Drop volunteer page footer idea blob
Damian Johnson

Damian Johnson commited on 2016-03-17 16:26:19
Zeige 1 geänderte Dateien mit 0 Einfügungen und 210 Löschungen.


This is an antique, horribly unreadable wad of text as denser than a legal
footer. We should invest effort in making project ideas readable or not have
them at all. Actually, this section predates me (meaning it's over six years
old) and never been maintained in that time. Guess it's so dense even we
ignored it. :P

If we want to resurrect any of these then it should be done so as tickets.
... ...
@@ -1556,216 +1556,6 @@ implementation.
1556 1556
     </li>
1557 1557
 
1558 1558
     </ol>
1559
-
1560
-    <a id="OtherCoding"></a>
1561
-    <h2><a class="anchor" href="#OtherCoding">Other Coding and Design related ideas</a></h2>
1562
-    <ol>
1563
-    <li>Tor relays don't work well on Windows XP. On
1564
-    Windows, Tor uses the standard <tt>select()</tt> system
1565
-    call, which uses space in the non-page pool. This means
1566
-    that a medium sized Tor relay will empty the non-page pool, <a
1567
-    href="<wiki>doc/WindowsBufferProblems">causing
1568
-    havoc and system crashes</a>. We should probably be using overlapped IO
1569
-    instead. One solution would be to teach <a
1570
-    href="http://www.monkey.org/~provos/libevent/">libevent</a> how to use
1571
-    overlapped IO rather than select() on Windows, and then adapt Tor to
1572
-    the new libevent interface. Christian King made a
1573
-    <a href="https://svn.torproject.org/svn/libevent-urz/trunk/">good
1574
-    start</a> on this in the summer of 2007.</li>
1575
-
1576
-    <li>We need a flexible simulator framework for studying end-to-end
1577
-    traffic confirmation attacks. Many researchers have whipped up ad hoc
1578
-    simulators to support their intuition either that the attacks work
1579
-    really well or that some defense works great. Can we build a simulator
1580
-    that's clearly documented and open enough that everybody knows it's
1581
-    giving a reasonable answer? This will spur a lot of new research.
1582
-    See the entry <a href="#Research">below</a> on confirmation attacks for
1583
-    details on the research side of this task &mdash; who knows, when it's
1584
-    done maybe you can help write a paper or three also.</li>
1585
-
1586
-    <li>Tor 0.1.1.x and later include support for hardware crypto
1587
-    accelerators via OpenSSL. It has been lightly tested and is
1588
-    possibly very buggy.  We're looking for more rigorous testing,
1589
-    performance analysis, and optimally, code fixes to OpenSSL and
1590
-    Tor if needed.</li>
1591
-
1592
-    <li>Write a <a
1593
-    href="https://secure.wikimedia.org/wikipedia/en/wiki/Fuzz_testing">fuzzer</a>
1594
-    for Tor to discover security vulnerabilities. Determine if there
1595
-    are good fuzzing frameworks out there for what we want. Win fame by
1596
-    getting credit when we put out a new release because of you!</li>
1597
-
1598
-    <li>Tor uses TCP for transport and TLS for link
1599
-    encryption. This is nice and simple, but it means all cells
1600
-    on a link are delayed when a single packet gets dropped, and
1601
-    it means we can only reasonably support TCP streams. We have a <a
1602
-    href="<page docs/faq>#TransportIPnotTCP">list
1603
-    of reasons why we haven't shifted to UDP transport</a>, but it would
1604
-    be great to see that list get shorter. We also have a proposed <a
1605
-    href="<specblob>proposals/100-tor-spec-udp.txt">specification
1606
-    for Tor and
1607
-    UDP</a> &mdash; please let us know what's wrong with it.</li>
1608
-
1609
-    <li>We're not that far from having IPv6 support for destination addresses
1610
-    (at exit nodes). If you care strongly about IPv6, that's probably the
1611
-    first place to start.</li>
1612
-
1613
-    <li>We need a way to generate the website diagrams (for example, the "How
1614
-    Tor Works" pictures on the <a href="<page about/overview>">overview page</a>
1615
-    from source, so we can translate them as UTF-8 text rather than edit
1616
-    them by hand with Gimp. We might want to
1617
-    integrate this as an wml file so translations are easy and images are
1618
-    generated in multiple languages whenever we build the website.</li>
1619
-
1620
-    <li>How can we make the various LiveCD/USB systems easier
1621
-    to maintain, improve, and document?  One example is <a
1622
-    href="https://tails.boum.org/">The Amnesic Incognito Live
1623
-    System</a>.
1624
-    </li>
1625
-
1626
-    <li>
1627
-    Another anti-censorship project is to try to make Tor
1628
-    more scanning-resistant.  Right now, an adversary can identify <a
1629
-    href="<specblob>proposals/125-bridges.txt">Tor bridges</a>
1630
-    just by trying to connect to them, following the Tor protocol,
1631
-    and seeing if they respond.  To solve this, bridges could <a
1632
-    href="<svnprojects>design-paper/blocking.html#tth_sEc9.3">act like
1633
-    webservers</a> (HTTP or HTTPS) when contacted by port-scanning tools,
1634
-    and not act like bridges until the user provides a bridge-specific key.
1635
-    To start, check out Shane Pope's <a
1636
-    href="http://dl.dropbox.com/u/37735/index.html">thesis and prototype</a>.
1637
-    </li>
1638
-
1639
-    </ol>
1640
-
1641
-    <a id="Research"></a>
1642
-    <h2><a class="anchor" href="#Research">Research</a></h2>
1643
-    <ol>
1644
-    <li>The "end-to-end traffic confirmation attack":
1645
-    by watching traffic at Alice and at Bob, we can <a
1646
-    href="http://freehaven.net/anonbib/#danezis:pet2004">compare
1647
-    traffic signatures and become convinced that we're watching the same
1648
-    stream</a>. So far Tor accepts this as a fact of life and assumes this
1649
-    attack is trivial in all cases. First of all, is that actually true? How
1650
-    much traffic of what sort of distribution is needed before the adversary
1651
-    is confident he has won? Are there scenarios (e.g. not transmitting much)
1652
-    that slow down the attack? Do some traffic padding or traffic shaping
1653
-    schemes work better than others?</li>
1654
-    <li>A related question is: Does running a relay/bridge provide additional
1655
-    protection against these timing attacks? Can an external adversary that can't
1656
-    see inside TLS links still recognize individual streams reliably?
1657
-    Does the amount of traffic carried degrade this ability any? What if the
1658
-    client-relay deliberately delayed upstream relayed traffic to create a queue
1659
-    that could be used to mimic timings of client downstream traffic to make it
1660
-    look like it was also relayed? This same queue could also be used for masking
1661
-    timings in client upstream traffic with the techniques from <a
1662
-    href="http://www.freehaven.net/anonbib/#ShWa-Timing06">adaptive padding</a>,
1663
-    but without the need for additional traffic. Would such an interleaving of
1664
-    client upstream traffic obscure timings for external adversaries? Would the
1665
-    strategies need to be adjusted for asymmetric links? For example, on
1666
-    asymmetric links, is it actually possible to differentiate client traffic from
1667
-    natural bursts due to their asymmetric capacity? Or is it easier than
1668
-    symmetric links for some other reason?</li>
1669
-    <li>Repeat Murdoch and Danezis's <a
1670
-    href="http://www.cl.cam.ac.uk/~sjm217/projects/anon/#torta">attack from
1671
-    Oakland 05</a> on the current Tor network. See if you can learn why it
1672
-    works well on some nodes and not well on others. (My theory is that the
1673
-    fast nodes with spare capacity resist the attack better.) If that's true,
1674
-    then experiment with the RelayBandwidthRate and RelayBandwidthBurst
1675
-    options to run a relay that is used as a client while relaying the
1676
-    attacker's traffic: as we crank down the RelayBandwidthRate, does the
1677
-    attack get harder? What's the right ratio of RelayBandwidthRate to
1678
-    actually capacity? Or is it a ratio at all? While we're at it, does a
1679
-    much larger set of candidate relays increase the false positive rate
1680
-    or other complexity for the attack? (The Tor network is now almost two
1681
-    orders of magnitude larger than it was when they wrote their paper.) Be
1682
-    sure to read <a href="http://freehaven.net/anonbib/#clog-the-queue">Don't
1683
-    Clog the Queue</a> too.</li>
1684
-    <li>The "routing zones attack": most of the literature thinks of
1685
-    the network path between Alice and her entry node (and between the
1686
-    exit node and Bob) as a single link on some graph. In practice,
1687
-    though, the path traverses many autonomous systems (ASes), and <a
1688
-    href="http://freehaven.net/anonbib/#feamster:wpes2004">it's not uncommon
1689
-    that the same AS appears on both the entry path and the exit path</a>.
1690
-    Unfortunately, to accurately predict whether a given Alice, entry,
1691
-    exit, Bob quad will be dangerous, we need to download an entire Internet
1692
-    routing zone and perform expensive operations on it. Are there practical
1693
-    approximations, such as avoiding IP addresses in the same /8 network?</li>
1694
-    <li>Other research questions regarding geographic diversity consider
1695
-    the tradeoff between choosing an efficient circuit and choosing a random
1696
-    circuit. Look at Stephen Rollyson's <a
1697
-    href="http://swiki.cc.gatech.edu:8080/ugResearch/uploads/7/ImprovingTor.pdf">position
1698
-    paper</a> on how to discard particularly slow choices without hurting
1699
-    anonymity "too much". This line of reasoning needs more work and more
1700
-    thinking, but it looks very promising.</li>
1701
-    <li>Tor doesn't work very well when relays have asymmetric bandwidth
1702
-    (e.g. cable or DSL). Because Tor has separate TCP connections between
1703
-    each hop, if the incoming bytes are arriving just fine and the outgoing
1704
-    bytes are all getting dropped on the floor, the TCP push-back mechanisms
1705
-    don't really transmit this information back to the incoming streams.
1706
-    Perhaps Tor should detect when it's dropping a lot of outgoing packets,
1707
-    and rate-limit incoming streams to regulate this itself? I can imagine
1708
-    a build-up and drop-off scheme where we pick a conservative rate-limit,
1709
-    slowly increase it until we get lost packets, back off, repeat. We
1710
-    need somebody who's good with networks to simulate this and help design
1711
-    solutions; and/or we need to understand the extent of the performance
1712
-    degradation, and use this as motivation to reconsider UDP transport.</li>
1713
-    <li>A related topic is congestion control. Is our
1714
-    current design sufficient once we have heavy use? Maybe
1715
-    we should experiment with variable-sized windows rather
1716
-    than fixed-size windows? That seemed to go well in an <a
1717
-    href="http://www.psc.edu/index.php/hpn-ssh/638">ssh
1718
-    throughput experiment</a>. We'll need to measure and tweak, and maybe
1719
-    overhaul if the results are good.</li>
1720
-    <li>Our censorship-resistance goals include preventing
1721
-    an attacker who's looking at Tor traffic on the wire from <a
1722
-    href="<svnprojects>design-paper/blocking.html#sec:network-fingerprint">distinguishing
1723
-    it from normal SSL traffic</a>. Obviously we can't achieve perfect
1724
-    steganography and still remain usable, but for a first step we'd like to
1725
-    block any attacks that can win by observing only a few packets. One of
1726
-    the remaining attacks we haven't examined much is that Tor cells are 512
1727
-    bytes, so the traffic on the wire may well be a multiple of 512 bytes.
1728
-    How much does the batching and overhead in TLS records blur this on the
1729
-    wire? Do different buffer flushing strategies in Tor affect this? Could
1730
-    a bit of padding help a lot, or is this an attack we must accept?</li>
1731
-    <li>Tor circuits are built one hop at a time, so in theory we have the
1732
-    ability to make some streams exit from the second hop, some from the
1733
-    third, and so on. This seems nice because it breaks up the set of exiting
1734
-    streams that a given relay can see. But if we want each stream to be safe,
1735
-    the "shortest" path should be at least 3 hops long by our current logic, so
1736
-    the rest will be even longer. We need to examine this performance / security
1737
-    tradeoff.</li>
1738
-    <li>It's not that hard to DoS Tor relays or directory authorities. Are client
1739
-    puzzles the right answer? What other practical approaches are there? Bonus
1740
-    if they're backward-compatible with the current Tor protocol.</li>
1741
-    <li>Programs like <a
1742
-    href="<page docs/torbutton/index>">Torbutton</a> aim to hide
1743
-    your browser's UserAgent string by replacing it with a uniform answer for
1744
-    every Tor user. That way the attacker can't splinter Tor's anonymity set
1745
-    by looking at that header. It tries to pick a string that is commonly used
1746
-    by non-Tor users too, so it doesn't stand out. Question one: how badly
1747
-    do we hurt ourselves by periodically updating the version of Firefox
1748
-    that Torbutton claims to be? If we update it too often, we splinter the
1749
-    anonymity sets ourselves. If we don't update it often enough, then all the
1750
-    Tor users stand out because they claim to be running a quite old version
1751
-    of Firefox. The answer here probably depends on the Firefox versions seen
1752
-    in the wild. Question two: periodically people ask us to cycle through N
1753
-    UserAgent strings rather than stick with one. Does this approach help,
1754
-    hurt, or not matter? Consider: cookies and recognizing Torbutton users
1755
-    by their rotating UserAgents; malicious websites who only attack certain
1756
-    browsers; and whether the answers to question one impact this answer.
1757
-    </li>
1758
-    <li>How many bridge relays do you need to know to maintain
1759
-    reachability? We should measure the churn in our bridges. If there is
1760
-    lots of churn, are there ways to keep bridge users more likely to stay
1761
-    connected?
1762
-    </li>
1763
-    </ol>
1764
-
1765
-    <p>
1766
-    <a href="<page about/contact>">Let us know</a> if you've made progress on any
1767
-    of these!
1768
-    </p>
1769 1559
   </div>
1770 1560
   <!-- END MAINCOL -->
1771 1561
   <div id = "sidecol">
1772 1562