123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451 |
- $Id$
- Legend:
- SPEC!! - Not specified
- SPEC - Spec not finalized
- N - nick claims
- R - arma claims
- P - phobos claims
- - Not done
- * Top priority
- . Partially done
- o Done
- D Deferred
- X Abandoned
- . <nickm> "Let's try to find a way to make it run and make the version
- match, but if not, let's just make it run."
- - <arma> "should we detect if we have a --with-ssl-dir and try the -R
- by default, if it works?"
- Items for 0.1.2.x, real soon now:
- x - When we've been idle a long time, we stop fetching server
- descriptors. When we then get a socks request, we build circuits
- immediately using whatever descriptors we have, rather than waiting
- until we've fetched correct ones.
- x - If the client's clock is too far in the past, it will drop (or
- just not try to get) descriptors, so it'll never build circuits.
- N - Bug 326: make eventdns thrash less.
- N - Test guard unreachable logic; make sure that we actually attempt to
- connect to guards that we think are unreachable from time to time.
- Make sure that we don't freak out when the network is down.
- N - Stop recommending exits as guards?
- N - Clients stop dumping old descriptors if the network-statuses
- claim they're still valid.
- P - Figure out why dll's compiled in mingw don't work right in WinXP.
- P - Figure out why openssl 0.9.8d "make test" fails at sha256t test.
- Items for 0.1.2.x:
- - Now that we're avoiding exits when picking non-exit positions,
- we need to consider how to pick nodes for internal circuits. If
- we avoid exits for all positions, we skew the load balancing. If
- we accept exits for all positions, we leak whether it's an internal
- circuit at every step. If we accept exits only at the last hop, we
- reintroduce Lasse's attacks from the Oakland paper.
- - enumerate events of important things that occur in tor, so vidalia can
- react.
- N - Backend implementation
- R - Actually list all the events (notice and warn log messages are a good
- place to look.) Divide messages into categories, perhaps.
- N - Specify general event system
- R - Specify actual events.
- N . Have (and document) a BEGIN_DIR relay cell that means "Connect to your
- directory port."
- o Specify
- o Implement
- - Use for something, so we can be sure it works.
- - Test and debug
- N - Send back RELAY_END cells on malformed RELAY_BEGIN.
- N - Change the circuit end reason display a little for reasons from
- destroyed/truncated circuits. We want to indicate both that we're
- closing because somebody told us to, and why they told us they wanted to
- close.
- x - We should ship with a list of stable dir mirrors -- they're not
- trusted like the authorities, but they'll provide more robustness
- and diversity for bootstrapping clients.
- N - Simplify authority operation
- - Follow weasel's proposal, crossed with mixminion dir config format
- - Reject/invalidate by IP.
- - Servers are easy to setup and run: being a relay is about as easy as
- being a client.
- . Reduce resource load
- d - Tolerate clock skew on bridge relays.
- N - A way to examine router flags from controller.
- d - A way to adjust router flags from the controller
- d - a way to pick entries based wholly on extend_info equivalent;
- a way to export extend_info equivalent.
- R - option to dl directory info via tor
- - Make an option like __AllDirActionsPrivate that falls back to
- non-Tor DL when not enough info present.
- D Count TLS bandwidth more accurately
- - Improvements to bandwidth counting
- R - look into "uncounting" bytes spent on local connections, so
- we can bandwidthrate but still have fast downloads.
- R - "bandwidth classes", for incoming vs initiated-here conns.
- d - Write limiting; separate token bucket for write
- - Write-limit directory responses (need to research)
- N - DNS improvements
- o Option to deal with broken DNS of the "ggoogle.com? Ah, you meant
- ads.me.com!" variety.
- o Autodetect whether DNS is broken in this way.
- - Additional fix: allow clients to have some addresses that mean,
- notfound. Yes, this blacklists IPs for having ever been used by
- DNS hijackers.
- o Don't ask reject *:* nodes for DNS unless client wants you to.
- . Asynchronous DNS
- o Document and rename SearchDomains, ResolvConf options
- D Make API closer to getaddrinfo()
- - Teach it to be able to listen for A and PTR requests to be processed.
- Interface should be set_request_listener(sock, cb); [ cb(request) ]
- send_reply(request, answer);
- d - Add option to use /etc/hosts?
- d - Special-case localhost?
- - Verify that it works on windows
- . Make reverse DNS work.
- o Specify
- X Implement with dnsworkers
- (There's no point doing this, since we will throw away dnsworkers once
- eventdns is confirmed to work everywhere.)
- o Implement in eventdns
- o Connect to resolve cells, server-side.
- o Add element to routerinfo to note routers that aren't using eventdns,
- so we can avoid sending them reverse DNS etc.
- o Fix the bug with server-side caching, whatever is causing it.
- . Add client-side interface
- o SOCKS interface: specify
- o SOCKS interface: implement
- - Cache answers client-side
- o Add to Tor-resolve.py
- - Add to tor-resolve
- - Check for invalid characters in hostnames before trying to resolve
- them. (This will help catch attempts do to mean things to our DNS
- server, and bad software that tries to do DNS lookups on whole URLs.)
- - address_is_invalid_destination() is the right thing to call here
- (and feel free to make that function smarter)
- - Performance improvements
- x - Better estimates in the directory of whether servers have good uptime
- (high expected time to failure) or good guard qualities (high
- fractional uptime).
- - AKA Track uptime as %-of-time-up, as well as time-since-last-down
- - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8?
- x - spec
- d - implement
- o Changes towards a more efficient dir protocol.
- o Later, servers will stop generating new descriptors simply
- because 18 hours have passed: we must start tolerating this now.
- - Critical but minor bugs, backport candidates.
- d - Failed rend desc fetches sometimes don't get retried. True/false?
- R - support dir 503s better
- o clients don't log as loudly when they receive them
- - they don't count toward the 3-strikes rule
- - should there be some threshold of 503's after which we give up?
- - Delay when we get a lot of 503s.
- N - split "router is down" from "dirport shouldn't be tried for a while"?
- Just a separate bit.
- - authorities should *never* 503 a cache, but *should* 503 clients
- when they feel like it.
- - update dir-spec with what we decided for each of these
- o provide no-cache no-index headers from the dirport?
- o Specify
- o cacheing
- o Single network-statuses, single descriptors, "all", "authority",
- and v1 directory stuff are all cacheable for a short time.
- o Multiple network-statuses or descriptors are not cacheable.
- o Be sure to be correct wrt HTTP/1.0
- o indexing
- o robots.txt (oh, it was already there.)
- o Implement
- - Windows server usability
- - Solve the ENOBUFS problem.
- - make tor's use of openssl operate on buffers rather than sockets,
- so we can make use of libevent's buffer paradigm once it has one.
- - make tor's use of libevent tolerate either the socket or the
- buffer paradigm; includes unifying the functions in connect.c.
- - We need a getrlimit equivalent on Windows so we can reserve some
- file descriptors for saving files, etc. Otherwise we'll trigger
- asserts when we're out of file descriptors and crash.
- M - rewrite how libevent does select() on win32 so it's not so very slow.
- - Add overlapped IO
- Nd- Have a mode that doesn't write to disk much, so we can run Tor on
- flash memory (e.g. Linksys routers or USB keys).
- o Add AvoidDiskWrites config option.
- - only write state file when it's "changed"
- - stop writing identity key / fingerprint / etc every restart
- - stop caching directory stuff -- and disable mmap?
- - more?
- NR. Write path-spec.txt
- - Packaging
- - Tell people about OSX Uninstaller
- - Quietly document NT Service options
- - Switch canonical win32 compiler to mingw.
- NR - Get some kind of "meta signing key" to be used solely to sign
- releases/to certify releases when signed by the right people/
- to certify sign the right people's keys? Also use this to cert the SSL
- key, etc.
- - If we haven't replaced privoxy, lock down its configuration in all
- packages, as documented in tor-doc-unix.html
- - Docs
- - More prominently, we should have a recommended apps list.
- - recommend gaim.
- - unrecommend IE because of ftp:// bug.
- - torrc.complete.in needs attention?
- - we should add a preamble to tor-design saying it's out of date.
- Topics to think about during 0.1.2.x development:
- * Figure out incentives.
- - (How can we make this tolerant of a bad v0?)
- * Figure out non-clique.
- * Figure out China.
- - Figure out partial network knowledge.
- - Figure out hidden services.
- - Design next-version protocol for directories
- - Design next-version protocol for connections
- For blocking-resistance scheme:
- X allow ordinary-looking ssl for dir connections. need a new dirport
- for this, or can we handle both ssl and non-ssl, or should we
- entirely switch to ssl in certain cases?
- d - need to figure out how to fetch status of a few servers from the BDA
- without fetching all statuses. A new URL to fetch I presume?
- Deferred from 0.1.2.x:
- - Directory guards
- - RAM use in directory authorities.
- - Memory use improvements:
- - Look into pulling serverdescs off buffers as they arrive.
- - Save and mmap v1 directories, and networkstatus docs; store them
- zipped, not uncompressed.
- - Switch cached_router_t to use mmap.
- - What to do about reference counts on windows? (On Unix, this is
- easy: unlink works fine. (Right?) On Windows, I have doubts. Do we
- need to keep multiple files?)
- - What do we do about the fact that people can't read zlib-
- compressed files manually?
- - Add IPv6 support to eventdns.c
- - Refactor DNS resolve implementation
- - Refactor exit side of resolve: do we need a connection_t?
- - Refactor entry side of resolve: do we need a connection_t?
- - A more efficient dir protocol.
- - Authorities should fetch the network-statuses amongst each
- other, consensus them, and advertise a communal network-status.
- This is not so much for safety/complexity as it is to reduce
- bandwidth requirements for Alice.
- - How does this interact with our goal of being able to choose
- your own dir authorities? I guess we're now assuming that all
- dir authorities know all the other authorities in their "group"?
- - Should we also look into a "delta since last network-status
- checkpoint" scheme, to reduce overhead further?
- - Extend the "r" line in network-status to give a set of buckets (say,
- comma-separated) for that router.
- - Buckets are deterministic based on IP address.
- - Then clients can choose a bucket (or set of buckets) to
- download and use.
- - Improvements to versioning.
- - When we connect to a Tor server, it sends back a cell listing
- the IP it believes it is using. Use this to block dvorak's attack.
- Also, this is a fine time to say what time you think it is.
- o Verify that a new cell type is okay with deployed codebase
- . Specify HELLO cells
- . Figure out v0 compatibility.
- - Implement
- Minor items for 0.1.2.x as time permits:
- - The Debian package now uses --verify-config when (re)starting,
- to distinguish configuration errors from other errors. Perhaps
- the RPM and other startup scripts should too?
- - add a "default.action" file to the tor/vidalia bundle so we can fix the
- https thing in the default configuration:
- http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort
- - even if your torrc lists yourself in your myfamily line, don't list it in
- the descriptor.
- - Flesh out options_description array in src/or/config.c
- - Don't let 'newnym' be triggered more often than every n seconds.
- - change log_fn() to log() on notice/warn/err logs where we can.
- - the deb now uses --verify-config to distinguish between configuration
- errors and other errors. Should the rpm, the ports, etc do this too?
- X If we try to publish as a nickname that's already claimed, should
- we append a number (or increment the number) and try again? This
- way people who read their logs can fix it as before, but people
- who don't read their logs will still offer Tor servers.
- - Fall back to unnamed; warn user; sent controller event.
- ! - Tor should bind its ports before dropping privs, so users don't
- have to do the ipchains dance.
- - Rate limit exit connections to a given destination -- this helps
- us play nice with websites when Tor users want to crawl them; it
- also introduces DoS opportunities.
- ! - The bw_accounting file should get merged into the state file.
- - Streamline how we pick entry nodes.
- ! - Better installers and build processes.
- - Commit edmanm's win32 makefile to tor contrib, or write a new one.
- - Christian Grothoff's attack of infinite-length circuit.
- the solution is to have a separate 'extend-data' cell type
- which is used for the first N data cells, and only
- extend-data cells can be extend requests.
- - Specify, including thought about anonymity implications.
- - Display the reasons in 'destroy' and 'truncated' cells under some
- circumstances?
- - We need a way for the authorities to declare that nodes are
- in a family. Also, it kinda sucks that family declarations use O(N^2)
- space in the descriptors.
- - If the server is spewing complaints about raising your ulimit -n,
- we should add a note about this to the server descriptor so other
- people can notice too.
- - cpu fixes:
- - see if we should make use of truncate to retry
- X kill dns workers more slowly
- . Directory changes
- . Some back-out mechanism for auto-approval
- - a way of rolling back approvals to before a timestamp
- - Consider minion-like fingerprint file/log combination.
- - packaging and ui stuff:
- . multiple sample torrc files
- . figure out how to make nt service stuff work?
- . Document it.
- - Vet all pending installer patches
- - Win32 installer plus privoxy, sockscap/freecap, etc.
- - Vet win32 systray helper code
- - Improve controller
- - a NEWSTATUS event similar to NEWDESC.
- - change circuit status events to give more details, like purpose,
- whether they're internal, when they become dirty, when they become
- too dirty for further circuits, etc.
- - What do we want here, exactly?
- - Specify and implement it.
- - Change stream status events analogously.
- - What do we want here, exactly?
- - Specify and implement it.
- - Make other events "better".
- - Change stream status events analogously.
- - What do we want here, exactly?
- - Specify and implement it.
- - Make other events "better" analogously
- - What do we want here, exactly?
- - Specify and implement it.
- . Expose more information via getinfo:
- - import and export rendezvous descriptors
- - Review all static fields for additional candidates
- - Allow EXTENDCIRCUIT to unknown server.
- - We need some way to adjust server status, and to tell tor not to
- download directories/network-status, and a way to force a download.
- - It would be nice to request address lookups from the controller
- without using SOCKS.
- - Make everything work with hidden services
- - Directory system improvements
- - config option to publish what ports you listen on, beyond
- ORPort/DirPort. It should support ranges and bit prefixes (?) too.
- - Parse this.
- - Relay this in networkstatus.
- Future version:
- - Configuration format really wants sections.
- - Good RBL substitute.
- - Authorities should try using exits for http to connect to some URLS
- (specified in a configuration file, so as not to make the List Of Things
- Not To Censor completely obvious) and ask them for results. Exits that
- don't give good answers should have the BadExit flag set.
- - Our current approach to block attempts to use Tor as a single-hop proxy
- is pretty lame; we should get a better one.
- . Update the hidden service stuff for the new dir approach.
- - switch to an ascii format, maybe sexpr?
- - authdirservers publish blobs of them.
- - other authdirservers fetch these blobs.
- - hidserv people have the option of not uploading their blobs.
- - you can insert a blob via the controller.
- - and there's some amount of backwards compatibility.
- - teach clients, intro points, and hidservs about auth mechanisms.
- - come up with a few more auth mechanisms.
- - auth mechanisms to let hidden service midpoint and responder filter
- connection requests.
- - Bind to random port when making outgoing connections to Tor servers,
- to reduce remote sniping attacks.
- - Have new people be in limbo and need to demonstrate usefulness
- before we approve them.
- - Clients should estimate their skew as median of skew from servers
- over last N seconds.
- - Make router_is_general_exit() a bit smarter once we're sure what it's for.
- - Audit everything to make sure rend and intro points are just as likely to
- be us as not.
- - Do something to prevent spurious EXTEND cells from making middleman
- nodes connect all over. Rate-limit failed connections, perhaps?
- - Automatically determine what ports are reachable and start using
- those, if circuits aren't working and it's a pattern we recognize
- ("port 443 worked once and port 9001 keeps not working").
- - Limit to 2 dir, 2 OR, N SOCKS connections per IP.
- - Handle full buffers without totally borking
- - Rate-limit OR and directory connections overall and per-IP and
- maybe per subnet.
- - Hold-open-until-flushed now works by accident; it should work by
- design.
- - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
- - Specify?
- - tor-resolve script should use socks5 to get better error messages.
- - hidserv offerers shouldn't need to define a SocksPort
- * figure out what breaks for this, and do it.
- - tor should be able to have a pool of outgoing IP addresses
- that it is able to rotate through. (maybe)
- - Specify; implement.
- - let each hidden service (or other thing) specify its own
- OutboundBindAddress?
- - Stop using tor_socketpair to make connection bridges: do an
- implementation that uses buffers only.
- Blue-sky:
- - Patch privoxy and socks protocol to pass strings to the browser.
- - Standby/hotswap/redundant hidden services.
- - Robust decentralized storage for hidden service descriptors.
- - The "China problem"
- - Allow small cells and large cells on the same network?
- - Cell buffering and resending. This will allow us to handle broken
- circuits as long as the endpoints don't break, plus will allow
- connection (tls session key) rotation.
- - Implement Morphmix, so we can compare its behavior, complexity, etc.
- - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
- link crypto, unless we can bully openssl into it.
- - Need a relay teardown cell, separate from one-way ends.
- (Pending a user who needs this)
- - Handle half-open connections: right now we don't support all TCP
- streams, at least according to the protocol. But we handle all that
- we've seen in the wild.
- (Pending a user who needs this)
- Non-Coding:
- - Mark up spec; note unclear points about servers
- - Mention controller libs someplace.
- . more pictures from ren. he wants to describe the tor handshake
- NR- write a spec appendix for 'being nice with tor'
- - tor-in-the-media page
- - Remove need for HACKING file.
- - Figure out licenses for website material.
- Website:
- - and remove home and make the "Tor" picture be the link to home.
- - put the logo on the website, in source form, so people can put it on
- stickers directly, etc.
- R - make a page with the hidden service diagrams.
- - ask Jan to be the translation coordinator? add to volunteer page.
|