tor-webwml.git

1) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
2) 
3) <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
4) <head>

5)   <title>Tor: Volunteer</title>

6)   <meta name="Author" content="Roger Dingledine" />
7)   <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
8)   <link rel="stylesheet" type="text/css" href="stylesheet.css" />
9)   <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" />
10) </head>
11) <body>
12) 
13) <!-- TITLE BAR & NAVIGATION -->
14) 

15) <div class="center">
16) 

17) <table class="banner" border="0" cellpadding="0" cellspacing="0">
18)     <tr>
19)         <td class="banner-left"></td>
20)         <td class="banner-middle">
21)             <a href="index.html">Home</a>

22)           | <a href="overview.html">Overview</a>

23)           | <a href="download.html">Download</a>
24)           | <a href="documentation.html">Docs</a>

25)           | <a href="support.html">Support</a>

26)           | <a href="faq.html">FAQs</a>

27)           | <a class="current">Volunteer</a>

28)           | <a href="developers.html">Developers</a>
29)           | <a href="research.html">Research</a>
30)           | <a href="people.html">People</a>
31)         </td>

32) 	<td class="banner-right">

33) 		<a href="/"><img src="/images/en.png" alt="English" /></a>
34) 		<a href="/index.it.html"><img src="/images/it.png" alt="Italiano" /></a>
35) 		<a href="/index.de.html"><img src="/images/de.png" alt="Deutsch" /></a> 

36) 	</td>

37)     </tr>
38) </table>
39) 
40) <!-- END TITLE BAR & NAVIGATION -->
41) 
42) <div class="main-column">
43) 
44) <!-- PUT CONTENT AFTER THIS TAG -->

45) <h2>Seven things everyone can do now:</h2>
46) <ol>
47) <li> We need users like you to try Tor out, and let the Tor developers know about bugs you find or features you don't find.</li>
48) <li> Please consider <a href="/cvs/tor/doc/tor-doc-server.html">running a server</a> to help the Tor network grow.</li>
49) <li> We especially need people with Windows programming skills to run an exit server on Windows, to help us debug.</li>
50) <li> Run a <a href="/cvs/tor/doc/tor-hidden-service.html">Tor hidden service</a> and put interesting content on it.</li>
51) <li> Take a look at the <a href="/gui/">Tor GUI Competition</a>, and come up with ideas or designs to contribute to making the Tor interface better. Free T-shirt for each submission!</li>
52) <li> Tell your friends! Get them to run servers. Get them to run hidden services. Get them to tell their friends.</li>
53) <li> Consider joining the <a href="http://secure.eff.org/tor">Electronic Frontier Foundation</a>. More EFF donations means more freedom in the world, including more Tor development.</li>
54) </ol>
55) 
56) <h2>Usability and Installers</h2>
57) <ol>
58) <li>Make an entry to the <a href="/gui/">GUI competition</a>. This
59) requires looking at how Tor interacts with the operating system and
60) other applications, deciding where the critical usability issues are,
61) and trying to make an application (or applet or plugin) that helps the
62) user experience.</li>
63) <li>Extend our NSIS-based windows installer to include FreeCap and/or
64) Privoxy. When we ship Privoxy, include a config file that's preconfigured
65) to work well with Tor.</li>
66) <li>Develop a way to handle OS X installation and uninstallation.</li>
67) <li>Choosing exit node by meta-data, e.g. country.</li>
68) <li>Tor provides anonymous connections, but if you want to keep multiple
69) pseudonyms in practice (say, in case you frequently go to two websites
70) and if anybody knew about both of them they would conclude it's you), we
71) don't support that well yet. We should find a good approach and
72) interface for handling pseudonymous profiles in Tor. See <a
73) href="http://archives.seul.org/or/talk/Dec-2004/msg00086.html">this
74) post</a> and <a href="http://archives.seul.org/or/talk/Jan-2005/msg00007.html">followup</a> for details.</li>
75) </ol>
76) 
77) <h2>Coding, Design, and Software Development</h2>
78) <ol>
79) <li>We need a better option for a scrubbing web proxy than
80) just Privoxy, since it's unmaintained and still has bugs, especially
81) on Windows. While we're at it, what sensitive information is not
82) kept safe by Privoxy? Are there other scrubbing web proxies that are
83) more secure?</li>
84) <li>We need better applications for dynamically intercepting
85) connections and sending them through Tor. tsocks (Linux) and freecap
86) (Windows) seem to be good candidates, and there are a variety of other
87) possibilities listed at the bottom of <a href="/support.html">our support
88) page</a>.</li>
89) <li>Speaking of tsocks, it appears to be unmaintained: we have submitted
90) several patches with no response. Can somebody volunteer to start
91) maintaining a new tsocks branch? We'll help.</li>
92) <li>We need a way to intercept DNS requests so they don't "leak" while
93) we're trying to be anonymous. One option is to use Tor's built-in
94) support for doing DNS resolves; but you need to ask via our new socks
95) extension for that, and so no applications do this yet. Another option
96) is to use Tor's controller interface: the application connects to Tor,
97) hands it the DNS query, and Tor replies with a dummy IP address. Then
98) the application makes a connection through Tor to that dummy IP address,
99) and Tor automatically maps it back to the original query.</li>
100) <li>Right now the hidden service descriptors are being stored on just a few
101) directory servers. This is bad for privacy and bad for robustness. To get
102) more robustness, we're going to need to make hidden service descriptors
103) even less private because we're going to have to mirror them onto many
104) places. Ideally we'd like to separate the storage/lookup system from the
105) Tor directory servers entirely. Any reliable distributed storage system
106) will do, as long as it allows authenticated updates. As far as we know,
107) no implemented DHT code supports authenticated updates. What's the right
108) next step?</li>
109) <li>Tor exit servers need to do many DNS resolves in parallel. But
110) gethostbyname() is poorly designed --- it blocks until it has finished
111) resolving a query --- so it requires its own thread or process. So
112) Tor is forced to spawn many separate DNS "worker" threads. There are
113) some asynchronous DNS libraries out there, but traditionally they are
114) buggy and abandoned. There are rumors that some of them are becoming
115) better. Are any of them stable, fast, clean, and free software? If
116) so (or if we can make that so), we should integrate them into Tor
117) so we don't need to spawn dozens of dns resolver threads. See <a
118) href="http://archives.seul.org/or/talk/Sep-2005/msg00001.html">Agl's
119) post</a> for a potential start.</li>

120) <li>Currently Tor ships with its own AES, since when we started OpenSSL
121) had missing/broken AES support. But now that it's gotten more mainstream,
122) we should change things so we only use our bundled AES if OpenSSL doesn't
123) support it natively.</li>
124) <li>Because Tor servers need to store-and-forward each cell they handle,
125) high-bandwidth Tor servers end up using dozens of megabytes of memory
126) just for buffers. We need better heuristics for when to shrink/expand
127) buffers. Maybe this should be modelled after the Linux kernel buffer
128) design, where you have many smaller buffers that link to each other,
129) rather than monolithic buffers?</li>
130) <li>How do ulimits work on Win32, anyway? We're having problems
131) especially on older Windowses with people running out of file
132) descriptors, connection buffer space, etc. (We should handle
133) WSAENOBUFS as needed, look at the MaxConnections registry entry,
134) look at the MaxUserPort entry, and look at the TcpTimedWaitDelay
135) entry. We may also want to provide a way to set them as needed. See <a

136) href="http://bugs.noreply.org/flyspray/index.php?do=details&id=98">bug

137) 98</a>.)</li>
138) <li>Encrypt identity keys on disk, and implement passphrase protection
139) for them. Right now they're just stored in plaintext.</li>

140) <li>Periodically people running servers tell us they want to have one
141) BandwidthRate during some part of the day, and a different BandwidthRate
142) at other parts of the day. Rather than coding this inside Tor, we
143) should have a little script that speaks via the <a href="/gui/">Tor
144) Controller Interface</a>, and does a setconf to change the bandwidth
145) rate. Perhaps it would run out of cron, or perhaps it would sleep
146) until appropriate times and then do its tweak (that's probably more
147) portable). Can somebody write one for us and we'll put it into <a
148) href="/cvs/tor/contrib/">tor/contrib/</a>?</li>
149) <li>Patches to Tor's autoconf scripts. First, we'd like our configure.in
150) to handle cross-compilation, e.g. so we can build Tor for obscure
151) platforms like the Linksys WRTG54. Second, we'd like to make with-ssl-dir
152) disable the search for ssl's libraries.</li>
153) <li>Implement reverse DNS requests inside Tor (already specified in
154) Section 5.4 of <a href="/cvs/tor/doc/tor-spec.txt">tor-spec.txt</a>).</li>
155) <li>Perform a security analysis of Tor with <a
156) href="http://en.wikipedia.org/wiki/Fuzz_testing">"fuzz"</a>. Determine
157) if there good fuzzing libraries out there for what we want. Win fame by
158) getting credit when we put out a new release because of you!</li>
159) <li>How hard is it to patch bind or a DNS proxy to redirect requests to
160) Tor via our tor-resolve socks extension? What about to convert UDP DNS
161) requests to TCP requests and send them through Tor?</li>
162) </ol>
163) 
164) <h2>Documentation</h2>
165) <ol>
166) <li>Volunteer to help maintain this website: code, content, css,
167) layout.</li>
168) <li>We have too much documentation --- it's spread out too much and
169) duplicates itself in places.</li>
170) <li>Help translate the web page and documentation into other
171) languages.  See the <a href="translation.html">translation
172) guidelines</a> if you want to help out.</li>
173) <li>Investigate privoxy vs. freecap vs. sockscap for win32 clients. Are
174) there usability or stability issues that we can track down and
175) resolve?</li>
176) <li>Evaluate, create, and <a
177) href="http://wiki.noreply.org/wiki/TheOnionRouter/TorifyHOWTO">document
178) a list of programs</a> that can be routed through Tor.</li>
179) <li>We have a huge list of <a href="/support.html"> potentially useful
180) programs to interface to Tor</a>. Which ones are useful in which
181) situations? Please help us test them out and document your results.</li>
182) </ol>
183) 
184) <h2>Research</h2>
185) <ol>
186) <li>To let dissidents in remote countries use Tor without being blocked
187) at their country's firewall, we need a way to get tens of thousands of
188) relays, not just a few hundred. We can imagine a Tor client GUI that
189) has a "help China" button at the top that opens a port and relays a
190) few KB/s of traffic into the Tor network. (A few KB/s shouldn't be too
191) much hassle, and there are few abuse issues since they're not being exit
192) nodes.) But how do we distribute a list of these volunteer clients to the
193) good dissidents in an automated way that doesn't let the country-level
194) firewalls intercept and enumerate them? Probably needs to work on a
195) human-trust level.</li>
196) <li>Tor doesn't work very well when servers have asymmetric bandwidth
197) (e.g. cable or DSL). Because Tor has separate TCP connections between
198) each hop, if the incoming bytes are arriving just fine and the outgoing
199) bytes are all getting dropped on the floor, the TCP push-back mechanisms
200) don't really transmit this information back to the incoming streams.
201) Perhaps Tor should detect when it's dropping a lot of outgoing packets,
202) and rate-limit incoming streams to regulate this itself? I can imagine
203) a build-up and drop-off scheme where we pick a conservative rate-limit,
204) slowly increase it until we get lost packets, back off, repeat. We
205) need somebody who's good with networks to simulate this and help design
206) solutions; and/or we need to understand the extent of the performance
207) degradation, and use this as motivation to reconsider UDP transport.</li>
208) <li>A related topic is congestion control. Is our
209) current design sufficient once we have heavy use? Maybe
210) we should experiment with variable-sized windows rather
211) than fixed-size windows? That seemed to go well in an <a
212) href="http://www.psc.edu/networking/projects/hpn-ssh/theory.php">ssh
213) throughput experiment</a>. We'll need to measure and tweak, and maybe
214) overhaul if the results are good.</li>
215) <li>The "website fingerprinting attack": make a list of a few
216) hundred popular websites, download their pages, and make a set of
217) "signatures" for each site. Then observe a Tor client's traffic. As
218) you watch him receive data, you quickly approach a guess about
219) which (if any) of those sites he is visiting. Do this attack on the
220) deployed Tor network, and find out how effective it is. Then start
221) exploring defenses: for example, we could change Tor's cell size from
222) 512 bytes to 1024 bytes, we could employ padding techniques like <a
223) href="http://freehaven.net/anonbib/#timing-fc2004">defensive dropping</a>,
224) or we could add traffic delays. How much of an impact do these have,
225) and how much usability impact (using some suitable metric) is there from
226) a successful defense in each case?</li>
227) <li>The "end-to-end traffic confirmation attack": by watching traffic at
228) Alice and at Bob, we can compare traffic signatures and become convinced
229) that we're watching the same stream. So far Tor accepts this as a fact
230) of life and assumes this attack is trivial in all cases. First of all,
231) is that actually true? How much traffic of what sort of distribution is
232) needed before the adversary is confident he has won? Are there scenarios
233) (e.g. not transmitting much) that slow down the attack? Do some traffic
234) padding or traffic shaping schemes work better than others?
235) </li>
236) 
237) <li>Come up with practical approximations to picking entry and exit in
238)     different routing zones.</li>
239) <li>Find ideal churn rate for helper nodes; how safe is it?</li>
240) <li>Is exiting from the middle of the circuit always a bad idea?</li>
241) <li>IPv6 support (For exit addresses)
242) <li>It's not that hard to DoS Tor servers or dirservers. Are puzzles the
243) right answer? What other practical approaches are there?</li>
244) </ol>
245) 
246) Drop by the #tor IRC channel at irc.oftc.net or email tor-volunteer@freehaven.net if you want to help out!
247) 
248) </div><!-- #main -->
249) </div>
250)   <div class="bottom" id="bottom">
251)      <i><a href="mailto:tor-webmaster@freehaven.net" class="smalllink">Webmaster</a></i> -
252)      $Id$
253)   </div>
254) </body>
255) </html>
256) 

257) <li>Have NULL_REP_IS_ZERO_BYTES default to 1.</li>

258) <li>Implement preservation of reputation through reboots for clients
259) and dirservers.</li>

260) <li>Add in support egd or other non-OS-integrated strong entropy sources.</li>
261) <li>Implement a way to get autoconf to install things into ~/.tor.</li>
262) <li>Change server descriptors to declare log level.</li>
263) <li>Add in support for clients to avoid servers that are too loggy based upon user configuration of acceptable log level.</li>

264) <li>Separate node discovery from routing to allow neat extensions.  [Goodell?]
265) 

266) <ul>

267) <li>Add SetServerStatus control event to adjust verified/running status of nodes.</li>
268) <li>Add NoDownload config option to prevent regular directory downloads from happening.</li>

269) </ul>

270) </li>
271) 

272) <li>Use cpuworker for more heavy lifting.</li>

273) <ul>

274) <li>Signing (and verifying) hidserv descriptors</li>
275) <li>Signing (and verifying) intro/rend requests</li>
276) <li>Signing (and verifying) router descriptors</li>
277) <li>Signing (and verifying) directories</li>
278) <li>Doing TLS handshake (this is very hard to separate out, though)</li>

279) </ul>

280) 

281) <li>Buffer size pool: allocate a maximum size for all buffers, not a maximum size for each buffer. So we don't have to give up as quickly (and kill the thickpipe!) when there's congestion.</li>
282) <li>Add alternative versions of crypto.c and tortls.c to use libnss or libgcrypt+gnutls.</li>

283) 

284) Translation Examples: <a
285) href="http://membres.lycos.fr/geolemalin/anonymat_garantit.htm">French</a>,
286) <a href="http://tor.freesuperhost.com/">Persian</a>, and <a
287) href="http://www.gamevn.com/forum/showthread.php?t=103346">Vietnamese</a>.)</li>

288) <li>If you know a question that should go on <a
289) href="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ">the FAQ Wiki</a>, please
290) add it and answer it.</li>

291) <li>Document how to do exit node caching: tie into squid or other caching
292) web proxy.</li>

293) <li>Take a look at <a
294) href="http://wiki.noreply.org/wiki/TheOnionRouter/SquidProxy">Martin's
295) Squid and Tor page</a>, and update it to reflect Tor's <a
296) href="http://tor.eff.org/tor-manual.html">RedirectExit</a> config option. </li>

297) <li>Improve and clarify the wiki entry on <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerForFirewalledClients">port forwarding</a>.</li>

298) </ul>
299) 
300) <h2>Testing Challenges</h2>
301) <ul>
302) <li>Test out why some of our tor servers have dns resolvers that resolve

303) unknown addresses to 127.0.0.1.
304) 

305) <ul>

306) <li>Identify the servers that experience this issue. </li>
307) <li>Identify how to cause and repair the issue in BIND, DJBDNS, or
308) whatever daemon the misconfigured servers use.</li>

309) </ul></li>
310) 

311) <li>Figure out how to setup web proxy gateways to let normal people
312) browse hidden services.  (This has been done a few times, but nobody has
313) sent us code.)</li>

314) 
315) <h2>Misc</h2>
316) <ul>
317) <li>  </li>

318) </ul>
319) 

320) 
321) 

322) <h2>Research Challenges</h2>
323) <ul>

324) <li>Arranging membership management for independence.
325) 

326) <ul>

327) <li>Sybil defenses without having a human bottleneck.</li>
328) <li>How to gather random sample of nodes.</li>
329) <li>How to handle nodelist recommendations.</li>
330) <li>Consider incremental switches: a p2p tor with only 50 users has
331) different anonymity properties than one with 10k users, and should be
332) treated differently.</li>

333) </ul></li>
334) 

335) <li>Incentives to relay; incentives to exit.</li>
336) <li>Allowing dissidents to relay through Tor clients.</li>
337) <li>Experiment with mid-latency systems. How do they impact usability,
338)     how do they impact safety?</li>
339) <li>Understand how powerful fingerprinting attacks are, and experiment
340)     with ways to foil them (long-range padding?).</li>
341) <li>Attacking freenet-gnunet/timing-delay-randomness-arguments.</li>

342) 

343) <ul>

344) <li>Spec issue: if a resolve returns an IP4 and an IP6 address,
345)       which to use?</li>
346) <li>Add to exit policy code</li>
347) <li>Make tor_gethostbyname into tor_getaddrinfo</li>
348) <li>Make everything that uses uint32_t as an IP address change to use
349)       a generalize address struct.</li>
350) <li>Change relay cell types to accept new addresses.</li>
351) <li>Add flag to serverdescs to tell whether IPv6 is supported.</li>

352) </ul></li>
353) 

354) <li>make freecap (or whichever) do what we want.</li>
355) <li>scrubbing proxies for protocols other than http.</li>
356) <li>We need better default privoxy configs to ship.</li>
357) <li>We need a good scrubbing HTTP proxy; privoxy is unmaintained and
358) sucky.</li>
359) <li>A DNS proxy would let unmodified socks4/socks5 apps to work
360) well.</li>
361) <li>Add SOCKS support to more applications</li>
362) <li>store hidden service information to disk: dirservers forget service
363) descriptors when they restart; nodes offering hidden services forget
364) their chosen intro points when they restart.</li>
365) <li>Server CPU load is high because clients keep asking to make new
366) circuits, which uses public key crypto. Possible defenses include: using
367) helper nodes (fixed entry nodes); rate limiting the number of create
368) cells handled per second; having clients retry failed extensions a few
369) times; implementing ssl sessions; and using hardware crypto when
370) available.</li>
371) <li>We fear we might not work very well when servers have asymmetric
372) bandwidth. Because Tor has separate TCP connections between each hop, if
373) the incoming bytes are arriving just fine and the outgoing bytes are all
374) getting dropped on the floor, the TCP push-back mechanisms don't really
375) transmit this information back to the incoming streams. Perhaps Tor
376) should detect when it's dropping a lot of outgoing packets, and
377) rate-limit incoming streams to regulate this itself? We need somebody
378) who's good with networks to simulate this and help design
379) solutions.</li>
380) <li>Right now the hidden service descriptors are being stored on the
381) dirservers, but any reliable distributed storage system would do (for
382) example, a DHT that allows authenticated updates). Can somebody figure
383) out our best options and decide if they're good enough?</li>

384)