mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
b543cf1ce2
svn:r18434
339 lines
16 KiB
Plaintext
339 lines
16 KiB
Plaintext
$Id$
|
|
Legend:
|
|
SPEC!! - Not specified
|
|
SPEC - Spec not finalized
|
|
N - nick claims
|
|
R - arma claims
|
|
P - phobos claims
|
|
S - Steven claims
|
|
E - Matt claims
|
|
M - Mike claims
|
|
J - Jeff claims
|
|
I - ioerror claims
|
|
W - weasel claims
|
|
K - Karsten claims
|
|
- Not done
|
|
* Top priority
|
|
. Partially done
|
|
o Done
|
|
d Deferrable
|
|
D Deferred
|
|
X Abandoned
|
|
|
|
=======================================================================
|
|
|
|
Later, unless people want to implement them now:
|
|
- tor as a socks proxy should accept (and ignore) password auth
|
|
- Actually use SSL_shutdown to close our TLS connections.
|
|
- Include "v" line in networkstatus getinfo values.
|
|
[Nick: bridge authorities output a networkstatus that is missing
|
|
version numbers. This is inconvenient if we want to make sure
|
|
bridgedb gives out bridges with certain characteristics. -RD]
|
|
[Okay. Is this a separate item, or is it the same issue as the lack of
|
|
a "v" line in response to the controller GETINFO command? -NM]
|
|
- Let tor dir mirrors proxy connections to the tor download site, so
|
|
if you know a bridge you can fetch the tor software.
|
|
- when somebody uses the controlport as an http proxy, give them
|
|
a "tor isn't an http proxy" error too like we do for the socks port.
|
|
- MAYBE kill stalled circuits rather than stalled connections. This is
|
|
possible thanks to cell queues, but we need to consider the anonymity
|
|
implications.
|
|
- Make resolves no longer use edge_connection_t unless they are actually
|
|
_on_ a socks connection: have edge_connection_t and (say)
|
|
dns_request_t both extend an edge_stream_t, and have p_streams and
|
|
n_streams both be linked lists of edge_stream_t.
|
|
- Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the
|
|
online config documentation from a single source.
|
|
- It would be potentially helpful to respond to https requests on
|
|
the OR port by acting like an HTTPS server.
|
|
- Make the timestamp granularity on logs configurable, with default
|
|
of "1 second". This might make some kinds of after-the-fact attack harder.
|
|
|
|
- We should get smarter about handling address resolve failures, or
|
|
addresses that resolve to local IPs. It would be neat to retry
|
|
them, since right now we just close the stream. But we need to
|
|
make sure we don't retry them on the same exit as before. But if
|
|
we mark the circuit, then any user who types "localhost" will
|
|
cycle through circuits till they run out of retries. See bug 872.
|
|
|
|
Can anybody remember why we wanted to do this and/or what it means?
|
|
- config option __ControllerLimit that hangs up if there are a limit
|
|
of controller connections already.
|
|
[This was mwenge's idea. The idea is that a Tor controller can
|
|
"fill" Tor's controller slot quota, so jerks can't do cross-protocol
|
|
attacks like the http form attack. -RD]
|
|
- Bridge issues
|
|
. Ask all directory questions to bridge via BEGIN_DIR.
|
|
- use the bridges for dir fetches even when our dirport is open.
|
|
- drop 'authority' queries if they're to our own identity key; accept
|
|
them otherwise.
|
|
- give extend_info_t a router_purpose again
|
|
|
|
|
|
|
|
If somebody wants to do this in some version, they should:
|
|
- Create packages for Maemo/Nokia 800/810, requested by Chris Soghoian
|
|
- debian already makes ARM-arch debs, can maemo use these asks
|
|
phobos?
|
|
- More work on AvoidDiskWrites
|
|
- Make DNSPort support TCP DNS.
|
|
|
|
|
|
* * * * Roger, please sort these: * * * *
|
|
|
|
- bridge communities with local bridge authorities:
|
|
- clients who have a password configured decide to ask their bridge
|
|
authority for a networkstatus
|
|
- be able to have bridges that aren't in your torrc. save them in
|
|
state file, etc.
|
|
- Consider if we can solve: the Tor client doesn't know what flags
|
|
its bridge has (since it only gets the descriptor), so it can't
|
|
make decisions based on Fast or Stable.
|
|
- Some mechanism for specifying that we want to stop using a cached
|
|
bridge.
|
|
|
|
=======================================================================
|
|
|
|
Future versions:
|
|
|
|
- Protocol
|
|
- Our current approach to block attempts to use Tor as a single-hop proxy
|
|
is pretty lame; we should get a better one.
|
|
- Allow small cells and large cells on the same network?
|
|
- Cell buffering and resending. This will allow us to handle broken
|
|
circuits as long as the endpoints don't break, plus will allow
|
|
connection (tls session key) rotation.
|
|
- Implement Morphmix, so we can compare its behavior, complexity,
|
|
etc. But see paper breaking morphmix.
|
|
- Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
|
|
link crypto, unless we can bully DTLS into it.
|
|
- Need a relay teardown cell, separate from one-way ends.
|
|
(Pending a user who needs this)
|
|
- Handle half-open connections: right now we don't support all TCP
|
|
streams, at least according to the protocol. But we handle all that
|
|
we've seen in the wild.
|
|
(Pending a user who needs this)
|
|
|
|
- Directory system
|
|
- BEGIN_DIR items
|
|
- handle connect-dir streams that don't have a chosen_exit_name set.
|
|
- Have a "Faster" status flag that means it. Fast2, Fast4, Fast8?
|
|
- Add an option (related to AvoidDiskWrites) to disable directory
|
|
caching. (Is this actually a good idea??)
|
|
X Add d64 and fp64 along-side d and fp so people can paste status
|
|
entries into a url. since + is a valid base64 char, only allow one
|
|
at a time. Consider adding to controller as well.
|
|
[abandoned for lack of demand]
|
|
- Some back-out mechanism for auto-approval on authorities
|
|
- a way of rolling back approvals to before a timestamp
|
|
- Consider minion-like fingerprint file/log combination.
|
|
X Have new people be in limbo and need to demonstrate usefulness
|
|
before we approve them.
|
|
|
|
- Hidden services:
|
|
d Standby/hotswap/redundant hidden services: needs a proposal.
|
|
- you can insert a hidserv descriptor via the controller.
|
|
- auth mechanisms to let hidden service midpoint and responder filter
|
|
connection requests: proposal 121.
|
|
- Let each hidden service (or other thing) specify its own
|
|
OutboundBindAddress?
|
|
|
|
- Server operation
|
|
- If the server is spewing complaints about raising your ulimit -n,
|
|
we should add a note about this to the server descriptor so other
|
|
people can notice too.
|
|
- When we hit a funny error from a dir request (eg 403 forbidden),
|
|
but tor is working and happy otherwise, and we haven't seen many
|
|
such errors recently, then don't warn about it.
|
|
|
|
- Controller
|
|
- Implement missing status events and accompanying getinfos
|
|
- DIR_REACHABLE
|
|
- BAD_DIR_RESPONSE (Unexpected directory response; maybe we're behind
|
|
a firewall.)
|
|
- BAD_PROXY (Bad http or https proxy)
|
|
- UNRECOGNIZED_ROUTER (a nickname we asked for is unavailable)
|
|
- Status events related to hibernation
|
|
- something about failing to parse our address?
|
|
from resolve_my_address() in config.c
|
|
- sketchy OS, sketchy threading
|
|
- too many onions queued: threading problems or slow CPU?
|
|
- Implement missing status event fields:
|
|
- TIMEOUT on CHECKING_REACHABILITY
|
|
- GETINFO status/client, status/server, status/general: There should be
|
|
some way to learn which status events are currently "in effect."
|
|
We should specify which these are, what format they appear in, and so
|
|
on.
|
|
- More information in events:
|
|
- Include bandwidth breakdown by conn->type in BW events.
|
|
- Change circuit status events to give more details, like purpose,
|
|
whether they're internal, when they become dirty, when they become
|
|
too dirty for further circuits, etc.
|
|
- Change stream status events analogously.
|
|
- Expose more information via getinfo:
|
|
- import and export rendezvous descriptors
|
|
- Review all static fields for additional candidates
|
|
- Allow EXTENDCIRCUIT to unknown server.
|
|
- We need some way to adjust server status, and to tell tor not to
|
|
download directories/network-status, and a way to force a download.
|
|
- Make everything work with hidden services
|
|
|
|
- Performance/resources
|
|
- per-conn write buckets
|
|
- separate config options for read vs write limiting
|
|
(It's hard to support read > write, since we need better
|
|
congestion control to avoid overfull buffers there. So,
|
|
defer the whole thing.)
|
|
- Rate limit exit connections to a given destination -- this helps
|
|
us play nice with websites when Tor users want to crawl them; it
|
|
also introduces DoS opportunities.
|
|
- Consider truncating rather than destroying failed circuits,
|
|
in order to save the effort of restarting. There are security
|
|
issues here that need thinking, though.
|
|
- Handle full buffers without totally borking
|
|
- Rate-limit OR and directory connections overall and per-IP and
|
|
maybe per subnet.
|
|
|
|
- Misc
|
|
- Hold-open-until-flushed now works by accident; it should work by
|
|
design.
|
|
- Display the reasons in 'destroy' and 'truncated' cells under
|
|
some circumstances?
|
|
- Make router_is_general_exit() a bit smarter once we're sure what
|
|
it's for.
|
|
- Automatically determine what ports are reachable and start using
|
|
those, if circuits aren't working and it's a pattern we
|
|
recognize ("port 443 worked once and port 9001 keeps not
|
|
working").
|
|
|
|
- Security
|
|
- some better fix for bug #516?
|
|
- Directory guards
|
|
- Mini-SoaT:
|
|
- Servers might check certs for known-good ssl websites, and if
|
|
they come back self-signed, declare themselves to be
|
|
non-exits. Similar to how we test for broken/evil dns now.
|
|
- Authorities should try using exits for http to connect to some
|
|
URLS (specified in a configuration file, so as not to make the
|
|
List Of Things Not To Censor completely obvious) and ask them
|
|
for results. Exits that don't give good answers should have
|
|
the BadExit flag set.
|
|
- Alternatively, authorities should be able to import opinions
|
|
from Snakes on a Tor.
|
|
- Bind to random port when making outgoing connections to Tor servers,
|
|
to reduce remote sniping attacks.
|
|
- Audit everything to make sure rend and intro points are just as
|
|
likely to be us as not.
|
|
- Do something to prevent spurious EXTEND cells from making
|
|
middleman nodes connect all over. Rate-limit failed
|
|
connections, perhaps?
|
|
- DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
|
|
|
|
- Needs thinking
|
|
- Now that we're avoiding exits when picking non-exit positions,
|
|
we need to consider how to pick nodes for internal circuits. If
|
|
we avoid exits for all positions, we skew the load balancing. If
|
|
we accept exits for all positions, we leak whether it's an
|
|
internal circuit at every step. If we accept exits only at the
|
|
last hop, we reintroduce Lasse's attacks from the Oakland paper.
|
|
|
|
- Windows server usability
|
|
- Solve the ENOBUFS problem.
|
|
- make tor's use of openssl operate on buffers rather than sockets,
|
|
so we can make use of libevent's buffer paradigm once it has one.
|
|
- make tor's use of libevent tolerate either the socket or the
|
|
buffer paradigm; includes unifying the functions in connect.c.
|
|
- We need a getrlimit equivalent on Windows so we can reserve some
|
|
file descriptors for saving files, etc. Otherwise we'll trigger
|
|
asserts when we're out of file descriptors and crash.
|
|
|
|
- Documentation
|
|
- a way to generate the website diagrams from source, so we can
|
|
translate them as utf-8 text rather than with gimp. (svg? or
|
|
imagemagick?)
|
|
. Flesh out options_description array in src/or/config.c
|
|
. multiple sample torrc files
|
|
- Refactor tor man page to divide generally useful options from
|
|
less useful ones?
|
|
- Add a doxygen style checker to make check-spaces so nick doesn't drift
|
|
too far from arma's undocumented styleguide. Also, document that
|
|
styleguide in HACKING. (See r9634 for example.)
|
|
- exactly one space at beginning and at end of comments, except i
|
|
guess when there's line-length pressure.
|
|
- if we refer to a function name, put a () after it.
|
|
- only write <b>foo</b> when foo is an argument to this function.
|
|
- doxygen comments must always end in some form of punctuation.
|
|
- capitalize the first sentence in the doxygen comment, except
|
|
when you shouldn't.
|
|
- avoid spelling errors and incorrect comments. ;)
|
|
|
|
- Packaging
|
|
- The Debian package now uses --verify-config when (re)starting,
|
|
to distinguish configuration errors from other errors. Perhaps
|
|
the RPM and other startup scripts should too?
|
|
- add a "default.action" file to the tor/vidalia bundle so we can
|
|
fix the https thing in the default configuration:
|
|
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort
|
|
|
|
|
|
=======================================================================
|
|
|
|
Documentation, non-version-specific.
|
|
- Specs
|
|
- Mark up spec; note unclear points about servers
|
|
NR - write a spec appendix for 'being nice with tor'
|
|
- Specify the keys and key rotation schedules and stuff
|
|
. Finish path-spec.txt
|
|
- Mention controller libs someplace.
|
|
- Remove need for HACKING file.
|
|
- document http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy on freebsd and osx
|
|
P - figure out rpm spec files for bundles of vidalia-tor-polipo
|
|
P - figure out polipo install scripts for bundles of vidalia-tor-polipo on osx, win32
|
|
- figure out selinux policy for tor
|
|
P - change packaging system to more automated and specific for each
|
|
platform, suggested by Paul Wouter
|
|
P - Setup repos for redhat and suse rpms & start signing the rpms the
|
|
way package management apps prefer
|
|
|
|
Website:
|
|
J . tor-in-the-media page
|
|
P - Figure out licenses for website material.
|
|
(Phobos reccomends the Open Publication License with Option A at
|
|
http://opencontent.org/openpub/)
|
|
P - put the logo on the website, in source form, so people can put it on
|
|
stickers directly, etc.
|
|
P - put the source image for the stickers on the website, so people can
|
|
print their own
|
|
P - figure out a license for the logos and docs we publish (trademark
|
|
figures into this)
|
|
(Phobos reccomends the Open Publication License with Option A at
|
|
http://opencontent.org/openpub/)
|
|
I - add a page for localizing all tor's components.
|
|
- It would be neat if we had a single place that described _all_ the
|
|
tor-related tools you can use, and what they give you, and how well they
|
|
work. Right now, we don't give a lot of guidance wrt
|
|
torbutton/foxproxy/privoxy/polipo in any consistent place.
|
|
P - create a 'blog badge' for tor fans to link to and feature on their
|
|
blogs. A sample is at http://interloper.org/tmp/tor/tor-button.png
|
|
- More prominently, we should have a recommended apps list.
|
|
- recommend pidgin (gaim is renamed)
|
|
- unrecommend IE because of ftp:// bug.
|
|
- Addenda to tor-design
|
|
- we should add a preamble to tor-design saying it's out of date.
|
|
- we should add an appendix or errata on what's changed.
|
|
|
|
- Tor mirrors
|
|
- make a mailing list with the mirror operators
|
|
o make an automated tool to check /project/trace/ at mirrors to
|
|
learn which ones are lagging behind.
|
|
- auto (or manually) cull the mirrors that are broken; and
|
|
contact their operator?
|
|
- a set of instructions for mirror operators to make their apaches
|
|
serve our charsets correctly, and bonus points for language
|
|
negotiation.
|
|
- figure out how to load-balance the downloads across mirrors?
|
|
- ponder how to get users to learn that they should google for
|
|
"tor mirrors" if the main site is blocked.
|
|
- find a mirror volunteer to coordinate all of this
|
|
|