mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
691265df0c
svn:r4403
295 lines
14 KiB
Plaintext
295 lines
14 KiB
Plaintext
$Id$
|
|
Legend:
|
|
SPEC!! - Not specified
|
|
SPEC - Spec not finalized
|
|
NICK - nick claims
|
|
ARMA - arma claims
|
|
PHOBOS - phobos claims
|
|
- Not done
|
|
* Top priority
|
|
. Partially done
|
|
o Done
|
|
D Deferred
|
|
X Abandoned
|
|
|
|
Non-Coding, Soon:
|
|
- FAQ entry: why gnutls is bad/not good for tor
|
|
P - flesh out the rest of the section 6 of the faq
|
|
P - gather pointers to livecd distros that include tor
|
|
- put the logo on the website, in source form, so people can put it on
|
|
stickers directly, etc.
|
|
- more pictures from ren. he wants to describe the tor handshake, i want to
|
|
talk about hidden services.
|
|
* clean up the places where our docs are redundant (or worse, obsolete in
|
|
one file and correct elsewhere). agl has a start on a global
|
|
list-of-tor-docs.
|
|
P - update window's docs to clarify which versions of windows, and why a
|
|
DOS window, how it's used, for the less technical users
|
|
NR- write a spec appendix for 'being nice with tor'
|
|
- Hunt for open socks ports on tor servers, send mail
|
|
- tor-in-the-media page
|
|
- Ask schanzle@cas.homelinux.org about a patch for rpm spec fixes against
|
|
tor-0.1.0.7.rc
|
|
- Remove need for HACKING file.
|
|
|
|
|
|
For 0.1.0.x:
|
|
o Why do solaris cpuworks go dormant?
|
|
(Apparently, disabling threads fixes this.)
|
|
o Fix the remaining flyspray bugs marked for 0.1.0.9
|
|
X Free remaining unfreed memory (arma will run valgrind)
|
|
(Not for a stable release)
|
|
o Note libevent/method/platform combos that are unlikely to work.
|
|
X change torrc to point to abuse-faq (once abuse-faq is posted)
|
|
. Memory use on Linux: what's happening?
|
|
- Is it threading? (Maybe, maybe not)
|
|
- Is it the buf_shrink bug? (Quite possibly)
|
|
- Instrument the 0.1.1 code to figure out where our memory is going;
|
|
apply the results. (all platforms?)
|
|
- Why does kevent barf with EINVAL on some freebsd boxes?
|
|
- Submit libevent patch to Niels
|
|
- Warn on non-repeated EINVAL in Tor (don't die.)
|
|
- Investigate why freebsd kernel actually does this: it doesn't seem
|
|
simple to trigger.
|
|
|
|
for 0.1.1.x:
|
|
- switch accountingmax to count total in+out, not either in or
|
|
out. it's easy to move in this direction (not risky), but hard to
|
|
back, out if we decide we prefer it the way it already is. hm.
|
|
. Come up with a coherent strategy for bandwidth buckets and TLS. (The
|
|
logic for reading from TLS sockets is likely to overrun the bandwidth
|
|
buckets under heavy load. (Really, the logic was never right in the
|
|
first place.) Also, we should audit all users of get_pending_bytes().)
|
|
- Make it harder to circumvent bandwidth caps: look at number of bytes
|
|
sent across sockets, not number sent inside TLS stream.
|
|
- Handle rendezvousing with unverified nodes.
|
|
- Specify: Stick rendezvous point's key in INTRODUCE cell.
|
|
Bob should _always_ use key from INTRODUCE cell.
|
|
- Implement.
|
|
- make sure err-level log events get flushed to the controller
|
|
immediately, since tor will exit right after.
|
|
- it looks like tor_assert writes to stderr. what happens if
|
|
stderr was closed and is now something else? uh.
|
|
- new controller protocol
|
|
- Specify
|
|
- Implement
|
|
- controller should have an event to learn about new addressmappings,
|
|
e.g. when we learn a hostname to IP mapping ?
|
|
- christian grothoff's attack of infinite-length circuit.
|
|
the solution is to have a separate 'extend-data' cell type
|
|
which is used for the first N data cells, and only
|
|
extend-data cells can be extend requests.
|
|
- Specify, including thought about
|
|
- Implement
|
|
- Destroy and truncated cells should have reasons.
|
|
- Add private:* alias in exit policies to make it easier to ban all the
|
|
fiddly little 192.168.foo addresses.
|
|
(AGL had a patch; consider applying it.)
|
|
- recommended-versions for client / server ?
|
|
- warn if listening for SOCKS on public IP.
|
|
- Forward-compatibility: add "needclientversion" option or "opt critical"
|
|
prefix.
|
|
- cpu fixes:
|
|
- see if we should make use of truncate to retry
|
|
- hardware accelerator support
|
|
r - kill dns workers more slowly
|
|
- continue decentralizing the directory
|
|
- Specify and design all of the below before implementing any.
|
|
- Figure out what to do about hidden service descriptors.
|
|
M have two router descriptor formats
|
|
- dirservers verify reachability claims
|
|
- find 10 dirservers. (what are criteria to be a dirserver?)
|
|
- some back-out mechanism?
|
|
- dirservers have blacklist of IPs they hate
|
|
- a way of rolling back approvals to before a timestamp
|
|
- have new people be in limbo and need to demonstrate usefulness
|
|
before we approve them
|
|
- other?
|
|
- dirservers publish router-status with all these flags.
|
|
- Servers publish new descriptors when options change, when 12-24 hours
|
|
have passed, when uptime is reset, or when bandwidth changes a lot.
|
|
- alices fetch many router-statuses and update descriptors as needed.
|
|
- add if-newer-than fetch options
|
|
- dirservers allow people to lookup by N descriptors, or to fetch all.
|
|
- alices avoid duplicate class C nodes.
|
|
- everybody with a dirport will give you his descriptor.
|
|
- config option, on by default, to cache all descriptors.
|
|
- Compress router desc sets before transmitting them
|
|
M Analyze how bad the partitioning is or isn't.
|
|
- Naming:
|
|
- Specify and design all of the below before implementing any.
|
|
- some dirservers announce that they manage bindings (a flag in
|
|
router-status).
|
|
- other dirservers mention a binding if there is no conflict for
|
|
that binding among the dirservers that manage it.
|
|
no conflict == any of them bind it and no disagreement.
|
|
- alice can specify a nickname and it will record that name in her
|
|
datadir along with the key *if* it is bound. otherwise her specifying
|
|
will fail (loudly we hope).
|
|
- thus when a binding vanishes (e.g. conflict) alice will keep using
|
|
the one she meant.
|
|
- if the binding changes keys, the entry in her datadir will silently
|
|
get corrected.
|
|
- packaging and ui stuff:
|
|
- multiple sample torrc files (tyranix?)
|
|
- uninstallers
|
|
. for os x
|
|
- something, anything, for sys tray on Windows.
|
|
- figure out how to make nt service stuff work?
|
|
. Document it.
|
|
N - Vet all pending installer patches
|
|
- Win32 installer plus privoxy, sockscap/freecap, etc.
|
|
- Vet win32 systray helper code
|
|
N . Make logs go into platform default locations.
|
|
o OSX
|
|
- Windows. (?)
|
|
|
|
Reach (deferrable) items for 0.1.1.x:
|
|
- Start using create-fast cells as clients
|
|
- Let more config options (e.g. ORPort) change dynamically.
|
|
- start handling server descriptors without a socksport?
|
|
|
|
For 0.1.1.x, if we can figure out how:
|
|
- rewrite how libevent does select() on win32 so it's not so very slow.
|
|
- helper nodes (at least preliminary)
|
|
- enclaves (at least preliminary)
|
|
- Write limiting; separate token bucket for write
|
|
- Audit everything to make sure rend and intro points are just as likely to
|
|
be us as not.
|
|
- Do something to prevent spurious EXTEND cells from making middleman
|
|
nodes connect all over. Rate-limit failed connections, perhaps?
|
|
|
|
Future version:
|
|
- Limit to 2 dir, 2 OR, N SOCKS connections per IP.
|
|
- Handle full buffers without totally borking
|
|
- Rate-limit OR and directory connections overall and per-IP and
|
|
maybe per subnet.
|
|
- Hold-open-until-flushed now works by accident; it should work by
|
|
design.
|
|
- DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
|
|
- Specify?
|
|
- tor-resolve script should use socks5 to get better error messages.
|
|
- make min uptime a function of the available choices (say, choose 60th
|
|
percentile, not 1 day.)
|
|
- config option to publish what ports you listen on, beyond ORPort/DirPort
|
|
- hidserv offerers shouldn't need to define a SocksPort
|
|
* figure out what breaks for this, and do it.
|
|
- auth mechanisms to let hidden service midpoint and responder filter
|
|
connection requests.
|
|
- Relax clique assumptions.
|
|
- tor should be able to have a pool of outgoing IP addresses
|
|
that it is able to rotate through. (maybe)
|
|
|
|
Blue-sky:
|
|
- Patch privoxy and socks protocol to pass strings to the browser.
|
|
- Standby/hotswap/redundant hidden services.
|
|
- Robust decentralized storage for hidden service descriptors.
|
|
- The "China problem"
|
|
- Allow small cells and large cells on the same network?
|
|
- Cell buffering and resending. This will allow us to handle broken
|
|
circuits as long as the endpoints don't break, plus will allow
|
|
connection (tls session key) rotation.
|
|
- Implement Morphmix, so we can compare its behavior, complexity, etc.
|
|
- Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
|
|
link crypto, unless we can bully openssl into it.
|
|
- Conn key rotation.
|
|
- Need a relay teardown cell, separate from one-way ends.
|
|
(Pending a user who needs this)
|
|
- Handle half-open connections: right now we don't support all TCP
|
|
streams, at least according to the protocol. But we handle all that
|
|
we've seen in the wild.
|
|
(Pending a user who needs this)
|
|
|
|
Volunteer projects: [Phobos moves these to contribute.html]
|
|
- use openssl aes when available
|
|
- do the kernel buffer style design
|
|
- Server instructions for OSX and Windows operators.
|
|
- Improve and clarify the wiki entry on port forwarding.
|
|
- how do ulimits work on win32, anyway? (We should handle WSAENOBUFS as
|
|
needed, look at the MaxConnections registry entry, look at the
|
|
MaxUserPort entry, and look at the TcpTimedWaitDelay entry. We may also
|
|
want to provide a way to set them as needed. See bug 98.)
|
|
- Implement reverse DNS (already specified)
|
|
- It would be nice to have a FirewalledIPs thing that works like
|
|
FirewallPorts.
|
|
- Make configure.in handle cross-compilation
|
|
- Have NULL_REP_IS_ZERO_BYTES default to 1.
|
|
- Make with-ssl-dir disable search for ssl.
|
|
- Packaging, docs, etc:
|
|
- Exit node caching: tie into squid or other caching web proxy.
|
|
- Have clients and dirservers preserve reputation info over
|
|
reboots.
|
|
- Support egd or other non-OS-integrated strong entropy sources
|
|
- password protection for on-disk identity key
|
|
- Possible to get autoconf to easily install things into ~/.tor?
|
|
- server descriptor declares min log level, clients avoid servers
|
|
that are too loggy.
|
|
- Separate node discovery from routing to allow neat extensions. [Goodell?]
|
|
- Add SetServerStatus control event to adjust verified/running status of
|
|
nodes.
|
|
- Add NoDownload config option to prevent regular directory downloads
|
|
from happening.
|
|
- Choosing exit node by meta-data, e.g. country.
|
|
- What info squeaks by Privoxy? Are other scrubbers better?
|
|
- web proxy gateways to let normal people browse hidden services.
|
|
(This has been done a few times, but nobody has sent us code.)
|
|
- Use cpuworker for more heavy lifting.
|
|
- Signing (and verifying) hidserv descriptors
|
|
- Signing (and verifying) intro/rend requests
|
|
- Signing (and verifying) router descriptors
|
|
- Signing (and verifying) directories
|
|
- Doing TLS handshake (this is very hard to separate out, though)
|
|
- Buffer size pool: allocate a maximum size for all buffers, not a maximum
|
|
size for each buffer. So we don't have to give up as quickly (and kill
|
|
the thickpipe!) when there's congestion.
|
|
- Congestion control. Is our current design sufficient once we have heavy
|
|
use? Need to measure and tweak, or maybe overhaul.
|
|
- Add alternative versions of crypto.c and tortls.c to use libnss or
|
|
libgcrypt+gnutls.
|
|
|
|
|
|
Research projects: [Phobos moves these to contribute.html]
|
|
- Arranging membership management for independence.
|
|
Sybil defenses without having a human bottleneck.
|
|
How to gather random sample of nodes.
|
|
How to handle nodelist recommendations.
|
|
Consider incremental switches: a p2p tor with only 50 users has
|
|
different anonymity properties than one with 10k users, and should
|
|
be treated differently.
|
|
- Incentives to relay; incentives to exit.
|
|
- Allowing dissidents to relay through Tor clients.
|
|
- Experiment with mid-latency systems. How do they impact usability,
|
|
how do they impact safety?
|
|
- Understand how powerful fingerprinting attacks are, and experiment
|
|
with ways to foil them (long-range padding?).
|
|
- Come up with practical approximations to picking entry and exit in
|
|
different routing zones.
|
|
- Find ideal churn rate for helper nodes; how safe is it?
|
|
- Attacking freenet-gnunet/timing-delay-randomness-arguments.
|
|
- Is exiting from the middle of the circuit always a bad idea?
|
|
- IPv6 support (For exit addresses)
|
|
- Spec issue: if a resolve returns an IP4 and an IP6 address,
|
|
which to use?
|
|
- Add to exit policy code
|
|
- Make tor_gethostbyname into tor_getaddrinfo
|
|
- Make everything that uses uint32_t as an IP address change to use
|
|
a generalize address struct.
|
|
- Change relay cell types to accept new addresses.
|
|
- Add flag to serverdescs to tell whether IPv6 is supported.
|
|
- patch tsocks with our current patches + gethostbyname, getpeername, etc.
|
|
- make freecap (or whichever) do what we want.
|
|
- scrubbing proxies for protocols other than http.
|
|
- We need better default privoxy configs to ship.
|
|
- We need a good scrubbing HTTP proxy; privoxy is unmaintained and sucky.
|
|
- A DNS proxy would let unmodified socks4/socks5 apps to work well.
|
|
- Add SOCKS support to more applications
|
|
- store hidden service information to disk: dirservers forget service
|
|
descriptors when they restart; nodes offering hidden services forget
|
|
their chosen intro points when they restart.
|
|
|
|
|
|
Did we do these ones already? XXXXX
|
|
- If we have a trusted directory on port 80, stop falling back to
|
|
forbidden ports when fascistfirewall blocks all good dirservers.
|
|
|