Mike Perry commited on 2008-03-11 08:10:26
Zeige 1 geänderte Dateien mit 122 Einfügungen und 11 Löschungen.
... | ... |
@@ -436,18 +436,129 @@ also requires a lot of coding. |
436 | 436 |
</li> |
437 | 437 |
|
438 | 438 |
<li> |
439 |
-<b>TorFlow improvements</b> |
|
440 |
-<br /> |
|
441 |
-Help Mike Perry on his <a |
|
442 |
-href="https://www.torproject.org/svn/torflow/">TorFlow</a> |
|
443 |
-library (<a href="https://www.torproject.org/svn/torflow/TODO">TODO</a>): |
|
444 |
-it's a python library that uses the <a |
|
445 |
-href="https://www.torproject.org/svn/torctl/doc/howto.txt">Tor controller |
|
446 |
-protocol</a> to instruct Tor to build circuits in a variety of ways, |
|
447 |
-and then it measures performance and tries to detect anomalies. |
|
448 |
-Help detect bad relays and automatically get that |
|
449 |
-info to the directory authorities for realtime blacklisting. |
|
439 |
+<b>Tor Exit Scanner Improvements</b> |
|
440 |
+<br /> |
|
441 |
+Priority: <i>High</i> |
|
442 |
+<br /> |
|
443 |
+Effort Level: <i>High</i> |
|
444 |
+<br /> |
|
445 |
+Likely Mentors: <i>Mike Perry</i> |
|
446 |
+ |
|
447 |
+<br /> |
|
448 |
+The Tor exit node scanner 'SoaT', part of the <a |
|
449 |
+href="https://www.torproject.org/svn/torflow/">Torflow project</a>, is |
|
450 |
+currently written in rather rickety perl and relies on MD5sums of |
|
451 |
+entire documents in order to determine if exit nodes are modifying |
|
452 |
+content. The problem with this is threefold: 1) Perl sucks at life. |
|
453 |
+2) The scanner can't verify pages that are dynamic, and attackers can |
|
454 |
+focus malicious content injection on only those dynamic pages. 3) |
|
455 |
+Pages change after a while (or based on GeoIP) and begin generating |
|
456 |
+false positives. |
|
457 |
+<br /> |
|
458 |
+Ideally, soat.pl would be reimplemented in a sane language with a |
|
459 |
+robust html parser library (since the rest of Torflow is in Python, |
|
460 |
+that would be nice, but not required), and calculate signatures only for |
|
461 |
+tags and content likely to be targeted by a malicious attacker (script |
|
462 |
+tags, object links, images). It should also be robust in the face of |
|
463 |
+changes to content outside of Tor, and ultimately even GeoIP localized |
|
464 |
+content. |
|
465 |
+<br /> |
|
466 |
+This scanner would likely be run by the directory authorities and |
|
467 |
+report its results to the control port via the AuthDirBadExit config |
|
468 |
+setting. |
|
469 |
+<br /> |
|
470 |
+</li> |
|
471 |
+<li> |
|
472 |
+<b>Tor Node Scanner Improvements</b> |
|
473 |
+<br /> |
|
474 |
+Priority: <i>High</i> |
|
475 |
+<br /> |
|
476 |
+Effort Level: <i>Medium-High</i> |
|
477 |
+<br /> |
|
478 |
+Likely Mentors: <i>Mike Perry</i> |
|
479 |
+<br /> |
|
480 |
+Similar to the exit scanner (or perhaps even during exit scanning), |
|
481 |
+statistics can be gathered about the reliability of nodes. Nodes that |
|
482 |
+fail a certain percentage of their circuits should not be used for |
|
483 |
+Guard status, and perhaps should have their reported bandwidth |
|
484 |
+penalized by some ratio as well, or just get marked as Invalid. In |
|
485 |
+addition, nodes that exhibit a very low average stream capacity but |
|
486 |
+advertise a very high node bandwidth can also be marked as Invalid. |
|
487 |
+Much of this statistics gathering is already done, it just needs to be |
|
488 |
+transformed into something that can be reported to the Directory |
|
489 |
+Authorities to blacklist/penalize nodes in such a way that clients |
|
490 |
+will listen. |
|
491 |
+<br /> |
|
492 |
+In addition, these same statistics can be gathered about the traffic |
|
493 |
+through a node. Events can be added to the <a |
|
494 |
+href="https://www.torproject.org/svn/torctl/doc/howto.txt">Tor Control |
|
495 |
+Protocol</a> to |
|
496 |
+report if a circuit extend through the node succeeds or fails, and |
|
497 |
+passive statistics can be gathered on both bandwidth and reliability |
|
498 |
+of other nodes via a node-based monitor using these events. Such a |
|
499 |
+scanner which would also report information on oddly-behaving nodes to |
|
500 |
+the Directory Authorities, but a communication channel for this |
|
501 |
+currently does not exist and would need to be developed as well. |
|
502 |
+</li> |
|
503 |
+<li> |
|
504 |
+<b>Tor path selection improvements</b> |
|
505 |
+<br /> |
|
506 |
+Priority: <i>High</i> |
|
507 |
+<br /> |
|
508 |
+Effort Level: <i>Low-Medium</i> |
|
509 |
+<br /> |
|
510 |
+Likely Mentors: <i>Mike Perry</i> |
|
511 |
+<br /> |
|
512 |
+Some simple improvements can be made to Tor's path selection to vastly |
|
513 |
+improve Tor speed. For instance, some of the (unofficial) <a |
|
514 |
+href="http://wiki.noreply.org/noreply/TheOnionRouter/FireFoxTorPerf">Tor |
|
515 |
+Performance Recommendations</a> on the wiki are to increase the number of |
|
516 |
+guards and decrease the CircuitBuildTimeout. Ideally, the client would |
|
517 |
+learn these values by gathering statistics on circuit construction |
|
518 |
+time (and/or using values gained from Torflow), and set the timeouts |
|
519 |
+low enough such that some high percentile (75%, 90%, 1-stddev?) of |
|
520 |
+circuits succeed, yet extremely slow nodes are avoided. This would |
|
521 |
+involve some statistics gathering+basic research, and some changes to |
|
522 |
+Tor path selection code. |
|
523 |
+<br /> |
|
524 |
+ |
|
525 |
+In addition, to improve path security, some elements from the <a |
|
526 |
+href="http://www.torproject.org/svn/trunk/doc/spec/proposals/115-two-hop-paths.txt">Two |
|
527 |
+Hop Paths proposal</a> could be done as part of this (since it will |
|
528 |
+likely touch the same code anyways), regardless of the adoption of |
|
529 |
+thatproposal. In particular, clients probably should avoid guards thatseem to |
|
530 |
+fail an excessive percentage of their circuits through them, and non-bridged |
|
531 |
+clients should issue a warn if they are only able toconnect to a limited set |
|
532 |
+of guard nodes. |
|
533 |
+ |
|
534 |
+</li> |
|
535 |
+<li> |
|
536 |
+<b>Torbutton improvements</b> |
|
537 |
+<br /> |
|
538 |
+Priority: <i>Low</i> |
|
539 |
+<br /> |
|
540 |
+Effort Level: <i>Medium-High</i> |
|
541 |
+<br /> |
|
542 |
+Likely Mentors: <i>Mike Perry</i> |
|
543 |
+<br/> |
|
544 |
+ |
|
545 |
+Torbutton has a number of improvements that can be made in the post-1.2 |
|
546 |
+timeframe. Most of these are documented as feature requests in the <a |
|
547 |
+href="https://bugs.torproject.org/flyspray/index.php?tasks=all&project=5">Torbutton |
|
548 |
+flyspray section</a>. Good examples include: stripping off node.exit on http |
|
549 |
+headers, more fine-grained control over formfill blocking, improved referrer |
|
550 |
+spoofing based on the domain of the site (a-la refspoof extension), tighter |
|
551 |
+integration with Vidalia for reporting Tor status, a New Identity button with |
|
552 |
+Tor integration and multiple identity management, and anything else you might |
|
553 |
+think of. |
|
450 | 554 |
|
555 |
+<br /> |
|
556 |
+ |
|
557 |
+This work would be independent coding in Javascript and the fun world of <a |
|
558 |
+href="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">XUL</a>, |
|
559 |
+with not too much involvement in the Tor internals. |
|
560 |
+ |
|
561 |
+</li> |
|
451 | 562 |
<li> |
452 | 563 |
<b>Help track the overall Tor Network status</b> |
453 | 564 |
Torstatus. Set up an automated system for tracking network health |
454 | 565 |