From 42ca0d4270a11ccc62022e87e6ba2145b12200f8 Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Tue, 5 Aug 2008 18:10:26 +0000 Subject: [PATCH] break the todo file into three todo files. svn:r16427 --- doc/TODO | 690 +--------------------------------------------- doc/TODO.021 | 337 ++++++++++++++++++++++ doc/TODO.external | 69 +++++ doc/TODO.future | 330 ++++++++++++++++++++++ 4 files changed, 742 insertions(+), 684 deletions(-) create mode 100644 doc/TODO.021 create mode 100644 doc/TODO.external create mode 100644 doc/TODO.future diff --git a/doc/TODO b/doc/TODO index 4c6c723acb..fd023c8bf5 100644 --- a/doc/TODO +++ b/doc/TODO @@ -1,689 +1,11 @@ -$Id$ -Legend: -SPEC!! - Not specified -SPEC - Spec not finalized -N - nick claims -R - arma claims -P - phobos claims -S - Steven claims -E - Matt claims -M - Mike claims -J - Jeff claims -I - ioerror claims -W - weasel claims -K - Karsten claims - - Not done - * Top priority - . Partially done - o Done - d Deferrable - D Deferred - X Abandoned -======================================================================= +We've split out our TODO into three files: -External constraints: +TODO.02x is the list of items we're planning to get done in the next +stable release. - - mid July -W - Take the results from instrumenting directory downloads on Tor - clients, and analyze/simulate some alternate approaches. Finish - proposal for how to improve things, iterate based on feedback, - convince us that the anonymity tradeoffs and/or scalability - tradeoffs are acceptable. +TODO.external is the list of external constraints and deliverables that +we all need to keep in mind. - - mid August -KS - Design hidden service improvements, evaluate them and consider - security properties: write some proposals, get feedback, revise - them, etc. -? - nlnet 'user safety contest'. submit torbrowser, others? +TODO.future is the list of other items we plan to get to in later releases. - - end of August -I - Auto update - o Vidalia learns when Tor thinks it should be updated -R - Tor status events should suggest a new version to switch to -I - Figure out a good PKI, document the design, assess security issues: - "write a proposal" - - Vidalia fetches the new one via Tor when possible, but fetches - it without Tor "when necessary", whatever that means. - - Give an interface for notifying the user, and letting her - decide to fetch and decide to swap out the old Tor for the new. - - Do the same for Polipo - - and for Vidalia itself - - - end of September -NSE - Write first draft of research study for Paul's research problem. - This should be at least vaguely related to what was discussed in - the end-of-May deliverable. - - - mid October -KS - Finish implementation of hidden service improvements: have a set - of patches that you think work. -W - Finish implementation of directory overhead changes: have a set - of patches that you think work. - - - mid January -KS - Finish testing, debugging, unit testing, etc the hidden service - changes. Have it in the development version and in use. -W - Finish testing, debugging, unit testing, etc the directory overhead - changes. Have it in the development version and in use. - -======================================================================= - -Other things Roger would be excited to see: - -Nick - - Finish buffer stuff in libevent; start using it in Tor. - - Tors start believing the contents of NETINFO cells. - . Work with Steven and Roger to decide which parts of Paul's project - he wants to work on. - - respond to Steven's red-team TLS testing (a.k.a, look at a packet - dump and compare) - -Matt - - Fit Vidalia in 640x480 again. - - When user changes the language in Vidalia, have it change right then. - - Vidalia should display/edit PlaintextPorts events/config. - . Vidalia's GUI should let you specify an http proxy that it launches - for you. Maybe in the general config window next to which Tor it - launches for you. - - Vidalia should avoid stomping on your custom exit policy lines - just because you click on 'save' for a totally different config thing. - - How much space do we save in TBB by stripping symbols from Vidalia - first? Good idea or crazy idea? - -ioerror - - gmail auto responder so you send us an email and we send you a Tor - binary. Probably needs a proposal first. - - weather.torproject.org should go live. - o Learn from Steven how to build/maintain the Tor Browser Bundle. - - Keep advocating new Tor servers and working with orgs like Mozilla - to let them like Tor. - - Start converting critical wiki pages into real Tor wml pages. E.g., - https://wiki.torproject.org/noreply/TheOnionRouter/VerifyingSignatures - - Find out what happened to the buildbot and get it back up: - http://tor-buildbot.freehaven.net:8010/ - - Learn about locking memory pages that have sensitive content. Get - that started in Tor. - - Translation portal - - Vidalia html help files - - should we i18nize polipo's error messages too? - - Some of our translated wml files are very old -- so old that they - are harmful to leave in place. We need some sort of way to notice - this and disable them. - -Steven - - Figure out (or give up on) how to run Tor Browser and ordinary - Firefox side-by-side. - - Enumerate and analyze traces left when running from USB - - Write a list of research items Tor would like to see done, for the - volunteer page. Pick a few you'd like to work on yourself. - - Move proposal 131 or equivalent forward. - - Keep bugging us about exploits on the .exit notation. - - If relays have 100KB/s but set relaybandwidthrate to 10KB/s, do your - interference attacks still work? - - Mike's question #3 on https://www.torproject.org/volunteer#Research - - Worthwhile shipping TBB with some local html help files that come - as bookmarks? - - Decide whether TBB should use Torbutton's "lock" feature. - http://archives.seul.org/or/cvs/Jun-2008/msg00186.html - -Andrew - - Which bundles include Torbutton? Change the docs/tor-doc-foo pages - so they admit that Torbutton is in them too. Change the download - page too. - - The OS X bundle screenshots are from forever ago -- they don't - include Torbutton, they still say it's tor.eff.org, etc. - - Should we still be telling you how to use Safari on OS X for Tor, - given all the holes that Torbutton-dev solves on Firefox? - -Karsten - o Make a hidden services explanation page with the hidden service - diagrams. See img/THS-[1-6].png. These need some text to go along - with them though, so people can follow what's going on. - - We should consider a single config option TorPrivateNetwork that - turns on all the config options for running a private test tor - network. having to keep updating all the tools, and the docs, - just isn't working. - -Weasel - - Figure out how to make Vidalia and Tor play nicely on Debian, make - the necessary modifications, and make some Vidalia debs that pass - muster. - - Fix bug 393. - - Get oftc to switch to Tor dns bulk exitlist. Or tell us why it's - not suitable yet. - - Take non-Running entries out of the networkstatus consensus. - - Move proposal 134 forward. - - putting port predictions in state file - - if tor hasn't been used in a while it stops fetching consensus - documents. Retain that state over restarts. - -Roger - - Finish tor-doc-bridge.wml - . Fix FAQ entry on setting up private Tor network - - Review Karsten's hidden service diagrams - - Roger should visit Internews DC sometime. - - Did we actually apply Steven's dkimproxy patch? - - Brainstorm about safe but effective ways for vidalia to - auto-update its user's bridges via Tor in the background. - -Mike: - - Roger wants to get an email every time there's a blog change, - e.g. a comment. That way spam doesn't go undetected for weeks. - - Or, maybe just disable linking from blog comments entirely? - -======================================================================= - -Bugs/issues for Tor 0.2.0.x: - . we should have an off-by-default way for relays to dump geoip data to - a file in their data directory, for measurement purposes. - o Basic implementation -N - Include probability-of-selection -R d let bridges set relaybandwidthrate as low as 5kb -R - bridge communities - . spec - . deploy - - man page entries for Alternate*Authority config options - -Documentation for Tor 0.2.0.x: - - Proposals: - . 111: Prioritize local traffic over relayed. -R - Merge into tor-spec.txt. - - 113: mark as closed close. - o document the "3/4 and 7/8" business in the clients fetching consensus - documents timeline. -R - then document the bridge user download timeline. - - HOWTO for DNSPort. See tup's wiki page. - . Document transport and natdport in a good HOWTO. - - Quietly document NT Service options: revise (or create) FAQ entry - -======================================================================= - -For 0.2.1.2-alpha: -R d bug: if we launch using bridges, and then stop using bridges, we - still have our bridges in our entryguards section, and may use them. -R d add an event to report geoip summaries to vidalia for bridge relays, - so vidalia can say "recent activity (1-8 users) from sa". -R - investigate: it looks like if the bridge authority is unreachable, - we're not falling back on querying bridges directly? -R - if "no running bridges known", an application request should make - us retry all our bridges. -R - get matt to make vidalia do a getinfo status/bootstrap-phase to - get caught up after it connects. -R d Setting DirPort when acting as bridge will give false Warnings - -For 0.2.1.x: - - Proposals to do: - o 110: avoid infinite-length circuits -R d 128: families of private bridges - - 134: handle authority fragmentation. - - - Proposals to write: -R d Do we want to maintain our own set of entryguards that we use as - next hop after the bridge? - X Add an 'exit-address' line in the descriptor for servers that exit - from something that isn't their published address. - [I think tordnsel solved this. -RD] - - Proposal to supersede 117 by adding IPv6 support for exits and entries. - - Internal code support for ipv6: - o Clone ipv6 functions (inet_ntop, inet_pton) where they don't exist. - - Many address variables need to become tor_addr_t - - addr in connection_t - - n_addr in extend_info_t - - Teach resolving code how to handle ipv6. - . Teach exit policies about ipv6 (consider ipv4/ipv6 - interaction!) - - Generate END_REASON_EXITPOLICY cells and parse them right - - Generate new BEGIN cell types and parse them right - - 118: Listen on and advertise multiple ports: - - Tor should be able to have a pool of outgoing IP addresses that it is - able to rotate through. (maybe. Possible overlap with proposal 118.) - - config option to publish what ports you listen on, beyond - ORPort/DirPort. It should support ranges and bit prefixes (?) too. - - Need to figure out the right format for routerinfo_t on this. - - Fix voting to handle bug 608 case when multiple servers get - Named. - d Possibly: revise link protocol to allow big circuit IDs, - variable-length cells, proposal-110 stuff, and versioned CREATES? - o Eliminate use of v2 networkstatus documents in v3 authority - decision-making. -N . Draft proposal for GeoIP aggregation (see external constraints *) - o Separate Guard flags for "pick this as a new guard" and "keep this - as an existing guard". First investigate if we want this. - . Figure out how to make good use of the fallback consensus file. Right - now many of the addresses in the fallback consensus will be stale, - so it will take dozens of minutes to bootstrap from it. This is a - bad first Tor experience. But if we check the fallback consensus - file *after* we fail to connect to any authorities, then it may - still be valuable as a blocking-resistance step. - o Write the proposal. - - Patch our tor.spec rpm package so it knows where to put the fallback - consensus file. - d Something for bug 469, to limit connections per IP. - . Put bandwidth weights in the networkstatus? So clients get weight - their choices even before they have the descriptors; and so - authorities can put in more accurate numbers in the future. - d Fetch an updated geoip file from the directory authorities. - - - Tiny designs to write: - . Better estimate of clock skew; has anonymity implications. Clients - should estimate their skew as median of skew from servers over last - N seconds, but for servers this is not so easy, since a server does - not choose who it connects to. - - Do TLS connection rotation more often than "once a week" in the - extra-stable case. - (One reason not to do it more often is because the old TLS conn - probably has a circuit on it, and we don't really want to build up - dozens of TCP connections to all the other extra-stable relays.) - - If a relay publishes a new descriptor with a significantly lower - uptime or with a new IP address, then we should consider its current - "running" interval to have ended even if it hadn't yet failed its - third reachability test. the interval ended when the new descriptor - appeared, and a new interval began then too. - - - Use less RAM * - - Optimize cell pool allocation. - d Support (or just always use) jemalloc (if it helps) - - mmap more files. - - Look into pulling serverdescs off buffers as they arrive. - - Use less bandwidth - - Use if-modified-since to download consensuses - - Handle multi-core cpus better - - Use information from NETINFO cells - - Don't extend a circuit over a noncanonical connection with - mismatched address. - - Learn our outgoing IP address from netinfo cells? - - Learn skew from netinfo cells? - - Testing - - Better unit test coverage - - Refactor unit tests into multiple files - - Verify that write limits to linked connections work. - - Use more mid-level and high-level libevent APIs - - For dns? - - For http? - - For buffers? - - Tool improvements: - - Get IOCP patch into libevent * - - - Security improvements - - make is-consensus-fresh-enough check way tighter. - - If we haven't tried downloading a consensus for ages since we're tired, - try getting a new one before we use old descriptors for a circuit. - Related to bug 401. - - - Feature removals and deprecations: - - Get rid of the v1 directory stuff (making, serving, and caching) - - First verify that the caches won't flip out? - - If they will, just stop the caches from caching for now - - perhaps replace it with a "this is a tor server" stock webpage. - - The v2dir flag isn't used for anything anymore, right? If so, dump it. - - Even clients run rep_hist_load_mtbf_data(). Does this waste memory? - Dump it? - - Unless we start using ftime functions, dump them. - - can we deprecate 'getinfo network-status'? - - can we deprecate the FastFirstHopPK config option? - - Can we deprecate controllers that don't use both features? - -Nice to have for 0.2.1.x: - - Proposals to write - - steven's plan for replacing check.torproject.org with a built-in - answer by tor itself. - - - Documentation -P - Make documentation realize that location of system configuration file - will depend on location of system defaults, and isn't always /etc/torrc. - - - Small controller features - - A status event for when tor decides to stop fetching directory info - if the client hasn't clicked recently: then make the onion change too. - - Add a status event when new consensus arrives - - - Windows build -P - Figure out why dll's compiled in mingw don't work right in WinXP. -P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle - - - Refactor bad code: - - Refactor the HTTP logic so the functions aren't so large. - - Refactor buf_read and buf_write to have sensible ways to return - error codes after partial writes - - Router_choose_random_node() has a big pile of args. make it "flags". - - Streamline how we pick entry nodes: Make choose_random_entry() have - less magic and less control logic. - - Don't call time(NULL) so much; instead have a static time_t field - that gets updated only a handful of times per second. - - Move all status info out of routerinfo into local_routerstatus. Make - "who can change what" in local_routerstatus explicit. Make - local_routerstatus (or equivalent) subsume all places to go for "what - router is this?" - - deprecate router_digest_is_trusted_dir() in favor of - router_get_trusteddirserver_by_digest() - - - Make Tor able to chroot itself - o allow it to load an entire config file from control interface - - document LOADCONF - - log rotation (and FD passing) via control interface - - chroot yourself, including inhibit trying to read config file - and reopen logs, unless they are under datadir. - - - Should be trivial: - - Base relative control socket paths (and other stuff in torrc) on datadir. - - Tor logs the libevent version on startup, for debugging purposes. - This is great. But it does this before configuring the logs, so - it only goes to stdout and is then lost. - - Make TrackHostExits expire TrackHostExitsExpire seconds after their - *last* use, not their *first* use. - - enforce a lower limit on MaxCircuitDirtiness and CircuitBuildTimeout. - - Make 'safelogging' extend to info-level logs too. - - don't do dns hijacking tests if we're reject *:* exit policy? - (deferred until 0.1.1.x is less common) - - More consistent error checking in router_parse_entry_from_string(). - I can say "banana" as my bandwidthcapacity, and it won't even squeak. - - - Interface for letting SOAT modify flags that authorities assign. - (How to keep the authority from clobbering them afterwards? - -Later, unless people want to implement them now: - - Actually use SSL_shutdown to close our TLS connections. - - Include "v" line in networkstatus getinfo values. - [Nick: bridge authorities output a networkstatus that is missing - version numbers. This is inconvenient if we want to make sure - bridgedb gives out bridges with certain characteristics. -RD] - [Okay. Is this a separate item, or is it the same issue as the lack of - a "v" line in response to the controller GETINFO command? -NM] - - Let tor dir mirrors proxy connections to the tor download site, so - if you know a bridge you can fetch the tor software. - - when somebody uses the controlport as an http proxy, give them - a "tor isn't an http proxy" error too like we do for the socks port. - - MAYBE kill stalled circuits rather than stalled connections. This is - possible thanks to cell queues, but we need to consider the anonymity - implications. - - Make resolves no longer use edge_connection_t unless they are actually - _on_ a socks connection: have edge_connection_t and (say) - dns_request_t both extend an edge_stream_t, and have p_streams and - n_streams both be linked lists of edge_stream_t. - - Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the - online config documentation from a single source. - - It would be potentially helpful to respond to https requests on - the OR port by acting like an HTTPS server. - - Make the timestamp granularity on logs configurable, with default - of "1 second". This might make some kinds of after-the-fact attack harder. - -Can anybody remember why we wanted to do this and/or what it means? - - config option __ControllerLimit that hangs up if there are a limit - of controller connections already. - [This was mwenge's idea. The idea is that a Tor controller can - "fill" Tor's controller slot quota, so jerks can't do cross-protocol - attacks like the http form attack. -RD] - - Bridge issues - . Ask all directory questions to bridge via BEGIN_DIR. - - use the bridges for dir fetches even when our dirport is open. - - drop 'authority' queries if they're to our own identity key; accept - them otherwise. - - give extend_info_t a router_purpose again - - - -If somebody wants to do this in some version, they should: - - Create packages for Nokia 800, requested by Chris Soghoian - - More work on AvoidDiskWrites - - Make DNSPort support TCP DNS. - - -* * * * Roger, please sort these: * * * * - - - bridge communities with local bridge authorities: - - clients who have a password configured decide to ask their bridge - authority for a networkstatus - - be able to have bridges that aren't in your torrc. save them in - state file, etc. - - Consider if we can solve: the Tor client doesn't know what flags - its bridge has (since it only gets the descriptor), so it can't - make decisions based on Fast or Stable. - - Some mechanism for specifying that we want to stop using a cached - bridge. - -======================================================================= - -Future versions: - - - Protocol - - Our current approach to block attempts to use Tor as a single-hop proxy - is pretty lame; we should get a better one. - - Allow small cells and large cells on the same network? - - Cell buffering and resending. This will allow us to handle broken - circuits as long as the endpoints don't break, plus will allow - connection (tls session key) rotation. - - Implement Morphmix, so we can compare its behavior, complexity, - etc. But see paper breaking morphmix. - - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own - link crypto, unless we can bully DTLS into it. - - Need a relay teardown cell, separate from one-way ends. - (Pending a user who needs this) - - Handle half-open connections: right now we don't support all TCP - streams, at least according to the protocol. But we handle all that - we've seen in the wild. - (Pending a user who needs this) - - - Directory system - - BEGIN_DIR items - - handle connect-dir streams that don't have a chosen_exit_name set. - - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8? - - Add an option (related to AvoidDiskWrites) to disable directory - caching. (Is this actually a good idea??) - X Add d64 and fp64 along-side d and fp so people can paste status - entries into a url. since + is a valid base64 char, only allow one - at a time. Consider adding to controller as well. - [abandoned for lack of demand] - - Some back-out mechanism for auto-approval on authorities - - a way of rolling back approvals to before a timestamp - - Consider minion-like fingerprint file/log combination. - X Have new people be in limbo and need to demonstrate usefulness - before we approve them. - - - Hidden services: - d Standby/hotswap/redundant hidden services: needs a proposal. - - you can insert a hidserv descriptor via the controller. - - auth mechanisms to let hidden service midpoint and responder filter - connection requests: proposal 121. - - Let each hidden service (or other thing) specify its own - OutboundBindAddress? - - - Server operation - - If the server is spewing complaints about raising your ulimit -n, - we should add a note about this to the server descriptor so other - people can notice too. - - When we hit a funny error from a dir request (eg 403 forbidden), - but tor is working and happy otherwise, and we haven't seen many - such errors recently, then don't warn about it. - - - Controller - - Implement missing status events and accompanying getinfos - - DIR_REACHABLE - - BAD_DIR_RESPONSE (Unexpected directory response; maybe we're behind - a firewall.) - - BAD_PROXY (Bad http or https proxy) - - UNRECOGNIZED_ROUTER (a nickname we asked for is unavailable) - - Status events related to hibernation - - something about failing to parse our address? - from resolve_my_address() in config.c - - sketchy OS, sketchy threading - - too many onions queued: threading problems or slow CPU? - - Implement missing status event fields: - - TIMEOUT on CHECKING_REACHABILITY - - GETINFO status/client, status/server, status/general: There should be - some way to learn which status events are currently "in effect." - We should specify which these are, what format they appear in, and so - on. - - More information in events: - - Include bandwidth breakdown by conn->type in BW events. - - Change circuit status events to give more details, like purpose, - whether they're internal, when they become dirty, when they become - too dirty for further circuits, etc. - - Change stream status events analogously. - - Expose more information via getinfo: - - import and export rendezvous descriptors - - Review all static fields for additional candidates - - Allow EXTENDCIRCUIT to unknown server. - - We need some way to adjust server status, and to tell tor not to - download directories/network-status, and a way to force a download. - - Make everything work with hidden services - - - Performance/resources - - per-conn write buckets - - separate config options for read vs write limiting - (It's hard to support read > write, since we need better - congestion control to avoid overfull buffers there. So, - defer the whole thing.) - - Rate limit exit connections to a given destination -- this helps - us play nice with websites when Tor users want to crawl them; it - also introduces DoS opportunities. - - Consider truncating rather than destroying failed circuits, - in order to save the effort of restarting. There are security - issues here that need thinking, though. - - Handle full buffers without totally borking - - Rate-limit OR and directory connections overall and per-IP and - maybe per subnet. - - - Misc - - Hold-open-until-flushed now works by accident; it should work by - design. - - Display the reasons in 'destroy' and 'truncated' cells under - some circumstances? - - Make router_is_general_exit() a bit smarter once we're sure what - it's for. - - Automatically determine what ports are reachable and start using - those, if circuits aren't working and it's a pattern we - recognize ("port 443 worked once and port 9001 keeps not - working"). - - - Security - - some better fix for bug #516? - - Directory guards - - Mini-SoaT: - - Servers might check certs for known-good ssl websites, and if - they come back self-signed, declare themselves to be - non-exits. Similar to how we test for broken/evil dns now. - - Authorities should try using exits for http to connect to some - URLS (specified in a configuration file, so as not to make the - List Of Things Not To Censor completely obvious) and ask them - for results. Exits that don't give good answers should have - the BadExit flag set. - - Alternatively, authorities should be able to import opinions - from Snakes on a Tor. - - Bind to random port when making outgoing connections to Tor servers, - to reduce remote sniping attacks. - - Audit everything to make sure rend and intro points are just as - likely to be us as not. - - Do something to prevent spurious EXTEND cells from making - middleman nodes connect all over. Rate-limit failed - connections, perhaps? - - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion. - - - Needs thinking - - Now that we're avoiding exits when picking non-exit positions, - we need to consider how to pick nodes for internal circuits. If - we avoid exits for all positions, we skew the load balancing. If - we accept exits for all positions, we leak whether it's an - internal circuit at every step. If we accept exits only at the - last hop, we reintroduce Lasse's attacks from the Oakland paper. - - - Windows server usability - - Solve the ENOBUFS problem. - - make tor's use of openssl operate on buffers rather than sockets, - so we can make use of libevent's buffer paradigm once it has one. - - make tor's use of libevent tolerate either the socket or the - buffer paradigm; includes unifying the functions in connect.c. - - We need a getrlimit equivalent on Windows so we can reserve some - file descriptors for saving files, etc. Otherwise we'll trigger - asserts when we're out of file descriptors and crash. - - - Documentation - - a way to generate the website diagrams from source, so we can - translate them as utf-8 text rather than with gimp. (svg? or - imagemagick?) - . Flesh out options_description array in src/or/config.c - . multiple sample torrc files - - Refactor tor man page to divide generally useful options from - less useful ones? - - Add a doxygen style checker to make check-spaces so nick doesn't drift - too far from arma's undocumented styleguide. Also, document that - styleguide in HACKING. (See r9634 for example.) - - exactly one space at beginning and at end of comments, except i - guess when there's line-length pressure. - - if we refer to a function name, put a () after it. - - only write foo when foo is an argument to this function. - - doxygen comments must always end in some form of punctuation. - - capitalize the first sentence in the doxygen comment, except - when you shouldn't. - - avoid spelling errors and incorrect comments. ;) - - - Packaging - - The Debian package now uses --verify-config when (re)starting, - to distinguish configuration errors from other errors. Perhaps - the RPM and other startup scripts should too? - - add a "default.action" file to the tor/vidalia bundle so we can - fix the https thing in the default configuration: - http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort - - -======================================================================= - -Documentation, non-version-specific. - - Specs - - Mark up spec; note unclear points about servers -NR - write a spec appendix for 'being nice with tor' - - Specify the keys and key rotation schedules and stuff - . Finish path-spec.txt - - Mention controller libs someplace. - - Remove need for HACKING file. - - document http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy on freebsd and osx -P - figure out why x86_64 won't build rpms from tor.spec -P - figure out rpm spec files for bundles of vidalia-tor-polipo -P - figure out polipo install scripts for bundles of vidalia-tor-polipo on osx, win32 - - figure out selinux policy for tor -P - change packaging system to more automated and specific for each - platform, suggested by Paul Wouter -P - Setup repos for redhat and suse rpms & start signing the rpms the - way package management apps prefer - -Website: -J . tor-in-the-media page -P - Figure out licenses for website material. - (Phobos reccomends the Open Publication License with Option A at - http://opencontent.org/openpub/) -P - put the logo on the website, in source form, so people can put it on - stickers directly, etc. -P - put the source image for the stickers on the website, so people can - print their own -P - figure out a license for the logos and docs we publish (trademark -figures into this) - (Phobos reccomends the Open Publication License with Option A at - http://opencontent.org/openpub/) -P - ask Jan/Jens to be the translation coordinator? add to volunteer page. -I - add a page for localizing all tor's components. - - It would be neat if we had a single place that described _all_ the - tor-related tools you can use, and what they give you, and how well they - work. Right now, we don't give a lot of guidance wrt - torbutton/foxproxy/privoxy/polipo in any consistent place. -P - create a 'blog badge' for tor fans to link to and feature on their - blogs. A sample is at http://interloper.org/tmp/tor/tor-button.png - - More prominently, we should have a recommended apps list. - - recommend pidgin (gaim is renamed) - - unrecommend IE because of ftp:// bug. - - Addenda to tor-design - - we should add a preamble to tor-design saying it's out of date. - - we should add an appendix or errata on what's changed. - - - Tor mirrors - - make a mailing list with the mirror operators - o make an automated tool to check /project/trace/ at mirrors to - learn which ones are lagging behind. - - auto (or manually) cull the mirrors that are broken; and - contact their operator? - - a set of instructions for mirror operators to make their apaches - serve our charsets correctly, and bonus points for language - negotiation. - - figure out how to load-balance the downloads across mirrors? - - ponder how to get users to learn that they should google for - "tor mirrors" if the main site is blocked. - - find a mirror volunteer to coordinate all of this diff --git a/doc/TODO.021 b/doc/TODO.021 new file mode 100644 index 0000000000..08a94f26ac --- /dev/null +++ b/doc/TODO.021 @@ -0,0 +1,337 @@ +$Id: TODO 16258 2008-07-30 13:04:38Z nickm $ +Legend: +SPEC!! - Not specified +SPEC - Spec not finalized +N - nick claims +R - arma claims +P - phobos claims +S - Steven claims +E - Matt claims +M - Mike claims +J - Jeff claims +I - ioerror claims +W - weasel claims +K - Karsten claims + - Not done + * Top priority + . Partially done + o Done + d Deferrable + D Deferred + X Abandoned + +======================================================================= + +Things Roger would be excited to see: + +Nick + - Finish buffer stuff in libevent; start using it in Tor. + - Tors start believing the contents of NETINFO cells. + . Work with Steven and Roger to decide which parts of Paul's project + he wants to work on. + - respond to Steven's red-team TLS testing (a.k.a, look at a packet + dump and compare) + +Matt + - Fit Vidalia in 640x480 again. + - When user changes the language in Vidalia, have it change right then. + - Vidalia should display/edit PlaintextPorts events/config. + . Vidalia's GUI should let you specify an http proxy that it launches + for you. Maybe in the general config window next to which Tor it + launches for you. + - Vidalia should avoid stomping on your custom exit policy lines + just because you click on 'save' for a totally different config thing. + - How much space do we save in TBB by stripping symbols from Vidalia + first? Good idea or crazy idea? + +ioerror + - gmail auto responder so you send us an email and we send you a Tor + binary. Probably needs a proposal first. + - weather.torproject.org should go live. + o Learn from Steven how to build/maintain the Tor Browser Bundle. + - Keep advocating new Tor servers and working with orgs like Mozilla + to let them like Tor. + - Start converting critical wiki pages into real Tor wml pages. E.g., + https://wiki.torproject.org/noreply/TheOnionRouter/VerifyingSignatures + - Find out what happened to the buildbot and get it back up: + http://tor-buildbot.freehaven.net:8010/ + - Learn about locking memory pages that have sensitive content. Get + that started in Tor. + - Translation portal + - Vidalia html help files + - should we i18nize polipo's error messages too? + - Some of our translated wml files are very old -- so old that they + are harmful to leave in place. We need some sort of way to notice + this and disable them. + +Steven + - Figure out (or give up on) how to run Tor Browser and ordinary + Firefox side-by-side. + - Enumerate and analyze traces left when running from USB + - Write a list of research items Tor would like to see done, for the + volunteer page. Pick a few you'd like to work on yourself. + - Move proposal 131 or equivalent forward. + - Keep bugging us about exploits on the .exit notation. + - If relays have 100KB/s but set relaybandwidthrate to 10KB/s, do your + interference attacks still work? + - Mike's question #3 on https://www.torproject.org/volunteer#Research + - Worthwhile shipping TBB with some local html help files that come + as bookmarks? + - Decide whether TBB should use Torbutton's "lock" feature. + http://archives.seul.org/or/cvs/Jun-2008/msg00186.html + +Andrew + - Which bundles include Torbutton? Change the docs/tor-doc-foo pages + so they admit that Torbutton is in them too. Change the download + page too. + - The OS X bundle screenshots are from forever ago -- they don't + include Torbutton, they still say it's tor.eff.org, etc. + - Should we still be telling you how to use Safari on OS X for Tor, + given all the holes that Torbutton-dev solves on Firefox? + +Karsten + o Make a hidden services explanation page with the hidden service + diagrams. See img/THS-[1-6].png. These need some text to go along + with them though, so people can follow what's going on. + - We should consider a single config option TorPrivateNetwork that + turns on all the config options for running a private test tor + network. having to keep updating all the tools, and the docs, + just isn't working. + +Weasel + - Figure out how to make Vidalia and Tor play nicely on Debian, make + the necessary modifications, and make some Vidalia debs that pass + muster. + - Fix bug 393. + - Get oftc to switch to Tor dns bulk exitlist. Or tell us why it's + not suitable yet. + - Take non-Running entries out of the networkstatus consensus. + - Move proposal 134 forward. + - putting port predictions in state file + - if tor hasn't been used in a while it stops fetching consensus + documents. Retain that state over restarts. + +Roger + - Finish tor-doc-bridge.wml + . Fix FAQ entry on setting up private Tor network + - Review Karsten's hidden service diagrams + - Roger should visit Internews DC sometime. + - Did we actually apply Steven's dkimproxy patch? + - Brainstorm about safe but effective ways for vidalia to + auto-update its user's bridges via Tor in the background. + +Mike: + - Roger wants to get an email every time there's a blog change, + e.g. a comment. That way spam doesn't go undetected for weeks. + - Or, maybe just disable linking from blog comments entirely? + +======================================================================= + +Bugs/issues for Tor 0.2.0.x: + . we should have an off-by-default way for relays to dump geoip data to + a file in their data directory, for measurement purposes. + o Basic implementation +N - Include probability-of-selection +R d let bridges set relaybandwidthrate as low as 5kb +R - bridge communities + . spec + . deploy + - man page entries for Alternate*Authority config options + +Documentation for Tor 0.2.0.x: + - Proposals: + . 111: Prioritize local traffic over relayed. +R - Merge into tor-spec.txt. + - 113: mark as closed close. + o document the "3/4 and 7/8" business in the clients fetching consensus + documents timeline. +R - then document the bridge user download timeline. + - HOWTO for DNSPort. See tup's wiki page. + . Document transport and natdport in a good HOWTO. + - Quietly document NT Service options: revise (or create) FAQ entry + +======================================================================= + +For 0.2.1.2-alpha: +R d bug: if we launch using bridges, and then stop using bridges, we + still have our bridges in our entryguards section, and may use them. +R d add an event to report geoip summaries to vidalia for bridge relays, + so vidalia can say "recent activity (1-8 users) from sa". +R - investigate: it looks like if the bridge authority is unreachable, + we're not falling back on querying bridges directly? +R - if "no running bridges known", an application request should make + us retry all our bridges. +R - get matt to make vidalia do a getinfo status/bootstrap-phase to + get caught up after it connects. +R d Setting DirPort when acting as bridge will give false Warnings + +For 0.2.1.x: + - Proposals to do: + o 110: avoid infinite-length circuits +R d 128: families of private bridges + - 134: handle authority fragmentation. + + - Proposals to write: +R d Do we want to maintain our own set of entryguards that we use as + next hop after the bridge? + X Add an 'exit-address' line in the descriptor for servers that exit + from something that isn't their published address. + [I think tordnsel solved this. -RD] + - Proposal to supersede 117 by adding IPv6 support for exits and entries. + - Internal code support for ipv6: + o Clone ipv6 functions (inet_ntop, inet_pton) where they don't exist. + - Many address variables need to become tor_addr_t + - addr in connection_t + - n_addr in extend_info_t + - Teach resolving code how to handle ipv6. + . Teach exit policies about ipv6 (consider ipv4/ipv6 + interaction!) + - Generate END_REASON_EXITPOLICY cells and parse them right + - Generate new BEGIN cell types and parse them right + - 118: Listen on and advertise multiple ports: + - Tor should be able to have a pool of outgoing IP addresses that it is + able to rotate through. (maybe. Possible overlap with proposal 118.) + - config option to publish what ports you listen on, beyond + ORPort/DirPort. It should support ranges and bit prefixes (?) too. + - Need to figure out the right format for routerinfo_t on this. + - Fix voting to handle bug 608 case when multiple servers get + Named. + d Possibly: revise link protocol to allow big circuit IDs, + variable-length cells, proposal-110 stuff, and versioned CREATES? + o Eliminate use of v2 networkstatus documents in v3 authority + decision-making. +N . Draft proposal for GeoIP aggregation (see external constraints *) + o Separate Guard flags for "pick this as a new guard" and "keep this + as an existing guard". First investigate if we want this. + . Figure out how to make good use of the fallback consensus file. Right + now many of the addresses in the fallback consensus will be stale, + so it will take dozens of minutes to bootstrap from it. This is a + bad first Tor experience. But if we check the fallback consensus + file *after* we fail to connect to any authorities, then it may + still be valuable as a blocking-resistance step. + o Write the proposal. + - Patch our tor.spec rpm package so it knows where to put the fallback + consensus file. + d Something for bug 469, to limit connections per IP. + . Put bandwidth weights in the networkstatus? So clients get weight + their choices even before they have the descriptors; and so + authorities can put in more accurate numbers in the future. + d Fetch an updated geoip file from the directory authorities. + + - Tiny designs to write: + . Better estimate of clock skew; has anonymity implications. Clients + should estimate their skew as median of skew from servers over last + N seconds, but for servers this is not so easy, since a server does + not choose who it connects to. + - Do TLS connection rotation more often than "once a week" in the + extra-stable case. + (One reason not to do it more often is because the old TLS conn + probably has a circuit on it, and we don't really want to build up + dozens of TCP connections to all the other extra-stable relays.) + - If a relay publishes a new descriptor with a significantly lower + uptime or with a new IP address, then we should consider its current + "running" interval to have ended even if it hadn't yet failed its + third reachability test. the interval ended when the new descriptor + appeared, and a new interval began then too. + + - Use less RAM * + - Optimize cell pool allocation. + d Support (or just always use) jemalloc (if it helps) + - mmap more files. + - Look into pulling serverdescs off buffers as they arrive. + - Use less bandwidth + - Use if-modified-since to download consensuses + - Handle multi-core cpus better + - Use information from NETINFO cells + - Don't extend a circuit over a noncanonical connection with + mismatched address. + - Learn our outgoing IP address from netinfo cells? + - Learn skew from netinfo cells? + - Testing + - Better unit test coverage + - Refactor unit tests into multiple files + - Verify that write limits to linked connections work. + - Use more mid-level and high-level libevent APIs + - For dns? + - For http? + - For buffers? + - Tool improvements: + - Get IOCP patch into libevent * + + - Security improvements + - make is-consensus-fresh-enough check way tighter. + - If we haven't tried downloading a consensus for ages since we're tired, + try getting a new one before we use old descriptors for a circuit. + Related to bug 401. + + - Feature removals and deprecations: + - Get rid of the v1 directory stuff (making, serving, and caching) + - First verify that the caches won't flip out? + - If they will, just stop the caches from caching for now + - perhaps replace it with a "this is a tor server" stock webpage. + - The v2dir flag isn't used for anything anymore, right? If so, dump it. + - Even clients run rep_hist_load_mtbf_data(). Does this waste memory? + Dump it? + - Unless we start using ftime functions, dump them. + - can we deprecate 'getinfo network-status'? + - can we deprecate the FastFirstHopPK config option? + - Can we deprecate controllers that don't use both features? + +Nice to have for 0.2.1.x: + - Proposals to write + - steven's plan for replacing check.torproject.org with a built-in + answer by tor itself. + + - Documentation +P - Make documentation realize that location of system configuration file + will depend on location of system defaults, and isn't always /etc/torrc. + + - Small controller features + - A status event for when tor decides to stop fetching directory info + if the client hasn't clicked recently: then make the onion change too. + - Add a status event when new consensus arrives + + - Windows build +P - Figure out why dll's compiled in mingw don't work right in WinXP. +P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle + + - Refactor bad code: + - Refactor the HTTP logic so the functions aren't so large. + - Refactor buf_read and buf_write to have sensible ways to return + error codes after partial writes + - Router_choose_random_node() has a big pile of args. make it "flags". + - Streamline how we pick entry nodes: Make choose_random_entry() have + less magic and less control logic. + - Don't call time(NULL) so much; instead have a static time_t field + that gets updated only a handful of times per second. + - Move all status info out of routerinfo into local_routerstatus. Make + "who can change what" in local_routerstatus explicit. Make + local_routerstatus (or equivalent) subsume all places to go for "what + router is this?" + - deprecate router_digest_is_trusted_dir() in favor of + router_get_trusteddirserver_by_digest() + + - Make Tor able to chroot itself + o allow it to load an entire config file from control interface + - document LOADCONF + - log rotation (and FD passing) via control interface + - chroot yourself, including inhibit trying to read config file + and reopen logs, unless they are under datadir. + + - Should be trivial: + - Base relative control socket paths (and other stuff in torrc) on datadir. + - Tor logs the libevent version on startup, for debugging purposes. + This is great. But it does this before configuring the logs, so + it only goes to stdout and is then lost. + - Make TrackHostExits expire TrackHostExitsExpire seconds after their + *last* use, not their *first* use. + - enforce a lower limit on MaxCircuitDirtiness and CircuitBuildTimeout. + - Make 'safelogging' extend to info-level logs too. + - don't do dns hijacking tests if we're reject *:* exit policy? + (deferred until 0.1.1.x is less common) + - More consistent error checking in router_parse_entry_from_string(). + I can say "banana" as my bandwidthcapacity, and it won't even squeak. + + - Interface for letting SOAT modify flags that authorities assign. + (How to keep the authority from clobbering them afterwards? + diff --git a/doc/TODO.external b/doc/TODO.external new file mode 100644 index 0000000000..c7ff08a1bb --- /dev/null +++ b/doc/TODO.external @@ -0,0 +1,69 @@ +$Id: TODO 16258 2008-07-30 13:04:38Z nickm $ +Legend: +SPEC!! - Not specified +SPEC - Spec not finalized +N - nick claims +R - arma claims +P - phobos claims +S - Steven claims +E - Matt claims +M - Mike claims +J - Jeff claims +I - ioerror claims +W - weasel claims +K - Karsten claims + - Not done + * Top priority + . Partially done + o Done + d Deferrable + D Deferred + X Abandoned + +======================================================================= + +External constraints: + + - mid July +W - Take the results from instrumenting directory downloads on Tor + clients, and analyze/simulate some alternate approaches. Finish + proposal for how to improve things, iterate based on feedback, + convince us that the anonymity tradeoffs and/or scalability + tradeoffs are acceptable. + + - mid August +KS - Design hidden service improvements, evaluate them and consider + security properties: write some proposals, get feedback, revise + them, etc. +? - nlnet 'user safety contest'. submit torbrowser, others? + + - end of August +I - Auto update + o Vidalia learns when Tor thinks it should be updated +R - Tor status events should suggest a new version to switch to +I - Figure out a good PKI, document the design, assess security issues: + "write a proposal" + - Vidalia fetches the new one via Tor when possible, but fetches + it without Tor "when necessary", whatever that means. + - Give an interface for notifying the user, and letting her + decide to fetch and decide to swap out the old Tor for the new. + - Do the same for Polipo + - and for Vidalia itself + + - end of September +NSE - Write first draft of research study for Paul's research problem. + This should be at least vaguely related to what was discussed in + the end-of-May deliverable. + + - mid October +KS - Finish implementation of hidden service improvements: have a set + of patches that you think work. +W - Finish implementation of directory overhead changes: have a set + of patches that you think work. + + - mid January +KS - Finish testing, debugging, unit testing, etc the hidden service + changes. Have it in the development version and in use. +W - Finish testing, debugging, unit testing, etc the directory overhead + changes. Have it in the development version and in use. + diff --git a/doc/TODO.future b/doc/TODO.future new file mode 100644 index 0000000000..3155330d5a --- /dev/null +++ b/doc/TODO.future @@ -0,0 +1,330 @@ +$Id: TODO 16258 2008-07-30 13:04:38Z nickm $ +Legend: +SPEC!! - Not specified +SPEC - Spec not finalized +N - nick claims +R - arma claims +P - phobos claims +S - Steven claims +E - Matt claims +M - Mike claims +J - Jeff claims +I - ioerror claims +W - weasel claims +K - Karsten claims + - Not done + * Top priority + . Partially done + o Done + d Deferrable + D Deferred + X Abandoned + +======================================================================= + +Later, unless people want to implement them now: + - Actually use SSL_shutdown to close our TLS connections. + - Include "v" line in networkstatus getinfo values. + [Nick: bridge authorities output a networkstatus that is missing + version numbers. This is inconvenient if we want to make sure + bridgedb gives out bridges with certain characteristics. -RD] + [Okay. Is this a separate item, or is it the same issue as the lack of + a "v" line in response to the controller GETINFO command? -NM] + - Let tor dir mirrors proxy connections to the tor download site, so + if you know a bridge you can fetch the tor software. + - when somebody uses the controlport as an http proxy, give them + a "tor isn't an http proxy" error too like we do for the socks port. + - MAYBE kill stalled circuits rather than stalled connections. This is + possible thanks to cell queues, but we need to consider the anonymity + implications. + - Make resolves no longer use edge_connection_t unless they are actually + _on_ a socks connection: have edge_connection_t and (say) + dns_request_t both extend an edge_stream_t, and have p_streams and + n_streams both be linked lists of edge_stream_t. + - Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the + online config documentation from a single source. + - It would be potentially helpful to respond to https requests on + the OR port by acting like an HTTPS server. + - Make the timestamp granularity on logs configurable, with default + of "1 second". This might make some kinds of after-the-fact attack harder. + +Can anybody remember why we wanted to do this and/or what it means? + - config option __ControllerLimit that hangs up if there are a limit + of controller connections already. + [This was mwenge's idea. The idea is that a Tor controller can + "fill" Tor's controller slot quota, so jerks can't do cross-protocol + attacks like the http form attack. -RD] + - Bridge issues + . Ask all directory questions to bridge via BEGIN_DIR. + - use the bridges for dir fetches even when our dirport is open. + - drop 'authority' queries if they're to our own identity key; accept + them otherwise. + - give extend_info_t a router_purpose again + + + +If somebody wants to do this in some version, they should: + - Create packages for Nokia 800, requested by Chris Soghoian + - More work on AvoidDiskWrites + - Make DNSPort support TCP DNS. + + +* * * * Roger, please sort these: * * * * + + - bridge communities with local bridge authorities: + - clients who have a password configured decide to ask their bridge + authority for a networkstatus + - be able to have bridges that aren't in your torrc. save them in + state file, etc. + - Consider if we can solve: the Tor client doesn't know what flags + its bridge has (since it only gets the descriptor), so it can't + make decisions based on Fast or Stable. + - Some mechanism for specifying that we want to stop using a cached + bridge. + +======================================================================= + +Future versions: + + - Protocol + - Our current approach to block attempts to use Tor as a single-hop proxy + is pretty lame; we should get a better one. + - Allow small cells and large cells on the same network? + - Cell buffering and resending. This will allow us to handle broken + circuits as long as the endpoints don't break, plus will allow + connection (tls session key) rotation. + - Implement Morphmix, so we can compare its behavior, complexity, + etc. But see paper breaking morphmix. + - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own + link crypto, unless we can bully DTLS into it. + - Need a relay teardown cell, separate from one-way ends. + (Pending a user who needs this) + - Handle half-open connections: right now we don't support all TCP + streams, at least according to the protocol. But we handle all that + we've seen in the wild. + (Pending a user who needs this) + + - Directory system + - BEGIN_DIR items + - handle connect-dir streams that don't have a chosen_exit_name set. + - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8? + - Add an option (related to AvoidDiskWrites) to disable directory + caching. (Is this actually a good idea??) + X Add d64 and fp64 along-side d and fp so people can paste status + entries into a url. since + is a valid base64 char, only allow one + at a time. Consider adding to controller as well. + [abandoned for lack of demand] + - Some back-out mechanism for auto-approval on authorities + - a way of rolling back approvals to before a timestamp + - Consider minion-like fingerprint file/log combination. + X Have new people be in limbo and need to demonstrate usefulness + before we approve them. + + - Hidden services: + d Standby/hotswap/redundant hidden services: needs a proposal. + - you can insert a hidserv descriptor via the controller. + - auth mechanisms to let hidden service midpoint and responder filter + connection requests: proposal 121. + - Let each hidden service (or other thing) specify its own + OutboundBindAddress? + + - Server operation + - If the server is spewing complaints about raising your ulimit -n, + we should add a note about this to the server descriptor so other + people can notice too. + - When we hit a funny error from a dir request (eg 403 forbidden), + but tor is working and happy otherwise, and we haven't seen many + such errors recently, then don't warn about it. + + - Controller + - Implement missing status events and accompanying getinfos + - DIR_REACHABLE + - BAD_DIR_RESPONSE (Unexpected directory response; maybe we're behind + a firewall.) + - BAD_PROXY (Bad http or https proxy) + - UNRECOGNIZED_ROUTER (a nickname we asked for is unavailable) + - Status events related to hibernation + - something about failing to parse our address? + from resolve_my_address() in config.c + - sketchy OS, sketchy threading + - too many onions queued: threading problems or slow CPU? + - Implement missing status event fields: + - TIMEOUT on CHECKING_REACHABILITY + - GETINFO status/client, status/server, status/general: There should be + some way to learn which status events are currently "in effect." + We should specify which these are, what format they appear in, and so + on. + - More information in events: + - Include bandwidth breakdown by conn->type in BW events. + - Change circuit status events to give more details, like purpose, + whether they're internal, when they become dirty, when they become + too dirty for further circuits, etc. + - Change stream status events analogously. + - Expose more information via getinfo: + - import and export rendezvous descriptors + - Review all static fields for additional candidates + - Allow EXTENDCIRCUIT to unknown server. + - We need some way to adjust server status, and to tell tor not to + download directories/network-status, and a way to force a download. + - Make everything work with hidden services + + - Performance/resources + - per-conn write buckets + - separate config options for read vs write limiting + (It's hard to support read > write, since we need better + congestion control to avoid overfull buffers there. So, + defer the whole thing.) + - Rate limit exit connections to a given destination -- this helps + us play nice with websites when Tor users want to crawl them; it + also introduces DoS opportunities. + - Consider truncating rather than destroying failed circuits, + in order to save the effort of restarting. There are security + issues here that need thinking, though. + - Handle full buffers without totally borking + - Rate-limit OR and directory connections overall and per-IP and + maybe per subnet. + + - Misc + - Hold-open-until-flushed now works by accident; it should work by + design. + - Display the reasons in 'destroy' and 'truncated' cells under + some circumstances? + - Make router_is_general_exit() a bit smarter once we're sure what + it's for. + - Automatically determine what ports are reachable and start using + those, if circuits aren't working and it's a pattern we + recognize ("port 443 worked once and port 9001 keeps not + working"). + + - Security + - some better fix for bug #516? + - Directory guards + - Mini-SoaT: + - Servers might check certs for known-good ssl websites, and if + they come back self-signed, declare themselves to be + non-exits. Similar to how we test for broken/evil dns now. + - Authorities should try using exits for http to connect to some + URLS (specified in a configuration file, so as not to make the + List Of Things Not To Censor completely obvious) and ask them + for results. Exits that don't give good answers should have + the BadExit flag set. + - Alternatively, authorities should be able to import opinions + from Snakes on a Tor. + - Bind to random port when making outgoing connections to Tor servers, + to reduce remote sniping attacks. + - Audit everything to make sure rend and intro points are just as + likely to be us as not. + - Do something to prevent spurious EXTEND cells from making + middleman nodes connect all over. Rate-limit failed + connections, perhaps? + - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion. + + - Needs thinking + - Now that we're avoiding exits when picking non-exit positions, + we need to consider how to pick nodes for internal circuits. If + we avoid exits for all positions, we skew the load balancing. If + we accept exits for all positions, we leak whether it's an + internal circuit at every step. If we accept exits only at the + last hop, we reintroduce Lasse's attacks from the Oakland paper. + + - Windows server usability + - Solve the ENOBUFS problem. + - make tor's use of openssl operate on buffers rather than sockets, + so we can make use of libevent's buffer paradigm once it has one. + - make tor's use of libevent tolerate either the socket or the + buffer paradigm; includes unifying the functions in connect.c. + - We need a getrlimit equivalent on Windows so we can reserve some + file descriptors for saving files, etc. Otherwise we'll trigger + asserts when we're out of file descriptors and crash. + + - Documentation + - a way to generate the website diagrams from source, so we can + translate them as utf-8 text rather than with gimp. (svg? or + imagemagick?) + . Flesh out options_description array in src/or/config.c + . multiple sample torrc files + - Refactor tor man page to divide generally useful options from + less useful ones? + - Add a doxygen style checker to make check-spaces so nick doesn't drift + too far from arma's undocumented styleguide. Also, document that + styleguide in HACKING. (See r9634 for example.) + - exactly one space at beginning and at end of comments, except i + guess when there's line-length pressure. + - if we refer to a function name, put a () after it. + - only write foo when foo is an argument to this function. + - doxygen comments must always end in some form of punctuation. + - capitalize the first sentence in the doxygen comment, except + when you shouldn't. + - avoid spelling errors and incorrect comments. ;) + + - Packaging + - The Debian package now uses --verify-config when (re)starting, + to distinguish configuration errors from other errors. Perhaps + the RPM and other startup scripts should too? + - add a "default.action" file to the tor/vidalia bundle so we can + fix the https thing in the default configuration: + http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort + + +======================================================================= + +Documentation, non-version-specific. + - Specs + - Mark up spec; note unclear points about servers +NR - write a spec appendix for 'being nice with tor' + - Specify the keys and key rotation schedules and stuff + . Finish path-spec.txt + - Mention controller libs someplace. + - Remove need for HACKING file. + - document http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy on freebsd and osx +P - figure out why x86_64 won't build rpms from tor.spec +P - figure out rpm spec files for bundles of vidalia-tor-polipo +P - figure out polipo install scripts for bundles of vidalia-tor-polipo on osx, win32 + - figure out selinux policy for tor +P - change packaging system to more automated and specific for each + platform, suggested by Paul Wouter +P - Setup repos for redhat and suse rpms & start signing the rpms the + way package management apps prefer + +Website: +J . tor-in-the-media page +P - Figure out licenses for website material. + (Phobos reccomends the Open Publication License with Option A at + http://opencontent.org/openpub/) +P - put the logo on the website, in source form, so people can put it on + stickers directly, etc. +P - put the source image for the stickers on the website, so people can + print their own +P - figure out a license for the logos and docs we publish (trademark +figures into this) + (Phobos reccomends the Open Publication License with Option A at + http://opencontent.org/openpub/) +P - ask Jan/Jens to be the translation coordinator? add to volunteer page. +I - add a page for localizing all tor's components. + - It would be neat if we had a single place that described _all_ the + tor-related tools you can use, and what they give you, and how well they + work. Right now, we don't give a lot of guidance wrt + torbutton/foxproxy/privoxy/polipo in any consistent place. +P - create a 'blog badge' for tor fans to link to and feature on their + blogs. A sample is at http://interloper.org/tmp/tor/tor-button.png + - More prominently, we should have a recommended apps list. + - recommend pidgin (gaim is renamed) + - unrecommend IE because of ftp:// bug. + - Addenda to tor-design + - we should add a preamble to tor-design saying it's out of date. + - we should add an appendix or errata on what's changed. + + - Tor mirrors + - make a mailing list with the mirror operators + o make an automated tool to check /project/trace/ at mirrors to + learn which ones are lagging behind. + - auto (or manually) cull the mirrors that are broken; and + contact their operator? + - a set of instructions for mirror operators to make their apaches + serve our charsets correctly, and bonus points for language + negotiation. + - figure out how to load-balance the downloads across mirrors? + - ponder how to get users to learn that they should google for + "tor mirrors" if the main site is blocked. + - find a mirror volunteer to coordinate all of this +