123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576 |
- $Id$
- Legend:
- SPEC!! - Not specified
- SPEC - Spec not finalized
- N - nick claims
- R - arma claims
- P - phobos claims
- S - Steven claims
- M - Matt claims
- J - Jeff claims
- - Not done
- * Top priority
- . Partially done
- o Done
- d Deferrable
- D Deferred
- X Abandoned
- For Tor 0.2.0.13-alpha:
- - Put a consensus in place of the empty fallback-consensus file in
- src/config and see what breaks.
- - let bridges set relaybandwidthrate as low as 5kb
- - config option FetchDirInfoEagerly so the dnsel can fetch dir
- info like a mirror without needing to be a tor server.
- - nick has to pick a name for it
- Features blocking 0.2.0.x:
- - mirror tor downloads on (via) tor dir caches
- R . spec
- d deploy
- - geoip caching and publishing for bridges
- R . spec
- ? - deploy
- d let Vidalia use the geoip data too rather than doing its own
- anonymized queries
- - bridge address disbursal strategies
- o get the cached-descriptors* to bridges@moria
- - parse out bridge addresses from cached-descriptors*
- (or parse them out before Tonga sends them)
- (or get Tonga's Tor to write them out better in the first place)
- N * answer by IP/timestamp
- - run a little web server on moria?
- N d answer by answering email to bridges@torproject
- - keep track of which addresses have been answered already
- R d some sort of reachability testing on bridges
- R - bridge communities
- - spec
- - deploy
- - interface for letting soat modify flags that authorities assign
- R . spec
- - deploy
- - add an AuthDirBadexit torrc option if we decide we want one.
- S * tor usb windows image (vidalia, polipo, tor, firefox)
- S/M - vidalia can launch firefox
- - build a community version of firefox
- - pick our favorite extensions
- Things we'd like to do in 0.2.0.x:
- - See also Flyspray tasks.
- - See also all items marked XXXX020 and DOCDOC in the code
- - https://www.torproject.org/eff/legal-faq.html#License doesn't mention
- licenses for other components of the bundles.
- - Before the feature freeze: (Nick)
- D 118 if feasible and obvious
- D Maintain a skew estimate and use ftime consistently.
- - 105+TLS, if possible.
- . TLS backend work
- - New list of ciphers for clients
- o Servers detect new ciphers, and only send ID cert when they
- get an older cipher list, and only request client cert when
- they get an older cipher list.
- - Clients only send certificates when asked for them.
- o Servers disable callback once negotiation is finished, so
- that renegotiation happens according to the old rules.
- o Clients initiate renegotiation immediately on completing
- a v2 connection.
- o Servers detect renegotiation, and if there is now a client
- cert, they adust the client ID.
- o Detect.
- o Adjust.
- - New revised handshake: post-TLS:
- - start by sending VERSIONS cells
- - once we have a version, send a netinfo and become open
- - Ban most cell types on a non-OPEN connection.
- - NETINFO fallout
- - Don't extend a circuit over a noncanonical connection with
- mismatched address.
- - Learn our outgoing IP address from netinfo cells?
- o Protocol revision.
- o Earliest stages of 110 (infinite-length) in v2 protocol:
- add support for RELAY_EARLY.
- - get more v3 authorities before 0.2.0.x comes out.
- - brainstorm about who those should be
- - Bugs.
- - Bug reports Roger has heard along the way that don't have enough
- details/attention to solve them yet.
- - arma noticed that when his network went away and he tried
- a new guard node and the connect() syscall failed to it,
- the guard wasn't being marked as down. 0.2.0.x.
- - after being without network for 12 hours, arma's tor decided
- it couldn't fetch any network statuses, and never tried again
- even when the network came back and arma clicked on things.
- also 0.2.0.
- - we need a config option to turn off proposal 109 behavior, else
- running a private tor network on your own computer is very hard.
- . man page entry for HidServDirectoryV2 and
- MinUptimeHidServDirectoryV2.
- d Tor logs the libevent version on startup, for debugging purposes.
- This is great. But it does this before configuring the logs, so
- it only goes to stdout and is then lost.
- d we should do another bandwidth test every 12 hours or something
- if we're showing less than 50KB and our bandwidthrate says we can
- do more than that. I think some servers are forgetting the results
- of their first test, and then never seeing use.
- - Proposals:
- o 101: Voting on the Tor Directory System (plus 103)
- D Use if-modified-since on consensus download
- - Controller support
- - GETINFO to get consensus
- - Event when new consensus arrives
- - 105: Version negotiation for the Tor protocol
- . 111: Prioritize local traffic over relayed.
- - Merge into tor-spec.txt.
- - Refactoring:
- . Make cells get buffered on circuit, not on the or_conn.
- . Switch to pool-allocation for cells?
- - Benchmark pool-allocation vs straightforward malloc.
- - Adjust memory allocation logic in pools to favor a little less
- slack memory.
- . Remove socketpair-based bridges conns, and the word "bridge". (Use
- shared (or connected) buffers for communication, rather than sockets.)
- . Implement
- - Handle rate-limiting on directory writes to linked directory
- connections in a more sensible manner.
- - Find more ways to test this.
- D Do TLS connection rotation more often than "once a week" in the
- extra-stable case.
- D Streamline how we pick entry nodes: Make choose_random_entry() have
- less magic and less control logic.
- - Refactor networkstatus generation:
- - Include "v" line in getinfo values.
- - Bridges:
- . Bridges users (rudimentary version)
- o Ability to specify bridges manually
- o Config option 'UseBridges' that bridge users can turn on.
- o uses bridges as first hop rather than entry guards.
- o if you don't have any routerinfos for your bridges, or you don't
- like the ones you have, ask a new bridge for its server/authority.
- . Ask all directory questions to bridge via BEGIN_DIR.
- - use the bridges for dir fetches even when our dirport is open.
- R - drop 'authority' queries if they're to our own identity key; accept
- them otherwise.
- X Design/implement the "local-status" or something like it, from the
- "Descriptor purposes: how to tell them apart" section of
- http://archives.seul.org/or/dev/May-2007/msg00008.html
- o timeout and retry schedules for fetching bridge descriptors
- - give extend_info_t a router_purpose again
- o react faster to download networkstatuses after the first bridge
- descriptor arrives
- o be more robust to bridges being marked as down and leaving us
- stranded without any known "running" bridges.
- - Bridges operators (rudimentary version)
- o Ability to act as dir cache without a dir port.
- o Bridges publish to bridge authorities
- o Fix BEGIN_DIR so that you connect to bridge of which you only
- know IP (and optionally fingerprint), and then use BEGIN_DIR to learn
- more about it.
- R - look at server_mode() and decide if it always applies to bridges too.
- - Bridges
- o Clients can ask bridge authorities for updates on known bridges.
- - Misc
- * Make BEGIN_DIR mandatory for asking questions of bridge authorities?
- (but only for bridge descriptors. not for ordinary cache stuff.)
- - Features (other than bridges):
- - Audit how much RAM we're using for buffers and cell pools; try to
- trim down a lot.
- - Base relative control socket paths on datadir.
- - Make TrackHostExits expire TrackHostExitsExpire seconds after their
- *last* use, not their *first* use.
- - Limit to 2 dir, 2 OR, N SOCKS connections per IP.
- - Or maybe close connections from same IP when we get a lot from one.
- - Or maybe block IPs that connect too many times at once.
- - Testing
- N - Hack up a client that gives out weird/no certificates, so we can
- test to make sure that this doesn't cause servers to crash.
- - Deprecations:
- - can we deprecate 'getinfo network-status'?
- - can we deprecate the FastFirstHopPK config option?
- - Documentation
- - HOWTO for DNSPort.
- - Quietly document NT Service options
- - More prominently, we should have a recommended apps list.
- - recommend pidgin (gaim is renamed)
- - unrecommend IE because of ftp:// bug.
- - we should add a preamble to tor-design saying it's out of date.
- . Document transport and natdport in a good HOWTO.
- - Publicize torel. (What else?
- . Finish path-spec.txt
- P - Packaging:
- P - Plan a switch to polipo. Perhaps we'll offer two http proxies in
- the future.
- P - Make documentation realize that location of system configuration file
- will depend on location of system defaults, and isn't always /etc/torrc.
- P - Figure out why dll's compiled in mingw don't work right in WinXP.
- - Create packages for Nokia 800, requested by Chris Soghoian
- P - Consider creating special Tor-Polipo-Vidalia test packages,
- requested by Dmitri Vitalev
- o Get Vidalia supporting protocolinfo and using auth by default.
- P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle
- P - Flyspray 487, create a universal binary privoxy for inclusion in
- packages.
- Planned for 0.2.1.x:
- - we try to build 4 test circuits to break them over different
- servers. but sometimes our entry node is the same for multiple
- test circuits. this defeats the point.
- - enforce a lower limit on MaxCircuitDirtiness and CircuitBuildTimeout.
- - configurable timestamp granularity. defaults to 'seconds'.
- - consider making 'safelogging' extend to info-level logs too.
- - we should consider a single config option TorPrivateNetwork that
- turns on all the config options for running a private test tor
- network. having to keep updating all the tools, and the docs,
- just isn't working.
- - consider whether a single Guard flag lets us distinguish between
- "was good enough to be a guard when we picked it" and "is still
- adequate to be used as a guard even after we've picked it". We should
- write a real proposal for this.
- - switch out privoxy in the bundles and replace it with polipo.
- - make the new tls handshake blocking-resistant.
- - figure out some way to collect feedback about what countries are using
- bridges, in a way that doesn't screw anonymity too much.
- - let tor dir mirrors proxy connections to the tor download site, so
- if you know a bridge you can fetch the tor software.
- - more strategies for distributing bridge addresses in a way that
- doesn't rely on knowing somebody who runs a bridge for you.
- - A way to adjust router status flags from the controller. (How do we
- prevent the authority from clobbering them soon afterward?)
- - Bridge authorities should do reachability testing but only on the
- purpose==bridge descriptors they have.
- - Clients should estimate their skew as median of skew from servers
- over last N seconds.
- - Investigate RAM use in Tor servers.
- - Start on the WSAENOBUFS solution.
- - Start on Windows auto-update for Tor
- Deferred from 0.2.0.x:
- - Proposals
- - 113: Simplifying directory authority administration
- - 110: prevent infinite-length circuits (phase one)
- - 118: Listen on and advertise multiple ports:
- - Tor should be able to have a pool of outgoing IP addresses that it is
- able to rotate through. (maybe. Possible overlap with proposal 118.)
- - config option to publish what ports you listen on, beyond
- ORPort/DirPort. It should support ranges and bit prefixes (?) too.
- (This is very similar to proposal 118.)
- - 117: IPv6 Exits
- - Internal code support for ipv6:
- o Clone ipv6 functions (inet_ntop, inet_pton) where they don't exist.
- - Most address variables need to become tor_addr_t
- - Teach resolving code how to handle ipv6.
- - Teach exit policies about ipv6 (consider ipv4/ipv6 interaction!)
- - Features
- - Let controller set router flags for authority to transmit, and for
- client to use.
- - add an 'exit-address' line in the descriptor for servers that exit
- from something that isn't their published address.
- - More work on AvoidDiskWrites?
- - Features
- - Make a TCP DNSPort
- - Protocol work
- - MAYBE kill stalled circuits rather than stalled connections. This is
- possible thanks to cell queues, but we need to consider the anonymity
- implications.
- - Implement TLS shutdown properly when possible.
- - Bugs
- - If the client's clock is too far in the past, it will drop (or just not
- try to get) descriptors, so it'll never build circuits.
- - Refactoring
- - Make resolves no longer use edge_connection_t unless they are actually
- _on_ a socks connection: have edge_connection_t and (say)
- dns_request_t both extend an edge_stream_t, and have p_streams and
- n_streams both be linked lists of edge_stream_t.
- - Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the
- online config documentation from a single source.
- - Move all status info out of routerinfo into local_routerstatus. Make
- "who can change what" in local_routerstatus explicit. Make
- local_routerstatus (or equivalent) subsume all places to go for "what
- router is this?"
- - Blocking/scanning-resistance
- - It would be potentially helpful to respond to https requests on
- the OR port by acting like an HTTPS server.
- - Do we want to maintain our own set of entryguards that we use as
- next hop after the bridge? Open research question; let's say no
- for 0.2.0 unless we learn otherwise.
- - Some mechanism for specifying that we want to stop using a cached
- bridge.
- - Build:
- - Detect correct version of libraries from autoconf script.
- Future versions:
- - See also Flyspray tasks.
- - See also all OPEN/ACCEPTED proposals.
- - See also all items marked XXXX and FFFF in the code.
- - Protocol:
- - Our current approach to block attempts to use Tor as a single-hop proxy
- is pretty lame; we should get a better one.
- - Allow small cells and large cells on the same network?
- - Cell buffering and resending. This will allow us to handle broken
- circuits as long as the endpoints don't break, plus will allow
- connection (tls session key) rotation.
- - Implement Morphmix, so we can compare its behavior, complexity,
- etc. But see paper breaking morphmix.
- - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
- link crypto, unless we can bully DTLS into it.
- - Need a relay teardown cell, separate from one-way ends.
- (Pending a user who needs this)
- - Handle half-open connections: right now we don't support all TCP
- streams, at least according to the protocol. But we handle all that
- we've seen in the wild.
- (Pending a user who needs this)
- - Directory system
- - BEGIN_DIR items
- X turn the received socks addr:port into a digest for setting .exit
- - handle connect-dir streams that don't have a chosen_exit_name set.
- - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8?
- - Add an option (related to AvoidDiskWrites) to disable directory
- caching. (Is this actually a good idea??)
- - Add d64 and fp64 along-side d and fp so people can paste status
- entries into a url. since + is a valid base64 char, only allow one
- at a time. Consider adding to controller as well.
- - Some back-out mechanism for auto-approval on authorities
- - a way of rolling back approvals to before a timestamp
- - Consider minion-like fingerprint file/log combination.
- - Have new people be in limbo and need to demonstrate usefulness
- before we approve them.
- - Hidden services:
- - Standby/hotswap/redundant hidden services.
- . Update the hidden service stuff for the new dir approach. (Much
- of this will be superseded by 114.)
- - switch to an ascii format, maybe sexpr?
- - authdirservers publish blobs of them.
- - other authdirservers fetch these blobs.
- - hidserv people have the option of not uploading their blobs.
- - you can insert a blob via the controller.
- - and there's some amount of backwards compatibility.
- - teach clients, intro points, and hidservs about auth mechanisms.
- - come up with a few more auth mechanisms.
- - auth mechanisms to let hidden service midpoint and responder filter
- connection requests.
- - Let each hidden service (or other thing) specify its own
- OutboundBindAddress?
- - Hidserv offerers shouldn't need to define a SocksPort
- - Server operation
- X When we notice a 'Rejected: There is already a named server with
- this nickname' message... or maybe instead when we see in the
- networkstatuses that somebody else is Named with the name we
- want: warn the user, send a STATUS_SERVER message, and fall back
- to unnamed.
- - If the server is spewing complaints about raising your ulimit -n,
- we should add a note about this to the server descriptor so other
- people can notice too.
- - When we hit a funny error from a dir request (eg 403 forbidden),
- but tor is working and happy otherwise, and we haven't seen many
- such errors recently, then don't warn about it.
- - Controller
- - Implement missing status events and accompanying getinfos
- - DIR_REACHABLE
- - BAD_DIR_RESPONSE (Unexpected directory response; maybe we're behind
- a firewall.)
- - BAD_PROXY (Bad http or https proxy)
- - UNRECOGNIZED_ROUTER (a nickname we asked for is unavailable)
- - Status events related to hibernation
- - something about failing to parse our address?
- from resolve_my_address() in config.c
- - sketchy OS, sketchy threading
- - too many onions queued: threading problems or slow CPU?
- - Implement missing status event fields:
- - TIMEOUT on CHECKING_REACHABILITY
- - GETINFO status/client, status/server, status/general: There should be
- some way to learn which status events are currently "in effect."
- We should specify which these are, what format they appear in, and so
- on.
- - More information in events:
- - Include bandwidth breakdown by conn->type in BW events.
- - Change circuit status events to give more details, like purpose,
- whether they're internal, when they become dirty, when they become
- too dirty for further circuits, etc.
- - Change stream status events analogously.
- - Expose more information via getinfo:
- - import and export rendezvous descriptors
- - Review all static fields for additional candidates
- - Allow EXTENDCIRCUIT to unknown server.
- - We need some way to adjust server status, and to tell tor not to
- download directories/network-status, and a way to force a download.
- - Make everything work with hidden services
- - Performance/resources
- - per-conn write buckets
- - separate config options for read vs write limiting
- (It's hard to support read > write, since we need better
- congestion control to avoid overfull buffers there. So,
- defer the whole thing.)
- - Look into pulling serverdescs off buffers as they arrive.
- - Rate limit exit connections to a given destination -- this helps
- us play nice with websites when Tor users want to crawl them; it
- also introduces DoS opportunities.
- - Consider truncating rather than destroying failed circuits,
- in order to save the effort of restarting. There are security
- issues here that need thinking, though.
- - Handle full buffers without totally borking
- - Rate-limit OR and directory connections overall and per-IP and
- maybe per subnet.
- - Misc
- - Hold-open-until-flushed now works by accident; it should work by
- design.
- - Display the reasons in 'destroy' and 'truncated' cells under
- some circumstances?
- - Make router_is_general_exit() a bit smarter once we're sure what
- it's for.
- - Automatically determine what ports are reachable and start using
- those, if circuits aren't working and it's a pattern we
- recognize ("port 443 worked once and port 9001 keeps not
- working").
- - Security
- - some better fix for bug #516?
- - don't do dns hijacking tests if we're reject *:* exit policy?
- (deferred until 0.1.1.x is less common)
- - Directory guards
- - Mini-SoaT:
- - Servers might check certs for known-good ssl websites, and if
- they come back self-signed, declare themselves to be
- non-exits. Similar to how we test for broken/evil dns now.
- - Authorities should try using exits for http to connect to some
- URLS (specified in a configuration file, so as not to make the
- List Of Things Not To Censor completely obvious) and ask them
- for results. Exits that don't give good answers should have
- the BadExit flag set.
- - Alternatively, authorities should be able to import opinions
- from Snakes on a Tor.
- - More consistent error checking in router_parse_entry_from_string().
- I can say "banana" as my bandwidthcapacity, and it won't even squeak.
- - Bind to random port when making outgoing connections to Tor servers,
- to reduce remote sniping attacks.
- - Audit everything to make sure rend and intro points are just as
- likely to be us as not.
- - Do something to prevent spurious EXTEND cells from making
- middleman nodes connect all over. Rate-limit failed
- connections, perhaps?
- - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
- - Needs thinking
- - Now that we're avoiding exits when picking non-exit positions,
- we need to consider how to pick nodes for internal circuits. If
- we avoid exits for all positions, we skew the load balancing. If
- we accept exits for all positions, we leak whether it's an
- internal circuit at every step. If we accept exits only at the
- last hop, we reintroduce Lasse's attacks from the Oakland paper.
- - Windows server usability
- - Solve the ENOBUFS problem.
- - make tor's use of openssl operate on buffers rather than sockets,
- so we can make use of libevent's buffer paradigm once it has one.
- - make tor's use of libevent tolerate either the socket or the
- buffer paradigm; includes unifying the functions in connect.c.
- - We need a getrlimit equivalent on Windows so we can reserve some
- file descriptors for saving files, etc. Otherwise we'll trigger
- asserts when we're out of file descriptors and crash.
- - Merge code from Urz into libevent
- - Make Tor use evbuffers.
- - Documentation
- - a way to generate the website diagrams from source, so we can
- translate them as utf-8 text rather than with gimp. (svg? or
- imagemagick?)
- . Flesh out options_description array in src/or/config.c
- . multiple sample torrc files
- . figure out how to make nt service stuff work?
- . Document it.
- - Refactor tor man page to divide generally useful options from
- less useful ones?
- - Add a doxygen style checker to make check-spaces so nick doesn't drift
- too far from arma's undocumented styleguide. Also, document that
- styleguide in HACKING. (See r9634 for example.)
- - exactly one space at beginning and at end of comments, except i
- guess when there's line-length pressure.
- - if we refer to a function name, put a () after it.
- - only write <b>foo</b> when foo is an argument to this function.
- - doxygen comments must always end in some form of punctuation.
- - capitalize the first sentence in the doxygen comment, except
- when you shouldn't.
- - avoid spelling errors and incorrect comments. ;)
- - Packaging
- - The Debian package now uses --verify-config when (re)starting,
- to distinguish configuration errors from other errors. Perhaps
- the RPM and other startup scripts should too?
- - add a "default.action" file to the tor/vidalia bundle so we can
- fix the https thing in the default configuration:
- http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort
- - Related tools
- - Patch privoxy and socks protocol to pass strings to the browser.
- Documentation, non-version-specific.
- - Specs
- - Mark up spec; note unclear points about servers
- NR - write a spec appendix for 'being nice with tor'
- - Specify the keys and key rotation schedules and stuff
- - Mention controller libs someplace.
- - Remove need for HACKING file.
- - document http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy on freebsd and osx
- P - figure out why x86_64 won't build rpms from tor.spec
- P - figure out spec files for bundles of vidalia-tor-polipo
- P - figure out polipo install scripts for bundles of vidalia-tor-polipo on osx, win32
- - figure out selinux policy for tor
- P - change packaging system to more automated and specific for each
- platform, suggested by Paul Wouter
- P - Setup repos for redhat and suse rpms & start signing the rpms the
- way package management apps prefer
- Website:
- J - tor-in-the-media page
- P - Figure out licenses for website material.
- (Phobos reccomends the Open Publication License at
- http://opencontent.org/openpub/)
- P - put the logo on the website, in source form, so people can put it on
- stickers directly, etc.
- P - put the source image for the stickers on the website, so people can
- print their own
- P - figure out a license for the logos and docs we publish (trademark
- figures into this)
- (Phobos reccomends the Open Publication License at
- http://opencontent.org/openpub/)
- R - make a page with the hidden service diagrams.
- P - ask Jan/Jens to be the translation coordinator? add to volunteer page.
- - add a page for localizing all tor's components.
- - It would be neat if we had a single place that described _all_ the
- tor-related tools you can use, and what they give you, and how well they
- work. Right now, we don't give a lot of guidance wrt
- torbutton/foxproxy/privoxy/polipo in any consistent place.
- P - create a 'blog badge' for tor fans to link to and feature on their
- blogs. A sample can be found at http://interloper.org/tmp/tor/tor-button.png
- - Tor mirrors
- - make a mailing list with the mirror operators
- - make an automated tool to check /project/trace/ at mirrors to
- learn which ones are lagging behind.
- - auto (or manually) cull the mirrors that are broken; and
- contact their operator?
- - a set of instructions for mirror operators to make their apaches
- serve our charsets correctly, and bonus points for language
- negotiation.
- - figure out how to load-balance the downloads across mirrors?
- - ponder how to get users to learn that they should google for
- "tor mirrors" if the main site is blocked.
- - find a mirror volunteer to coordinate all of this
|