123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546 |
- $Id$
- Legend:
- SPEC!! - Not specified
- SPEC - Spec not finalized
- N - nick claims
- R - arma claims
- P - phobos claims
- - Not done
- * Top priority
- . Partially done
- o Done
- d Deferrable
- D Deferred
- X Abandoned
- Documentation and testing on 0.1.2.x-final series
- N - Test guard unreachable logic; make sure that we actually attempt to
- connect to guards that we think are unreachable from time to time.
- Make sure that we don't freak out when the network is down.
- . Forward compatibility fixes
- N - Hack up a client that gives out weird/no certificates, so we can
- test to make sure that this doesn't cause servers to crash.
- NR. Write path-spec.txt
- - Docs
- - Tell people about OSX Uninstaller
- - Quietly document NT Service options
- - More prominently, we should have a recommended apps list.
- - recommend gaim.
- - unrecommend IE because of ftp:// bug.
- N - we should add a preamble to tor-design saying it's out of date.
- N . Document transport and natdport
- o In man page
- - In a good HOWTO.
- - Update dir-spec with decisions made on these issues:
- o clients don't log as loudly when they receive them
- o they don't count toward the 3-strikes rule
- D But eventually, we give up after getting a lot of 503s.
- D Delay when we get a lot of 503s, rather than punting onto the
- servers that have given us 503s?
- o Add a 'BadDirectory' flag to statuses.
- o authorities should *never* 503 a cache, and should never 503
- network status requests.
- D They can 503 client descriptor requests when they feel like it.
- How can they distinguish? Not implemented for now, maybe
- should abandon.
- - update dir-spec with what we decided for each of these
- Things we'd like to do in 0.2.0.x:
- - Proposals:
- - 101: Voting on the Tor Directory System
- - Prepare ASAP for new voting formats
- - Don't flip out with warnings when voting-related URLs are
- uploaded/downloaded.
- - Finalize proposal
- - Get authorities voting
- - Implement parsing for new document formats
- - Code to generate votes
- - Code to generate consensus from a list of votes
- - Add a signature to a consensus.
- - Code to check signatures on a consensus
- - Push/pull documents as appropriate.
- - Start caching consensus documents once authorities make them
- - Start downloading and using consensus documents once caches serve them
- . 104: Long and Short Router Descriptors (by Jun 1)
- . Finalize proposal
- o Implement parsing for extra-info documents
- o Have routers generate extra-info documents.
- . Have have authorities accept them and serve them from specified URLs
- o Implement directory-protocol side.
- o Implement storage in memory
- - Implement cache on disk.
- - Have routers upload extra-info documents.
- - Implement option to download and cache extra-info documents.
- - Drop bandwidth history from router-descriptors
- - 105: Version negotiation for the Tor protocol (finalize by Jun 1)
- - 108: Base "Stable" Flag on Mean Time Between Failures
- - 109: No more than one server per IP address
- - 103: Splitting identity key from regularly used signing key
- - 113: Simplifying directory authority administration
- - 110: prevent infinite-length circuits (phase one)
- - servers should recognize relay_extend cells and pass them
- on just like relay cells
- - Refactoring:
- - Make resolves no longer use edge_connection_t unless they are actually
- _on_ on a socks connection: have edge_connection_t and (say)
- dns_request_t both extend an edge_stream_t, and have p_streams and
- n_streams both be linked lists of edge_stream_t.
- . Make cells get buffered on circuit, not on the or_conn.
- O Implement cell queues
- o Keep doubly-linked list of active circuits on each or_conn.
- o Put all relay data on the circuit cell queue, not on the outbuf.
- o Don't move them into the target conn until there is space on the
- target conn's outbuf.
- o When making a circuit active on a connection with an empty buf,
- we need to "prime" the buffer, so that we can trigger the "I flushed
- some" test.
- X Change how directory-bridge-choking works: choke when circuit queue
- is full, not when the orconn is "too full".
- [No need to do this: the edge-connection choking will already take
- care of this a bit, and rewriting the 'bridged connection' code
- to not use socketpairs will give us even more control.]
- . Do we switch to pool-allocation for cells?
- o Implement pool-allocation
- o Have Tor use it for packed cells.
- o Document it.
- o Do something smart with freeing unused chunks.
- - Benchmark pool-allocation vs straightforward malloc.
- - Adjust memory allocation logic in pools to favor a little less
- slack memory.
- D Can we stop doing so many memcpys on cells?
- o Also, only package data from exitconns when there is space on the
- target OR conn's outbuf? or when the circuit is not too full.
- - MAYBE kill stalled circuits rather than stalled connections; consider
- anonymity implications.
- - Move all status info out of routerinfo into local_routerstatus. Make
- "who can change what" in local_routerstatus explicit. Make
- local_routerstatus (or equivalent) subsume all places to go for "what
- router is this?"
- . Remove socketpair-based bridges conns, and the word "bridge". (Use
- shared (or connected) buffers for communication, rather than sockets.)
- o Design
- o Pick a term. The term is now "linked connection."
- o Figure out how to ensure that handle_read is always called.
- (Use event_active; keep active events in a list; use event_once
- to make sure that we call the event base dispatch function enough.)
- . Implement
- o Count connections and sockets separately
- . Allow connections with s == -1
- o Add a linked_conn field; it should get marked when we're marked.
- o Add a function to move bytes from buffer to buffer.
- o Have read_to_buf dtrt for linked connections
- o Have handle_read dtrt for linked connections
- o Have an activate/deactivate_linked_connection function.
- o Have activated connections added to a list on first activation, and
- that list made active before calls to event_loop.
- o Have connections get deactivated when no more data to write on
- linked conn outbuf.
- o Handle closing connections properly.
- o Actually create and use linked connections.
- - Handle rate-limiting on directory writes to linked directory
- connections in a more sensible manner.
- o Rename want_to_read and want_to_write; they're actually about
- being blocked, not about wanting to read/write.
- - Find more ways to test this.
- D Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the
- online config documentation from a single source.
- - Have clients do TLS connection rotation less often than "every 10
- minutes" in the thrashy case, and more often than "once a week" in the
- extra-stable case.
- - Streamline how we pick entry nodes: Make choose_random_entry() have
- less magic and less control logic.
- - Implement TLS shutdown properly when possible.
- - Maybe move NT services into their own module.
- . Autoconf cleanups and improvements:
- o Remove redundant event.h check.
- o Check for zlib with the same machinery as for libevent and openssl.
- o Make the "no longer strictly accurate" message accurate.
- . Tell the user what -dev package to install based on OS.
- - Detect correct version of libraries.
- o Run autoupdate
- - Refactor networkstatus generation:
- - Use networkstatus_getinfo_helper_single() as base of
- networkstatus generation; eliminate duplicate code.
- - Include "v" line in getinfo values.
- - Features:
- - Traffic priorities (by Jun 1)
- - Ability to prioritize own traffic over relayed traffic.
- - Implement a DNS proxy
- - Add a way to request DNS resolves from the controller.
- - A better UI for authority ops.
- - Follow weasel's proposal, crossed with mixminion dir config format
- - Write a proposal
- - Bridges users (rudimentary version) (By Jun 1)
- - Ability to specify bridges manually
- D cache of bridges that we've learned about and use but aren't
- manually listed in the torrc.
- D and some mechanism for specifying that we want to stop using
- a given bridge in this cache.
- - Config option 'UseBridges' that bridge users can turn on.
- - uses bridges as first hop rather than entry guards.
- D Do we want to maintain our own set of entryguards that we use
- after the bridge? Open research question; let's say no for 0.2.0
- unless we learn otherwise.
- - Ask all directory questions to bridge via BEGIN_DIR.
- - Bridges operators (rudimentary version) (By Jun 1)
- - Ability to act as dir cache without a dir port.
- - Bridges publish to bridge authorities
- - Fix BEGIN_DIR so that you connect to bridge of which you only
- know IP (and optionally fingerprint), and then use BEGIN_DIR to learn
- more about it.
- - Bridges authorities (rudimentary version) (By Jun 1)
- - Rudimentary "do not publish networkstatus" option for bridge
- authorities.
- - Clients can ask bridge authorities for more bridges.
- - Bridges (not necessarily by Jun 1)
- - Clients can ask bridge authorities for updates on known bridges.
- - More TLS normalization work: make Tor less easily
- fingerprinted. (Researched by Jun 1)
- - Directory system improvements
- - config option to publish what ports you listen on, beyond
- ORPort/DirPort. It should support ranges and bit prefixes (?) too.
- - Let controller set router flags for authority to transmit, and for
- client to use.
- - Support relaying streams to ipv6.
- - Let servers decide to support BEGIN_DIR but not DirPort.
- - Tor should bind its ports before dropping privs, so users don't
- have to do the ipchains dance.
- - Blocking-resistance.
- - It would be potentially helpful to https requests on the OR port by
- acting like an HTTPS server.
- - add an 'exit-address' line in the descriptor for servers that exit
- from something that isn't their published address.
- - Audit how much RAM we're using for buffers and cell pools; try to
- trim down a lot.
- o Deprecations:
- o Remove v0 control protocol.
- P - Packaging:
- P - Can we switch to polipo? (Jun 1)
- P - If we haven't replaced privoxy, lock down its configuration in all
- packages, as documented in tor-doc-unix.html
- P - Figure out why dll's compiled in mingw don't work right in WinXP.
- P - Figure out why openssl 0.9.8d "make test" fails at sha256t test.
- - add an AuthDirBadexit torrc option if we decide we want one.
- Deferred from 0.1.2.x:
- - BEGIN_DIR items
- - turn the received socks addr:port into a digest for setting .exit
- - handle connect-dir streams that don't have a chosen_exit_name set.
- - 'networkstatus arrived' event
- - More work on AvoidDiskWrites?
- - Get some kind of "meta signing key" to be used solely to sign
- releases/to certify releases when signed by the right people/
- to certify sign the right people's keys? Also use this to cert the SSL
- key, etc. (Proposal 103)
- - per-conn write buckets
- - separate config options for read vs write limiting
- (It's hard to support read > write, since we need better
- congestion control to avoid overfull buffers there. So,
- defer the whole thing.)
- - don't do dns hijacking tests if we're reject *:* exit policy?
- (deferred until 0.1.1.x is less common)
- - Directory guards
- - RAM use in directory authorities.
- - Memory use improvements:
- - Look into pulling serverdescs off buffers as they arrive.
- - Save and mmap v1 directories, and networkstatus docs; store them
- zipped, not uncompressed.
- - Switch cached_router_t to use mmap.
- - What to do about reference counts on windows? (On Unix, this is
- easy: unlink works fine. (Right?) On Windows, I have doubts. Do we
- need to keep multiple files?)
- - What do we do about the fact that people can't read zlib-
- compressed files manually?
- - If the client's clock is too far in the past, it will drop (or
- just not try to get) descriptors, so it'll never build circuits.
- - Tolerate clock skew on bridge relays.
- X Eventdns improvements
- X Have a way to query for AAAA and A records simultaneously.
- X Improve request API: At the very least, add the ability to construct
- a more-or-less arbitrary request and get a response.
- X (Can we suppress cnames? Should we?)
- - Now that we're avoiding exits when picking non-exit positions,
- we need to consider how to pick nodes for internal circuits. If
- we avoid exits for all positions, we skew the load balancing. If
- we accept exits for all positions, we leak whether it's an internal
- circuit at every step. If we accept exits only at the last hop, we
- reintroduce Lasse's attacks from the Oakland paper.
- - We should ship with a list of stable dir mirrors -- they're not
- trusted like the authorities, but they'll provide more robustness
- and diversity for bootstrapping clients.
- - A way to adjust router flags from the controller.
- (How do we prevent the authority from clobbering them soon after?)
- - Better estimates in the directory of whether servers have good uptime
- (high expected time to failure) or good guard qualities (high
- fractional uptime).
- - AKA Track uptime as %-of-time-up, as well as time-since-last-down
- - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8?
- - spec
- - implement
- - Windows server usability
- - Solve the ENOBUFS problem.
- - make tor's use of openssl operate on buffers rather than sockets,
- so we can make use of libevent's buffer paradigm once it has one.
- - make tor's use of libevent tolerate either the socket or the
- buffer paradigm; includes unifying the functions in connect.c.
- - We need a getrlimit equivalent on Windows so we can reserve some
- file descriptors for saving files, etc. Otherwise we'll trigger
- asserts when we're out of file descriptors and crash.
- M - rewrite how libevent does select() on win32 so it's not so very slow.
- - Add overlapped IO
- - Add an option (related to AvoidDiskWrites) to disable directory caching.
- - Finish status event implementation and accompanying getinfos
- - Missing events:
- - DIR_REACHABLE
- - BAD_DIR_RESPONSE (Unexpected directory response; maybe we're behind
- a firewall.)
- - BAD_PROXY (Bad http or https proxy)
- - UNRECOGNIZED_ROUTER (a nickname we asked for is unavailable)
- - Status events related to hibernation
- - something about failing to parse our address?
- from resolve_my_address() in config.c
- - sketchy OS, sketchy threading
- - too many onions queued: threading problems or slow CPU?
- - Missing fields:
- - TIMEOUT on CHECKING_REACHABILITY
- - GETINFO status/client, status/server, status/general: There should be
- some way to learn which status events are currently "in effect."
- We should specify which these are, what format they appear in, and so
- on.
- Minor items for 0.1.2.x as time permits:
- - include bandwidth breakdown by conn->type in BW events.
- o Unify autoconf search code for libevent and openssl. Make code
- suggest platform-appropriate "devel" / "dev" / whatever packages
- if we can link but we can't find the headers.
- - Recommend polipo? Please?
- - Make documentation realize that location of system configuration file
- will depend on location of system defaults, and isn't always /etc/torrc.
- - Review torrc.sample to make it more discursive.
- - a way to generate the website diagrams from source, so we can
- translate them as utf-8 text rather than with gimp.
- R - add d64 and fp64 along-side d and fp so people can paste status
- entries into a url. since + is a valid base64 char, only allow one
- at a time. spec and then do.
- o When we export something from foo.c file for testing purposes only,
- make a foo_test.h file for test.c to include... or put them behind an
- #ifdef FOO_PRIVATE.
- - The Debian package now uses --verify-config when (re)starting,
- to distinguish configuration errors from other errors. Perhaps
- the RPM and other startup scripts should too?
- - add a "default.action" file to the tor/vidalia bundle so we can fix the
- https thing in the default configuration:
- http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort
- . Flesh out options_description array in src/or/config.c
- X If we try to publish as a nickname that's already claimed, should
- we append a number (or increment the number) and try again? This
- way people who read their logs can fix it as before, but people
- who don't read their logs will still offer Tor servers.
- - Fall back to unnamed; warn user; send controller event. ("When we
- notice a 'Rejected: There is already a named server with this nickname'
- message... or maybe instead when we see in the networkstatuses that
- somebody else is Named with the name we want: warn the user, send a
- STATUS_SERVER message, and fall back to unnamed.")
- - Rate limit exit connections to a given destination -- this helps
- us play nice with websites when Tor users want to crawl them; it
- also introduces DoS opportunities.
- - Christian Grothoff's attack of infinite-length circuit.
- the solution is to have a separate 'extend-data' cell type
- which is used for the first N data cells, and only
- extend-data cells can be extend requests.
- . Specify, including thought about anonymity implications. [proposal 110]
- - Display the reasons in 'destroy' and 'truncated' cells under some
- circumstances?
- - If the server is spewing complaints about raising your ulimit -n,
- we should add a note about this to the server descriptor so other
- people can notice too.
- - cpu fixes:
- - see if we should make use of truncate to retry
- . Directory changes
- . Some back-out mechanism for auto-approval
- - a way of rolling back approvals to before a timestamp
- - Consider minion-like fingerprint file/log combination.
- - packaging and ui stuff:
- . multiple sample torrc files
- . figure out how to make nt service stuff work?
- . Document it.
- - Vet all pending installer patches
- - Win32 installer plus privoxy, sockscap/freecap, etc.
- - Vet win32 systray helper code
- (2007-04-15 phobos, do we still need these installer patches?)
- - Improve controller
- - a NEWSTATUS event similar to NEWDESC.
- - change circuit status events to give more details, like purpose,
- whether they're internal, when they become dirty, when they become
- too dirty for further circuits, etc.
- - What do we want here, exactly?
- - Specify and implement it.
- - Change stream status events analogously.
- - What do we want here, exactly?
- - Specify and implement it.
- - Make other events "better".
- - Change stream status events analogously.
- - What do we want here, exactly?
- - Specify and implement it.
- - Make other events "better" analogously
- - What do we want here, exactly?
- - Specify and implement it.
- . Expose more information via getinfo:
- - import and export rendezvous descriptors
- - Review all static fields for additional candidates
- - Allow EXTENDCIRCUIT to unknown server.
- - We need some way to adjust server status, and to tell tor not to
- download directories/network-status, and a way to force a download.
- - Make everything work with hidden services
- Future version:
- - servers might check certs for known-good ssl websites, and if they
- come back self-signed, declare themselves to be non-exits. similar
- to how we test for broken/evil dns now.
- - we try to build 4 test circuits to break them over different
- servers. but sometimes our entry node is the same for multiple
- test circuits. this defeats the point.
- - when we hit a funny error from a dir request (eg 403 forbidden),
- but tor is working and happy otherwise, and we haven't seen many
- such errors recently, then don't warn about it.
- - More consistent error checking in router_parse_entry_from_string().
- I can say "banana" as my bandwidthcapacity, and it won't even squeak.
- o Include the output of svn info in the binary, so it's trivial to see what
- version a binary was built from.
- o Do the same for svk info.
- - Add a doxygen style checker to make check-spaces so nick doesn't drift
- too far from arma's undocumented styleguide. Also, document that
- styleguide in HACKING. (See r9634 for example.)
- - exactly one space at beginning and at end of comments, except i
- guess when there's line-length pressure.
- - if we refer to a function name, put a () after it.
- - only write <b>foo</b> when foo is an argument to this function.
- - doxygen comments must always end in some form of punctuation.
- - capitalize the first sentence in the doxygen comment, except
- when you shouldn't.
- - avoid spelling errors and incorrect comments. ;)
- - Should TrackHostExits expire TrackHostExitsExpire seconds after their
- *last* use, not their *first* use?
- X Configuration format really wants sections.
- . Good RBL substitute.
- - Play with the implementations; link them from somewhere; add a
- round-robin link from torel.torproject.org; describe how to
- use them in the FAQ.
- - Authorities should try using exits for http to connect to some URLS
- (specified in a configuration file, so as not to make the List Of Things
- Not To Censor completely obvious) and ask them for results. Exits that
- don't give good answers should have the BadExit flag set.
- - Our current approach to block attempts to use Tor as a single-hop proxy
- is pretty lame; we should get a better one.
- . Update the hidden service stuff for the new dir approach.
- - switch to an ascii format, maybe sexpr?
- - authdirservers publish blobs of them.
- - other authdirservers fetch these blobs.
- - hidserv people have the option of not uploading their blobs.
- - you can insert a blob via the controller.
- - and there's some amount of backwards compatibility.
- - teach clients, intro points, and hidservs about auth mechanisms.
- - come up with a few more auth mechanisms.
- - auth mechanisms to let hidden service midpoint and responder filter
- connection requests.
- - Bind to random port when making outgoing connections to Tor servers,
- to reduce remote sniping attacks.
- - Have new people be in limbo and need to demonstrate usefulness
- before we approve them.
- - Clients should estimate their skew as median of skew from servers
- over last N seconds.
- - Make router_is_general_exit() a bit smarter once we're sure what it's for.
- - Audit everything to make sure rend and intro points are just as likely to
- be us as not.
- - Do something to prevent spurious EXTEND cells from making middleman
- nodes connect all over. Rate-limit failed connections, perhaps?
- - Automatically determine what ports are reachable and start using
- those, if circuits aren't working and it's a pattern we recognize
- ("port 443 worked once and port 9001 keeps not working").
- - Limit to 2 dir, 2 OR, N SOCKS connections per IP.
- - Handle full buffers without totally borking
- - Rate-limit OR and directory connections overall and per-IP and
- maybe per subnet.
- - Hold-open-until-flushed now works by accident; it should work by
- design.
- - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
- - Specify?
- o tor-resolve script should use socks5 to get better error messages.
- - hidserv offerers shouldn't need to define a SocksPort
- * figure out what breaks for this, and do it.
- - tor should be able to have a pool of outgoing IP addresses
- that it is able to rotate through. (maybe)
- - Specify; implement.
- - let each hidden service (or other thing) specify its own
- OutboundBindAddress?
- Blue-sky:
- - Patch privoxy and socks protocol to pass strings to the browser.
- - Standby/hotswap/redundant hidden services.
- - Robust decentralized storage for hidden service descriptors.
- - The "China problem"
- - Allow small cells and large cells on the same network?
- - Cell buffering and resending. This will allow us to handle broken
- circuits as long as the endpoints don't break, plus will allow
- connection (tls session key) rotation.
- - Implement Morphmix, so we can compare its behavior, complexity, etc.
- - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
- link crypto, unless we can bully openssl into it.
- - Need a relay teardown cell, separate from one-way ends.
- (Pending a user who needs this)
- - Handle half-open connections: right now we don't support all TCP
- streams, at least according to the protocol. But we handle all that
- we've seen in the wild.
- (Pending a user who needs this)
- Non-Coding:
- - Mark up spec; note unclear points about servers
- - Mention controller libs someplace.
- . more pictures from ren. he wants to describe the tor handshake
- NR- write a spec appendix for 'being nice with tor'
- - tor-in-the-media page
- - Remove need for HACKING file.
- - Figure out licenses for website material.
- - Specify the keys and key rotation schedules and stuff
- P - document http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy on freebsd and osx
- P - figure out why x86_64 won't build rpms from tor.spec
- P - figure out spec files for bundles of vidalia-tor-polipo
- P - figure out polipo install scripts for bundles of vidalia-tor-polipo on osx, win32
- P - evaluate https://sourceforge.net/projects/kleanup/
- P - evaluate TorK
- P - evaluate Tor under CentOS5/RHES5
- P - figure out selinux policy for tor
- P - make the nsis mingw packaging scripts fail if it tries to parse
- Website:
- - and remove home and make the "Tor" picture be the link to home.
- - put the logo on the website, in source form, so people can put it on
- stickers directly, etc.
- - put the source image for the stickers on the website, so people can
- print their own
- R - make a page with the hidden service diagrams.
- - ask Jan to be the translation coordinator? add to volunteer page.
- - add a page for localizing all tor's components.
- - It would be neat if we had a single place that described _all_ the
- tor-related tools you can use, and what they give you, and how well they
- work. Right now, we don't give a lot of guidance wrt
- torbutton/foxproxy/privoxy/polipo in any consistent place.
|