diff options
Diffstat (limited to 'doc/TODO.future')
| -rw-r--r-- | doc/TODO.future | 330 |
1 files changed, 0 insertions, 330 deletions
diff --git a/doc/TODO.future b/doc/TODO.future deleted file mode 100644 index 85e07aa92..000000000 --- a/doc/TODO.future +++ /dev/null @@ -1,330 +0,0 @@ -Legend: -SPEC!! - Not specified -SPEC - Spec not finalized -N - nick claims -R - arma claims -P - phobos claims -S - Steven claims -E - Matt claims -M - Mike claims -J - Jeff claims -I - ioerror claims -W - weasel claims -K - Karsten claims - - Not done - * Top priority - . Partially done - o Done - d Deferrable - D Deferred - X Abandoned - -======================================================================= - -Later, unless people want to implement them now: - - Actually use SSL_shutdown to close our TLS connections. - - Include "v" line in networkstatus getinfo values. - [Nick: bridge authorities output a networkstatus that is missing - version numbers. This is inconvenient if we want to make sure - bridgedb gives out bridges with certain characteristics. -RD] - [Okay. Is this a separate item, or is it the same issue as the lack of - a "v" line in response to the controller GETINFO command? -NM] - - MAYBE kill stalled circuits rather than stalled connections. This is - possible thanks to cell queues, but we need to consider the anonymity - implications. - - Make resolves no longer use edge_connection_t unless they are actually - _on_ a socks connection: have edge_connection_t and (say) - dns_request_t both extend an edge_stream_t, and have p_streams and - n_streams both be linked lists of edge_stream_t. - - Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the - online config documentation from a single source. - - It would be potentially helpful to respond to https requests on - the OR port by acting like an HTTPS server. - - - We should get smarter about handling address resolve failures, or - addresses that resolve to local IPs. It would be neat to retry - them, since right now we just close the stream. But we need to - make sure we don't retry them on the same exit as before. But if - we mark the circuit, then any user who types "localhost" will - cycle through circuits till they run out of retries. See bug 872. - -Can anybody remember why we wanted to do this and/or what it means? - - config option __ControllerLimit that hangs up if there are a limit - of controller connections already. - [This was mwenge's idea. The idea is that a Tor controller can - "fill" Tor's controller slot quota, so jerks can't do cross-protocol - attacks like the http form attack. -RD] - - Bridge issues - . Ask all directory questions to bridge via BEGIN_DIR. - - use the bridges for dir fetches even when our dirport is open. - - drop 'authority' queries if they're to our own identity key; accept - them otherwise. - - give extend_info_t a router_purpose again - - - -If somebody wants to do this in some version, they should: - - Create packages for Maemo/Nokia 800/810, requested by Chris Soghoian - - debian already makes ARM-arch debs, can maemo use these asks - phobos? - - More work on AvoidDiskWrites - - Make DNSPort support TCP DNS. - - -* * * * Roger, please sort these: * * * * - - - bridge communities with local bridge authorities: - - clients who have a password configured decide to ask their bridge - authority for a networkstatus - - be able to have bridges that aren't in your torrc. save them in - state file, etc. - - Consider if we can solve: the Tor client doesn't know what flags - its bridge has (since it only gets the descriptor), so it can't - make decisions based on Fast or Stable. - - Some mechanism for specifying that we want to stop using a cached - bridge. - -======================================================================= - -Future versions: - - - Protocol - - Our current approach to block attempts to use Tor as a single-hop proxy - is pretty lame; we should get a better one. - - Allow small cells and large cells on the same network? - - Cell buffering and resending. This will allow us to handle broken - circuits as long as the endpoints don't break, plus will allow - connection (tls session key) rotation. - - Implement Morphmix, so we can compare its behavior, complexity, - etc. But see paper breaking morphmix. - - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own - link crypto, unless we can bully DTLS into it. - - Need a relay teardown cell, separate from one-way ends. - (Pending a user who needs this) - - Handle half-open connections: right now we don't support all TCP - streams, at least according to the protocol. But we handle all that - we've seen in the wild. - (Pending a user who needs this) - - - Directory system - - BEGIN_DIR items - - handle connect-dir streams that don't have a chosen_exit_name set. - - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8? - - Add an option (related to AvoidDiskWrites) to disable directory - caching. (Is this actually a good idea??) - X Add d64 and fp64 along-side d and fp so people can paste status - entries into a url. since + is a valid base64 char, only allow one - at a time. Consider adding to controller as well. - [abandoned for lack of demand] - - Some back-out mechanism for auto-approval on authorities - - a way of rolling back approvals to before a timestamp - - Consider minion-like fingerprint file/log combination. - X Have new people be in limbo and need to demonstrate usefulness - before we approve them. - - - Hidden services: - d Standby/hotswap/redundant hidden services: needs a proposal. - - you can insert a hidserv descriptor via the controller. - - auth mechanisms to let hidden service midpoint and responder filter - connection requests: proposal 121. - - Let each hidden service (or other thing) specify its own - OutboundBindAddress? - - - Server operation - - If the server is spewing complaints about raising your ulimit -n, - we should add a note about this to the server descriptor so other - people can notice too. - - When we hit a funny error from a dir request (eg 403 forbidden), - but tor is working and happy otherwise, and we haven't seen many - such errors recently, then don't warn about it. - - - Controller - - Implement missing status events and accompanying getinfos - - DIR_REACHABLE - - BAD_DIR_RESPONSE (Unexpected directory response; maybe we're behind - a firewall.) - - BAD_PROXY (Bad http or https proxy) - - UNRECOGNIZED_ROUTER (a nickname we asked for is unavailable) - - Status events related to hibernation - - something about failing to parse our address? - from resolve_my_address() in config.c - - sketchy OS, sketchy threading - - too many onions queued: threading problems or slow CPU? - - Implement missing status event fields: - - TIMEOUT on CHECKING_REACHABILITY - - GETINFO status/client, status/server, status/general: There should be - some way to learn which status events are currently "in effect." - We should specify which these are, what format they appear in, and so - on. - - More information in events: - - Include bandwidth breakdown by conn->type in BW events. - - Change circuit status events to give more details, like purpose, - whether they're internal, when they become dirty, when they become - too dirty for further circuits, etc. - - Change stream status events analogously. - - Expose more information via getinfo: - - import and export rendezvous descriptors - - Review all static fields for additional candidates - - Allow EXTENDCIRCUIT to unknown server. - - We need some way to adjust server status, and to tell tor not to - download directories/network-status, and a way to force a download. - - Make everything work with hidden services - - - Performance/resources - - per-conn write buckets - - separate config options for read vs write limiting - (It's hard to support read > write, since we need better - congestion control to avoid overfull buffers there. So, - defer the whole thing.) - - Rate limit exit connections to a given destination -- this helps - us play nice with websites when Tor users want to crawl them; it - also introduces DoS opportunities. - - Consider truncating rather than destroying failed circuits, - in order to save the effort of restarting. There are security - issues here that need thinking, though. - - Handle full buffers without totally borking - - Rate-limit OR and directory connections overall and per-IP and - maybe per subnet. - - - Misc - - Hold-open-until-flushed now works by accident; it should work by - design. - - Display the reasons in 'destroy' and 'truncated' cells under - some circumstances? - - Make router_is_general_exit() a bit smarter once we're sure what - it's for. - - Automatically determine what ports are reachable and start using - those, if circuits aren't working and it's a pattern we - recognize ("port 443 worked once and port 9001 keeps not - working"). - - - Security - - some better fix for bug #516? - - Directory guards - - Mini-SoaT: - - Servers might check certs for known-good ssl websites, and if - they come back self-signed, declare themselves to be - non-exits. Similar to how we test for broken/evil dns now. - - Authorities should try using exits for http to connect to some - URLS (specified in a configuration file, so as not to make the - List Of Things Not To Censor completely obvious) and ask them - for results. Exits that don't give good answers should have - the BadExit flag set. - - Alternatively, authorities should be able to import opinions - from Snakes on a Tor. - - Bind to random port when making outgoing connections to Tor servers, - to reduce remote sniping attacks. - - Audit everything to make sure rend and intro points are just as - likely to be us as not. - - Do something to prevent spurious EXTEND cells from making - middleman nodes connect all over. Rate-limit failed - connections, perhaps? - - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion. - - - Needs thinking - - Now that we're avoiding exits when picking non-exit positions, - we need to consider how to pick nodes for internal circuits. If - we avoid exits for all positions, we skew the load balancing. If - we accept exits for all positions, we leak whether it's an - internal circuit at every step. If we accept exits only at the - last hop, we reintroduce Lasse's attacks from the Oakland paper. - - - Windows server usability - - Solve the ENOBUFS problem. - - make tor's use of openssl operate on buffers rather than sockets, - so we can make use of libevent's buffer paradigm once it has one. - - make tor's use of libevent tolerate either the socket or the - buffer paradigm; includes unifying the functions in connect.c. - - We need a getrlimit equivalent on Windows so we can reserve some - file descriptors for saving files, etc. Otherwise we'll trigger - asserts when we're out of file descriptors and crash. - - - Documentation - - a way to generate the website diagrams from source, so we can - translate them as utf-8 text rather than with gimp. (svg? or - imagemagick?) - . Flesh out options_description array in src/or/config.c - . multiple sample torrc files - - Refactor tor man page to divide generally useful options from - less useful ones? - - Add a doxygen style checker to make check-spaces so nick doesn't drift - too far from arma's undocumented styleguide. Also, document that - styleguide in HACKING. (See r9634 for example.) - - exactly one space at beginning and at end of comments, except i - guess when there's line-length pressure. - - if we refer to a function name, put a () after it. - - only write <b>foo</b> when foo is an argument to this function. - - doxygen comments must always end in some form of punctuation. - - capitalize the first sentence in the doxygen comment, except - when you shouldn't. - - avoid spelling errors and incorrect comments. ;) - - - Packaging - - The Debian package now uses --verify-config when (re)starting, - to distinguish configuration errors from other errors. Perhaps - the RPM and other startup scripts should too? - - add a "default.action" file to the tor/vidalia bundle so we can - fix the https thing in the default configuration: - https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort - - -======================================================================= - -Documentation, non-version-specific. - - Specs - - Mark up spec; note unclear points about servers -NR - write a spec appendix for 'being nice with tor' - - Specify the keys and key rotation schedules and stuff - . Finish path-spec.txt - - Mention controller libs someplace. - - Remove need for HACKING file. - - document http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy on freebsd and osx -P - figure out rpm spec files for bundles of vidalia-tor-polipo -P - figure out polipo install scripts for bundles of vidalia-tor-polipo on osx, win32 - - figure out selinux policy for tor -P - change packaging system to more automated and specific for each - platform, suggested by Paul Wouter -P - Setup repos for redhat and suse rpms & start signing the rpms the - way package management apps prefer - -Website: -J . tor-in-the-media page -P - Figure out licenses for website material. - (Phobos reccomends the Open Publication License with Option A at - http://opencontent.org/openpub/) -P - put the logo on the website, in source form, so people can put it on - stickers directly, etc. -P - put the source image for the stickers on the website, so people can - print their own -P - figure out a license for the logos and docs we publish (trademark -figures into this) - (Phobos reccomends the Open Publication License with Option A at - http://opencontent.org/openpub/) -I - add a page for localizing all tor's components. - - It would be neat if we had a single place that described _all_ the - tor-related tools you can use, and what they give you, and how well they - work. Right now, we don't give a lot of guidance wrt - torbutton/foxproxy/privoxy/polipo in any consistent place. -P - create a 'blog badge' for tor fans to link to and feature on their - blogs. A sample is at http://interloper.org/tmp/tor/tor-button.png - - More prominently, we should have a recommended apps list. - - recommend pidgin (gaim is renamed) - - unrecommend IE because of ftp:// bug. - - Addenda to tor-design - - we should add a preamble to tor-design saying it's out of date. - - we should add an appendix or errata on what's changed. - - - Tor mirrors - - make a mailing list with the mirror operators - o make an automated tool to check /project/trace/ at mirrors to - learn which ones are lagging behind. - - auto (or manually) cull the mirrors that are broken; and - contact their operator? - - a set of instructions for mirror operators to make their apaches - serve our charsets correctly, and bonus points for language - negotiation. - - figure out how to load-balance the downloads across mirrors? - - ponder how to get users to learn that they should google for - "tor mirrors" if the main site is blocked. - - find a mirror volunteer to coordinate all of this - |