getinvolved/en/volunteer.wml (70767ed26) - tor-webwml.git

volunteer.wml

## translation metadata
# Revision: $Revision$
# Translation-Priority: 4-optional

#include "head.wmi" TITLE="Tor: Volunteer" CHARSET="UTF-8"
<div id="content" class="clearfix">
 <div id="breadcrumbs">
 <a href="<page index>">Home &raquo; </a>
 <a href="<page getinvolved/volunteer>">Volunteer</a>
 </div>
 <div id="maincol"> 
 
 <h1>A few things everyone can do now:</h1>
 <ol>
 <li>Please consider <a href="<page docs/tor-doc-relay>">running
 a relay</a> to help the Tor network grow.</li>
 <li>Do you have an Amazon account? Are you willing to spend up to $3 a
 month? Then spin up your own Tor <a href="<page
 docs/bridges>">bridge</a> in less than 10 minutes with <a
 href="https://cloud.torproject.org/">tor cloud</a>!</li>
 <li>Tell your friends! Get them to run relays. Get them to run hidden
 services. Get them to tell their friends.</li>
 <li>If you like Tor's goals, please <a href="<page donate/donate>">take a moment
 to donate to support further Tor development</a>. We're also looking
 for more sponsors &mdash; if you know any companies, NGOs, agencies,
 or other organizations that want anonymity / privacy / communications
 security, let them know about us.</li>
 <li>We're looking for more <a href="<page about/torusers>">good examples of Tor
 users and Tor use cases</a>. If you use Tor for a scenario or purpose not
 yet described on that page, and you're comfortable sharing it with us,
 we'd love to hear from you.</li>
 </ol>
 
 <a id="Documentation"></a>
 <h2><a class="anchor" href="#Documentation">Documentation</a></h2>
 <ol>
 <li>Help translate the web page and documentation into other
 languages. See the <a href="<page getinvolved/translation>">translation
 guidelines</a> if you want to help out. We especially need Arabic or
 Farsi translations, for the many Tor users in censored areas.</li>
 <li>Evaluate and document
 <a href="<wiki>doc/TorifyHOWTO">our
 list of programs</a> that can be configured to use Tor.</li>
 <li>We have a huge list of <a
 href="<wiki>doc/SupportPrograms">potentially useful
 programs that interface to Tor</a>. Which ones are useful in which
 situations? Please help us test them out and document your results.</li>
 </ol>
 
 <a id="Advocacy"></a>
 <h2><a class="anchor" href="#Advocacy">Advocacy</a></h2>
 <ol>
 <li>Create a presentation that can be used for various user group
meetings around the world.</li>
 <li>Create a video about the positive uses of Tor, what Tor is,
 or how to use it. Some have already started on <a
 href="https://media.torproject.org/video/">Tor's Media server</a>,
 <a
 href="http://www.howcast.com/videos/90601-How-To-Circumvent-an-Internet-Proxy">Howcast</a>,
 and <a href="http://www.youtube.com/thetorproject">YouTube</a>.</li> 
 <li>Create a poster, or a set of posters, around a theme,
 such as "Tor for Freedom!".</li>
 <li>Create a t-shirt design that incorporates "Congratulations!
 You are using Tor!" in any language.</li>
 </ol>
 
 <a id="opw"></a>
 <h2><a class="anchor" href="#opw">Outreach Program for Women</a></h2>
 
 
 Several organisations, including Tor, are taking part in the <a
 href="https://live.gnome.org/OutreachProgramForWomen">2013 Outreach Program
 for Women</a>. This is a mentoring program similar to <a
 href="https://www.google-melange.com/gsoc/homepage/google/gsoc2012">Google
 Summer of Code</a> targeted at getting more women involved in open source.
 
 
 
 The program runs from January 2 through April 2, 2013. The application
 deadline is December 3, 2012 and it is best to start as early as possible
 preparing your application. Like GSoC the program involves a stipend so, if
 you're a woman interested in fighting surveillance and censorship around
 the world then let us know!
 
 
 
 To apply...
 
 
 <ol>
 <li>Read up on the <a href="https://live.gnome.org/OutreachProgramForWomen">outreach program</a>.</li>
 <li>Look over our projects and task ideas below. If nothing there strikes your fancy then feel free to make one of your own.</li>
 <li>Join the <a href="https://www.torproject.org/about/contact.html.en#irc">#tor-dev irc channel</a> and introduce yourself!</li>
 <li>Contact the maintainer of the project that you're interested in contributing to, and talk with them about how to get started. Maintainers are listed in the table below. Note that you need to submit a patch or contribute in some way before you can apply to the program.</li>
 <li><a href="https://live.gnome.org/OutreachProgramForWomen#Send_in_an_Application">Send your application</a> to opw-list@gnome.org. Please be available and responsive throughout the application period so we can work with you on improving it.</li>
 </ol>
 
 <a id="Projects"></a>
 <h2><a class="anchor" href="#Projects">Projects</a></h2>
 
 
 Below are a list of Tor related projects we're developing and/or
 maintaining. Most discussions happen on IRC so if you're interested in any
 of these (or you have a project idea of your own), then please <a
 href="<page about/contact>#irc">join us in #tor-dev</a>. Don't be shy
 to ask questions, and don't hesitate to ask even if the main contributors
 aren't active at that moment.
 
 
 <table id="projects">
 <tr>
 <th>Name</th>
 <th>Category</th>
 <th>Language</th>
 <th>Activity</th>
 <th>Contributors</th>
 </tr>
 
 <tr>
 <td><a href="#project-tor">Tor</a></td>
 <td>Core</td>
 <td>C</td>
 <td>Heavy</td>
 <td>nickm, arma, Sebastian</td>
 </tr>
 
 <tr class="alt">
 <td>*<a href="#project-jtor">JTor</a></td>
 <td>Core</td>
 <td>Java</td>
 <td>None</td>
 <td>bleidl</td>
 </tr>
 
 <tr>
 <td><a href="#project-tbb">TBB</a></td>
 <td>Usability</td>
 <td>Sys Admin</td>
 <td>Moderate</td>
 <td>Erinn</td>
 </tr>
 
 <tr class="alt">
 <td><a href="#project-tails">Tails</a></td>
 <td>Usability</td>
 <td>Sys Admin</td>
 <td>Heavy</td>
 <td><a href="https://tails.boum.org/">#tails</a></td>
 </tr>
 
 <tr>
 <td><a href="#project-torsocks">Torsocks</a></td>
 <td>Usability</td>
 <td>C</td>
 <td>Heavy</td>
 <td>ioerror, nickm</td>
 </tr>
 
 <tr class="alt">
 <td>*<a href="#project-torouter">Torouter</a></td>
 <td>Usability</td>
 <td>Sys Admin</td>
 <td>Light</td>
 <td>ioerror</td>
 </tr>
 
 <tr>
 <td><a href="#project-vidalia">Vidalia</a></td>
 <td>User Interface</td>
 <td>C++, Qt</td>
 <td>Light</td>
 <td>chiiph</td>
 </tr>
 
 <tr class="alt">
 <td><a href="#project-arm">Arm</a></td>
 <td>User Interface</td>
 <td>Python, Curses</td>
 <td>Light</td>
 <td>atagar</td>
 </tr>
 
 <tr>
 <td><a href="#project-orbot">Orbot</a></td>
 <td>User Interface</td>
 <td>Java</td>
 <td>Moderate</td>
 <td>n8fr8, ioerror</td>
 </tr>
 
 <tr class="alt">
 <td><a href="#project-torbutton">Torbutton</a></td>
 <td>Browser Add-on</td>
 <td>Javascript</td>
 <td>Moderate</td>
 <td>mikeperry</td>
 </tr>
 
 <tr>
 <td><a href="#project-torbirdy">TorBirdy</a></td>
 <td>Browser Add-on</td>
 <td>JavaScript</td>
 <td>Heavy</td>
 <td>Sukhbir (sukhe), ioerror</td>
 </tr>
 
 <tr class="alt">
 <td><a href="#project-obfsproxy">Obfsproxy</a></td>
 <td>Client Add-on</td>
 <td>C</td>
 <td>Moderate</td>
 <td>nickm, asn</td>
 </tr>
 
 <tr>
 <td><a href="#project-flash-proxy">Flash Proxy</a></td>
 <td>Client Add-on</td>
 <td>Python, JavaScript, Go</td>
 <td>Moderate</td>
 <td>dcf, aallai, jct</td>
 </tr>
 
 <tr class="alt">
 <td>*<a href="#project-thandy">Thandy</a></td>
 <td>Updater</td>
 <td>Python</td>
 <td>Light</td>
 <td>chiiph, Erinn, nickm</td>
 </tr>
 
 <tr>
 <td>*<a href="#project-ooni-probe">Ooni Probe</a></td>
 <td>Scanner</td>
 <td>Python</td>
 <td>Moderate</td>
 <td>hellais, isis, ioerror</td>
 </tr>
 
 <tr class="alt">
 <td><a href="#project-shadow">Shadow</a></td>
 <td>Experimentation</td>
 <td>C, Python</td>
 <td>Moderate</td>
 <td>robgjansen</td>
 </tr>
 
 <tr>
 <td><a href="#project-torctl">TorCtl</a></td>
 <td>Library</td>
 <td>Python</td>
 <td>None</td>
 <td>aagbsn</td>
 </tr>
 
 <tr class="alt">
 <td><a href="#project-stem">Stem</a></td>
 <td>Library</td>
 <td>Python</td>
 <td>Heavy</td>
 <td>atagar, neena</td>
 </tr>
 
 <tr>
 <td><a href="#project-txtorcon">Txtorcon</a></td>
 <td>Library</td>
 <td>Python, Twisted</td>
 <td>Moderate</td>
 <td>meejah</td>
 </tr>
 
 <tr class="alt">
 <td><a href="#project-tlsdate">Tlsdate</a></td>
 <td>Utility</td>
 <td>C</td>
 <td>Heavy</td>
 <td>ioerror</td>
 </tr>
 
 <tr>
 <td><a href="#project-metrics">Metrics</a></td>
 <td>Client Service</td>
 <td>Java</td>
 <td>Heavy</td>
 <td>karsten</td>
 </tr>
 
 <tr class="alt">
 <td><a href="#project-atlas">Atlas</a></td>
 <td>Client Service</td>
 <td>JavaScript</td>
 <td>Moderate</td>
 <td>hellais</td>
 </tr>
 
 <tr>
 <td><a href="#project-torstatus">TorStatus</a></td>
 <td>Client Service</td>
 <td>Python, Django</td>
 <td>None</td>
 <td></td>
 </tr>
 
 <tr class="alt">
 <td><a href="#project-compass">Compass</a></td>
 <td>Client Service</td>
 <td>Python</td>
 <td>Heavy</td>
 <td>gsathya, karsten</td>
 </tr>
 
 <tr>
 <td><a href="#project-weather">Weather</a></td>
 <td>Client Service</td>
 <td>Python</td>
 <td>None</td>
 <td>kaner</td>
 </tr>
 
 <tr class="alt">
 <td><a href="#project-gettor">GetTor</a></td>
 <td>Client Service</td>
 <td>Python</td>
 <td>None</td>
 <td>kaner</td>
 </tr>
 
 <tr>
 <td><a href="#project-torcheck">TorCheck</a></td>
 <td>Client Service</td>
 <td>Python, Perl</td>
 <td>None</td>
 <td>ioerror</td>
 </tr>
 
 <tr class="alt">
 <td><a href="#project-onionoo">Onionoo</a></td>
 <td>Backend Service</td>
 <td>Java, Python</td>
 <td>Moderate</td>
 <td>karsten, gsathya</td>
 </tr>
 
 <tr>
 <td><a href="#project-bridgedb">BridgeDB</a></td>
 <td>Backend Service</td>
 <td>Python</td>
 <td>None</td>
 <td>kaner, nickm</td>
 </tr>
 
 <tr class="alt">
 <td><a href="#project-torflow">TorFlow</a></td>
 <td>Backend Service</td>
 <td>Python</td>
 <td>None</td>
 <td>aagbsn</td>
 </tr>
 
 <tr>
 <td>*<a href="#project-torbel">TorBEL</a></td>
 <td>Backend Service</td>
 <td>Python</td>
 <td>None</td>
 <td>Sebastian</td>
 </tr>
 </table>
 
 
 * Project is still in an alpha state.
 
 
 
 
 <a id="project-tor"></a>
 <h3>Tor (<a href="https://gitweb.torproject.org/tor.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Tor+Client&component=Tor+Relay&component=vidalia&order=priority">bug
 tracker</a>)</h3>
 
 
 Central project, providing the core software for using and participating in
 the Tor network. Numerous people contribute to the project to varying
 extents, but the chief architects are Nick Mathewson and Roger Dingledine.
 
 
 
 Project Ideas: 
 <a href="#limitCapabilities">Run With Limited Capabilities</a> 
 <a href="#torCleanup">Tor Codebase Cleanup</a> 
 <a href="#httpsImersonation">HTTPS Server Impersonation</a> 
 <a href="#chutneyExpansion">Make Chutney Do More, More Reliably</a>
 
 
 <a id="project-jtor"></a>
 <h3><a href="https://github.com/brl/JTor/wiki">JTor</a> (<a
 href="https://github.com/brl/JTor">code</a>, <a
 href="https://github.com/brl/JTor/issues">bug
 tracker</a>)</h3>
 
 
 Java implementation of Tor and successor to <a
 href="http://onioncoffee.sourceforge.net/">OnionCoffee</a>. This project
 isn't yet complete, and has been inactive since Fall 2010.
 
 
 <a id="project-tbb"></a>
 <h3><a href="<page projects/torbrowser>">Tor Browser Bundle</a> (<a
 href="https://gitweb.torproject.org/torbrowser.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Tor+bundles/installation&order=priority">bug
 tracker</a>)</h3>
 
 
 The Tor Browser Bundle is an easy-to-use portable package of Tor, Vidalia,
 and Firefox preconfigured to work together out of the box. This is actively
 being worked on by Erinn Clark.
 
 
 
 
 <a id="project-tails"></a>
 <h3><a href="https://tails.boum.org/">The Amnesic Incognito Live System</a> (<a
 href="http://git.immerda.ch/?p=amnesia.git;a=summary">code</a>, <a
 href="https://tails.boum.org/bugs/">bug
 tracker</a>)</h3>
 
 
 The Amnesic Incognito Live System is a live CD/USB distribution
 preconfigured so that everything is safely routed through Tor and leaves no
 trace on the local system. This is a merger of the Amnesia and <a
 href="http://www.anonymityanywhere.com/incognito/">Incognito</a> projects,
 and still under very active development.
 
 
 
 
 <a id="project-torsocks"></a>
 <h3><a href="http://code.google.com/p/torsocks/">Torsocks</a> (<a
 href="https://gitweb.torproject.org/torsocks.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Torify&order=priority">bug
 tracker</a>)</h3>
 
 
 Utility for adapting other applications to work with Tor. Development has
 slowed and compatibility issues remain with some platforms, but it's
 otherwise feature complete.
 
 
 
 
 <a id="project-torouter"></a>
 <h3><a
 href="<wiki>doc/Torouter">Torouter</a> (<a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Torouter&order=priority">bug
 tracker</a>)</h3>
 
 
 Project to provide an easy-to-use, embedded Tor instance for routers. This
 had high activity in late 2010, but has since been rather quiet.
 
 
 <a id="project-vidalia"></a>
 <h3><a href="<page projects/vidalia>">Vidalia</a> (<a
 href="https://gitweb.torproject.org/vidalia.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Vidalia&order=priority">bug
 tracker</a>)</h3>
 
 
 The most commonly used user interface for Tor. Matt Edman started the
 project in 2006 and brought it to its current stable state. Development
 slowed for several years, though Tomás Touceda has since taken a lead with
 pushing the project forward.
 
 
 
 
 <a id="project-arm"></a>
 <h3><a href="http://www.atagar.com/arm/">Arm</a> (<a
 href="https://gitweb.torproject.org/arm.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=arm&order=priority">bug
 tracker</a>)</h3>
 
 
 Command-line monitor for Tor. This has been under very active development
 by its author, Damian Johnson, since early 2009 to make it a better
 general-purpose controller for *nix environments.
 
 
 
 
 <a id="project-orbot"></a>
 <h3><a href="https://guardianproject.info/apps/orbot/">Orbot</a> (<a
 href="https://gitweb.torproject.org/orbot.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Orbot&order=priority">bug
 tracker</a>)</h3>
 
 
 Provides Tor on the Android platform. This was under very active
 development up through Fall 2010, after which things have been quiet.
 
 
 
 
 <a id="project-torbutton"></a>
 <h3><a href="<page torbutton/index>">Torbutton</a> (<a
 href="https://gitweb.torproject.org/torbutton.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Torbutton&order=priority">bug
 tracker</a>)</h3>
 
 
 Firefox addon that addresses many of the client-side threats to browsing
 the Internet anonymously. Mike has since continued to adapt it to new
 threats, updated versions of Firefox, and possibly <a
 href="https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprinting">Chrome
 as well</a>.
 
 
 <a id="project-torbirdy"></a>
 <h3>TorBirdy (<a
 href="https://github.com/ioerror/torbirdy">code</a>, <a
 href="https://trac.torproject.org/projects/tor/wiki/torbirdy/dev">bug
 tracker</a>)</h3>
 
 
 TorBirdy is Torbutton for Thunderbird and related Mozilla mail clients.
 
 
 
 Project Ideas: 
 <a href="#improveTorbirdy">Improving TorBirdy</a> 
 
 
 <a id="project-obfsproxy"></a>
 <h3><a href="https://gitweb.torproject.org/obfsproxy.git/tree/HEAD:/doc">Obfsproxy</a> (<a
 href="https://gitweb.torproject.org/obfsproxy.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Pluggable+transport&order=priority">bug
 tracker</a>)</h3>
 
 
 A proxy that shapes Tor traffic, making it harder for censors to detect and
 block Tor.
 
 
 
 
 <a id="project-flash-proxy"></a>
 <h3><a href="https://crypto.stanford.edu/flashproxy/">Flash Proxy</a> (<a
 href="https://gitweb.torproject.org/flashproxy.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_information&status=needs_review&status=needs_revision&status=new&status=reopened&component=Flashproxy">bug
 tracker</a>)</h3>
 
 
 Pluggable transport using proxies running in web browsers to defeat
 address-based blocking.
 
 
 <a id="project-thandy"></a>
 <h3>Thandy (<a
 href="https://gitweb.torproject.org/thandy.git">code</a>)</h3>
 
 
 Updater for Tor. The project began in the Summer of 2008 but wasn't
 completed. Recently interest in it has been rekindled and many aspects of
 its design (including the language it'll be in) are currently in flux.
 
 
 <a id="project-ooni-probe"></a>
 <h3>Ooni Probe (<a
 href="https://gitweb.torproject.org/ooni-probe.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Ooni&order=priority">bug
 tracker</a>)</h3>
 
 
 Censorship scanner, checking your local connection for blocked or modified
 content.
 
 
 <a id="project-shadow"></a>
 <h3><a href="https://shadow.cs.umn.edu/">Shadow</a> (<a
 href="https://github.com/shadow">code</a>, <a
 href="https://github.com/shadow/shadow/issues">bug
 tracker</a>)</h3>
 
 
 Shadow is a discrete-event network simulator that runs the real
 Tor software as a plug-in. Shadow is open-source software that enables
 accurate, efficient, controlled, and repeatable Tor experimentation.
 
 
 <a id="project-torctl"></a>
 <h3>TorCtl (<a
 href="https://gitweb.torproject.org/pytorctl.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Torctl&order=priority">bug
 tracker</a>)</h3>
 
 
 Python bindings and utilities for using the Tor control port. It has been
 stable for several years, with only minor revisions.
 
 
 <a id="project-stem"></a>
 <h3><a href="https://stem.readthedocs.org/en/latest/index.html">Stem</a> (<a
 href="https://gitweb.torproject.org/stem.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/wiki/doc/stem/bugs">bug
 tracker</a>)</h3>
 
 
 Python controller library with a similar scope to TorCtl, but with better
 testing, documentation, and API. This project is not yet feature complete.
 
 
 
 Project Ideas: 
 <a href="#stemUsability">Stem Usability Improvements</a>
 
 
 <a id="project-txtorcon"></a>
 <h3>Txtorcon (<a
 href="https://github.com/meejah/txtorcon">code</a>, <a
 href="https://txtorcon.readthedocs.org">docs</a>)</h3>
 
 
 Twisted-based asynchronous Tor control protocol implementation. Includes
 unit-tests, examples, state-tracking code and configuration abstraction.
 Used by OONI and APAF.
 
 
 <a id="project-tlsdate"></a>
 <h3>Tlsdate (<a href="https://github.com/ioerror/tlsdate">code</a>)</h3>
 
 
 tlsdate: secure parasitic rdate replacement
 
 
 
 tlsdate sets the local clock by securely connecting with TLS to remote
 servers and extracting the remote time out of the secure handshake. Unlike
 ntpdate, tlsdate uses TCP, for instance connecting to a remote HTTPS or TLS
 enabled service, and provides some protection against adversaries that try
 to feed you malicious time information.
 
 
 <a id="project-metrics"></a>
 <h3><a href="https://metrics.torproject.org/">Metrics</a> (code: <a
 href="https://gitweb.torproject.org/metrics-db.git">db</a>, <a
 href="https://gitweb.torproject.org/metrics-utils.git">utils</a>, <a
 href="https://gitweb.torproject.org/metrics-web.git">web</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Metrics&order=priority">bug
 tracker</a>)</h3>
 
 
 Processing and analytics of consensus data, provided to users via the
 metrics portal. This has been under active development for several years by
 Karsten Loesing.
 
 
 
 Project Ideas: 
 <a href="#metricsSearch">Searchable Tor descriptor and Metrics data archive</a> (Python/Django?)
 
 
 <a id="project-atlas"></a>
 <h3><a href="https://atlas.torproject.org/">Atlas</a> (<a
 href="https://gitweb.torproject.org/atlas.git">code</a>)</h3>
 
 
 Atlas is a web application to discover Tor relays and bridges. It provides
 useful information on how relays are configured along with graphics about
 their past usage. This is the third evolution of the TorStatus application.
 
 
 <a id="project-torstatus"></a>
 <h3><a href="https://trac.torproject.org/projects/tor/wiki/org/roadmaps/TorStatus">TorStatus</a> (<a
 href="https://gitweb.torproject.org/torstatus.git">code</a>)</h3>
 
 
 Portal providing an overview of the Tor network, and details on any of its
 current relays. Though very actively used, this project has been
 unmaintained for a long while. The <a
 href="https://svn.torproject.org/svn/torstatus/trunk/">original
 codebase</a> was written in PHP, and students from Wesleyan wrote the new
 Django counterpart.
 
 
 <a id="project-compass"></a>
 <h3><a href="https://compass.torproject.org/">Compass</a> (<a
 href="https://gitweb.torproject.org/compass.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Compass&order=priority">bug
 tracker</a>)</h3>
 
 
 Compass is a web and command line application that filters and
 aggregates the Tor relays based on various attributes.
 
 
 
 Project Ideas: 
 <a href="#compassRefactoring">Compass Refactoring</a>
 
 
 <a id="project-weather"></a>
 <h3><a href="https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Weather">Weather</a> (<a
 href="https://gitweb.torproject.org/weather.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Tor+Weather&order=priority">bug
 tracker</a>)</h3>
 
 
 Provides automatic notification to subscribed relay operators when their
 relay's unreachable. This underwent a rewrite by the <a
 href="http://hfoss.wesleyan.edu/">Wesleyan HFOSS team</a>, which went live
 in early 2011.
 
 
 <a id="project-gettor"></a>
 <h3><a href="https://trac.torproject.org/projects/tor/wiki/org/roadmaps/GetTor">GetTor</a> (<a
 href="https://gitweb.torproject.org/gettor.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=GetTor&order=priority">bug
 tracker</a>)</h3>
 
 
 E-mail autoresponder providing Tor's packages over SMTP. This has been
 relatively unchanged for quite a while.
 
 
 <a id="project-torcheck"></a>
 <h3><a href="https://trac.torproject.org/projects/tor/wiki/org/roadmaps/TorCheck">TorCheck</a> (<a
 href="https://svn.torproject.org/svn/check/trunk/">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Tor+Check&order=priority">bug
 tracker</a>)</h3>
 
 
 Provides a simple site for determining if the visitor is using Tor or not.
 This has been relatively unchanged for quite a while.
 
 
 <a id="project-onionoo"></a>
 <h3><a href="<page projects/onionoo>">Onionoo</a> (<a
 href="https://gitweb.torproject.org/onionoo.git">java codebase</a>, <a
 href="https://gitweb.torproject.org/pyonionoo.git">python
 codebase</a>)</h3>
 
 
 Onionoo is a JSON based protocol to learn information about currently
 running Tor relays and bridges.
 
 
 <a id="project-bridgedb"></a>
 <h3><a href="https://trac.torproject.org/projects/tor/wiki/org/roadmaps/BridgeDB">BridgeDB</a> (<a
 href="https://gitweb.torproject.org/bridgedb.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=BridgeDB&order=priority">bug
 tracker</a>)</h3>
 
 
 Backend bridge distributor, handling the various pools they're distributed
 in. This was actively developed until Fall of 2010.
 
 
 <a id="project-torflow"></a>
 <h3><a href="https://trac.torproject.org/projects/tor/wiki/org/roadmaps/TorFlow">TorFlow</a> (<a
 href="https://gitweb.torproject.org/torflow.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=Torflow&order=priority">bug
 tracker</a>)</h3>
 
 
 Library and collection of services for actively monitoring the Tor network.
 These include the Bandwidth Scanners (measuring throughput of relays) and
 SoaT (scans for malicious or misconfigured exit nodes). SoaT was last
 actively developed in the Summer of 2010, and the Bandwidth Scanners a few
 months later. Both have been under active use since then, but development
 has stopped.
 
 
 <a id="project-torbel"></a>
 <h3><a
 href="https://blog.torproject.org/blog/torbel-tor-bulk-exit-list-tools">TorBEL</a> (<a
 href="https://gitweb.torproject.org/torbel.git">code</a>, <a
 href="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_review&status=new&status=reopened&component=TorDNSEL/TorBEL&order=priority">bug
 tracker</a>)</h3>
 
 
 The Tor Bulk Exitlist provides a method of identifying if IPs belong to
 exit nodes or not. This is a replacement for TorDNSEL which is a stable
 (though unmaintained) Haskell application for this purpose. The initial
 version of TorBEL was started in GSOC 2010 but since then the project has
 been inactive.
 
 
 <a id="Coding"></a>
 <a id="Summer"></a>
 <h2><a class="anchor" href="#Coding">Project Ideas</a></h2>
 
 
 You may find some of these projects to be good ideas for <a href="<page
 about/gsoc>">Google Summer of Code</a> and the <a
 href="https://live.gnome.org/OutreachProgramForWomen">Outreach Program for
 Women</a>. We have labelled each idea with how useful it would be to the
 overall Tor project (priority), how much work we expect it would be (effort
 level), how much clue you should start with (skill level), and which of our
 <a href="<page about/corepeople>">core developers</a> would be good
 mentors. If one or more of these ideas looks promising to you, please <a
 href="<page about/contact>">contact us</a> to discuss your plans rather than
 sending blind applications. You may also want to propose your own project
 idea &mdash; which often results in the best applications.
 
 
 <ol>
 
 
 
 
 
 
 
 <a id="compassRefactoring"></a>
 <li>
 Compass Refactoring
 
 Effort Level: Medium
 
 Skill Level: Medium
 
 Likely Mentors: gsathya, karsten
 
 Compass was first designed to be a cli app and then hacked into a web app.
 The codebase needs to be refactored such that the main processing code is
 separated from the display functions(probably into separate files) and made
 modular so that adding more features (<a
 href="https://trac.torproject.org/6612">#6612</a>) is easy. For example, the
 main processing logic could be in compass.py, whereas print_groups() and other
 display related functions could be part of a separate cli.py; web.py would also
 have to modified to make use of this new modular code. Bonus points for adding
 features to compass(<a href="https://trac.torproject.org/6619">#6619</a>, <a
 href="https://trac.torproject.org/6612">#6612</a>, <a
 href="https://trac.torproject.org/6728">#6728</a>).
 
 </li>
 
 
 
 
 
 
 
 
 
 <a id="httpsImersonation"></a>
 <li>
 HTTPS Server Impersonation
 
 Effort Level: Medium to High
 
 Skill Level: Medium to High
 
 Likely Mentors: Nick (nickm)
 
 We have an open proposal for a way to make Tor bridges avoid censorship by
 impersonating an HTTPS server. Specifically, we need to hack some popular
 SSL "reverse proxy" (your choice) so that it relays regular web connections
 to an HTTP server, but certain connections to a local Tor process. <a
 href="https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/203-https-frontend.txt">Proposal
 203</a> has a general design sketch.
 
 </li>
 
 
 
 
 
 
 
 
 
 <a id="improveTorbirdy"></a>
 <li>
 Improving TorBirdy
 
 Effort Level: High
 
 Skill Level: Medium to High
 
 Likely Mentors: Sukhbir, Jacob
 
 TorBirdy is Torbutton for Thunderbird, Icedove and related Mozilla mail
 clients.
 
 
 TorBirdy is under active development and is available from <a
 href="https://trac.torproject.org/projects/tor/wiki/torbirdy">our wiki</a>
 and <a
 href="https://addons.mozilla.org/en-US/thunderbird/addon/torbirdy/">mozilla's
 addons site</a>.
 
 
 
 The goal of this project is to improve TorBirdy by:
 
 
 <ul>
 <li>
 Writing a Thunderbird patch to plug known leaks. We have already <a
 href="https://bugzilla.mozilla.org/show_bug.cgi?id=776397">submitted a
 patch to Thunderbird</a> but we anticipate there will be much more work
 required before it is accepted, possibly involving rewriting the entire
 patch; this appears trivial, but it is not, as we are proposing a
 completely new privacy-safe message-ID header generation algorithm for
 Thunderbird.
 </li>
 <li>
 Implementing a JavaScript HTTP proxy (see the <a
 href="https://trac.torproject.org/projects/tor/ticket/6958">ticket</a>)
 </li>
 <li>
 Auditing TorBirdy for leaks and for use with other add-ons (as an
 example see its <a
 href="https://trac.torproject.org/projects/tor/ticket/6319">ticket</a>)
 </li>
 </ul>
 
 
 A student undertaking this project should have some C++ and JavaScript
 development experience. Previous experience with Firefox/Thunderbird
 extension development is a plus, but not required.
 
 </li>
 
 
 
 <a id="chutneyExpansion"></a>
 <li>
 Make Chutney Do More, More Reliably
 
 Effort Level: Medium to High, depending on scope of project
 
 Skill Level: Medium
 
 Likely Mentors: Nick (nickm)
 
 We have a little Python tool called <a
 href="https://gitweb.torproject.org/nickm/chutney.git">Chutney</a> for
 making small local test networks. It's small, not widely used, and not as
 automated as it could be.
 
 
 
 It would be great to see chutney extended and a set of supporting tests
 built to the point where we could use Chutney to exercise various Tor
 features as an automated integration test.
 
 </li>
 
 
 
 
 
 
 
 
 
 <a id="limitCapabilities"></a>
 <li>
 Run With Limited Capabilities
 
 Effort Level: Medium to High
 
 Skill Level: High
 
 Likely Mentors: Nick (nickm)
 
 Many modern operating systems give a running program the ability to drop
 capabilities that it no longer needs, and other ways for a program to run
 pieces of itself in a sandbox with diminished privileges.
 
 
 
 We'd like to do this with Tor, to improve its resistance to attacks. The
 easiest areas to address would be on systems like <a
 href="https://lwn.net/Articles/475361/">recent Linux kernels</a> that make
 it easy to drop or restrict the set of syscalls that a program can invoke.
 That's a great project, but probably not big enough for an internship just
 on its own. For that, we'd want to make progress on at least multiple
 platforms, or look into refactoring Tor into pieces that need more
 privileges and pieces that don't with an eye towards sandboxing them
 differently.
 
 
 
 See tickets <a href="https://trac.torproject.org/7005">#7005</a> and <a
 href="https://trac.torproject.org/5219">#5219</a>, and their descendants,
 for more information.
 
 </li>
 
 <a id="metricsSearch"></a>
 <li>
 Searchable Tor descriptor and Metrics data archive
 
 Effort Level: Medium
 
 Skill Level: Medium
 
 Likely Mentors: Karsten
 The <a href="https://metrics.torproject.org/data.html">Metrics data
 archive</a> of Tor relay descriptors and other Tor-related network data has
 grown to over 100G in size, bz2-compressed. We have developed two search
 interfaces: the <a
 href="https://metrics.torproject.org/relay-search.html">relay search</a>
 finds relays by nickname, fingerprint, or IP address in a given month; <a
 href="https://metrics.torproject.org/exonerator.html">ExoneraTor</a> finds
 whether a given IP address was a relay on a given day.
 
 We'd like to have a more general search application for Tor descriptors
 and metrics data. There are more <a
 href="https://metrics.torproject.org/formats.html">descriptor types</a>
 that we'd like to include in the search. The search application should
 handle most of them and understand some semantics like what's a timestamp,
 what's an IP address, and what's a link to another descriptor. Users
 should then be able to search for arbitrary strings or limit their search
 to given time periods or IP address ranges. Descriptors that reference
 other descriptors should contain links, and descriptors should be able to
 say from where they are linked. The goal is to make the archive easily
 browsable.
 
 The search application shall be separate from the metrics website and
 shouldn't rely on the metrics website codebase. The search application
 will contain hourly updated descriptor data from the metrics website via
 rsync. Programming language and database system are not specified yet,
 though there's a slight preference for Python/Django and Postgres for
 maintenance reasons. If there are good reasons to pick something else,
 e.g, some NoSQL variant or some search application framework, that's fine,
 too. Further requirements are that lookups should be really fast and that
 changes to the search application can be implemented in reasonable
 time.
 
 Applications for this project should come with a design of the proposed
 search application, ideally with a proof-of-concept based on a subset of
 the available data to show that it will be able to handle the 100G+ of
 data.
 </li>
 
 
 
 
 
 <a id="stemUsability"></a>
 <li>
 Stem Usability Improvements
 
 Effort Level: Medium
 
 Skill Level: Medium
 
 Likely Mentors: Damian (atagar)
 
 <a href="https://stem.readthedocs.org/en/latest/index.html">Stem</a> is a
 python controller library for tor. Like it's predecessor, <a
 href="#project-torctl">TorCtl</a>, it uses tor's <a
 href="https://gitweb.torproject.org/torspec.git/blob/HEAD:/control-spec.txt">control
 protocol</a> to help developers program against the tor process, enabling
 them to build things similar to <a href="#project-vidalia">Vidalia</a> and
 <a href="#project-arm">arm</a>.
 
 
 
 While TorCtl provided a fine first draft for this sort of functionality,
 it has not proved to be extensible nor maintainable. Stem is a rewrite of
 TorCtl with a heavy focus on testing, documentation, and providing a
 developer friendly API.
 
 
 
 Stem is very nearly feature complete but presently has no users. We
 want to change that prior to making our first release for a couple
 reasons...
 
 
 <ul>
 <li>Make sure that we have a reasonably good API, and improve the rough
 edges that hurt its usability.</li>
 <li>Provide examples for how stem can be used.</li>
 </ul>
 
 
 This project involves several tasks...
 
 
 <ol>
 <li>Move stem's site to Tor's website (<a href="https://trac.torproject.org/projects/tor/ticket/7324">ticket</a>)</li>
 <li>Set up Piwik for our site (<a href="https://trac.torproject.org/projects/tor/ticket/7424">ticket</a>)</li>
 <li>Come up with a better, more developer friendly "Module Overview" for our documentation (<a href="https://stem.readthedocs.org/en/latest/api/control.html">example page</a>). For instance, it would be nice to provide interlinking between the overview and the classes/methods that it lists. This will probably involve asking for help from the <a href="http://sphinx-doc.org/">Sphinx user list</a>.</li>
 <li>Finally get your hands dirty using stem. We want to expand stem's <a href="https://stem.readthedocs.org/en/latest/tutorial.html">tutorial page</a> with more examples. To do this you'll want to both brainstorm some of your own and contact the <a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev/">tor-dev@ email list</a> to solicit ideas. This last step is pretty open ended, so go nuts with whatever you think will improve stem's usability!</li>
 </ol>
 </li>
 
 
 
 <a id="torCleanup"></a>
 <li>
 Tor Codebase Cleanup
 
 Effort Level: Low to High, depending on subproject chosen
 
 Skill Level: Medium to High
 
 Likely Mentors: Nick (nickm)
 
 The Tor code is almost 10 years old in places, and we haven't always had
 enough time or wisdom to write things as well as we could have. Our unit
 test coverage is shamefully low, and the dependency graph of our modules is
 shamefully convoluted . We could use refactoring and unit tests! Please
 look through the Tor source code and look for ugly or tricky code or
 dependencies -- the uglier and trickier the better -- and think about how
 you could make the code look better, read better, and (subject to testing)
 work better.
 
 
 
 If this is for a fun side-project, it would be great for you to work on
 anything that can be made better and more tested. For an internship-level
 position, we'd hope that you could find a number of particularly tricky or
 knotty piece of the code to clean up, and aim for resolving the ugliest
 problems, not necessarily the easiest.
 
 
 
 For a big project here, it would be great to pick one of the major
 "submodules" of Tor -- path selection, node discovery, directory authority
 operations, directory service -- and refactor its interface completely, to
 minify and codify its points of contact with the rest of Tor.
 
 </li>
 
 
 
 
 
 
 
 
 
 <a id="docUpdate"></a>
 <li>
 Website and video documentation update
 
 Effort Level: Medium
 
 Skill Level: Medium
 
 Likely Mentors: Runa, Karen
 
 Identify outdated and/or weak pages on torproject.org and re-write the
 documentation to appeal to a less technical, more goal-oriented
 audience. Create a number of 3-5 minute videos with graphically
 portray the written documentation. See
 <a href="https://trac.torproject.org/projects/tor/query?component=Website&status=new">the
 website tickets</a> for more information and a starting point.
 
 </li>
 
 <li>
 Bring up new ideas!
 
 Don't like any of these? Look at the <a
 href="/press/presskit/2008-12-19-roadmap-full.pdf">Tor development
 roadmap</a> for more ideas, or just try out Tor, Vidalia, and Torbutton,
 and find out what you think needs fixing.
 Some of the <a href="<spectree>proposals">current proposals</a>
 might also be short on developers.
 </li>
 
 </ol>
 
 <a id="OtherCoding"></a>
 <h2><a class="anchor" href="#OtherCoding">Other Coding and Design related ideas</a></h2>
 <ol>
 <li>Tor relays don't work well on Windows XP. On
 Windows, Tor uses the standard <tt>select()</tt> system
 call, which uses space in the non-page pool. This means
 that a medium sized Tor relay will empty the non-page pool, <a
 href="<wiki>doc/WindowsBufferProblems">causing
 havoc and system crashes</a>. We should probably be using overlapped IO
 instead. One solution would be to teach <a
 href="http://www.monkey.org/~provos/libevent/">libevent</a> how to use
 overlapped IO rather than select() on Windows, and then adapt Tor to
 the new libevent interface. Christian King made a
 <a href="https://svn.torproject.org/svn/libevent-urz/trunk/">good
 start</a> on this in the summer of 2007.</li>
 
 <li>We need to actually start building our <a href="<page
 docs/documentation>#DesignDoc">blocking-resistance design</a>. This involves
 fleshing out the design, modifying many different pieces of Tor, adapting
 <a href="<page projects/vidalia>">Vidalia</a> so it supports the
 new features, and planning for deployment.</li>
 
 <li>We need a flexible simulator framework for studying end-to-end
 traffic confirmation attacks. Many researchers have whipped up ad hoc
 simulators to support their intuition either that the attacks work
 really well or that some defense works great. Can we build a simulator
 that's clearly documented and open enough that everybody knows it's
 giving a reasonable answer? This will spur a lot of new research.
 See the entry <a href="#Research">below</a> on confirmation attacks for
 details on the research side of this task &mdash; who knows, when it's
 done maybe you can help write a paper or three also.</li>
 
 <li>Tor 0.1.1.x and later include support for hardware crypto
 accelerators via OpenSSL. It has been lightly tested and is
 possibly very buggy. We're looking for more rigorous testing,
 performance analysis, and optimally, code fixes to OpenSSL and
 Tor if needed.</li>
 
 <li>Perform a security analysis of Tor with <a
 href="https://secure.wikimedia.org/wikipedia/en/wiki/Fuzz_testing">"fuzz"</a>. Determine
 if there are good fuzzing libraries out there for what we want. Win fame by
 getting credit when we put out a new release because of you!</li>
 
 <li>Tor uses TCP for transport and TLS for link
 encryption. This is nice and simple, but it means all cells
 on a link are delayed when a single packet gets dropped, and
 it means we can only reasonably support TCP streams. We have a <a
 href="<page docs/faq>#TransportIPnotTCP">list
 of reasons why we haven't shifted to UDP transport</a>, but it would
 be great to see that list get shorter. We also have a proposed <a
 href="<specblob>proposals/100-tor-spec-udp.txt">specification
 for Tor and
 UDP</a> &mdash; please let us know what's wrong with it.</li>
 
 <li>We're not that far from having IPv6 support for destination addresses
 (at exit nodes). If you care strongly about IPv6, that's probably the
 first place to start.</li>
 
 <li>We need a way to generate the website diagrams (for example, the "How
 Tor Works" pictures on the <a href="<page about/overview>">overview page</a>
 from source, so we can translate them as UTF-8 text rather than edit
 them by hand with Gimp. We might want to
 integrate this as an wml file so translations are easy and images are
 generated in multiple languages whenever we build the website.</li>
 
 <li>How can we make the various LiveCD/USB systems easier
 to maintain, improve, and document? One example is <a
 href="https://tails.boum.org/">The Amnesic Incognito Live
 System</a>.
 </li>
 
 <li>
 Another anti-censorship project is to try to make Tor
 more scanning-resistant. Right now, an adversary can identify <a
 href="<specblob>proposals/125-bridges.txt">Tor bridges</a>
 just by trying to connect to them, following the Tor protocol,
 and seeing if they respond. To solve this, bridges could <a
 href="<svnprojects>design-paper/blocking.html#tth_sEc9.3">act like
 webservers</a> (HTTP or HTTPS) when contacted by port-scanning tools,
 and not act like bridges until the user provides a bridge-specific key.
 To start, check out Shane Pope's <a
 href="http://dl.dropbox.com/u/37735/index.html">thesis and prototype</a>.
 </li>
 
 </ol>
 
 <a id="Research"></a>
 <h2><a class="anchor" href="#Research">Research</a></h2>
 <ol>
 <li>The "end-to-end traffic confirmation attack":
 by watching traffic at Alice and at Bob, we can <a
 href="http://freehaven.net/anonbib/#danezis:pet2004">compare
 traffic signatures and become convinced that we're watching the same
 stream</a>. So far Tor accepts this as a fact of life and assumes this
 attack is trivial in all cases. First of all, is that actually true? How
 much traffic of what sort of distribution is needed before the adversary
 is confident he has won? Are there scenarios (e.g. not transmitting much)
 that slow down the attack? Do some traffic padding or traffic shaping
 schemes work better than others?</li>
 <li>A related question is: Does running a relay/bridge provide additional
 protection against these timing attacks? Can an external adversary that can't
 see inside TLS links still recognize individual streams reliably?
 Does the amount of traffic carried degrade this ability any? What if the
 client-relay deliberately delayed upstream relayed traffic to create a queue
 that could be used to mimic timings of client downstream traffic to make it
 look like it was also relayed? This same queue could also be used for masking
 timings in client upstream traffic with the techniques from <a
 href="http://www.freehaven.net/anonbib/#ShWa-Timing06">adaptive padding</a>,
 but without the need for additional traffic. Would such an interleaving of
 client upstream traffic obscure timings for external adversaries? Would the
 strategies need to be adjusted for asymmetric links? For example, on
 asymmetric links, is it actually possible to differentiate client traffic from
 natural bursts due to their asymmetric capacity? Or is it easier than
 symmetric links for some other reason?</li>
 <li>Repeat Murdoch and Danezis's <a
 href="http://www.cl.cam.ac.uk/~sjm217/projects/anon/#torta">attack from
 Oakland 05</a> on the current Tor network. See if you can learn why it
 works well on some nodes and not well on others. (My theory is that the
 fast nodes with spare capacity resist the attack better.) If that's true,
 then experiment with the RelayBandwidthRate and RelayBandwidthBurst
 options to run a relay that is used as a client while relaying the
 attacker's traffic: as we crank down the RelayBandwidthRate, does the
 attack get harder? What's the right ratio of RelayBandwidthRate to
 actually capacity? Or is it a ratio at all? While we're at it, does a
 much larger set of candidate relays increase the false positive rate
 or other complexity for the attack? (The Tor network is now almost two
 orders of magnitude larger than it was when they wrote their paper.) Be
 sure to read <a href="http://freehaven.net/anonbib/#clog-the-queue">Don't
 Clog the Queue</a> too.</li>
 <li>The "routing zones attack": most of the literature thinks of
 the network path between Alice and her entry node (and between the
 exit node and Bob) as a single link on some graph. In practice,
 though, the path traverses many autonomous systems (ASes), and <a
 href="http://freehaven.net/anonbib/#feamster:wpes2004">it's not uncommon
 that the same AS appears on both the entry path and the exit path</a>.
 Unfortunately, to accurately predict whether a given Alice, entry,
 exit, Bob quad will be dangerous, we need to download an entire Internet
 routing zone and perform expensive operations on it. Are there practical
 approximations, such as avoiding IP addresses in the same /8 network?</li>
 <li>Other research questions regarding geographic diversity consider
 the tradeoff between choosing an efficient circuit and choosing a random
 circuit. Look at Stephen Rollyson's <a
 href="http://swiki.cc.gatech.edu:8080/ugResearch/uploads/7/ImprovingTor.pdf">position
 paper</a> on how to discard particularly slow choices without hurting
 anonymity "too much". This line of reasoning needs more work and more
 thinking, but it looks very promising.</li>
 <li>Tor doesn't work very well when relays have asymmetric bandwidth
 (e.g. cable or DSL). Because Tor has separate TCP connections between
 each hop, if the incoming bytes are arriving just fine and the outgoing
 bytes are all getting dropped on the floor, the TCP push-back mechanisms
 don't really transmit this information back to the incoming streams.
 Perhaps Tor should detect when it's dropping a lot of outgoing packets,
 and rate-limit incoming streams to regulate this itself? I can imagine
 a build-up and drop-off scheme where we pick a conservative rate-limit,
 slowly increase it until we get lost packets, back off, repeat. We
 need somebody who's good with networks to simulate this and help design
 solutions; and/or we need to understand the extent of the performance
 degradation, and use this as motivation to reconsider UDP transport.</li>
 <li>A related topic is congestion control. Is our
 current design sufficient once we have heavy use? Maybe
 we should experiment with variable-sized windows rather
 than fixed-size windows? That seemed to go well in an <a
 href="http://www.psc.edu/index.php/hpn-ssh/638">ssh
 throughput experiment</a>. We'll need to measure and tweak, and maybe
 overhaul if the results are good.</li>
 <li>Our censorship-resistance goals include preventing
 an attacker who's looking at Tor traffic on the wire from <a
 href="<svnprojects>design-paper/blocking.html#sec:network-fingerprint">distinguishing
 it from normal SSL traffic</a>. Obviously we can't achieve perfect
 steganography and still remain usable, but for a first step we'd like to
 block any attacks that can win by observing only a few packets. One of
 the remaining attacks we haven't examined much is that Tor cells are 512
 bytes, so the traffic on the wire may well be a multiple of 512 bytes.
 How much does the batching and overhead in TLS records blur this on the
 wire? Do different buffer flushing strategies in Tor affect this? Could
 a bit of padding help a lot, or is this an attack we must accept?</li>
 <li>Tor circuits are built one hop at a time, so in theory we have the
 ability to make some streams exit from the second hop, some from the
 third, and so on. This seems nice because it breaks up the set of exiting
 streams that a given relay can see. But if we want each stream to be safe,
 the "shortest" path should be at least 3 hops long by our current logic, so
 the rest will be even longer. We need to examine this performance / security
 tradeoff.</li>
 <li>It's not that hard to DoS Tor relays or directory authorities. Are client
 puzzles the right answer? What other practical approaches are there? Bonus
 if they're backward-compatible with the current Tor protocol.</li>
 <li>Programs like <a
 href="<page torbutton/index>">Torbutton</a> aim to hide
 your browser's UserAgent string by replacing it with a uniform answer for
 every Tor user. That way the attacker can't splinter Tor's anonymity set
 by looking at that header. It tries to pick a string that is commonly used
 by non-Tor users too, so it doesn't stand out. Question one: how badly
 do we hurt ourselves by periodically updating the version of Firefox
 that Torbutton claims to be? If we update it too often, we splinter the
 anonymity sets ourselves. If we don't update it often enough, then all the
 Tor users stand out because they claim to be running a quite old version
 of Firefox. The answer here probably depends on the Firefox versions seen
 in the wild. Question two: periodically people ask us to cycle through N
 UserAgent strings rather than stick with one. Does this approach help,
 hurt, or not matter? Consider: cookies and recognizing Torbutton users
 by their rotating UserAgents; malicious websites who only attack certain
 browsers; and whether the answers to question one impact this answer.
 </li>
 <li>How many bridge relays do you need to know to maintain
 reachability? We should measure the churn in our bridges. If there is
 lots of churn, are there ways to keep bridge users more likely to stay
 connected?
 </li>
 </ol>
 
 
 <a href="<page about/contact>">Let us know</a> if you've made progress on any
 of these!
 
 </div>
 
 <div id = "sidecol">
#include "side.wmi"
#include "info.wmi"
 </div>
 
</div>

#include <foot.wmi>

tor-webwml.git

Adding Txtorcon to the volunteer project table