4 SPEC - Spec not finalized
15 - Server instructions for OSX and Windows operators.
16 - Audit all changes to bandwidth buckets for integer over/underflow.
20 R o pick the whole path when you start the circuit.
21 o and then the controller can call that for extendcircuit
22 o finish messing with reachability stuff
23 o if we jump in time a lot, then mark our circs and note that we
24 haven't made a circ yet.
25 o actually give http reason phrases to dir clients, so they know why
27 o have a separate config option which caps bandwidth-to-advertise.
28 o Make list_server_status work right on non-directories, so that
29 getinfo("network-status") control message can work there.
33 Refactoring and infrastructure:
35 N . Switch to libevent
36 - Hold-open-until-flushed now works by accident; it should work by
38 - The logic for reading from TLS sockets is likely to overrun the
39 bandwidth buckets under heavy load. (Really, the logic was
40 never right in the first place.) Also, we should audit all users
41 of get_pending_bytes().
42 . Find a way to make sure we have libevent 1.0 or later.
43 o Implement patch to libevent
44 o Submit patch to niels making this possible.
45 - Implement Tor side once patch is accepted.
46 . Log which poll method we're using.
47 o Implement patch to libevent
48 o Submit patch to niels making this possible.
49 - Implement Tor side once patch is accepted.
50 . Intercept libevent's "log" messages.
51 o Ask Niels whether a patch would be accepted.
52 o Implement patch, if so.
53 - Implement Tor side once patch is accepted.
54 o Check return from event_set, event_add, event_del.
55 o Keep pushing to get a windows patch accepted.
56 - After about 26 March, check back with Niels; he should be back
60 - Make sure logged info is "safe"ish.
63 R o Reset uptime when IP changes.
66 o Implement pending controller features.
67 o Stubs for new functions.
71 o Individual descriptors
72 o Need to remember descriptors for all routers.
73 o Replace everything else that remembers serverdescs with
75 o List of address mappings
80 o Reuse mappings when asked to map DontCare->B for the same B.
81 o But only when the DontCare is of the same type. :/
82 o Way to handle overlong messages
83 o Specify fragmented format
84 o Implement fragmented format
85 o Event for "new descriptors"
87 o Stream status changed: "new" state.
89 o revised circ selection stuff.
90 o Implement controller interface.
92 o Make streams have an 'unattached and not-automatically-attachable'
93 state. ("Controller managed.")
94 o Add support to put new streams into this state rather than try to
95 attach them automatically. ("Hidden" config option.)
96 o Implement 'attach stream X to circuit Y' logic.
97 o Time out never-attached streams.
98 o If we never get a CONNECTED back, we should put the stream back in
99 CONTROLLER_WAIT, not in CIRCUIT_WAIT.
100 o Add a way for the controller to say, "Hey, nuke this stream."
103 o Add a way for the controller to say, "Hey, nuke this circuit."
106 - Tests for new controller features
107 R o HTTPS proxy for OR CONNECT stuff. (For outgoing SSL connections to
109 o Changes for forward compatibility
110 o If a version is later than the last in its series, but a version
111 in the next series is recommended, that doesn't mean it's bad.
112 o Do end reasons better
113 o Start using RESOURCELIMIT more.
114 o Try to use MISC a lot less.
115 o bug: if the exit node fails to create a socket (e.g. because it
116 has too many open), we will get a generic stream end response.
117 o Fix on platforms with set_max_file_descriptors.
118 o niels's "did it fail because conn refused or timeout or what"
120 o Realize that unrecognized end reasons are probably features rather than
121 bugs. (backport to 009x)
122 o Push the work of sending the end cell deeper into package_raw_inbuf.
123 (Turns out, if package_raw_inbuf fails, it *can't* send an end cell.)
124 o Check for any place where we can close an edge connection without
125 sending an end; see if we should send an end.
126 o Feed end reason back into SOCK5 as reasonable.
127 R o cache .foo.exit names better, or differently, or not.
128 o make !advertised_server_mode() ORs fetch dirs less often.
130 o Clean up NT service code even more.
131 o Enable it by default.
132 o Make sure it works.
136 o Document new version system.
137 r - Correct and clarify the wiki entry on port forwarding.
138 o Document where OSX logs and torrc go.
139 o Document where windows logs and torrc go.
140 - (Make sure they actually go there.)
143 N - Vet all pending installer patches
144 - Win32 installer plus privoxy, sockscap/freecap, etc.
145 - Vet win32 systray helper code
146 o Make OSX man pages go into man directory.
147 N . Make logs go into platform default locations.
152 - Mark bugs for 010 or post 010 in bugtracker.
154 R - when we haven't explicitly sent a socks reject, sending one in
155 connection_about_to_close_connection() fails because we never give it
156 a chance to flush. right answer is to do the socks reply manually in
157 each appropriate case, and then about-to-close-connection can simply
158 warn us if we forgot one. [Tag this 010 in flyspray.]
159 R - should retry exitpolicy end streams even if the end cell didn't
160 resolve the address for you
161 o Figure out when to reset addressmaps (on hup, on reconfig, etc)
162 - how do ulimits work on win32, anyway? (We should handle WSAENOBUFS as
163 needed, look at the MaxConnections registry entry, look at the
164 MaxUserPort entry, and look at the TcpTimedWaitDelay entry. We may also
165 want to provide a way to set them as needed. See bug 98.)
167 Improvements to self-measurement.
168 R X round detected bandwidth up to nearest 10KB?
169 R o client software not upload descriptor until:
170 . it decides it is reachable
173 - rule for now: "If you process a CREATE cell that did not come from
174 your own IP, you are reachable."
175 o start counting again if your IP ever changes.
176 o never regenerate identity keys, for now.
177 o you can set a bit for not-being-an-OR.
178 * no need to do this yet. few people define their ORPort.
181 N - Script to try pulling bytes through slow-seeming servers so they can
182 notice that they might be fast.
186 r - make min uptime a function of the available choices (say, choose 60th
187 percentile, not 1 day.)
188 r - kill dns workers more slowly
189 r - build testing circuits? going through non-verified nodes?
190 - config option to publish what ports you listen on, beyond ORPort/DirPort
191 N - It would be nice to have a FirewalledIPs thing that works like
193 - If we have a trusted directory on port 80, stop falling back to
194 forbidden ports when fascistfirewall blocks all good dirservers.
196 - Make configure.in handle cross-compilation
197 - Have NULL_REP_IS_ZERO_BYTES default to 1.
198 - Make with-ssl-dir disable search for ssl.
199 - Efficiency/speed improvements.
200 - Write limiting; configurable token buckets.
201 - Make it harder to circumvent bandwidth caps: look at number of bytes
202 sent across sockets, not number sent inside TLS stream.
203 - Hidden service improvements
204 - Investigate hidden service performance/reliability
205 - Add private:* alias in exit policies to make it easier to ban all the
206 fiddly little 192.168.foo addresses.
207 - controller should have an event to learn about new addressmappings?
211 - choose entry node to be one you're already connected to?
212 - Convert man pages to pod, or whatever's right.
213 - support hostnames as well as IPs for authdirservers.
214 - GPSLocation optional config string.
216 - Make millisecond accuracy work on win32
218 - teach connection_ap_handshake_socks_reply() about ipv6 and friends
219 so connection_ap_handshake_socks_resolved() doesn't also need
221 - Let more config options (e.g. ORPort) change dynamically.
222 - hidserv offerers shouldn't need to define a SocksPort
223 * figure out what breaks for this, and do it.
224 - Destroy and truncated cells should have reasons.
226 - Figure out how to make the rpm not strip the binaries it makes.
227 - Integrate an http proxy into Tor (maybe as a third class of worker
228 process), so we can stop shipping with the beast that is Privoxy.
229 - Implement If-Modified-Since for directories.
230 - Big, incompatible re-architecting and decentralization of directory
232 - Only the top of a directory needs to be signed.
234 - Get a controller to launch tor and keep it on the system tray.
242 - you've been running for an hour
243 - it's sufficiently satisfied with its bandwidth
244 - remove approval crap, add blacklisting by IP
245 - gather more permanent dirservers and put their keys into the code
246 - ship with a master key, and implement a way to query dirservers for
247 a blob which is a timestamped signed newest pile of dirservers. put
248 that on disk and use it on startup rather than the built-in default.
249 - threshold belief from clients about up-ness
250 - a way for clients to get fresh enough server descriptors
251 - a way for clients to partition the set of servers in a safe way:
252 so they don't have to learn all of them but so they're not easily
257 N - Handle rendezvousing with unverified nodes.
258 - Specify: Stick rendezvous point's key in INTRODUCE cell.
259 Bob should _always_ use key from INTRODUCE cell.
262 N - IPv6 support (For exit addresses)
263 - Spec issue: if a resolve returns an IP4 and an IP6 address,
265 - Add to exit policy code
266 - Make tor_gethostbyname into tor_getaddrinfo
267 - Make everything that uses uint32_t as an IP address change to use
268 a generalize address struct.
269 - Change relay cell types to accept new addresses.
270 - Add flag to serverdescs to tell whether IPv6 is supported.
273 - christian grothoff's attack of infinite-length circuit.
274 the solution is to have a separate 'extend-data' cell type
275 which is used for the first N data cells, and only
276 extend-data cells can be extend requests.
279 o fix router_get_by_* functions so they can get ourselves too ...
280 - and audit everything to make sure rend and intro points are
281 just as likely to be us as not.
283 - tor should be able to have a pool of outgoing IP addresses
284 that it is able to rotate through. (maybe)
286 Packaging, docs, etc:
287 - Exit node caching: tie into squid or other caching web proxy.
289 Deferred until needed:
290 - Do something to prevent spurious EXTEND cells from making middleman
291 nodes connect all over. Rate-limit failed connections, perhaps?
292 - Limit to 2 dir, 2 OR, N SOCKS connections per IP.
293 - Handle full buffers without totally borking
294 * do this eventually, no rush.
295 - Rate-limit OR and directory connections overall and per-IP and
297 - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
298 - Have clients and dirservers preserve reputation info over
300 - authdirserver lists you as running iff:
301 - he can connect to you
302 - he has successfully extended to you
303 - you have sufficient mean-time-between-failures
304 * keep doing nothing for now.
305 - Include HTTP status messages in logging (see parse_http_response).
307 Blue sky or deferred indefinitely:
308 - Support egd or other non-OS-integrated strong entropy sources
309 - password protection for on-disk identity key
310 - Possible to get autoconf to easily install things into ~/.tor?
311 - server descriptor declares min log level, clients avoid servers
313 - put expiry date on onion-key, so people don't keep trying
314 old ones that they could know are expired?
315 - Add a notion of nickname->Pubkey binding that's not 'verification'
317 - Need a relay teardown cell, separate from one-way ends.
319 Big tasks that would demonstrate progress:
321 - Facility to automatically choose long-term helper nodes; perhaps
322 on by default for hidden services.
323 - patch privoxy and socks protocol to pass strings to the browser.
324 - patch tsocks with our current patches + gethostbyname, getpeername, etc.
325 - make freecap (or whichever) do what we want.
326 - scrubbing proxies for protocols other than http.
327 - Find an smtp proxy?
328 . Get socks4a support into Mozilla
329 - figure out enclaves, e.g. so we know what to recommend that people
330 do, and so running a tor server on your website is helpful.
331 - Do enclaves for same IP only.
332 - Resolve first, then if IP is an OR, extend to him first.
333 - implement a trivial fun gui to demonstrate our control interface.
335 ************************ Roadmap for 2004-2005 **********************
337 Hard problems that need to be solved:
339 - Separating node discovery from routing.
340 - Arranging membership management for independence.
341 Sybil defenses without having a human bottleneck.
342 How to gather random sample of nodes.
343 How to handle nodelist recommendations.
344 Consider incremental switches: a p2p tor with only 50 users has
345 different anonymity properties than one with 10k users, and should
346 be treated differently.
347 - Measuring performance of other nodes. Measuring whether they're up.
348 - Choosing exit node by meta-data, e.g. country.
349 - Incentives to relay; incentives to exit.
350 - Allowing dissidents to relay through Tor clients.
351 - How to intercept, or not need to intercept, dns queries locally.
352 - Improved anonymity:
353 - Experiment with mid-latency systems. How do they impact usability,
354 how do they impact safety?
355 - Understand how powerful fingerprinting attacks are, and experiment
356 with ways to foil them (long-range padding?).
357 - Come up with practical approximations to picking entry and exit in
358 different routing zones.
359 - Find ideal churn rate for helper nodes; how safe is it?
360 - What info squeaks by Privoxy? Are other scrubbers better?
361 - Attacking freenet-gnunet/timing-delay-randomness-arguments.
362 - Is abandoning the circuit the only option when an extend fails, or
363 can we do something without impacting anonymity too much?
364 - Is exiting from the middle of the circuit always a bad idea?
366 Sample Publicity Landmarks:
368 - we have N servers / N users
369 - we have servers at epic and aclu and foo
370 - hidden services are robust and fast
371 - a more decentralized design
372 - tor win32 installer works
373 - win32 tray icon for end-users
374 - tor server works on win32
375 - win32 service for servers
376 - mac installer works
378 ***************************Future tasks:****************************
380 Rendezvous and hidden services:
382 o preemptively build and start rendezvous circs.
383 o preemptively build n-1 hops of intro circs?
384 o cannibalize general circs?
386 - standby/hotswap/redundant services.
387 - store stuff to disk? dirservers forget service descriptors when
388 they restart; nodes offering hidden services forget their chosen
389 intro points when they restart.
391 - auth mechanisms to let midpoint and bob selectively choose
394 - robust decentralized storage for hidden service descriptors.
396 - web proxy gateways to let normal people browse hidden services.
399 Relax clique assumptions.
400 Redesign how directories are handled.
401 - Resolve directory agreement somehow.
402 Find and remove bottlenecks
403 - Address linear searches on e.g. circuit and connection lists.
404 Reputation/memory system, so dirservers can measure people,
405 and so other people can verify their measurements.
406 - Need to measure via relay, so it's not distinguishable.
407 Let dissidents get to Tor servers via Tor users. ("Backbone model")
409 Make it more correct:
410 Handle half-open connections: right now we don't support all TCP
411 streams, at least according to the protocol. But we handle all that
412 we've seen in the wild.
415 Efficiency/speed/robustness:
416 Congestion control. Is our current design sufficient once we have heavy
417 use? Need to measure and tweak, or maybe overhaul.
418 Allow small cells and large cells on the same network?
419 Cell buffering and resending. This will allow us to handle broken
420 circuits as long as the endpoints don't break, plus will allow
421 connection (tls session key) rotation.
422 Implement Morphmix, so we can compare its behavior, complexity, etc.
423 Use cpuworker for more heavy lifting.
424 - Signing (and verifying) hidserv descriptors
425 - Signing (and verifying) intro/rend requests
426 - Signing (and verifying) router descriptors
427 - Signing (and verifying) directories
428 - Doing TLS handshake (this is very hard to separate out, though)
429 Buffer size pool: allocate a maximum size for all buffers, not
430 a maximum size for each buffer. So we don't have to give up as
431 quickly (and kill the thickpipe!) when there's congestion.
432 Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
433 link crypto, unless we can bully openssl into it.