From 79a3fed30e953285be083c67f0a871b09153fbd2 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 27 Aug 2007 23:42:46 +0000 Subject: r14819@catbus: nickm | 2007-08-27 19:40:11 -0400 Sort all of the items in the TODO. That took longer than I had hoped, but I think it was useful. svn:r11292 --- doc/TODO | 668 ++++++++++++++++++++++++++++++--------------------------------- 1 file changed, 321 insertions(+), 347 deletions(-) (limited to 'doc/TODO') diff --git a/doc/TODO b/doc/TODO index 43032585c..7095fb0f9 100644 --- a/doc/TODO +++ b/doc/TODO 
@@ -13,37 +13,12 @@ P - phobos claims D Deferred X Abandoned -Temporary notations for moving items around: -++ - Make this a task for the current version -d - Move this into "nice to have for the current version" -D - Move this into "deferred from current version." -X2 - This is a duplicate; remove it. - -Documentation and testing on 0.1.2.x-final series - - o Test guard unreachable logic; make sure that we actually attempt to - connect to guards that we think are unreachable from time to time. - Make sure that we don't freak out when the network is down. - -++. Forward compatibility fixes -N - Hack up a client that gives out weird/no certificates, so we can - test to make sure that this doesn't cause servers to crash. - -++. Finish path-spec.txt - -++- Docs - - Tell people about OSX Uninstaller - - Quietly document NT Service options - - More prominently, we should have a recommended apps list. - - recommend gaim. - - unrecommend IE because of ftp:// bug. - - we should add a preamble to tor-design saying it's out of date. - . Document transport and natdport - o In man page - - In a good HOWTO. - Things we'd like to do in 0.2.0.x: - - Bug reports Roger has heard along that way that don't have enough + - See also Flyspray tasks. + - See also all items marked XXXX020 and DOCDOC in the code + + - Bugs. + - Bug reports Roger has heard along that way that don't have enough details/attention to solve them yet. - tup said that when he set FetchUselessDescriptors, after 24 or 48 hours he wasn't fetching any descriptors at all 
@@ -97,66 +72,36 @@ Things we'd like to do in 0.2.0.x: . 104: Long and Short Router Descriptors - Drop bandwidth history from router-descriptors - 105: Version negotiation for the Tor protocol -d - 113: Simplifying directory authority administration -d - 110: prevent infinite-length circuits (phase one) - - servers should recognize relay_extend cells and pass them - on just like relay cells + . 111: Prioritize local traffic over relayed. + o Implement + - Merge into tor-spec.txt. - Refactoring: -D - Make resolves no longer use edge_connection_t unless they are actually - _on_ a socks connection: have edge_connection_t and (say) - dns_request_t both extend an edge_stream_t, and have p_streams and - n_streams both be linked lists of edge_stream_t. . Make cells get buffered on circuit, not on the or_conn. . Switch to pool-allocation for cells? - Benchmark pool-allocation vs straightforward malloc. - Adjust memory allocation logic in pools to favor a little less slack memory. -d - MAYBE kill stalled circuits rather than stalled connections; consider - anonymity implications. -d - Move all status info out of routerinfo into local_routerstatus. Make - "who can change what" in local_routerstatus explicit. Make - local_routerstatus (or equivalent) subsume all places to go for "what - router is this?" . Remove socketpair-based bridges conns, and the word "bridge". (Use shared (or connected) buffers for communication, rather than sockets.) . Implement - Handle rate-limiting on directory writes to linked directory connections in a more sensible manner. - Find more ways to test this. - D Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the - online config documentation from a single source. - Have clients do TLS connection rotation less often than "every 10 minutes" in the thrashy case, and more often than "once a week" in the extra-stable case. - Streamline how we pick entry nodes: Make choose_random_entry() have less magic and less control logic. 
-d - Implement TLS shutdown properly when possible. - Maybe move NT services into their own module. - . Autoconf cleanups and improvements: - o Tell the user what -dev package to install based on OS. -d - Detect correct version of libraries. - Refactor networkstatus generation: - Include "v" line in getinfo values. - - Features: - - Traffic priorities - . Ability to prioritize own traffic over relayed traffic. - (Proposal 111.) - . Implement - - Merge proposal into the spec. - . DNS Proxy - - Document it -d - A better UI for authority ops. - - Follow weasel's proposal, crossed with mixminion dir config format - - Write a proposal + - Bridges: . Bridges users (rudimentary version) o Ability to specify bridges manually o Config option 'UseBridges' that bridge users can turn on. o uses bridges as first hop rather than entry guards. - D Do we want to maintain our own set of entryguards that we use as - next hop after the bridge? Open research question; let's say no - for 0.2.0 unless we learn otherwise. o if you don't have any routerinfos for your bridges, or you don't like the ones you have, ask a new bridge for its server/authority. . Ask all directory questions to bridge via BEGIN_DIR. @@ -168,8 +113,6 @@ N - Design/implement the "local-status" or something like it, from the http://archives.seul.org/or/dev/May-2007/msg00008.html - cache of bridges that we've learned about and use but aren't manually listed in the torrc. - D and some mechanism for specifying that we want to stop using - a given bridge in this cache. o timeout and retry schedules for fetching bridge descriptors - give extend_info_t a router_purpose again o react faster to download networkstatuses after the first bridge 
@@ -187,43 +130,57 @@ N - Design/implement the "local-status" or something like it, from the o Rudimentary "do not publish networkstatus" option for bridge authorities. - Clients can ask bridge authorities for more bridges. - D Should do reachability testing but only on the purpose==bridge - descriptors we have. - Bridges o Clients can ask bridge authorities for updates on known bridges. - More TLS normalization work: make Tor less easily fingerprinted. - Directory system improvements -d - config option to publish what ports you listen on, beyond - ORPort/DirPort. It should support ranges and bit prefixes (?) too. - (This is very similar to proposal 118.) -d - Let controller set router flags for authority to transmit, and for - client to use. -d - Support relaying streams to ipv6. - - Internal code support for ipv6: - o Clone ipv6 functions (inet_ntop, inet_pton) where they don't exist. - - Most address variables need to become sockaddrs. - - Teach resolving code how to handle ipv6. - - Teach exit policies about ipv6 (consider ipv4/ipv6 interaction!) - - ... -x2 - Let servers decide to support BEGIN_DIR but not DirPort. - (duplicate of "Ability to act as a dir cache without a dir port.") + + - Features (other than bridges): - Blocking-resistance. - Write a proposal; make this part of 105. -D - It would be potentially helpful to https requests on the OR port by - acting like an HTTPS server. -d - add an 'exit-address' line in the descriptor for servers that exit - from something that isn't their published address. - Audit how much RAM we're using for buffers and cell pools; try to trim down a lot. - Accept \n as end of lines in the control protocol in addition to \r\n. - Base relative control socket paths on datadir. - o Deprecations: + - We should ship with a list of stable dir mirrors -- they're not + trusted like the authorities, but they'll provide more robustness + and diversity for bootstrapping clients. 
+ - Better estimates in the directory of whether servers have good uptime + (high expected time to failure) or good guard qualities (high + fractional uptime). + - AKA Track uptime as %-of-time-up, as well as time-since-last-down + - Should TrackHostExits expire TrackHostExitsExpire seconds after their + *last* use, not their *first* use? + - Limit to 2 dir, 2 OR, N SOCKS connections per IP. + - Or maybe close connections from same IP when we get a lot from one. + - Or maybe block IPs that connect too many times at once. + - add an AuthDirBadexit torrc option if we decide we want one. + + - Testing +N - Hack up a client that gives out weird/no certificates, so we can + test to make sure that this doesn't cause servers to crash. + + - Deprecations: - can we deprecate 'getinfo network-status'? - can we deprecate the FastFirstHopPK config option? + - Documentation + - HOWTO for DNSPort. + - Tell people about OSX Uninstaller + - Quietly document NT Service options + - More prominently, we should have a recommended apps list. + - recommend gaim. + - unrecommend IE because of ftp:// bug. + - we should add a preamble to tor-design saying it's out of date. + . Document transport and natdport in a good HOWTO. + - Publicize torel. (What else? + . Finish path-spec.txt + P - Packaging: -P - Can we switch to polipo? +P - Can we switch to polipo? Please? + - Make documentation realize that location of system configuration file + will depend on location of system defaults, and isn't always /etc/torrc. P - If we haven't replaced privoxy, lock down its configuration in all packages, as documented in tor-doc-unix.html P - Figure out why dll's compiled in mingw don't work right in WinXP. 
@@ -233,79 +190,157 @@ P - Figure out if including RSA and IDEA are bad for Tor from a legal P - Create packages for Nokia 800, requested by Chris Soghoian P - Consider creating special Tor-Polipo-Vidalia test packages, requested by Dmitri Vitalev - - add an AuthDirBadexit torrc option if we decide we want one. - -Deferred from 0.1.2.x: (Unmarked items will become "Future version") - - BEGIN_DIR items - - turn the received socks addr:port into a digest for setting .exit - - handle connect-dir streams that don't have a chosen_exit_name set. - X 'networkstatus arrived' event - (Abandoned for simpler version in v3 protocol) -d - More work on AvoidDiskWrites? - - per-conn write buckets - - separate config options for read vs write limiting - (It's hard to support read > write, since we need better - congestion control to avoid overfull buffers there. So, - defer the whole thing.) - - don't do dns hijacking tests if we're reject *:* exit policy? - (deferred until 0.1.1.x is less common) - - Directory guards - - RAM use in directory authorities. - - Memory use improvements: - - Look into pulling serverdescs off buffers as they arrive. - X Save and mmap v1 directories, and networkstatus docs; store them - zipped, not uncompressed. - (Abandoned in favor of dropping v1 directory support.) - X Switch cached_router_t to use mmap. - X What to do about reference counts on windows? (On Unix, this is - easy: unlink works fine. (Right?) On Windows, I have doubts. Do we - need to keep multiple files?) - X What do we do about the fact that people can't read zlib- - compressed files manually? - -d - If the client's clock is too far in the past, it will drop (or - just not try to get) descriptors, so it'll never build circuits. - - Tolerate clock skew on bridge relays. - - - Now that we're avoiding exits when picking non-exit positions, - we need to consider how to pick nodes for internal circuits. If - we avoid exits for all positions, we skew the load balancing. 
If - we accept exits for all positions, we leak whether it's an internal - circuit at every step. If we accept exits only at the last hop, we - reintroduce Lasse's attacks from the Oakland paper. - -++- We should ship with a list of stable dir mirrors -- they're not - trusted like the authorities, but they'll provide more robustness - and diversity for bootstrapping clients. - - - A way to adjust router flags from the controller. - (How do we prevent the authority from clobbering them soon after?) - -++- Better estimates in the directory of whether servers have good uptime - (high expected time to failure) or good guard qualities (high - fractional uptime). - - AKA Track uptime as %-of-time-up, as well as time-since-last-down - - - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8? - - spec - - implement - - Windows server usability - - Solve the ENOBUFS problem. - - make tor's use of openssl operate on buffers rather than sockets, - so we can make use of libevent's buffer paradigm once it has one. - - make tor's use of libevent tolerate either the socket or the - buffer paradigm; includes unifying the functions in connect.c. - - We need a getrlimit equivalent on Windows so we can reserve some - file descriptors for saving files, etc. Otherwise we'll trigger - asserts when we're out of file descriptors and crash. - - rewrite how libevent does select() on win32 so it's not so very slow. - - Add overlapped IO - - Add an option (related to AvoidDiskWrites) to disable directory caching. +Nice-to-have items for 0.2.0.x, time permitting: + - Proposals + - 113: Simplifying directory authority administration + - 110: prevent infinite-length circuits (phase one) + . Robust decentralized storage for hidden service descriptors. + (Karsten is working on this; proposal 114.) + - 118: Listen on and advertise multiple ports: + - Tor should be able to have a pool of outgoing IP addresses that it is + able to rotate through. (maybe. Possible overlap with proposal 118.) 
+ - config option to publish what ports you listen on, beyond + ORPort/DirPort. It should support ranges and bit prefixes (?) too. + (This is very similar to proposal 118.) + - 117: IPv6 Exits + - Internal code support for ipv6: + o Clone ipv6 functions (inet_ntop, inet_pton) where they don't exist. + - Most address variables need to become tor_addr_t + - Teach resolving code how to handle ipv6. + - Teach exit policies about ipv6 (consider ipv4/ipv6 interaction!) + + - Features + - Let controller set router flags for authority to transmit, and for + client to use. + - add an 'exit-address' line in the descriptor for servers that exit + from something that isn't their published address. + - Clients should estimate their skew as median of skew from servers + over last N seconds. + - More work on AvoidDiskWrites? + + - Protocol work + - MAYBE kill stalled circuits rather than stalled connections. This is + possible thanks to cell queues, but we need to consider the anonymity + implications. + - Implement TLS shutdown properly when possible. - - Finish status event implementation and accompanying getinfos - - Missing events: + - Low-priority bugs: + - we try to build 4 test circuits to break them over different + servers. but sometimes our entry node is the same for multiple + test circuits. this defeats the point. + - If the client's clock is too far in the past, it will drop (or just not + try to get) descriptors, so it'll never build circuits. + + - Refactoring: + - Move all status info out of routerinfo into local_routerstatus. Make + "who can change what" in local_routerstatus explicit. Make + local_routerstatus (or equivalent) subsume all places to go for "what + router is this?" + + - Build: + - Detect correct version of libraries from autoconf script. + + - Documentation: + - Review torrc.sample to make it more discursive. 
+ +Deferred from 0.2.0.x: + - Features + - Make a TCP DNSPort + - Refactoring + - Make resolves no longer use edge_connection_t unless they are actually + _on_ a socks connection: have edge_connection_t and (say) + dns_request_t both extend an edge_stream_t, and have p_streams and + n_streams both be linked lists of edge_stream_t. + - Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the + online config documentation from a single source. + - Blocking/scanning-resistance + - It would be potentially helpful to https requests on the OR port by + acting like an HTTPS server. + - Do we want to maintain our own set of entryguards that we use as + next hop after the bridge? Open research question; let's say no + for 0.2.0 unless we learn otherwise. + - Should do reachability testing but only on the purpose==bridge + descriptors we have. + - Some mechanism for specifying that we want to stop using a cached + bridge. + + +Future versions: + - See also Flyspray tasks. + - See also all OPEN/ACCEPTED proposals. + - See also all items marked XXXX and FFFF in the code. + + - Protocol: + - Our current approach to block attempts to use Tor as a single-hop proxy + is pretty lame; we should get a better one. + - Allow small cells and large cells on the same network? + - Cell buffering and resending. This will allow us to handle broken + circuits as long as the endpoints don't break, plus will allow + connection (tls session key) rotation. + - Implement Morphmix, so we can compare its behavior, complexity, + etc. But see paper breaking morphmix. + - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own + link crypto, unless we can bully DTLS into it. + - Need a relay teardown cell, separate from one-way ends. + (Pending a user who needs this) + - Handle half-open connections: right now we don't support all TCP + streams, at least according to the protocol. But we handle all that + we've seen in the wild. 
+ (Pending a user who needs this) + + - Directory system + - BEGIN_DIR items + - turn the received socks addr:port into a digest for setting .exit + - handle connect-dir streams that don't have a chosen_exit_name set. + - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8? + - Add an option (related to AvoidDiskWrites) to disable directory + caching. (Is this actually a good idea??) + - Add d64 and fp64 along-side d and fp so people can paste status + entries into a url. since + is a valid base64 char, only allow one + at a time. Consider adding to controller as well. + - Some back-out mechanism for auto-approval on authorities + - a way of rolling back approvals to before a timestamp + - Consider minion-like fingerprint file/log combination. + - Have new people be in limbo and need to demonstrate usefulness + before we approve them. + + - Hidden services: + - Standby/hotswap/redundant hidden services. + . Update the hidden service stuff for the new dir approach. (Much + of this will be superseded by 114.) + - switch to an ascii format, maybe sexpr? + - authdirservers publish blobs of them. + - other authdirservers fetch these blobs. + - hidserv people have the option of not uploading their blobs. + - you can insert a blob via the controller. + - and there's some amount of backwards compatibility. + - teach clients, intro points, and hidservs about auth mechanisms. + - come up with a few more auth mechanisms. + - auth mechanisms to let hidden service midpoint and responder filter + connection requests. + - Let each hidden service (or other thing) specify its own + OutboundBindAddress? + - Hidserv offerers shouldn't need to define a SocksPort + + - Server operation + - When we notice a 'Rejected: There is already a named server with + this nickname' message... or maybe instead when we see in the + networkstatuses that somebody else is Named with the name we + want: warn the user, send a STATUS_SERVER message, and fall back + to unnamed. 
+ - If the server is spewing complaints about raising your ulimit -n, + we should add a note about this to the server descriptor so other + people can notice too. + - When we hit a funny error from a dir request (eg 403 forbidden), + but tor is working and happy otherwise, and we haven't seen many + such errors recently, then don't warn about it. + + - Controller + - A way to adjust router flags from the controller. (How do we + prevent the authority from clobbering them soon afterward?) + - Implement missing status events and accompanying getinfos - DIR_REACHABLE - BAD_DIR_RESPONSE (Unexpected directory response; maybe we're behind a firewall.) 
@@ -316,209 +351,145 @@ d - If the client's clock is too far in the past, it will drop (or from resolve_my_address() in config.c - sketchy OS, sketchy threading - too many onions queued: threading problems or slow CPU? - - Missing fields: + - Implement missing status event fields: - TIMEOUT on CHECKING_REACHABILITY - GETINFO status/client, status/server, status/general: There should be some way to learn which status events are currently "in effect." We should specify which these are, what format they appear in, and so on. - - -Minor items for 0.1.2.x as time permits: - - include bandwidth breakdown by conn->type in BW events. -++- Recommend polipo? Please? -++- Make documentation realize that location of system configuration file - will depend on location of system defaults, and isn't always /etc/torrc. -d - Review torrc.sample to make it more discursive. - - a way to generate the website diagrams from source, so we can - translate them as utf-8 text rather than with gimp. - - add d64 and fp64 along-side d and fp so people can paste status - entries into a url. since + is a valid base64 char, only allow one - at a time. spec and then do. - - The Debian package now uses --verify-config when (re)starting, - to distinguish configuration errors from other errors. Perhaps - the RPM and other startup scripts should too? - - add a "default.action" file to the tor/vidalia bundle so we can fix the - https thing in the default configuration: - http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort - . Flesh out options_description array in src/or/config.c - X If we try to publish as a nickname that's already claimed, should - we append a number (or increment the number) and try again? This - way people who read their logs can fix it as before, but people - who don't read their logs will still offer Tor servers. - - Fall back to unnamed; warn user; send controller event. 
("When we - notice a 'Rejected: There is already a named server with this nickname' - message... or maybe instead when we see in the networkstatuses that - somebody else is Named with the name we want: warn the user, send a - STATUS_SERVER message, and fall back to unnamed.") - - Rate limit exit connections to a given destination -- this helps - us play nice with websites when Tor users want to crawl them; it - also introduces DoS opportunities. -x2- Christian Grothoff's attack of infinite-length circuit. - the solution is to have a separate 'extend-data' cell type - which is used for the first N data cells, and only - extend-data cells can be extend requests. - . Specify, including thought about anonymity implications. [proposal 110] - - Display the reasons in 'destroy' and 'truncated' cells under some - circumstances? - - If the server is spewing complaints about raising your ulimit -n, - we should add a note about this to the server descriptor so other - people can notice too. - - cpu fixes: - - see if we should make use of truncate to retry - . Directory changes - . Some back-out mechanism for auto-approval - - a way of rolling back approvals to before a timestamp - - Consider minion-like fingerprint file/log combination. - - packaging and ui stuff: - . multiple sample torrc files - . figure out how to make nt service stuff work? - . Document it. - - Vet all pending installer patches - - Win32 installer plus privoxy, sockscap/freecap, etc. - - Vet win32 systray helper code - (2007-04-15 phobos, do we still need these installer patches?) - - - Improve controller - - a NEWSTATUS event similar to NEWDESC. - - change circuit status events to give more details, like purpose, + - More information in events: + - Include bandwidth breakdown by conn->type in BW events. + - Change circuit status events to give more details, like purpose, whether they're internal, when they become dirty, when they become too dirty for further circuits, etc. 
- - What do we want here, exactly? - - Specify and implement it. - - Change stream status events analogously. - - What do we want here, exactly? - - Specify and implement it. - - Make other events "better". - Change stream status events analogously. - - What do we want here, exactly? - - Specify and implement it. - - Make other events "better" analogously - - What do we want here, exactly? - - Specify and implement it. - . Expose more information via getinfo: - - import and export rendezvous descriptors - - Review all static fields for additional candidates - - Allow EXTENDCIRCUIT to unknown server. + - Expose more information via getinfo: + - import and export rendezvous descriptors + - Review all static fields for additional candidates + - Allow EXTENDCIRCUIT to unknown server. - We need some way to adjust server status, and to tell tor not to download directories/network-status, and a way to force a download. - Make everything work with hidden services -Deferred from 0.2.0: - - Make a TCP DNSPort - -Future version: - - servers might check certs for known-good ssl websites, and if they - come back self-signed, declare themselves to be non-exits. similar - to how we test for broken/evil dns now. -d - we try to build 4 test circuits to break them over different - servers. but sometimes our entry node is the same for multiple - test circuits. this defeats the point. - - when we hit a funny error from a dir request (eg 403 forbidden), - but tor is working and happy otherwise, and we haven't seen many - such errors recently, then don't warn about it. - - More consistent error checking in router_parse_entry_from_string(). - I can say "banana" as my bandwidthcapacity, and it won't even squeak. - - Add a doxygen style checker to make check-spaces so nick doesn't drift - too far from arma's undocumented styleguide. Also, document that - styleguide in HACKING. (See r9634 for example.) 
- - exactly one space at beginning and at end of comments, except i - guess when there's line-length pressure. - - if we refer to a function name, put a () after it. - - only write foo when foo is an argument to this function. - - doxygen comments must always end in some form of punctuation. - - capitalize the first sentence in the doxygen comment, except - when you shouldn't. - - avoid spelling errors and incorrect comments. ;) -++- Should TrackHostExits expire TrackHostExitsExpire seconds after their - *last* use, not their *first* use? - X Configuration format really wants sections. -++. Good RBL substitute. - o Play with the implementations; link them from somewhere; add a - round-robin link from torel.torproject.org; describe how to - use them in the FAQ. - o Torel is now implemented. - - Publicize torel. (What else? - - Authorities should try using exits for http to connect to some URLS - (specified in a configuration file, so as not to make the List Of Things - Not To Censor completely obvious) and ask them for results. Exits that - don't give good answers should have the BadExit flag set. - - Our current approach to block attempts to use Tor as a single-hop proxy - is pretty lame; we should get a better one. - . Update the hidden service stuff for the new dir approach. - - switch to an ascii format, maybe sexpr? - - authdirservers publish blobs of them. - - other authdirservers fetch these blobs. - - hidserv people have the option of not uploading their blobs. - - you can insert a blob via the controller. - - and there's some amount of backwards compatibility. - - teach clients, intro points, and hidservs about auth mechanisms. - - come up with a few more auth mechanisms. - - auth mechanisms to let hidden service midpoint and responder filter - connection requests. - - Bind to random port when making outgoing connections to Tor servers, - to reduce remote sniping attacks. 
- - Have new people be in limbo and need to demonstrate usefulness - before we approve them. -d - Clients should estimate their skew as median of skew from servers - over last N seconds. - - Make router_is_general_exit() a bit smarter once we're sure what it's for. - - Audit everything to make sure rend and intro points are just as likely to - be us as not. - - Do something to prevent spurious EXTEND cells from making middleman - nodes connect all over. Rate-limit failed connections, perhaps? - - Automatically determine what ports are reachable and start using - those, if circuits aren't working and it's a pattern we recognize - ("port 443 worked once and port 9001 keeps not working"). -++- Limit to 2 dir, 2 OR, N SOCKS connections per IP. - - Or maybe close connections from same IP when we get a lot from one. - - Or maybe block IPs that connect too many times at once. - - Handle full buffers without totally borking - - Rate-limit OR and directory connections overall and per-IP and - maybe per subnet. - - Hold-open-until-flushed now works by accident; it should work by - design. - - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion. - - Specify? - - hidserv offerers shouldn't need to define a SocksPort - * figure out what breaks for this, and do it. -d - tor should be able to have a pool of outgoing IP addresses - that it is able to rotate through. (maybe) - - Specify; implement. - - Probably this is part of proposal 118's stuff. - - let each hidden service (or other thing) specify its own - OutboundBindAddress? - -Blue-sky: - - Patch privoxy and socks protocol to pass strings to the browser. - - Standby/hotswap/redundant hidden services. -d . Robust decentralized storage for hidden service descriptors. - (Karsten is working on this.) -x2. The "China problem" - (This is bridges.) - - Allow small cells and large cells on the same network? - - Cell buffering and resending. 
This will allow us to handle broken - circuits as long as the endpoints don't break, plus will allow - connection (tls session key) rotation. - - Implement Morphmix, so we can compare its behavior, complexity, etc. - - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own - link crypto, unless we can bully openssl into it. - - Need a relay teardown cell, separate from one-way ends. - (Pending a user who needs this) - - Handle half-open connections: right now we don't support all TCP - streams, at least according to the protocol. But we handle all that - we've seen in the wild. - (Pending a user who needs this) - -Non-Coding: - - Mark up spec; note unclear points about servers + - Performance/resources + - per-conn write buckets + - separate config options for read vs write limiting + (It's hard to support read > write, since we need better + congestion control to avoid overfull buffers there. So, + defer the whole thing.) + - Investigate RAM use in directory authorities. + - Look into pulling serverdescs off buffers as they arrive. + - Rate limit exit connections to a given destination -- this helps + us play nice with websites when Tor users want to crawl them; it + also introduces DoS opportunities. + - Consider truncating rather than destroying failed circuits, + in order to save the effort of restarting. There are security + issues here that need thinking, though. + - Handle full buffers without totally borking + - Rate-limit OR and directory connections overall and per-IP and + maybe per subnet. + + - Misc + - Hold-open-until-flushed now works by accident; it should work by + design. + - Display the reasons in 'destroy' and 'truncated' cells under + some circumstances? + - Make router_is_general_exit() a bit smarter once we're sure what + it's for. + - Automatically determine what ports are reachable and start using + those, if circuits aren't working and it's a pattern we + recognize ("port 443 worked once and port 9001 keeps not + working"). 
+ + - Security + - don't do dns hijacking tests if we're reject *:* exit policy? + (deferred until 0.1.1.x is less common) + - Directory guards + - Mini-SoaT: + - Servers might check certs for known-good ssl websites, and if + they come back self-signed, declare themselves to be + non-exits. Similar to how we test for broken/evil dns now. + - Authorities should try using exits for http to connect to some + URLS (specified in a configuration file, so as not to make the + List Of Things Not To Censor completely obvious) and ask them + for results. Exits that don't give good answers should have + the BadExit flag set. + - Alternatively, authorities should be able to import opinions + from Snakes on a Tor. + - More consistent error checking in router_parse_entry_from_string(). + I can say "banana" as my bandwidthcapacity, and it won't even squeak. + - Bind to random port when making outgoing connections to Tor servers, + to reduce remote sniping attacks. + - Audit everything to make sure rend and intro points are just as + likely to be us as not. + - Do something to prevent spurious EXTEND cells from making + middleman nodes connect all over. Rate-limit failed + connections, perhaps? + - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion. + + - Bridges + - Tolerate clock skew on bridge relays. + + - Needs thinking + - Now that we're avoiding exits when picking non-exit positions, + we need to consider how to pick nodes for internal circuits. If + we avoid exits for all positions, we skew the load balancing. If + we accept exits for all positions, we leak whether it's an + internal circuit at every step. If we accept exits only at the + last hop, we reintroduce Lasse's attacks from the Oakland paper. + + - Windows server usability + - Solve the ENOBUFS problem. + - make tor's use of openssl operate on buffers rather than sockets, + so we can make use of libevent's buffer paradigm once it has one. 
+ - make tor's use of libevent tolerate either the socket or the + buffer paradigm; includes unifying the functions in connect.c. + - We need a getrlimit equivalent on Windows so we can reserve some + file descriptors for saving files, etc. Otherwise we'll trigger + asserts when we're out of file descriptors and crash. + - Merge code from Urz into libevent + - Make Tor use evbuffers. + + - Documentation + - a way to generate the website diagrams from source, so we can + translate them as utf-8 text rather than with gimp. + . Flesh out options_description array in src/or/config.c + . multiple sample torrc files + . figure out how to make nt service stuff work? + . Document it. + - Refactor tor man page to divide generally useful options from + less useful ones? + - Add a doxygen style checker to make check-spaces so nick doesn't drift + too far from arma's undocumented styleguide. Also, document that + styleguide in HACKING. (See r9634 for example.) + - exactly one space at beginning and at end of comments, except i + guess when there's line-length pressure. + - if we refer to a function name, put a () after it. + - only write foo when foo is an argument to this function. + - doxygen comments must always end in some form of punctuation. + - capitalize the first sentence in the doxygen comment, except + when you shouldn't. + - avoid spelling errors and incorrect comments. ;) + + - Packaging + - The Debian package now uses --verify-config when (re)starting, + to distinguish configuration errors from other errors. Perhaps + the RPM and other startup scripts should too? + - add a "default.action" file to the tor/vidalia bundle so we can + fix the https thing in the default configuration: + http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort + + - Related tools + - Patch privoxy and socks protocol to pass strings to the browser. + + +Documentation, non-version-specific. 
+ - Specs + - Mark up spec; note unclear points about servers +NR - write a spec appendix for 'being nice with tor' + - Specify the keys and key rotation schedules and stuff - Mention controller libs someplace. - . more pictures from ren. he wants to describe the tor handshake -NR- write a spec appendix for 'being nice with tor' - - tor-in-the-media page - Remove need for HACKING file. - - Figure out licenses for website material. - - Specify the keys and key rotation schedules and stuff P - document http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy on freebsd and osx P - figure out why x86_64 won't build rpms from tor.spec P - figure out spec files for bundles of vidalia-tor-polipo @@ -530,6 +501,9 @@ P - change packaging system to more automated and specific for each platform, suggested by Paul Wouter Website: + - tor-in-the-media page + . more pictures from ren. he wants to describe the tor handshake + - Figure out licenses for website material. - and remove home and make the "Tor" picture be the link to home. - put the logo on the website, in source form, so people can put it on stickers directly, etc. -- cgit v1.2.3
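Review bot: the re-sorted "Performance/resources" and "Security" lists in this hunk now carry overlapping DoS items with no cross-reference: "Rate-limit OR and directory connections overall and per-IP and maybe per subnet" under Performance, "Rate-limit failed connections, perhaps?" under the spurious-EXTEND entry, and "DoS protection: TLS puzzles, public key ops, bandwidth exhaustion" under Security. Consider folding the per-IP/per-subnet rate limiting into the DoS protection entry, or at least noting in each that the other exists, so the threat being mitigated is written down once. Two entries also flag a risk without recording it: "Rate limit exit connections to a given destination" says it "introduces DoS opportunities" and "Consider truncating rather than destroying failed circuits" says "There are security issues here that need thinking"; a one-line note of what the concern is would save whoever picks these up from rediscovering it. Finally, the router_parse_entry_from_string() item ("I can say 'banana' as my bandwidthcapacity, and it won't even squeak") is correctly placed under Security since descriptors are parsed from data received over the network, but it reads as a style nit; stating that it is input validation on untrusted descriptors would make its priority clear.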
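Review bot: the "@@ -530,6 +501,9 @@" hunk adds three items under "Website:" ("tor-in-the-media page", "more pictures from ren. he wants to describe the tor handshake", "Figure out licenses for website material.") whose matching removals from the Documentation list sit in the preceding hunk, and the "NR - write a spec appendix" and "Specify the keys and key rotation schedules" items are likewise removed and re-added under "Specs" in the same pass. Since the commit message only says the items were sorted, a sentence noting that entries were moved rather than dropped (and that the "." in-progress marker on the pictures item was preserved) would make the 321 insertions / 347 deletions easier to audit against the TODO's own status legend.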
