tor-webwml.git

@@ -103,6 +103,9 @@ SSL <a href="<page documentation>#Developers">SVN repository?</a></li>

 <a id="Coding"></a>

 <h2><a class="anchor" href="#Coding">Coding and Design</a></h2>

+<p>Want to spend your Google Summer of Code working on Tor? Great. More

+details coming soon. In the mean time, see if any of these ideas catch

+your eye.</p>

 <ol>

 <li>Tor servers don't work well on Windows XP. On

 Windows, Tor uses the standard <tt>select</tt> system

@@ -120,18 +123,15 @@ buffers. Maybe this should be modelled after the Linux kernel buffer

 design, where we have many smaller buffers that link to each other,

 rather than monolithic buffers?</li>

 <li>We need an official central site to answer "Is this IP address a Tor

-server?" questions. This should provide several interfaces, including

+exit server?" questions. This should provide several interfaces, including

 a web interface and a DNSBL-style interface. It can provide the most

 up-to-date answers by keeping a local mirror of the Tor directory

-information. Bonus points if it does active testing through each exit

-node to find out what IP address it's really exiting from.</li>

-<li>We need a measurement study of <a

-href="http://www.pps.jussieu.fr/~jch/software/polipo/">Polipo</a>

-vs <a href="http://www.privoxy.org/">Privoxy</a>. Is Polipo in fact

-significantly faster, once you factor in the slow-down from Tor? Are the

-results the same on both Linux and Windows? Related, does Polipo handle

-more web sites correctly than Privoxy, or vice versa? Are there stability

-issues on any common platforms, e.g. Windows?</li>

+information. The tricky point is that being an exit server is not a

+boolean: so the question is actually "Is this IP address a Tor exit

+server that can exit to my IP address:port?" The DNSBL interface

+will probably receive hundreds of queries a minute, so some smart

+algorithms are in order. Bonus points if it does active testing through

+each exit node to find out what IP address it's really exiting from.</li>

 <li>It would be great to have a LiveCD that includes the latest

 versions of Tor, Polipo or Privoxy, Firefox, Gaim+OTR, etc. There are

 two challenges here: first is documenting the system and choices well

@@ -139,9 +139,39 @@ enough that security people can form an opinion on whether it should be

 secure, and the second is figuring out how to make it easily maintainable,

 so it doesn't become quickly obsolete like AnonymOS. Bonus points if

 the CD image fits on one of those small-form-factor CDs.</li>

+<li>Related to the LiveCD image, we should work on an intuitively secure

+and well-documented USB image for Tor and supporting applications. A

+lot of the hard part here is deciding what configurations are secure,

+documentating these decisions, and making something that is easy to

+maintain going forward.</li>

+<li>We need to actually start building our <a href="<page

+documentation>#DesignDoc">blocking-resistance design</a>. This involves

+fleshing out the design, modifying many different pieces of Tor, working

+on a <a href="http://vidalia-project.net/">GUI</a> that's intuitive,

+and planning for deployment.</li>

+<li>We need a flexible simulator framework for studying end-to-end

+traffic confirmation attacks. Many researchers have whipped up ad hoc

+simulators to support their intuition either that the attacks work

+really well or that some defense works great. Can we build a simulator

+that's clearly documented and open enough that everybody knows it's

+giving a reasonable answer? This will spur a lot of new research.

+See the entry <a href="#Research">below</a> on confirmation attacks for

+details on the research side of this task — who knows, when it's

+done maybe you can help write a paper or three also.</li>

+<li>We need a measurement study of <a

+href="http://www.pps.jussieu.fr/~jch/software/polipo/">Polipo</a>

+vs <a href="http://www.privoxy.org/">Privoxy</a>. Is Polipo in fact

+significantly faster, once you factor in the slow-down from Tor? Are the

+results the same on both Linux and Windows? Related, does Polipo handle

+more web sites correctly than Privoxy, or vice versa? Are there stability

+issues on any common platforms, e.g. Windows?</li>

+<li>Related on the above, would you like to help port <a

+href="http://www.pps.jussieu.fr/~jch/software/polipo/">Polipo</a> so it

+runs stably and efficiently on Windows?</li>

 <li>We need a distributed testing framework. We have unit tests,

 but it would be great to have a script that starts up a Tor network, uses

 it for a while, and verifies that at least parts of it are working.</li>

+<!--

 <li>Right now the hidden service descriptors are being stored on just a

 few directory servers. This is bad for privacy and bad for robustness. To

 get more robustness, we're going to need to make hidden service

@@ -156,6 +186,7 @@ and signature on a hidden service descriptor so they can't be tricked

 into giving out fake ones. Second, any reliable distributed storage

 system will do, as long as it allows authenticated updates, but as far

 as we know no implemented DHT code supports authenticated updates.</li>

+-->

 <li>Tor 0.1.1.x and later include support for hardware crypto accelerators

 via

 OpenSSL. Nobody has ever tested it, though. Does somebody want to get

@@ -171,7 +202,8 @@ it means we can only reasonably support TCP streams. We have a <a

 href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#TransportIPnotTCP">list

 of reasons why we haven't shifted to UDP transport</a>, but it would

 be great to see that list get shorter. We also have a proposed <a

-href="<svnsandbox>doc/tor-spec-udp.txt">specification for Tor and

+href="<svnsandbox>doc/spec/proposals/100-tor-spec-udp.txt">specification

+for Tor and

 UDP</a> &mdash; please let us know what's wrong with it.</li>

 <li>We're not that far from having IPv6 support for destination addresses

 (at exit nodes). If you care strongly about IPv6, that's probably the