2007-10-08 04:24:07 +02:00
|
|
|
$Id$
|
2003-03-18 00:19:25 +01:00
|
|
|
Legend:
|
|
|
|
SPEC!! - Not specified
|
|
|
|
SPEC - Spec not finalized
|
2005-12-07 22:45:53 +01:00
|
|
|
N - nick claims
|
|
|
|
R - arma claims
|
|
|
|
P - phobos claims
|
2003-03-18 00:19:25 +01:00
|
|
|
- Not done
|
|
|
|
* Top priority
|
|
|
|
. Partially done
|
|
|
|
o Done
|
2006-12-18 19:13:03 +01:00
|
|
|
d Deferrable
|
2003-03-18 00:19:25 +01:00
|
|
|
D Deferred
|
|
|
|
X Abandoned
|
|
|
|
|
2007-06-15 06:14:01 +02:00
|
|
|
Things we'd like to do in 0.2.0.x:
|
2007-08-28 01:42:46 +02:00
|
|
|
- See also Flyspray tasks.
|
|
|
|
- See also all items marked XXXX020 and DOCDOC in the code
|
2007-09-19 06:19:27 +02:00
|
|
|
- http://tor.eff.org/eff/legal-faq.html#License doesn't mention
|
2007-09-19 10:47:24 +02:00
|
|
|
licenses for other components of the bundles.
|
2007-08-28 01:42:46 +02:00
|
|
|
|
2007-10-27 00:14:11 +02:00
|
|
|
- Before the feature freeze: (Nick)
|
2007-10-26 16:57:28 +02:00
|
|
|
- Support for preconfigured mirror lists
|
2007-10-27 00:14:11 +02:00
|
|
|
- Use a pre-shipped fallback consensus.
|
2007-10-26 16:57:28 +02:00
|
|
|
- Download consensuses (et al) via if-modified-since
|
2007-10-27 00:50:40 +02:00
|
|
|
o Saner TLS rotation
|
|
|
|
o Bump up OR the "connection timeout" value to be 1.5
|
2007-10-27 00:14:11 +02:00
|
|
|
circuit dirtiness interval.
|
2007-10-27 00:50:40 +02:00
|
|
|
o Document this in tor-spec
|
2007-10-27 00:50:42 +02:00
|
|
|
o base Guard flag on WFU rather than on MTBF.
|
|
|
|
o Change guard calculation
|
|
|
|
o Change dir-spec.txt
|
|
|
|
- What should we do about hosts that have been up for only 1 hour,
|
2007-10-27 01:31:05 +02:00
|
|
|
but have been up for 100% of that one hour? -NM
|
|
|
|
Perhaps the guard flag should only be assigned if the measurement
|
|
|
|
period for that server is at least some large period, like a
|
|
|
|
week; but ignore this exception if "most" servers have too-short
|
|
|
|
measurement periods. -RD
|
2007-10-27 00:14:11 +02:00
|
|
|
D 118 if feasible and obvious
|
|
|
|
D Maintain a skew estimate and use ftime consistently.
|
2007-10-26 16:57:28 +02:00
|
|
|
- 105+TLS, if possible.
|
2007-10-27 00:14:11 +02:00
|
|
|
- Skew issues:
|
|
|
|
- if you load (nick says receive/set/anything) a consensus that's
|
|
|
|
in the future, then log about skew.
|
|
|
|
- should change the "skew complaint" to specify in largest units
|
|
|
|
rather than just seconds.
|
2007-10-27 00:09:36 +02:00
|
|
|
- karsten's patches
|
2007-10-27 00:08:26 +02:00
|
|
|
|
2007-10-27 00:14:11 +02:00
|
|
|
- Before the feature freeze: (Roger)
|
|
|
|
- Make tunnelled dir conns use begin_dir if enabled
|
|
|
|
- make bridge users fall back from bridge authority to direct attempt
|
2007-10-27 00:08:26 +02:00
|
|
|
|
|
|
|
- get more v3 authorities before 0.2.0.x comes out.
|
|
|
|
- brainstorm about who those should be
|
|
|
|
|
2007-08-28 01:42:46 +02:00
|
|
|
- Bugs.
|
|
|
|
- Bug reports Roger has heard along that way that don't have enough
|
2007-07-18 12:53:43 +02:00
|
|
|
details/attention to solve them yet.
|
2007-07-12 17:24:56 +02:00
|
|
|
- tup said that when he set FetchUselessDescriptors, after
|
|
|
|
24 or 48 hours he wasn't fetching any descriptors at all
|
|
|
|
anymore. This was in 0.2.0 but worked fine in 0.1.2.
|
|
|
|
- arma noticed that when his network went away and he tried
|
|
|
|
a new guard node and the connect() syscall failed to it,
|
|
|
|
the guard wasn't being marked as down. 0.2.0.x.
|
|
|
|
- after being without network for 12 hours, arma's tor decided
|
|
|
|
it couldn't fetch any network statuses, and never tried again
|
|
|
|
even when the network came back and arma clicked on things.
|
|
|
|
also 0.2.0.
|
2007-07-18 12:53:43 +02:00
|
|
|
- phobos says relaybandwidth* sometimes don't do what we expect.
|
|
|
|
http://interloper.org/tmp/2007-06-bw-usage.png
|
|
|
|
- this notion of authorities notifying servers that they're
|
|
|
|
unreachable is bunk -- it's leftover from the time when all
|
|
|
|
servers ran 24/7. now it triggers every time a server goes
|
|
|
|
away and then returns before the old descriptor has expired.
|
2007-08-19 06:34:56 +02:00
|
|
|
- add a --quiet commandline option that suppresses logs. useful
|
|
|
|
for --hashed-password and maybe others.
|
2007-08-30 08:17:17 +02:00
|
|
|
- Tor logs the libevent version on startup, for debugging purposes.
|
|
|
|
This is great. But it does this before configuring the logs, so
|
|
|
|
it only goes to stdout and is then lost.
|
2007-10-11 01:43:02 +02:00
|
|
|
- we should do another bandwidth test every 12 hours or something
|
|
|
|
if we're showing less than 50KB and our bandwidthrate says we can
|
|
|
|
do more than that. I think some servers are forgetting the results
|
|
|
|
of their first test, and then never seeing use.
|
2007-02-13 00:39:34 +01:00
|
|
|
|
2007-02-10 22:26:36 +01:00
|
|
|
- Proposals:
|
2007-05-22 19:58:25 +02:00
|
|
|
. 101: Voting on the Tor Directory System (plus 103)
|
2007-10-26 16:57:28 +02:00
|
|
|
- Handle badly timed certificates properly.
|
2007-10-08 21:56:57 +02:00
|
|
|
. Start caching consensus documents once authorities make them;
|
|
|
|
start downloading consensus documents once caches serve
|
|
|
|
them
|
2007-10-24 21:53:11 +02:00
|
|
|
o Code to delay next download while fetching certificates to verify
|
2007-10-10 21:33:19 +02:00
|
|
|
a consensus we already got.
|
2007-10-24 21:53:11 +02:00
|
|
|
o Code to retry consensus download if we got one we already have.
|
2007-10-10 21:33:19 +02:00
|
|
|
- Use if-modified-since on consensus download
|
|
|
|
- Use if-modified-since on certificate download
|
2007-08-28 00:19:30 +02:00
|
|
|
- Controller support
|
|
|
|
- GETINFO to get consensus
|
|
|
|
- Event when new consensus arrives
|
2007-06-09 09:05:19 +02:00
|
|
|
- 105: Version negotiation for the Tor protocol
|
2007-08-28 01:42:46 +02:00
|
|
|
. 111: Prioritize local traffic over relayed.
|
|
|
|
- Merge into tor-spec.txt.
|
2007-08-21 07:37:24 +02:00
|
|
|
|
2007-02-10 22:26:36 +01:00
|
|
|
- Refactoring:
|
2007-03-26 16:07:59 +02:00
|
|
|
. Make cells get buffered on circuit, not on the or_conn.
|
2007-08-13 20:47:17 +02:00
|
|
|
. Switch to pool-allocation for cells?
|
2007-04-11 02:30:34 +02:00
|
|
|
- Benchmark pool-allocation vs straightforward malloc.
|
2007-04-21 19:48:45 +02:00
|
|
|
- Adjust memory allocation logic in pools to favor a little less
|
|
|
|
slack memory.
|
2007-04-21 19:24:18 +02:00
|
|
|
. Remove socketpair-based bridges conns, and the word "bridge". (Use
|
2007-03-09 23:49:15 +01:00
|
|
|
shared (or connected) buffers for communication, rather than sockets.)
|
2007-04-21 19:24:18 +02:00
|
|
|
. Implement
|
2007-04-21 19:26:12 +02:00
|
|
|
- Handle rate-limiting on directory writes to linked directory
|
|
|
|
connections in a more sensible manner.
|
|
|
|
- Find more ways to test this.
|
2007-10-27 00:50:40 +02:00
|
|
|
o Do TLS rotation less often than "every 10 minutes" in the thrashy case.
|
|
|
|
D Do TLS connection rotation more often than "once a week" in the
|
2007-03-02 21:00:26 +01:00
|
|
|
extra-stable case.
|
2007-03-09 23:49:15 +01:00
|
|
|
- Streamline how we pick entry nodes: Make choose_random_entry() have
|
|
|
|
less magic and less control logic.
|
|
|
|
- Refactor networkstatus generation:
|
|
|
|
- Include "v" line in getinfo values.
|
2007-08-24 16:41:19 +02:00
|
|
|
|
2007-08-28 01:42:46 +02:00
|
|
|
- Bridges:
|
2007-07-30 08:18:56 +02:00
|
|
|
. Bridges users (rudimentary version)
|
2007-06-09 09:05:19 +02:00
|
|
|
o Ability to specify bridges manually
|
2007-06-15 06:14:01 +02:00
|
|
|
o Config option 'UseBridges' that bridge users can turn on.
|
|
|
|
o uses bridges as first hop rather than entry guards.
|
2007-06-12 11:17:23 +02:00
|
|
|
o if you don't have any routerinfos for your bridges, or you don't
|
|
|
|
like the ones you have, ask a new bridge for its server/authority.
|
|
|
|
. Ask all directory questions to bridge via BEGIN_DIR.
|
|
|
|
- use the bridges for dir fetches even when our dirport is open.
|
2007-07-12 17:24:56 +02:00
|
|
|
R - drop 'authority' queries if they're to our own identity key; accept
|
|
|
|
them otherwise.
|
2007-09-27 18:08:10 +02:00
|
|
|
X Design/implement the "local-status" or something like it, from the
|
2007-06-04 04:57:23 +02:00
|
|
|
"Descriptor purposes: how to tell them apart" section of
|
2007-06-04 04:49:45 +02:00
|
|
|
http://archives.seul.org/or/dev/May-2007/msg00008.html
|
2007-07-18 12:06:03 +02:00
|
|
|
o timeout and retry schedules for fetching bridge descriptors
|
2007-06-12 11:17:23 +02:00
|
|
|
- give extend_info_t a router_purpose again
|
2007-06-15 06:14:01 +02:00
|
|
|
o react faster to download networkstatuses after the first bridge
|
2007-06-12 11:17:23 +02:00
|
|
|
descriptor arrives
|
2007-07-30 08:18:56 +02:00
|
|
|
o be more robust to bridges being marked as down and leaving us
|
2007-06-12 11:17:23 +02:00
|
|
|
stranded without any known "running" bridges.
|
2007-06-09 09:05:19 +02:00
|
|
|
- Bridges operators (rudimentary version)
|
2007-03-09 22:40:10 +01:00
|
|
|
- Ability to act as dir cache without a dir port.
|
2007-06-09 09:05:19 +02:00
|
|
|
o Bridges publish to bridge authorities
|
2007-07-18 12:06:03 +02:00
|
|
|
o Fix BEGIN_DIR so that you connect to bridge of which you only
|
2007-03-09 22:40:10 +01:00
|
|
|
know IP (and optionally fingerprint), and then use BEGIN_DIR to learn
|
|
|
|
more about it.
|
2007-06-15 06:14:01 +02:00
|
|
|
- look at server_mode() and decide if it always applies to bridges too.
|
2007-06-09 09:05:19 +02:00
|
|
|
- Bridges authorities (rudimentary version)
|
|
|
|
o Rudimentary "do not publish networkstatus" option for bridge
|
2007-04-25 07:59:30 +02:00
|
|
|
authorities.
|
|
|
|
- Clients can ask bridge authorities for more bridges.
|
2007-06-09 09:05:19 +02:00
|
|
|
- Bridges
|
2007-07-30 08:18:56 +02:00
|
|
|
o Clients can ask bridge authorities for updates on known bridges.
|
2007-03-09 22:40:10 +01:00
|
|
|
- More TLS normalization work: make Tor less easily
|
2007-06-09 09:05:19 +02:00
|
|
|
fingerprinted.
|
2007-03-09 23:49:15 +01:00
|
|
|
- Directory system improvements
|
2007-08-29 19:21:57 +02:00
|
|
|
- Misc
|
|
|
|
- Make BEGIN_DIR mandatory for asking questions of bridge authorities?
|
2007-08-28 01:42:46 +02:00
|
|
|
|
|
|
|
- Features (other than bridges):
|
2007-03-09 23:49:15 +01:00
|
|
|
- Blocking-resistance.
|
2007-08-28 00:19:30 +02:00
|
|
|
- Write a proposal; make this part of 105.
|
2007-04-21 19:26:12 +02:00
|
|
|
- Audit how much RAM we're using for buffers and cell pools; try to
|
|
|
|
trim down a lot.
|
2007-08-28 00:19:30 +02:00
|
|
|
- Base relative control socket paths on datadir.
|
2007-08-28 01:42:46 +02:00
|
|
|
- We should ship with a list of stable dir mirrors -- they're not
|
|
|
|
trusted like the authorities, but they'll provide more robustness
|
|
|
|
and diversity for bootstrapping clients.
|
2007-10-19 04:28:47 +02:00
|
|
|
- Implement this as a list of routerstatus, like fake_routerstatus in
|
|
|
|
trusted_dir_derver_t?
|
2007-08-28 01:42:46 +02:00
|
|
|
- Better estimates in the directory of whether servers have good uptime
|
|
|
|
(high expected time to failure) or good guard qualities (high
|
|
|
|
fractional uptime).
|
|
|
|
- AKA Track uptime as %-of-time-up, as well as time-since-last-down
|
2007-09-17 20:27:43 +02:00
|
|
|
o Implement tracking
|
|
|
|
- Make uptime info persist too.
|
|
|
|
- Base Guard on weighted fractional uptime.
|
2007-08-29 21:02:43 +02:00
|
|
|
- Make TrackHostExits expire TrackHostExitsExpire seconds after their
|
|
|
|
*last* use, not their *first* use.
|
2007-08-28 01:42:46 +02:00
|
|
|
- Limit to 2 dir, 2 OR, N SOCKS connections per IP.
|
|
|
|
- Or maybe close connections from same IP when we get a lot from one.
|
|
|
|
- Or maybe block IPs that connect too many times at once.
|
|
|
|
- add an AuthDirBadexit torrc option if we decide we want one.
|
|
|
|
|
|
|
|
- Testing
|
|
|
|
N - Hack up a client that gives out weird/no certificates, so we can
|
|
|
|
test to make sure that this doesn't cause servers to crash.
|
|
|
|
|
|
|
|
- Deprecations:
|
2007-05-04 09:24:01 +02:00
|
|
|
- can we deprecate 'getinfo network-status'?
|
2007-05-21 15:48:55 +02:00
|
|
|
- can we deprecate the FastFirstHopPK config option?
|
2007-08-28 00:19:30 +02:00
|
|
|
|
2007-08-28 01:42:46 +02:00
|
|
|
- Documentation
|
|
|
|
- HOWTO for DNSPort.
|
|
|
|
- Quietly document NT Service options
|
|
|
|
- More prominently, we should have a recommended apps list.
|
2007-09-25 03:43:18 +02:00
|
|
|
- recommend pidgin (gaim is renamed)
|
2007-08-28 01:42:46 +02:00
|
|
|
- unrecommend IE because of ftp:// bug.
|
|
|
|
- we should add a preamble to tor-design saying it's out of date.
|
|
|
|
. Document transport and natdport in a good HOWTO.
|
|
|
|
- Publicize torel. (What else?
|
|
|
|
. Finish path-spec.txt
|
|
|
|
|
2007-05-04 09:24:01 +02:00
|
|
|
P - Packaging:
|
2007-08-28 01:42:46 +02:00
|
|
|
P - Can we switch to polipo? Please?
|
2007-09-25 03:43:18 +02:00
|
|
|
P - Make documentation realize that location of system configuration file
|
2007-08-28 01:42:46 +02:00
|
|
|
will depend on location of system defaults, and isn't always /etc/torrc.
|
2007-04-15 15:33:40 +02:00
|
|
|
P - If we haven't replaced privoxy, lock down its configuration in all
|
2007-03-09 23:49:15 +01:00
|
|
|
packages, as documented in tor-doc-unix.html
|
2007-04-15 15:33:40 +02:00
|
|
|
P - Figure out why dll's compiled in mingw don't work right in WinXP.
|
2007-06-28 06:32:12 +02:00
|
|
|
P - Create packages for Nokia 800, requested by Chris Soghoian
|
|
|
|
P - Consider creating special Tor-Polipo-Vidalia test packages,
|
|
|
|
requested by Dmitri Vitalev
|
2007-10-24 05:31:12 +02:00
|
|
|
o Get Vidalia supporting protocolinfo and using auth by default.
|
2007-10-25 15:54:37 +02:00
|
|
|
P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton
|
|
|
|
bundle
|
2006-12-19 00:08:18 +01:00
|
|
|
|
2007-08-28 01:42:46 +02:00
|
|
|
Nice-to-have items for 0.2.0.x, time permitting:
|
|
|
|
- Proposals
|
|
|
|
- 113: Simplifying directory authority administration
|
|
|
|
- 110: prevent infinite-length circuits (phase one)
|
|
|
|
. Robust decentralized storage for hidden service descriptors.
|
|
|
|
(Karsten is working on this; proposal 114.)
|
|
|
|
- 118: Listen on and advertise multiple ports:
|
|
|
|
- Tor should be able to have a pool of outgoing IP addresses that it is
|
|
|
|
able to rotate through. (maybe. Possible overlap with proposal 118.)
|
|
|
|
- config option to publish what ports you listen on, beyond
|
|
|
|
ORPort/DirPort. It should support ranges and bit prefixes (?) too.
|
|
|
|
(This is very similar to proposal 118.)
|
|
|
|
- 117: IPv6 Exits
|
|
|
|
- Internal code support for ipv6:
|
|
|
|
o Clone ipv6 functions (inet_ntop, inet_pton) where they don't exist.
|
|
|
|
- Most address variables need to become tor_addr_t
|
|
|
|
- Teach resolving code how to handle ipv6.
|
|
|
|
- Teach exit policies about ipv6 (consider ipv4/ipv6 interaction!)
|
|
|
|
|
|
|
|
- Features
|
|
|
|
- Let controller set router flags for authority to transmit, and for
|
|
|
|
client to use.
|
|
|
|
- add an 'exit-address' line in the descriptor for servers that exit
|
|
|
|
from something that isn't their published address.
|
|
|
|
- Clients should estimate their skew as median of skew from servers
|
|
|
|
over last N seconds.
|
|
|
|
- More work on AvoidDiskWrites?
|
|
|
|
|
|
|
|
- Protocol work
|
|
|
|
- MAYBE kill stalled circuits rather than stalled connections. This is
|
|
|
|
possible thanks to cell queues, but we need to consider the anonymity
|
|
|
|
implications.
|
|
|
|
- Implement TLS shutdown properly when possible.
|
2006-12-19 00:08:18 +01:00
|
|
|
|
2007-08-28 01:42:46 +02:00
|
|
|
- Low-priority bugs:
|
|
|
|
- we try to build 4 test circuits to break them over different
|
|
|
|
servers. but sometimes our entry node is the same for multiple
|
|
|
|
test circuits. this defeats the point.
|
|
|
|
- If the client's clock is too far in the past, it will drop (or just not
|
|
|
|
try to get) descriptors, so it'll never build circuits.
|
|
|
|
|
|
|
|
- Refactoring:
|
|
|
|
- Move all status info out of routerinfo into local_routerstatus. Make
|
|
|
|
"who can change what" in local_routerstatus explicit. Make
|
|
|
|
local_routerstatus (or equivalent) subsume all places to go for "what
|
|
|
|
router is this?"
|
|
|
|
|
|
|
|
- Build:
|
|
|
|
- Detect correct version of libraries from autoconf script.
|
|
|
|
|
|
|
|
- Documentation:
|
|
|
|
- Review torrc.sample to make it more discursive.
|
|
|
|
|
|
|
|
Deferred from 0.2.0.x:
|
|
|
|
- Features
|
|
|
|
- Make a TCP DNSPort
|
|
|
|
- Refactoring
|
|
|
|
- Make resolves no longer use edge_connection_t unless they are actually
|
|
|
|
_on_ a socks connection: have edge_connection_t and (say)
|
|
|
|
dns_request_t both extend an edge_stream_t, and have p_streams and
|
|
|
|
n_streams both be linked lists of edge_stream_t.
|
|
|
|
- Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the
|
|
|
|
online config documentation from a single source.
|
|
|
|
- Blocking/scanning-resistance
|
|
|
|
- It would be potentially helpful to https requests on the OR port by
|
|
|
|
acting like an HTTPS server.
|
|
|
|
- Do we want to maintain our own set of entryguards that we use as
|
|
|
|
next hop after the bridge? Open research question; let's say no
|
|
|
|
for 0.2.0 unless we learn otherwise.
|
|
|
|
- Should do reachability testing but only on the purpose==bridge
|
|
|
|
descriptors we have.
|
|
|
|
- Some mechanism for specifying that we want to stop using a cached
|
|
|
|
bridge.
|
|
|
|
|
|
|
|
|
|
|
|
Future versions:
|
|
|
|
- See also Flyspray tasks.
|
|
|
|
- See also all OPEN/ACCEPTED proposals.
|
|
|
|
- See also all items marked XXXX and FFFF in the code.
|
|
|
|
|
|
|
|
- Protocol:
|
|
|
|
- Our current approach to block attempts to use Tor as a single-hop proxy
|
|
|
|
is pretty lame; we should get a better one.
|
|
|
|
- Allow small cells and large cells on the same network?
|
|
|
|
- Cell buffering and resending. This will allow us to handle broken
|
|
|
|
circuits as long as the endpoints don't break, plus will allow
|
|
|
|
connection (tls session key) rotation.
|
|
|
|
- Implement Morphmix, so we can compare its behavior, complexity,
|
|
|
|
etc. But see paper breaking morphmix.
|
|
|
|
- Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
|
|
|
|
link crypto, unless we can bully DTLS into it.
|
|
|
|
- Need a relay teardown cell, separate from one-way ends.
|
|
|
|
(Pending a user who needs this)
|
|
|
|
- Handle half-open connections: right now we don't support all TCP
|
|
|
|
streams, at least according to the protocol. But we handle all that
|
|
|
|
we've seen in the wild.
|
|
|
|
(Pending a user who needs this)
|
|
|
|
|
|
|
|
- Directory system
|
|
|
|
- BEGIN_DIR items
|
|
|
|
- turn the received socks addr:port into a digest for setting .exit
|
|
|
|
- handle connect-dir streams that don't have a chosen_exit_name set.
|
|
|
|
- Have a "Faster" status flag that means it. Fast2, Fast4, Fast8?
|
|
|
|
- Add an option (related to AvoidDiskWrites) to disable directory
|
|
|
|
caching. (Is this actually a good idea??)
|
|
|
|
- Add d64 and fp64 along-side d and fp so people can paste status
|
|
|
|
entries into a url. since + is a valid base64 char, only allow one
|
|
|
|
at a time. Consider adding to controller as well.
|
|
|
|
- Some back-out mechanism for auto-approval on authorities
|
|
|
|
- a way of rolling back approvals to before a timestamp
|
|
|
|
- Consider minion-like fingerprint file/log combination.
|
|
|
|
- Have new people be in limbo and need to demonstrate usefulness
|
|
|
|
before we approve them.
|
|
|
|
|
|
|
|
- Hidden services:
|
|
|
|
- Standby/hotswap/redundant hidden services.
|
|
|
|
. Update the hidden service stuff for the new dir approach. (Much
|
|
|
|
of this will be superseded by 114.)
|
|
|
|
- switch to an ascii format, maybe sexpr?
|
|
|
|
- authdirservers publish blobs of them.
|
|
|
|
- other authdirservers fetch these blobs.
|
|
|
|
- hidserv people have the option of not uploading their blobs.
|
|
|
|
- you can insert a blob via the controller.
|
|
|
|
- and there's some amount of backwards compatibility.
|
|
|
|
- teach clients, intro points, and hidservs about auth mechanisms.
|
|
|
|
- come up with a few more auth mechanisms.
|
|
|
|
- auth mechanisms to let hidden service midpoint and responder filter
|
|
|
|
connection requests.
|
|
|
|
- Let each hidden service (or other thing) specify its own
|
|
|
|
OutboundBindAddress?
|
|
|
|
- Hidserv offerers shouldn't need to define a SocksPort
|
|
|
|
|
|
|
|
- Server operation
|
|
|
|
- When we notice a 'Rejected: There is already a named server with
|
|
|
|
this nickname' message... or maybe instead when we see in the
|
|
|
|
networkstatuses that somebody else is Named with the name we
|
|
|
|
want: warn the user, send a STATUS_SERVER message, and fall back
|
|
|
|
to unnamed.
|
|
|
|
- If the server is spewing complaints about raising your ulimit -n,
|
|
|
|
we should add a note about this to the server descriptor so other
|
|
|
|
people can notice too.
|
|
|
|
- When we hit a funny error from a dir request (eg 403 forbidden),
|
|
|
|
but tor is working and happy otherwise, and we haven't seen many
|
|
|
|
such errors recently, then don't warn about it.
|
|
|
|
|
|
|
|
- Controller
|
|
|
|
- A way to adjust router flags from the controller. (How do we
|
|
|
|
prevent the authority from clobbering them soon afterward?)
|
|
|
|
- Implement missing status events and accompanying getinfos
|
2007-01-19 22:25:32 +01:00
|
|
|
- DIR_REACHABLE
|
|
|
|
- BAD_DIR_RESPONSE (Unexpected directory response; maybe we're behind
|
|
|
|
a firewall.)
|
|
|
|
- BAD_PROXY (Bad http or https proxy)
|
|
|
|
- UNRECOGNIZED_ROUTER (a nickname we asked for is unavailable)
|
|
|
|
- Status events related to hibernation
|
|
|
|
- something about failing to parse our address?
|
|
|
|
from resolve_my_address() in config.c
|
|
|
|
- sketchy OS, sketchy threading
|
|
|
|
- too many onions queued: threading problems or slow CPU?
|
2007-08-28 01:42:46 +02:00
|
|
|
- Implement missing status event fields:
|
2007-01-19 22:25:32 +01:00
|
|
|
- TIMEOUT on CHECKING_REACHABILITY
|
|
|
|
- GETINFO status/client, status/server, status/general: There should be
|
|
|
|
some way to learn which status events are currently "in effect."
|
|
|
|
We should specify which these are, what format they appear in, and so
|
|
|
|
on.
|
2007-08-28 01:42:46 +02:00
|
|
|
- More information in events:
|
|
|
|
- Include bandwidth breakdown by conn->type in BW events.
|
|
|
|
- Change circuit status events to give more details, like purpose,
|
2006-05-30 22:41:22 +02:00
|
|
|
whether they're internal, when they become dirty, when they become
|
|
|
|
too dirty for further circuits, etc.
|
|
|
|
- Change stream status events analogously.
|
2007-08-28 01:42:46 +02:00
|
|
|
- Expose more information via getinfo:
|
|
|
|
- import and export rendezvous descriptors
|
|
|
|
- Review all static fields for additional candidates
|
|
|
|
- Allow EXTENDCIRCUIT to unknown server.
|
2006-05-30 22:41:22 +02:00
|
|
|
- We need some way to adjust server status, and to tell tor not to
|
|
|
|
download directories/network-status, and a way to force a download.
|
|
|
|
- Make everything work with hidden services
|
2005-09-21 06:02:54 +02:00
|
|
|
|
2007-08-28 01:42:46 +02:00
|
|
|
- Performance/resources
|
|
|
|
- per-conn write buckets
|
|
|
|
- separate config options for read vs write limiting
|
|
|
|
(It's hard to support read > write, since we need better
|
|
|
|
congestion control to avoid overfull buffers there. So,
|
|
|
|
defer the whole thing.)
|
|
|
|
- Investigate RAM use in directory authorities.
|
|
|
|
- Look into pulling serverdescs off buffers as they arrive.
|
|
|
|
- Rate limit exit connections to a given destination -- this helps
|
|
|
|
us play nice with websites when Tor users want to crawl them; it
|
|
|
|
also introduces DoS opportunities.
|
|
|
|
- Consider truncating rather than destroying failed circuits,
|
|
|
|
in order to save the effort of restarting. There are security
|
|
|
|
issues here that need thinking, though.
|
|
|
|
- Handle full buffers without totally borking
|
|
|
|
- Rate-limit OR and directory connections overall and per-IP and
|
|
|
|
maybe per subnet.
|
|
|
|
|
|
|
|
- Misc
|
|
|
|
- Hold-open-until-flushed now works by accident; it should work by
|
|
|
|
design.
|
|
|
|
- Display the reasons in 'destroy' and 'truncated' cells under
|
|
|
|
some circumstances?
|
|
|
|
- Make router_is_general_exit() a bit smarter once we're sure what
|
|
|
|
it's for.
|
|
|
|
- Automatically determine what ports are reachable and start using
|
|
|
|
those, if circuits aren't working and it's a pattern we
|
|
|
|
recognize ("port 443 worked once and port 9001 keeps not
|
|
|
|
working").
|
|
|
|
|
|
|
|
- Security
|
2007-10-11 01:43:02 +02:00
|
|
|
- some better fix for bug #516?
|
2007-08-28 01:42:46 +02:00
|
|
|
- don't do dns hijacking tests if we're reject *:* exit policy?
|
|
|
|
(deferred until 0.1.1.x is less common)
|
|
|
|
- Directory guards
|
|
|
|
- Mini-SoaT:
|
|
|
|
- Servers might check certs for known-good ssl websites, and if
|
|
|
|
they come back self-signed, declare themselves to be
|
|
|
|
non-exits. Similar to how we test for broken/evil dns now.
|
|
|
|
- Authorities should try using exits for http to connect to some
|
|
|
|
URLS (specified in a configuration file, so as not to make the
|
|
|
|
List Of Things Not To Censor completely obvious) and ask them
|
|
|
|
for results. Exits that don't give good answers should have
|
|
|
|
the BadExit flag set.
|
|
|
|
- Alternatively, authorities should be able to import opinions
|
|
|
|
from Snakes on a Tor.
|
|
|
|
- More consistent error checking in router_parse_entry_from_string().
|
|
|
|
I can say "banana" as my bandwidthcapacity, and it won't even squeak.
|
|
|
|
- Bind to random port when making outgoing connections to Tor servers,
|
|
|
|
to reduce remote sniping attacks.
|
|
|
|
- Audit everything to make sure rend and intro points are just as
|
|
|
|
likely to be us as not.
|
|
|
|
- Do something to prevent spurious EXTEND cells from making
|
|
|
|
middleman nodes connect all over. Rate-limit failed
|
|
|
|
connections, perhaps?
|
|
|
|
- DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
|
|
|
|
|
|
|
|
- Bridges
|
|
|
|
- Tolerate clock skew on bridge relays.
|
|
|
|
|
|
|
|
- Needs thinking
|
|
|
|
- Now that we're avoiding exits when picking non-exit positions,
|
|
|
|
we need to consider how to pick nodes for internal circuits. If
|
|
|
|
we avoid exits for all positions, we skew the load balancing. If
|
|
|
|
we accept exits for all positions, we leak whether it's an
|
|
|
|
internal circuit at every step. If we accept exits only at the
|
|
|
|
last hop, we reintroduce Lasse's attacks from the Oakland paper.
|
|
|
|
|
|
|
|
- Windows server usability
|
|
|
|
- Solve the ENOBUFS problem.
|
|
|
|
- make tor's use of openssl operate on buffers rather than sockets,
|
|
|
|
so we can make use of libevent's buffer paradigm once it has one.
|
|
|
|
- make tor's use of libevent tolerate either the socket or the
|
|
|
|
buffer paradigm; includes unifying the functions in connect.c.
|
|
|
|
- We need a getrlimit equivalent on Windows so we can reserve some
|
|
|
|
file descriptors for saving files, etc. Otherwise we'll trigger
|
|
|
|
asserts when we're out of file descriptors and crash.
|
|
|
|
- Merge code from Urz into libevent
|
|
|
|
- Make Tor use evbuffers.
|
|
|
|
|
|
|
|
- Documentation
|
|
|
|
- a way to generate the website diagrams from source, so we can
|
2007-09-25 03:43:18 +02:00
|
|
|
translate them as utf-8 text rather than with gimp. (svg? or
|
|
|
|
imagemagick?)
|
2007-08-28 01:42:46 +02:00
|
|
|
. Flesh out options_description array in src/or/config.c
|
|
|
|
. multiple sample torrc files
|
|
|
|
. figure out how to make nt service stuff work?
|
|
|
|
. Document it.
|
|
|
|
- Refactor tor man page to divide generally useful options from
|
|
|
|
less useful ones?
|
|
|
|
- Add a doxygen style checker to make check-spaces so nick doesn't drift
|
|
|
|
too far from arma's undocumented styleguide. Also, document that
|
|
|
|
styleguide in HACKING. (See r9634 for example.)
|
|
|
|
- exactly one space at beginning and at end of comments, except i
|
|
|
|
guess when there's line-length pressure.
|
|
|
|
- if we refer to a function name, put a () after it.
|
|
|
|
- only write <b>foo</b> when foo is an argument to this function.
|
|
|
|
- doxygen comments must always end in some form of punctuation.
|
|
|
|
- capitalize the first sentence in the doxygen comment, except
|
|
|
|
when you shouldn't.
|
|
|
|
- avoid spelling errors and incorrect comments. ;)
|
|
|
|
|
|
|
|
- Packaging
|
|
|
|
- The Debian package now uses --verify-config when (re)starting,
|
|
|
|
to distinguish configuration errors from other errors. Perhaps
|
|
|
|
the RPM and other startup scripts should too?
|
|
|
|
- add a "default.action" file to the tor/vidalia bundle so we can
|
|
|
|
fix the https thing in the default configuration:
|
|
|
|
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort
|
|
|
|
|
|
|
|
- Related tools
|
|
|
|
- Patch privoxy and socks protocol to pass strings to the browser.
|
|
|
|
|
|
|
|
|
|
|
|
Documentation, non-version-specific.
|
|
|
|
- Specs
|
|
|
|
- Mark up spec; note unclear points about servers
|
|
|
|
NR - write a spec appendix for 'being nice with tor'
|
|
|
|
- Specify the keys and key rotation schedules and stuff
|
2006-05-22 22:26:30 +02:00
|
|
|
- Mention controller libs someplace.
|
|
|
|
- Remove need for HACKING file.
|
2007-04-15 15:33:40 +02:00
|
|
|
P - document http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy on freebsd and osx
|
|
|
|
P - figure out why x86_64 won't build rpms from tor.spec
|
|
|
|
P - figure out spec files for bundles of vidalia-tor-polipo
|
|
|
|
P - figure out polipo install scripts for bundles of vidalia-tor-polipo on osx, win32
|
|
|
|
P - figure out selinux policy for tor
|
2007-06-28 06:32:12 +02:00
|
|
|
P - change packaging system to more automated and specific for each
|
|
|
|
platform, suggested by Paul Wouter
|
2007-09-22 22:26:06 +02:00
|
|
|
P - Setup repos for redhat and suse rpms & start signing the rpms the
|
|
|
|
way package management apps prefer
|
2006-05-22 22:26:30 +02:00
|
|
|
|
|
|
|
Website:
|
2007-09-22 22:26:06 +02:00
|
|
|
P - tor-in-the-media page
|
2007-10-26 19:46:55 +02:00
|
|
|
X more pictures from ren. he wants to describe the tor handshake
|
2007-08-28 01:42:46 +02:00
|
|
|
- Figure out licenses for website material.
|
2007-09-22 22:26:06 +02:00
|
|
|
P - put the logo on the website, in source form, so people can put it on
|
2006-05-22 22:26:30 +02:00
|
|
|
stickers directly, etc.
|
2007-09-22 22:26:06 +02:00
|
|
|
P - put the source image for the stickers on the website, so people can
|
2007-04-15 15:33:40 +02:00
|
|
|
print their own
|
2007-10-08 04:24:07 +02:00
|
|
|
P - figure out a license for the logos and docs we publish
|
2006-05-22 22:26:30 +02:00
|
|
|
R - make a page with the hidden service diagrams.
|
2007-09-25 03:43:18 +02:00
|
|
|
P - ask Jan/Jens to be the translation coordinator? add to volunteer page.
|
2006-12-13 03:49:45 +01:00
|
|
|
- add a page for localizing all tor's components.
|
2007-01-15 23:11:21 +01:00
|
|
|
- It would be neat if we had a single place that described _all_ the
|
|
|
|
tor-related tools you can use, and what they give you, and how well they
|
|
|
|
work. Right now, we don't give a lot of guidance wrt
|
|
|
|
torbutton/foxproxy/privoxy/polipo in any consistent place.
|
2007-10-26 19:46:55 +02:00
|
|
|
- the tor mirror pages are probably still mirroring from tor.eff.org.
|
|
|
|
Get them to switch, and maybe remove the ones that haven't switched?
|