  126. making it obvious which connections originate from users running servers. We
  127. have some preliminary designs~\cite{incentives-txt,tor-challenges},
  128. but need to perform
  129. some more research to make sure they would be safe and effective.\plan{Write
  130. a draft paper; 2 person-months.}
  131. \subsection{Portability}
  132. Our {\bf Windows implementation}, though much improved, continues to lag
  133. behind Unix and Mac OS X, especially when running as a server. We hope to
  134. merge promising patches from Mike Chiussi to address this point, and bring
  135. Windows performance on par with other platforms.\plan{Do in 2007; 1.5 months
  136. to integrate not counting Mike's work.}
  137. We should have {\bf better support for portable devices}, including modes of
  138. operation that require less RAM, and that write to disk less frequently (to
  139. avoid wearing out flash RAM).\plan{Optional; 2 weeks.}
  140. We should {\bf stop using socketpair on Windows}; instead, we can use
  141. in-memory structures to communicate between cpuworkers and the main thread,
  142. and between connections.\plan{Optional; 1 week.}
  143. \subsection{Performance: resource usage}
  144. We've been working on {\bf using less RAM}, especially on servers. This has
  145. paid off a lot for directory caches in the 0.1.2, which in some cases are
  146. using 90\% less memory than they used to require. But we can do better,
  147. especially in the area around our buffer management algorithms, by using an
  148. approach more like the BSD and Linux kernels use instead of our current ring
  149. buffer approach. (For OR connections, we can just use queues of cell-sized
  150. chunks produced with a specialized allocator.) This could potentially save
  151. around 25 to 50\% of the memory currently allocated for network buffers, and
  152. make Tor a more attractive proposition for restricted-memory environments
  153. like old computers, mobile devices, and the like.\plan{Do in 2007; 2-3 weeks
  154. plus one week measurement.}
  155. We should improve our {\bf bandwidth limiting}. The current system has been
  156. crucial in making users willing to run servers: nobody is willing to run a
  157. server if it might use an unbounded amount of bandwidth, especially if they
  158. are charged for their usage. We can make our system better by letting users
  159. configure bandwidth limits independently for their own traffic and traffic
  160. relayed for others; and by adding write limits for users running directory
  161. servers.\plan{Do in 2006; 2-3 weeks.}
  162. On many hosts, sockets are still in short supply, and will be until we can
  163. migrate our protocol to UDP. We can {\bf use fewer sockets} by making our
  164. self-to-self connections happen internally to the code rather than involving
  165. the operating system's socket implementation.\plan{Optional; 1 week.}
  166. \subsection{Performance: network usage}
  167. We know too little about how well our current path
  168. selection algorithms actually spread traffic around the network in practice.
  169. We should {\bf research the efficacy of our traffic allocation} and either
  170. assure ourselves that it is close enough to optimal as to need no improvement
  171. (unlikely) or {\bf identify ways to improve network usage}, and get more
  172. users' traffic delivered faster. Performing this research will require
  173. careful thought about anonymity implications.
  174. We should also {\bf examine the efficacy of our congestion control
  175. algorithm}, and see whether we can improve client performance in the
  176. presence of a congested network through dynamic `sendme' window sizes or
  177. other means. This will have anonymity implications too if we aren't careful.
  178. \plan{For both of the above: research, design and write
  179. a measurement tool in 2007: 1 month. See if we can interest a graduate
  180. student.}
  181. We should work on making Tor's cell-based protocol perform better on
  182. networks with low bandwidth
  183. and high packet loss.\plan{Do in 2007 if we're funded to do it; 4-6 weeks.}
  184. \subsection{Performance scenario: one Tor client, many users}
  185. We should {\bf improve Tor's performance when a single Tor handles many
  186. clients}. Many organizations want to manage a single Tor client on their
  187. firewall for many users, rather than having each user install a separate
  188. Tor client. We haven't optimized for this scenario, and it is likely that
  189. there are some code paths in the current implementation that become
  190. inefficient when a single Tor is servicing hundreds or thousands of client
  191. connections. (Additionally, it is likely that such clients have interesting
  192. anonymity requirements the we should investigate.) We should profile Tor
  193. under appropriate loads, identify bottlenecks, and fix them.\plan{Do in 2007
  194. if we're funded to do it; 4-8 weeks.}
  195. \subsection{Tor servers on asymmetric bandwidth}
  196. Tor should work better on servers that have asymmetric connections like cable
  197. or DSL. Because Tor has separate TCP connections between each
  198. hop, if the incoming bytes are arriving just fine and the outgoing bytes are
  199. all getting dropped on the floor, the TCP push-back mechanisms don't really
  200. transmit this information back to the incoming streams.\plan{Do in 2007 since
  201. related to bandwidth limiting. 3-4 weeks.}
  202. \subsection{Running Tor as both client and server}
  203. Many performance tradeoffs and balances that might need more attention.
  204. We first need to track and fix whatever bottlenecks emerge; but we also
  205. need to invent good algorithms for prioritizing the client's traffic
  206. without starving the server's traffic too much.\plan{No idea; try
  207. profiling and improving things in 2007.}
  208. \subsection{Protocol redesign for UDP}
  209. Tor has relayed only TCP traffic since its first versions, and has used
  210. TLS-over-TCP to do so. This approach has proved reliable and flexible, but
  211. in the long term we will need to allow UDP traffic on the network, and switch
  212. some or all of the network to using a UDP transport. {\bf Supporting UDP
  213. traffic} will make Tor more suitable for protocols that require UDP, such
  214. as many VOIP protocols. {\bf Using a UDP transport} could greatly reduce
  215. resource limitations on servers, and make the network far less interruptible
  216. by lossy connections. Either of these protocol changes would require a great
  217. deal of design work, however. We hope to be able to enlist the aid of a few
  218. talented graduate students to assist with the initial design and
  219. specification, but the actual implementation will require significant testing
  220. of different reliable transport approaches.\plan{Maybe do a design in 2007 if
  221. we find an interested academic. Ian or Ben L might be good partners here.}
  222. \section{Blocking resistance}
  223. \subsection{Design for blocking resistance}
  224. We have written a design document explaining our general approach to blocking
  225. resistance. We should workshop it with other experts in the field to get
  226. their ideas about how we can improve Tor's efficacy as an anti-censorship
  227. tool.
  228. \subsection{Implementation: client-side and bridges-side}
  229. Our anticensorship design calls for some nodes to act as ``bridges''
  230. that are outside a national firewall, and others inside the firewall to
  231. act as pure clients. This part of the design is quite clear-cut; we're
  232. probably ready to begin implementing it. To {\bf implement bridges}, we
  233. need to have servers publish themselves as limited-availability relays
  234. to a special bridge authority if they judge they'd make good servers.
  235. We will also need to help provide documentation for port forwarding,
  236. and an easy configuration tool for running as a bridge.
  237. To {\bf implement clients}, we need to provide a flexible interface to
  238. learn about bridges and to act on knowledge of bridges. We also need
  239. to teach them how to know to use bridges as their first hop, and how to
  240. fetch directory information from both classes of directory authority.
  241. Clients also need to {\bf use the encrypted directory variant} added in Tor
  242. 0.1.2.3-alpha. This will let them retrieve directory information over Tor
  243. once they've got their initial bridges. We may want to get the rest of the
  244. Tor user base to begin using this encrypted directory variant too, to
  245. provide cover.
  246. Bridges will want to be able to {\bf listen on multiple addresses and ports}
  247. if they can, to give the adversary more ports to block.
  248. \subsection{Research: anonymity implications from becoming a bridge}
  249. \subsection{Implementation: bridge authority}
  250. The design here is also reasonably clear-cut: we need to run some
  251. directory authorities with a slightly modified protocol that doesn't leak
  252. the entire list of bridges. Thus users can learn up-to-date information
  253. for bridges they already know about, but they can't learn about arbitrary
  254. new bridges.
  255. \subsection{Normalizing the Tor protocol on the wire}
  256. Additionally, we should {\bf resist content-based filters}. Though an
  257. adversary can't see what users are saying, some aspects of our protocol are
  258. easy to fingerprint {\em as} Tor. We should correct this where possible.
  259. Look like Firefox; or look like nothing?
  260. Future research: investigate timing similarities with other protocols.
  261. \subsection{Access control for bridges}
  262. Design/impl: password-protecting bridges, in light of above.
  263. And/or more general access control.
  264. \subsection{Research: scanning-resistance}
  265. \subsection{Research/Design/Impl: how users discover bridges}
  266. Our design anticipates an arms race between discovery methods and censors.
  267. We need to begin the infrastructure on our side quickly, preferably in a
  268. flexible language like Python, so we can adapt quickly to censorship.
  269. phase one: personal bridges
  270. phase two: families of personal bridges
  271. phase three: more structured social network
  272. phase four: bag of tricks
  273. Research: phase five...
  274. Integration with Psiphon, etc?
  275. \subsection{Document best practices for users}
  276. Document best practices for various activities common among
  277. blocked users (e.g. WordPress use).
  278. \subsection{Research: how to know if a bridge has been blocked?}
  279. \subsection{GeoIP maintenance, and "private" user statistics}
  280. How to know if the whole idea is working?
  281. \subsection{Research: hiding whether the user is reading or publishing?}
  282. \subsection{Research: how many bridges do you need to know to maintain
  283. reachability?}
  284. \subsection{Resisting censorship of the Tor website, docs, and mirrors}
  285. We should take some effort to consider {\bf initial distribution of Tor and
  286. related information} in countries where the Tor website and mirrors are
  287. censored. (Right now, most countries that block access to Tor block only the
  288. main website and leave mirrors and the network itself untouched.) Falling
  289. back on word-of-mouth is always a good last resort, but we should also take
  290. steps to make sure it's relatively easy for users to get ahold of a copy.
  291. \section{Security}
  292. \subsection{Security research projects}
  293. We should investigate approaches with some promise to help Tor resist
  294. end-to-end traffic correlation attacks. It's an open research question
  295. whether (and to what extent) {\bf mixed-latency} networks, {\bf low-volume
  296. long-distance padding}, or other approaches can resist these attacks, which
  297. are currently some of the most effective against careful Tor users. We
  298. should research these questions and perform simulations to identify
  299. opportunities for strengthening our design without dropping performance to
  300. unacceptable levels. %Cite something
  301. \plan{Start doing this in 2007; write a paper. 8-16 weeks.}
  302. We've got some preliminary results suggesting that {\bf a topology-aware
  303. routing algorithm}~\cite{feamster:wpes2004} could reduce Tor users'
  304. vulnerability against local or ISP-level adversaries, by ensuring that they
  305. are never in a position to watch both ends of a connection. We need to
  306. examine the effects of this approach in more detail and consider side-effects
  307. on anonymity against other kinds of adversaries. If the approach still looks
  308. promising, we should investigate ways for clients to implement it (or an
  309. approximation of it) without having to download routing tables for the whole
  310. Internet. \plan{Not in 2007 unless a graduate student wants to do it.}
  311. %\tmp{defenses against end-to-end correlation} We don't expect any to work
  312. %right now, but it would be useful to learn that one did. Alternatively,
  313. %proving that one didn't would free up researchers in the field to go work on
  314. %other things.
  315. %
  316. % See above; I think I got this.
  317. We should research the efficacy of {\bf website fingerprinting} attacks,
  318. wherein an adversary tries to match the distinctive traffic and timing
  319. pattern of the resources constituting a given website to the traffic pattern
  320. of a user's client. These attacks work great in simulations, but in
  321. practice we hear they don't work nearly as well. We should get some actual
  322. numbers to investigate the issue, and figure out what's going on. If we
  323. resist these attacks, or can improve our design to resist them, we should.
  324. % add cites
  325. \plan{Possibly part of end-to-end correlation paper. Otherwise, not in 2007
  326. unless a graduate student is interested.}
  327. \subsection{Implementation security}
  328. Right now, each Tor node stores its keys unencrypted. We should {\bf encrypt
  329. more Tor keys} so that Tor authorities can require a startup password. We
  330. should look into adding intermediary medium-term ``signing keys'' between
  331. identity keys and onion keys, so that a password could be required to replace
  332. a signing key, but not to start Tor. This would improve Tor's long-term
  333. security, especially in its directory authority infrastructure.\plan{Design this
  334. as a part of the revised ``v2.1'' directory protocol; implement it in
  335. 2007. 3-4 weeks.}
  336. We should also {\bf mark RAM that holds key material as non-swappable} so
  337. that there is no risk of recovering key material from a hard disk
  338. compromise. This would require submitting patches upstream to OpenSSL, where
  339. support for marking memory as sensitive is currently in a very preliminary
  340. state.\plan{Nice to do, but not in immediate Tor scope.}
  341. There are numerous tools for identifying trouble spots in code (such as
  342. Coverity or even VS2005's code analysis tool) and we should convince somebody
  343. to run some of them against the Tor codebase. Ideally, we could figure out a
  344. way to get our code checked periodically rather than just once.\plan{Almost
  345. no time once we talk somebody into it.}
  346. We should try {\bf protocol fuzzing} to identify errors in our
  347. implementation.\plan{Not in 2007 unless we find a grad student or
  348. undergraduate who wants to try.}
  349. Our guard nodes help prevent an attacker from being able to become a chosen
  350. client's entry point by having each client choose a few favorite entry points
  351. as ``guards'' and stick to them. We should implement a {\bf directory
  352. guards} feature to keep adversaries from enumerating Tor users by acting as
  353. a directory cache.\plan{Do in 2007; 2 weeks.}
  354. \subsection{Detect corrupt exits and other servers}
  355. With the success of our network, we've attracted servers in many locations,
  356. operated by many kinds of people. Unfortunately, some of these locations
  357. have compromised or defective networks, and some of these people are
  358. untrustworthy or incompetent. Our current design relies on authority
  359. administrators to identify bad nodes and mark them as nonfunctioning. We
  360. should {\bf automate the process of identifying malfunctioning nodes} as
  361. follows:
  362. We should create a generic {\bf feedback mechanism for add-on tools} like
  363. Mike Perry's ``Snakes on a Tor'' to report failing nodes to authorities.
  364. \plan{Do in 2006; 1-2 weeks.}
  365. We should write tools to {\bf detect more kinds of innocent node failure},
  366. such as nodes whose network providers intercept SSL, nodes whose network
  367. providers censor popular websites, and so on. We should also try to detect
  368. {\bf routers that snoop traffic}; we could do this by launching connections
  369. to throwaway accounts, and seeing which accounts get used.\plan{Do in 2007;
  370. ask Mike Perry if he's interested. 4-6 weeks.}
  371. We should add {\bf an efficient way for authorities to mark a set of servers
  372. as probably collaborating} though not necessarily otherwise dishonest.
  373. This happens when an administrator starts multiple routers, but doesn't mark
  374. them as belonging to the same family.\plan{Do during v2.1 directory protocol
  375. redesign; 1-2 weeks to implement.}
  376. To avoid attacks where an adversary claims good performance in order to
  377. attract traffic, we should {\bf have authorities measure node performance}
  378. (including stability and bandwidth) themselves, and not simply believe what
  379. they're told. Measuring stability can be done by tracking MTBF. Measuring
  380. bandwidth can be tricky, since it's hard to distinguish between a server with
  381. low capacity, and a high-capacity server with most of its capacity in
  382. use.\plan{Do ``Stable'' in 2007; 2-3 weeks. ``Fast'' will be harder; do it
  383. if we can interest a grad student.}
  384. {\bf Operating a directory authority should be easier.} We rely on authority
  385. operators to keep the network running well, but right now their job involves
  386. too much busywork and administrative overhead. A better interface for them
  387. to use could free their time to work on exception cases rather than on
  388. adding named nodes to the network.\plan{Do in 2007; 4-5 weeks.}
  389. \subsection{Protocol security}
  390. In addition to other protocol changes discussed above,
  391. % And should we move some of them down here? -NM
  392. we should add {\bf hooks for denial-of-service resistance}; we have some
  393. preliminary designs, but we shouldn't postpone them until we really need them.
  394. If somebody tries a DDoS attack against the Tor network, we won't want to
  395. wait for all the servers and clients to upgrade to a new
  396. version.\plan{Research project; do this in 2007 if funded.}
  397. \section{Development infrastructure}
  398. \subsection{Build farm}
  399. We've begun to deploy a cross-platform distributed build farm of hosts
  400. that build and test the Tor source every time it changes in our development
  401. repository.
  402. We need to {\bf get more participants}, so that we can test a larger variety
  403. of platforms. (Previously, we've only found out when our code had broken on
  404. obscure platforms when somebody got around to building it.)
  405. We need also to {\bf add our dependencies} to the build farm, so that we can
  406. ensure that libraries we need (especially libevent) do not stop working on
  407. any important platform between one release and the next.
  408. \plan{This is ongoing as more buildbots arrive.}
  409. \subsection{Improved testing harness}
  410. Currently, our {\bf unit tests} cover only about 20\% of the code base. This
  411. is uncomfortably low; we should write more and switch to a more flexible
  412. testing framework.\plan{Ongoing basis, time permitting.}
  413. We should also write flexible {\bf automated single-host deployment tests} so
  414. we can more easily verify that the current codebase works with the
  415. network.\plan{Worthwhile in 2007; would save lots of time. 2-4 weeks.}
  416. We should build automated {\bf stress testing} frameworks so we can see which
  417. realistic loads cause Tor to perform badly, and regularly profile Tor against
  418. these loads. This would give us {\it in vitro} performance values to
  419. supplement our deployment experience.\plan{Worthwhile in 2007; 2-6 weeks.}
  420. We should improve our memory profiling code.\plan{...}
  421. \subsection{Centralized build system}
  422. We currently rely on a separate packager to maintain the packaging system and
  423. to build Tor on each platform for which we distribute binaries. Separate
  424. package maintainers is sensible, but separate package builders has meant
  425. long turnaround times between source releases and package releases. We
  426. should create the necessary infrastructure for us to produce binaries for all
  427. major packages within an hour or so of source release.\plan{We should
  428. brainstorm this at least in 2007.}
  429. \subsection{Improved metrics}
  430. We need a way to {\bf measure the network's health, capacity, and degree of
  431. utilization}. Our current means for doing this are ad hoc and not
  432. completely accurate
  433. We need better ways to {\bf tell which countries are users are coming from,
  434. and how many there are}. A good perspective of the network helps us
  435. allocate resources and identify trouble spots, but our current approaches
  436. will work less and less well as we make it harder for adversaries to
  437. enumerate users. We'll probably want to shift to a smarter, statistical
  438. approach rather than our current ``count and extrapolate'' method.
  439. \plan{All of this in 2007 if funded; 4-8 weeks}
  440. % \tmp{We'd like to know how much of the network is getting used.}
  441. % I think this is covered above -NM
  442. \subsection{Controller library}
  443. We've done lots of design and development on our controller interface, which
  444. allows UI applications and other tools to interact with Tor. We could
  445. encourage the development of more such tools by releasing a {\bf
  446. general-purpose controller library}, ideally with API support for several
  447. popular programming languages.\plan{2006 or 2007; 1-2 weeks.}
  448. \section{User experience}
  449. \subsection{Get blocked less, get blocked less broadly}
  450. Right now, some services block connections from the Tor network because
  451. they don't have a better
  452. way to keep vandals from abusing them than blocking IP addresses associated
  453. with vandalism. Our approach so far has been to educate them about better
  454. solutions that currently exist, but we should also {\bf create better
  455. solutions for limiting vandalism by anonymous users} like credential and
  456. blind-signature based implementations, and encourage their use. Other
  457. promising starting points including writing a patch and explanation for
  458. Wikipedia, and helping Freenode to document, maintain, and expand its
  459. current Tor-friendly position.\plan{Do a writeup here in 2007; 1-2 weeks.}
  460. Those who do block Tor users also block overbroadly, sometimes blacklisting
  461. operators of Tor servers that do not permit exit to their services. We could
  462. obviate innocent reasons for doing so by designing a {\bf narrowly-targeted Tor
  463. RBL service} so that those who wanted to overblock Tor could no longer
  464. plead incompetence.\plan{Possibly in 2007 if we decide it's a good idea; 3
  465. weeks.}
  466. \subsection{All-in-one bundle}
  467. We need a well-tested, well-documented bundle of Tor and supporting
  468. applications configured to use it correctly. We have an initial
  469. implementation well under way, but it will need additional work in
  470. identifying requisite Firefox extensions, identifying security threats,
  471. improving user experience, and so on. This will need significantly more work
  472. before it's ready for a general public release.
  473. \subsection{LiveCD Tor}
  474. We need a nice bootable livecd containing a minimal OS and a few applications
  475. configured to use it correctly. The Anonym.OS project demonstrated that this
  476. is quite feasible, but their project is not currently maintained.
  477. \subsection{A Tor client in a VM}
  478. \tmp{a.k.a JanusVM} which is quite related to the firewall-level deployment
  479. section below. JanusVM is a Linux kernel running in VMWare. It gets an IP
  480. address from the network, and serves as a DHCP server for its host Windows
  481. machine. It intercepts all outgoing traffic and redirects it into Privoxy,
  482. Tor, etc. This Linux-in-Windows approach may help us with scalability in
  483. the short term, and it may also be a good long-term solution rather than
  484. accepting all security risks in Windows.
  485. %\subsection{Interface improvements}
  486. %\tmp{Allow controllers to manipulate server status.}
  487. % (Why is this in the User Experience section?) -RD
  488. % I think it's better left to a generic ``make controller iface better'' item.
  489. \subsection{Firewall-level deployment}
  490. Another useful deployment mode for some users is using {\bf Tor in a firewall
  491. configuration}, and directing all their traffic through Tor. This can be a
  492. little tricky to set up currently, but it's an effective way to make sure no
  493. traffic leaves the host un-anonymized. To achieve this, we need to {\bf
  494. improve and port our new TransPort} feature which allows Tor to be used
  495. without SOCKS support; to {\bf add an anonymizing DNS proxy} feature to Tor;
  496. and to {\bf construct a recommended set of firewall configurations} to redirect
  497. traffic to Tor.
  498. This is an area where {\bf deployment via a livecd}, or an installation
  499. targeted at specialized home routing hardware, could be useful.
  500. \subsection{Assess software and configurations for anonymity risks}
  501. Right now, users and packagers are more or less on their own when selecting
  502. Firefox extensions. We should {\bf assemble a recommended list of browser
  503. extensions} through experiment, and include this in the application bundles
  504. we distribute.
  505. We should also describe {\bf best practices for using Tor with each class of
  506. application}. For example, Ethan Zuckerman has written a detailed
  507. tutorial on how to use Tor, Firefox, GMail, and Wordpress to blog with
  508. improved safety. There are many other cases on the Internet where anonymity
  509. would be helpful, and there are a lot of ways to screw up using Tor.
  510. The Foxtor and Torbutton extensions serve similar purposes; we should pick a
  511. favorite, and merge in the useful features of the other.
  512. %\tmp{clean up our own bundled software:
  513. %E.g. Merge the good features of Foxtor into Torbutton}
  514. %
  515. % What else did you have in mind? -NM
  516. \subsection{Localization}
  517. Right now, most of our user-facing code is internationalized. We need to
  518. internationalize the last few hold-outs (like the Tor expert installer), and get
  519. more translations for the parts that are already internationalized.
  520. Also, we should look into a {\bf unified translator's solution}. Currently,
  521. since different tools have been internationalized using the
  522. framework-appropriate method, different tools require translators to localize
  523. them via different interfaces. Inasmuch as possible, we should make
  524. translators only need to use a single tool to translate the whole Tor suite.
  525. \section{Support}
  526. It would be nice to set up some {\bf user support infrastructure} and
  527. {\bf contributor support infrastructure}, especially focusing on server
  528. operators and on coordinating volunteers.
  529. This includes intuitive and easy ticket systems for bug reports and
  530. feature suggestions (not just mailing lists with a half dozen people
  531. and no clear roles for who answers what), but it also includes a more
  532. personalized and efficient framework for interaction so we keep the
  533. attention and interest of the contributors, and so we make them feel
  534. helpful and wanted.
  535. \section{Documentation}
  536. \subsection{Unified documentation scheme}
  537. We need to {\bf inventory our documentation.} Our documentation so far has
  538. been mostly produced on an {\it ad hoc} basis, in response to particular
  539. needs and requests. We should figure out what documentation we have, which of
  540. it (if any) should get priority, and whether we can't put it all into a
  541. single format.
  542. We could {\bf unify the docs} into a single book-like thing. This will also
  543. help us identify what sections of the ``book'' are missing.
  544. \subsection{Missing technical documentation}
  545. We should {\bf revise our design paper} to reflect the new decisions and
  546. research we've made since it was published in 2004. This will help other
  547. researchers evaluate and suggest improvements to Tor's current design.
  548. Other projects sometimes implement the client side of our protocol. We
  549. encourage this, but we should write {\bf a document about how to avoid
  550. excessive resource use}, so we don't need to worry that they will do so
  551. without regard to the effect of their choices on server resources.
  552. \subsection{Missing user documentation}
  553. Our documentation falls into two broad categories: some is `discoursive' and
  554. explains in detail why users should take certain actions, and other
  555. documentation is `comprehensive' and describes all of Tor's features. Right
  556. now, we have no document that is both deep, readable, and thorough. We
  557. should correct this by identifying missing spots in our design.
  558. \bibliographystyle{plain} \bibliography{tor-design}
  559. \end{document}