123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299 |
- $Id$
- Legend:
- SPEC!! - Not specified
- SPEC - Spec not finalized
- N - nick claims
- R - arma claims
- P - phobos claims
- - Not done
- * Top priority
- . Partially done
- o Done
- D Deferred
- X Abandoned
- Non-Coding, Soon:
- N - Mark up spec; note unclear points about servers
- N - Mention controller libs someplace.
- D FAQ entry: why gnutls is bad/not good for tor
- P - flesh out the rest of the section 6 of the faq
- P - gather pointers to livecd distros that include tor
- R . more pictures from ren. he wants to describe the tor handshake, i want to
- talk about hidden services.
- NR- write a spec appendix for 'being nice with tor'
- - tor-in-the-media page
- - Remove need for HACKING file.
- Website:
- - and remove home and make the "Tor" picture be the link to home.
- - put the logo on the website, in source form, so people can put it on
- stickers directly, etc.
- for 0.1.1.x:
- N - building on freebsd 6.0: (with multiple openssl installations)
- . <nickm> "Let's try to find a way to make it run and make the version
- match, but if not, let's just make it run."
- - <arma> should we detect if we have a --with-ssl-dir and try the -R
- by default, if it works?
- o Split into ReachableDirAddresses and ReachableORAddresses
- o document
- R - Jan 26 10:25:04.832 [warn] add_an_entry_guard(): Tried finding a
- new entry, but failed. Bad news. XXX.
- N - look at the proposed os x uninstaller:
- http://archives.seul.org/or/talk/Jan-2006/msg00038.html
- - support dir 503s better
- o clients don't log as loudly when they receive them
- - they don't count toward the 3-strikes rule
- - should there be some threshold of 503's after which we give up?
- - think about how to split "router is down" from "dirport shouldn't
- be tried for a while"?
- - authorities should *never* 503 a cache, but *should* 503 clients
- when they feel like it.
- - update dir-spec with what we decided for each of these
- N - commit edmanm's win32 makefile to tor cvs contrib
- - when logging unknown http headers, this could include bad escape codes?
- - more generally, attacker-controller log entries with newlines in them
- are dangerous for our users.
- o make log entries include function names in win32 again.
- - ...and make it compile and work right on Windows again.
- - Make "setconf" and "hup" behavior cleaner for LINELIST config
- options (e.g. Log). Bug 238.
- R - streamline how we define a guard node as 'up'. document it
- somewhere.
- R - reduce log severity for guard nodes.
- R - make guard node timeout higher.
- R - look into "uncounting" bytes spent on local connections. so
- we can bandwidthrate but still have fast downloads.
- N . Clean and future-proof exit policy formats a bit.
- o Likewise accept, but don't generate /bits formats (unless they're
- accepted in 0.0.9 and later).
- o Warn when we see a netmask that isn't a prefix.
- - Make clients understand "private:*" in exit policies, even though
- we don't generate it yet.
- R - Christian Grothoff's attack of infinite-length circuit.
- the solution is to have a separate 'extend-data' cell type
- which is used for the first N data cells, and only
- extend-data cells can be extend requests.
- - Specify, including thought about
- - Implement
- R - When we connect to a Tor server, it sends back a signed cell listing
- the IP it believes it is using. Use this to block dvorak's attack.
- Also, this is a fine time to say what time you think it is.
- - Verify that a new cell type is okay with deployed codebase
- - Specify
- - Implement
- - find 10 dirservers.
- - Make it no longer default for v2 dirservers to support v1.
- - non-versioning dirservers don't need to set recommended*versions.
- - non-naming dirservers don't need to have an approved-routers file.
- - What are criteria to be a dirserver? Write a policy.
- - Document AuthDirInvalid, AuthDirReject, AuthDirRejectUnlisted
- - are there other options that we haven't documented so far?
- Deferred from 0.1.1.x:
- R - failed rend desc fetches sometimes don't get retried.
- - Add config options to not publish and not fetch rend descs.
- - Add controller interfaces to hear rend desc events and learn
- about rend descs. In base16 I guess for now.
- N - Display the reasons in 'destroy' and 'truncated' cells under some
- circumstances?
- - If the server is spewing complaints about raising your ulimit -n,
- we should add a note about this to the server descriptor so other
- people can notice too.
- - We need a getrlimit equivalent on Windows so we can reserve some
- file descriptors for saving files, etc. Otherwise we'll trigger
- asserts when we're out of file descriptors and crash.
- X <weasel> it would be nice to support a unix socket for the control thing.
- The main motivation behind this was that we could let unix permissions
- take care of the authentication step: everybody who can connect to the
- socket is authenticated. However, the linux unix(7) manual page suggests
- that requiring read/write permissions on the socket in order to use it
- is Linux specific, and that many BSD-derived systems ignore the permissions
- on the socket file. Portable programs should not rely on this feature for
- security, therefore the motivation for this feature is gone.
- - the tor client can do the "automatic proxy config url" thing?
- R - clients prefer to avoid exit nodes for non-exit path positions.
- - Automatically determine what ports are reachable and start using
- those, if circuits aren't working and it's a pattern we recognize
- ("port 443 worked once and port 9001 keeps not working").
- N - Should router info have a pointer to routerstatus?
- - We should at least do something about the duplicated fields.
- N . Additional controller features
- - change circuit status events to give more details, like purpose,
- whether they're internal, when they become dirty, when they become
- too dirty for further circuits, etc.
- R - What do we want here, exactly?
- N - Specify and implement it.
- - Change stream status events analogously.
- R - What do we want here, exactly?
- N - Specify and implement it.
- - Make other events "better".
- - Change stream status events analogously.
- R - What do we want here, exactly?
- N - Specify and implement it.
- - Make other events "better" analogously
- R - What do we want here, exactly?
- N - Specify and implement it.
- . Expose more information via getinfo:
- - import and export rendezvous descriptors
- - Review all static fields for additional candidates
- - Allow EXTENDCIRCUIT to unknown server.
- - We need some way to adjust server status, and to tell tor not to
- download directories/network-status, and a way to force a download.
- - It would be nice to request address lookups from the controller
- without using SOCKS.
- - Make everything work with hidden services
- X switch accountingmax to count total in+out, not either in or
- out. it's easy to move in this direction (not risky), but hard to
- back out if we decide we prefer it the way it already is. hm.
- - cpu fixes:
- - see if we should make use of truncate to retry
- R - kill dns workers more slowly
- . Directory changes
- . Some back-out mechanism for auto-approval
- - a way of rolling back approvals to before a timestamp
- - Consider minion-like fingerprint file/log combination.
- - config option to publish what ports you listen on, beyond
- ORPort/DirPort. It should support ranges and bit prefixes (?) too.
- - Parse this.
- - Relay this in networkstatus.
- - Non-directories don't need to keep descriptors in memory.
- o Make descriptor-fetching happen via an indirection function.
- - Remember file and offset.
- - Keep a journal FD for appending router descriptors.
- - packaging and ui stuff:
- . multiple sample torrc files
- - uninstallers
- . for os x
- . figure out how to make nt service stuff work?
- . Document it.
- . Add version number to directory.
- N - Vet all pending installer patches
- - Win32 installer plus privoxy, sockscap/freecap, etc.
- - Vet win32 systray helper code
- - document:
- - torcp needs more attention in the tor-doc-win32.
- - recommend gaim.
- - unrecommend IE because of ftp:// bug.
- - torrc.complete.in needs attention?
- - Bind to random port when making outgoing connections to Tor servers,
- to reduce remote sniping attacks.
- - Have new people be in limbo and need to demonstrate usefulness
- before we approve them.
- - Clients should estimate their skew as median of skew from servers
- over last N seconds.
- - Security
- - Alices avoid duplicate class C nodes.
- - Analyze how bad the partitioning is or isn't.
- . Update the hidden service stuff for the new dir approach.
- - switch to an ascii format, maybe sexpr?
- - authdirservers publish blobs of them.
- - other authdirservers fetch these blobs.
- - hidserv people have the option of not uploading their blobs.
- - you can insert a blob via the controller.
- - and there's some amount of backwards compatibility.
- - teach clients, intro points, and hidservs about auth mechanisms.
- - come up with a few more auth mechanisms.
- . Come up with a coherent strategy for bandwidth buckets and TLS. (The
- logic for reading from TLS sockets is likely to overrun the bandwidth
- buckets under heavy load. (Really, the logic was never right in the
- first place.) Also, we should audit all users of get_pending_bytes().)
- - Make it harder to circumvent bandwidth caps: look at number of bytes
- sent across sockets, not number sent inside TLS stream.
- - Make router_is_general_exit() a bit smarter once we're sure what it's for.
- - rewrite how libevent does select() on win32 so it's not so very slow.
- - Write limiting; separate token bucket for write
- - Audit everything to make sure rend and intro points are just as likely to
- be us as not.
- - Do something to prevent spurious EXTEND cells from making middleman
- nodes connect all over. Rate-limit failed connections, perhaps?
- Major items for 0.1.2.x:
- - Directory guards
- R - Server usability
- N - Better hidden service performance
- - Improve controller
- - Asynchronous DNS
- - Better estimates in the directory of whether servers have good uptime
- (high expected time to failure) or good guard qualities (high
- fractional uptime).
- - memory usage on dir servers.
- copy less!
- N - oprofile including kernel time.
- Topics to think about during 0.1.2.x development:
- - Figure out non-clique.
- - Figure out partial network knowledge.
- - Figure out incentives.
- Future version:
- - Limit to 2 dir, 2 OR, N SOCKS connections per IP.
- - Handle full buffers without totally borking
- - Rate-limit OR and directory connections overall and per-IP and
- maybe per subnet.
- - Hold-open-until-flushed now works by accident; it should work by
- design.
- - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
- - Specify?
- - tor-resolve script should use socks5 to get better error messages.
- - make min uptime a function of the available choices (say, choose 60th
- percentile, not 1 day.)
- - Track uptime as %-of-time-up, as well as time-since-last-down.
- - hidserv offerers shouldn't need to define a SocksPort
- * figure out what breaks for this, and do it.
- - auth mechanisms to let hidden service midpoint and responder filter
- connection requests.
- - Relax clique assumptions.
- X start handling server descriptors without a socksport?
- - tor should be able to have a pool of outgoing IP addresses
- that it is able to rotate through. (maybe)
- Blue-sky:
- - Patch privoxy and socks protocol to pass strings to the browser.
- - Standby/hotswap/redundant hidden services.
- - Robust decentralized storage for hidden service descriptors.
- - The "China problem"
- - Allow small cells and large cells on the same network?
- - Cell buffering and resending. This will allow us to handle broken
- circuits as long as the endpoints don't break, plus will allow
- connection (tls session key) rotation.
- - Implement Morphmix, so we can compare its behavior, complexity, etc.
- - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
- link crypto, unless we can bully openssl into it.
- - Need a relay teardown cell, separate from one-way ends.
- (Pending a user who needs this)
- - Handle half-open connections: right now we don't support all TCP
- streams, at least according to the protocol. But we handle all that
- we've seen in the wild.
- (Pending a user who needs this)
|