123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517 |
- $Id$
- Legend:
- SPEC!! - Not specified
- SPEC - Spec not finalized
- N - nick claims
- R - arma claims
- P - phobos claims
- - Not done
- * Top priority
- . Partially done
- o Done
- d Deferrable
- D Deferred
- X Abandoned
- X <nickm> "Let's try to find a way to make it run and make the version
- match, but if not, let's just make it run."
- X <arma> "should we detect if we have a --with-ssl-dir and try the -R
- by default, if it works?"
- Items for 0.1.2.x, real soon now:
- ? - Bug: combination of things:
- When we've been idle a long time, we stop fetching server
- descriptors. When we then get a socks request, we build circuits
- immediately using whatever descriptors we have, rather than waiting
- until we've fetched correct ones.
- N - Test guard unreachable logic; make sure that we actually attempt to
- connect to guards that we think are unreachable from time to time.
- Make sure that we don't freak out when the network is down.
- o Stop recommending exits as guards?
- look at the overall fraction of exits in the network. if the
- fraction is too small, none of them get to be guards.
- R - Reconstruct ChangeLog; put rolled-up info in ReleaseNotes or something.
- Items for 0.1.2.x:
- - enumerate events of important things that occur in tor, so vidalia can
- react.
- o Backend implementation
- R - Actually list all the events (notice and warn log messages are a good
- place to look.) Divide messages into categories, perhaps.
- R - Specify general event system
- R - Specify actual events.
- R - and implement the rest
- . Have (and document) a BEGIN_DIR relay cell that means "Connect to your
- directory port."
- o Specify
- o Implement
- o Use for something, so we can be sure it works.
- o Test and debug
- R - turn the received socks addr:port into a digest for setting .exit
- - be able to connect without having a server descriptor, to bootstrap.
- R - handle connect-dir streams that don't have a chosen_exit_name set.
- o include ORPort in DirServers lines so we can know where to connect.
- list the orport as 0 if it can't handle begin_dir.
- o List versions in status page
- o A new line in the status entry. "Tor 0.1.2.2-alpha". If it's
- a version, treat it like one. If it's something else, assume
- it's at least 0.1.2.x.
- D maybe we could have it be a new 'v' line in the status, with
- key=value syntax. so we could have a 'tor' version, but we
- could also have a 'conn' version, a 'dir' version, etc down
- the road. and one day maybe the 'tor' key would be deprecated.
- o Give the right answer for X-Your-Address-Is on tunneled directory
- connections.
- o Document .noconnect addresses...
- A new file 'address-spec.txt' that describes .exit, .onion,
- .noconnect, etc?
- - Servers are easy to setup and run: being a relay is about as easy as
- being a client.
- . Reduce resource load
- o A way to alert controller when router flags change.
- o Specify: SETEVENTS NS
- o Implement
- R - Hunt for places that change networkstatus info that I might have
- missed.
- R . option to dl directory info via tor
- o Make an option like __AllDirActionsPrivate that falls back to
- non-Tor DL when not enough info present. (TunnelDirConns).
- - Set default to 0 before release candidate.
- - Think harder about whether TunnelDirConns should be on
- by default.
- - Handle case where we have no descriptors and so don't know who can
- handle BEGIN_DIR.
- N - DNS improvements
- o Don't ask reject *:* nodes for DNS unless client wants you to.
- . Asynchronous DNS
- - Make evdns use windows strerror equivalents.
- - Make sure patches get into libevent.
- - Verify that it works well on windows
- o Make reverse DNS work.
- o Add client-side interface
- o SOCKS interface: specify
- o SOCKS interface: implement
- o Cache answers client-side
- o Add to Tor-resolve.py
- o Add to tor-resolve
- D Be a DNS proxy.
- o Check for invalid characters in hostnames before trying to resolve
- them. (This will help catch attempts do to mean things to our DNS
- server, and bad software that tries to do DNS lookups on whole URLs.)
- o address_is_invalid_destination() is the right thing to call here
- (and feel free to make that function smarter)
- o add a config option to turn it off.
- o and a man page for that option
- o Bug 364: notice when all the DNS requests we get back (including a few
- well-known sites) are all going to the same place.
- o Bug 363: Warn and die if we can't find a nameserver and we're running a
- server; don't fall back to 127.0.0.1.
- o Re-check dns when we change IP addresses, rather than every 12 hours
- o Bug 326: Give fewer error messages from nameservers.
- o Only warn when _all_ nameservers are down; otherwise info.
- D Increase timeout; what's industry standard?
- D Alternatively, raise timeout when nameserver dies but comes back
- quickly?
- o Don't believe that our sole nameserver is dead? or, not until more
- failures than it would take to think one of several nameservers was
- dead?
- X Possibly, don't warn until second retry of a nameserver gets no
- answer?
- X warn if all of your nameservers go down and stay down for like
- 5 minutes.
- R o Take out the '5 second' timeout from the socks detach schedule.
- - Performance improvements
- - Critical but minor bugs, backport candidates.
- - support dir 503s better
- o clients don't log as loudly when they receive them
- o they don't count toward the 3-strikes rule
- D But eventually, we give up after getting a lot of 503s.
- N - Delay when we get a lot of 503s, rather than punting onto the
- servers that have given us 503s?
- o split "router is down" from "dirport shouldn't be tried for a while"?
- We want a field to hold "when did we last get a 503 from this
- directory server." Probably, it should go in local_routerstatus_t,
- not in routerinfo_t, since we can try to use servers as directories
- before we have their descriptors. Possibly, it should also go in
- trusted_dir_server_t.
- o Add a last_dir_503_at field.
- o Have it get updated correctly.
- o Prefer to use directories that haven't given us a 503 for the last
- 60 minutes.
- - authorities should *never* 503 a cache, and should never 503
- network status requests. They can 503 client descriptor requests
- when they feel like it.
- - update dir-spec with what we decided for each of these
- o Have a mode that doesn't write to disk much, so we can run Tor on
- flash memory (e.g. Linksys routers or USB keys).
- o Add AvoidDiskWrites config option.
- o only write state file when it's "changed"
- o crank up the numbers if avoiddiskwrites is on.
- D some things may not want to get written at all.
- o stop writing fingerprint every restart
- D more?
- NR. Write path-spec.txt
- - Packaging
- - Tell people about OSX Uninstaller
- - Quietly document NT Service options
- - Switch canonical win32 compiler to mingw.
- NR D Get some kind of "meta signing key" to be used solely to sign
- releases/to certify releases when signed by the right people/
- to certify sign the right people's keys? Also use this to cert the SSL
- key, etc.
- - If we haven't replaced privoxy, lock down its configuration in all
- packages, as documented in tor-doc-unix.html
- o script to look at config.c, torrc.sample, tor.1.in, to tell us
- what's missing in which and notice which descriptions are missing.
- - Docs
- - More prominently, we should have a recommended apps list.
- - recommend gaim.
- - unrecommend IE because of ftp:// bug.
- - torrc.complete.in needs attention?
- - we should add a preamble to tor-design saying it's out of date.
- - Document transport and natdport
- - Improvements to bandwidth counting
- R - look into "uncounting" bytes spent on local connections, so
- we can bandwidthrate but still have fast downloads.
- R - "bandwidth classes", for incoming vs initiated-here conns,
- and to give dir conns lower priority.
- . Write limiting; separate token bucket for write
- o preemptively give a 503 to some v1 dir requests
- - preemptively give a 503 to some v2 dir requests
- - per-conn write buckets
- - separate config options for read vs write limiting
- - Forward compatibility fixes
- o Stop requiring "opt" to ignore options in descriptors, networkstatuses,
- and so on.
- - Caches should start trying to cache consensus docs?
- - Start uploading short and long descriptors; authorities should support
- URLs to retrieve long descriptors, and should discard short descriptors
- for now. Later, once tools use the "long descriptor" URLs, authorities
- will serve the short descriptors every time they're asked for
- a descriptor.
- Topics to think about during 0.1.2.x development:
- * Figure out incentives.
- - (How can we make this tolerant of a bad v0?)
- * Figure out non-clique.
- * Figure out China.
- - Figure out partial network knowledge.
- - Figure out hidden services.
- - Design next-version protocol for directories
- - Design next-version protocol for connections
- For blocking-resistance scheme:
- o allow ordinary-looking ssl for dir connections. need a new dirport
- for this, or can we handle both ssl and non-ssl, or should we
- entirely switch to ssl in certain cases?
- D need to figure out how to fetch status of a few servers from the BDA
- without fetching all statuses. A new URL to fetch I presume?
- Deferred from 0.1.2.x:
- P - Figure out why dll's compiled in mingw don't work right in WinXP.
- P - Figure out why openssl 0.9.8d "make test" fails at sha256t test.
- - Directory guards
- - RAM use in directory authorities.
- - Memory use improvements:
- - Look into pulling serverdescs off buffers as they arrive.
- - Save and mmap v1 directories, and networkstatus docs; store them
- zipped, not uncompressed.
- - Switch cached_router_t to use mmap.
- - What to do about reference counts on windows? (On Unix, this is
- easy: unlink works fine. (Right?) On Windows, I have doubts. Do we
- need to keep multiple files?)
- - What do we do about the fact that people can't read zlib-
- compressed files manually?
- - Refactor DNS resolve implementation
- - Refactor exit side of resolve: do we need a connection_t?
- - Refactor entry side of resolve: do we need a connection_t?
- - If the client's clock is too far in the past, it will drop (or
- just not try to get) descriptors, so it'll never build circuits.
- - Tolerate clock skew on bridge relays.
- - A more efficient dir protocol.
- - Authorities should fetch the network-statuses amongst each
- other, consensus them, and advertise a communal network-status.
- This is not so much for safety/complexity as it is to reduce
- bandwidth requirements for Alice.
- - How does this interact with our goal of being able to choose
- your own dir authorities? I guess we're now assuming that all
- dir authorities know all the other authorities in their "group"?
- - Should we also look into a "delta since last network-status
- checkpoint" scheme, to reduce overhead further?
- - Extend the "r" line in network-status to give a set of buckets (say,
- comma-separated) for that router.
- - Buckets are deterministic based on IP address.
- - Then clients can choose a bucket (or set of buckets) to
- download and use.
- - Improvements to versioning.
- - When we connect to a Tor server, it sends back a cell listing
- the IP it believes it is using. Use this to block dvorak's attack.
- Also, this is a fine time to say what time you think it is.
- o Verify that a new cell type is okay with deployed codebase
- . Specify HELLO cells
- . Figure out v0 compatibility.
- - Implement
- - Eventdns improvements
- - Have a way to query for AAAA and A records simultaneously.
- - Improve request API: At the very least, add the ability to construct
- a more-or-less arbitrary request and get a response.
- - (Can we suppress cnames? Should we?)
- - Now that we're avoiding exits when picking non-exit positions,
- we need to consider how to pick nodes for internal circuits. If
- we avoid exits for all positions, we skew the load balancing. If
- we accept exits for all positions, we leak whether it's an internal
- circuit at every step. If we accept exits only at the last hop, we
- reintroduce Lasse's attacks from the Oakland paper.
- - We should ship with a list of stable dir mirrors -- they're not
- trusted like the authorities, but they'll provide more robustness
- and diversity for bootstrapping clients.
- - Simplify authority operation
- - Follow weasel's proposal, crossed with mixminion dir config format
- - A way to adjust router flags from the controller.
- (How do we prevent the authority from clobbering them soon after?)
- - a way to pick entry guards based wholly on extend_info equivalent;
- a way to export extend_info equivalent.
- o Count TLS bandwidth more accurately
- - Better estimates in the directory of whether servers have good uptime
- (high expected time to failure) or good guard qualities (high
- fractional uptime).
- - AKA Track uptime as %-of-time-up, as well as time-since-last-down
- - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8?
- - spec
- - implement
- - Failed rend desc fetches sometimes don't get retried. True/false?
- - Windows server usability
- - Solve the ENOBUFS problem.
- - make tor's use of openssl operate on buffers rather than sockets,
- so we can make use of libevent's buffer paradigm once it has one.
- - make tor's use of libevent tolerate either the socket or the
- buffer paradigm; includes unifying the functions in connect.c.
- - We need a getrlimit equivalent on Windows so we can reserve some
- file descriptors for saving files, etc. Otherwise we'll trigger
- asserts when we're out of file descriptors and crash.
- M - rewrite how libevent does select() on win32 so it's not so very slow.
- - Add overlapped IO
- - Add an option (related to AvoidDiskWrites) to disable directory caching.
- Minor items for 0.1.2.x as time permits:
- R - add d64 and fp64 along-side d and fp so people can paste status
- entries into a url. since + is a valid base64 char, only allow one
- at a time. spec and then do.
- D don't do dns hijacking tests if we're reject *:* exit policy?
- (deferred until 0.1.1.x is less common)
- - When we export something from foo.c file for testing purposes only,
- make a foo_test.h file for test.c to include.
- - The Debian package now uses --verify-config when (re)starting,
- to distinguish configuration errors from other errors. Perhaps
- the RPM and other startup scripts should too?
- - add a "default.action" file to the tor/vidalia bundle so we can fix the
- https thing in the default configuration:
- http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort
- o even if your torrc lists yourself in your myfamily line, don't list it in
- the descriptor.
- . Flesh out options_description array in src/or/config.c
- - Don't let 'newnym' be triggered more often than every n seconds.
- o change log_fn() to log() on notice/warn/err logs where we can.
- X If we try to publish as a nickname that's already claimed, should
- we append a number (or increment the number) and try again? This
- way people who read their logs can fix it as before, but people
- who don't read their logs will still offer Tor servers.
- - Fall back to unnamed; warn user; send controller event. ("When we
- notice a 'Rejected: There is already a named server with this nickname'
- message... or maybe instead when we see in the networkstatuses that
- somebody else is Named with the name we want: warn the user, send a
- STATUS_SERVER message, and fall back to unnamed.")
- ! - Tor should bind its ports before dropping privs, so users don't
- have to do the ipchains dance.
- - Rate limit exit connections to a given destination -- this helps
- us play nice with websites when Tor users want to crawl them; it
- also introduces DoS opportunities.
- o The bw_accounting file should get merged into the state file.
- - Streamline how we pick entry nodes: Make choose_random_entry() have
- less magic and less control logic.
- - Christian Grothoff's attack of infinite-length circuit.
- the solution is to have a separate 'extend-data' cell type
- which is used for the first N data cells, and only
- extend-data cells can be extend requests.
- - Specify, including thought about anonymity implications.
- - Display the reasons in 'destroy' and 'truncated' cells under some
- circumstances?
- - We need a way for the authorities to declare that nodes are
- in a family. Also, it kinda sucks that family declarations use O(N^2)
- space in the descriptors.
- - If the server is spewing complaints about raising your ulimit -n,
- we should add a note about this to the server descriptor so other
- people can notice too.
- - cpu fixes:
- - see if we should make use of truncate to retry
- X kill dns workers more slowly
- . Directory changes
- . Some back-out mechanism for auto-approval
- - a way of rolling back approvals to before a timestamp
- - Consider minion-like fingerprint file/log combination.
- - packaging and ui stuff:
- . multiple sample torrc files
- . figure out how to make nt service stuff work?
- . Document it.
- - Vet all pending installer patches
- - Win32 installer plus privoxy, sockscap/freecap, etc.
- - Vet win32 systray helper code
- - Improve controller
- - a NEWSTATUS event similar to NEWDESC.
- - change circuit status events to give more details, like purpose,
- whether they're internal, when they become dirty, when they become
- too dirty for further circuits, etc.
- - What do we want here, exactly?
- - Specify and implement it.
- - Change stream status events analogously.
- - What do we want here, exactly?
- - Specify and implement it.
- - Make other events "better".
- - Change stream status events analogously.
- - What do we want here, exactly?
- - Specify and implement it.
- - Make other events "better" analogously
- - What do we want here, exactly?
- - Specify and implement it.
- . Expose more information via getinfo:
- - import and export rendezvous descriptors
- - Review all static fields for additional candidates
- - Allow EXTENDCIRCUIT to unknown server.
- - We need some way to adjust server status, and to tell tor not to
- download directories/network-status, and a way to force a download.
- - Make everything work with hidden services
- - Directory system improvements
- - config option to publish what ports you listen on, beyond
- ORPort/DirPort. It should support ranges and bit prefixes (?) too.
- - Parse this.
- - Relay this in networkstatus.
- - Be a DNS proxy.
- - Need a way to request address lookups (and allocate a stream ID for
- them) without having a corresponding client socket.
- - Once this is done, it would be nice to have a way to request address
- lookups from the controller without using SOCKS.
- Future version:
- - Configuration format really wants sections.
- - Good RBL substitute.
- - Authorities should try using exits for http to connect to some URLS
- (specified in a configuration file, so as not to make the List Of Things
- Not To Censor completely obvious) and ask them for results. Exits that
- don't give good answers should have the BadExit flag set.
- - Our current approach to block attempts to use Tor as a single-hop proxy
- is pretty lame; we should get a better one.
- . Update the hidden service stuff for the new dir approach.
- - switch to an ascii format, maybe sexpr?
- - authdirservers publish blobs of them.
- - other authdirservers fetch these blobs.
- - hidserv people have the option of not uploading their blobs.
- - you can insert a blob via the controller.
- - and there's some amount of backwards compatibility.
- - teach clients, intro points, and hidservs about auth mechanisms.
- - come up with a few more auth mechanisms.
- - auth mechanisms to let hidden service midpoint and responder filter
- connection requests.
- - Bind to random port when making outgoing connections to Tor servers,
- to reduce remote sniping attacks.
- - Have new people be in limbo and need to demonstrate usefulness
- before we approve them.
- - Clients should estimate their skew as median of skew from servers
- over last N seconds.
- - Make router_is_general_exit() a bit smarter once we're sure what it's for.
- - Audit everything to make sure rend and intro points are just as likely to
- be us as not.
- - Do something to prevent spurious EXTEND cells from making middleman
- nodes connect all over. Rate-limit failed connections, perhaps?
- - Automatically determine what ports are reachable and start using
- those, if circuits aren't working and it's a pattern we recognize
- ("port 443 worked once and port 9001 keeps not working").
- - Limit to 2 dir, 2 OR, N SOCKS connections per IP.
- - Handle full buffers without totally borking
- - Rate-limit OR and directory connections overall and per-IP and
- maybe per subnet.
- - Hold-open-until-flushed now works by accident; it should work by
- design.
- - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
- - Specify?
- - tor-resolve script should use socks5 to get better error messages.
- - hidserv offerers shouldn't need to define a SocksPort
- * figure out what breaks for this, and do it.
- - tor should be able to have a pool of outgoing IP addresses
- that it is able to rotate through. (maybe)
- - Specify; implement.
- - let each hidden service (or other thing) specify its own
- OutboundBindAddress?
- - Stop using tor_socketpair to make connection bridges: do an
- implementation that uses buffers only.
- Blue-sky:
- - Patch privoxy and socks protocol to pass strings to the browser.
- - Standby/hotswap/redundant hidden services.
- - Robust decentralized storage for hidden service descriptors.
- - The "China problem"
- - Allow small cells and large cells on the same network?
- - Cell buffering and resending. This will allow us to handle broken
- circuits as long as the endpoints don't break, plus will allow
- connection (tls session key) rotation.
- - Implement Morphmix, so we can compare its behavior, complexity, etc.
- - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
- link crypto, unless we can bully openssl into it.
- - Need a relay teardown cell, separate from one-way ends.
- (Pending a user who needs this)
- - Handle half-open connections: right now we don't support all TCP
- streams, at least according to the protocol. But we handle all that
- we've seen in the wild.
- (Pending a user who needs this)
- Non-Coding:
- - Mark up spec; note unclear points about servers
- - Mention controller libs someplace.
- . more pictures from ren. he wants to describe the tor handshake
- NR- write a spec appendix for 'being nice with tor'
- - tor-in-the-media page
- - Remove need for HACKING file.
- - Figure out licenses for website material.
- - Specify the keys and key rotation schedules and stuff
- Website:
- - and remove home and make the "Tor" picture be the link to home.
- - put the logo on the website, in source form, so people can put it on
- stickers directly, etc.
- R - make a page with the hidden service diagrams.
- - ask Jan to be the translation coordinator? add to volunteer page.
- - add a page for localizing all tor's components.
|