mirror of
https://github.com/torproject/torspec.git
synced 2024-12-13 21:48:45 +00:00
556 lines
23 KiB
Plaintext
556 lines
23 KiB
Plaintext
[Last updated 9 Sep 2015]
|
|
|
|
This is an update to the Tor proposal status overview. I last sent one
|
|
of these out almost a year ago; since 0.2.6 has entered feature freeze,
|
|
I really ought to do this regularly again.
|
|
|
|
Future versions of this document will be maintained in the torspec
|
|
repository as "proposals/proposal-status.txt". I'll still send them
|
|
to tor-dev periodically.
|
|
|
|
If you're looking for something to review, think about, or comment
|
|
on:
|
|
|
|
Review 219 if you're a DNS geek, or you'd like Tor to work
|
|
better with more DNS types.
|
|
|
|
Review 220 (ed25519 identity keys) and 228
|
|
(cross-certification) if you like designing signature things,
|
|
if you have good ideas about future-proofing key type
|
|
migration, or if you care about making Tor servers' identity
|
|
keys stronger.
|
|
|
|
Review 223 (ACE handshake) if you're a cryptographer, or a
|
|
cryptography implementer, and you'd like an even faster
|
|
replacement for the ntor handshake.
|
|
|
|
Review 224 if you want to look through a big, complex protocol
|
|
with a lot of pieces. Also review it if you care about hidden
|
|
services and making them better.
|
|
|
|
Review 226 if you're interested in bridgedb development.
|
|
|
|
Review 241 for a big chance at making Tor clients and hidden services
|
|
more secure.
|
|
|
|
Review something else if you want to take a possibly good idea
|
|
that needs more momentum and promote it, fix it up, or finally
|
|
kill it off.
|
|
|
|
I note in passing that many of the proposals below seem stalled,
|
|
perhaps permanently: some because we don't know how to answer their
|
|
open questions, others because we're not sure if they're a good
|
|
idea, others because they don't seem implementable yet. Is that the
|
|
best way to characterize it? Should we have a new "stalled"
|
|
proposal status or something? Should we have a
|
|
"rejected-pending-revision" status that we use effectively for
|
|
everything that doesn't seem likely to get revised or implemented
|
|
any time soon? Other suggestions would be welcome.
|
|
|
|
Finally: if you've sent something to tor-dev or to me that should
|
|
have a proposal number, but doesn't have one yet, please ping me
|
|
again to remind me!
|
|
|
|
**NOTE**: The dates after each paragraph indicate when I last
|
|
revised the paragraph.
|
|
|
|
|
|
140 Provide diffs between consensuses [ACCEPTED]
|
|
|
|
This proposal describes a way to transmit less directory
|
|
traffic by sending only differences between consensuses, rather
|
|
than the consensuses themselves. Daniel Marti implemented this for his
|
|
GSoC project last summer; it is still under revision and on target
|
|
for merge into 0.2.8. (See ticket #13339) (9/2015)
|
|
|
|
156 Tracking blocked ports on the client side
|
|
|
|
This proposal provides a way for clients to learn which ports
|
|
they are (and aren't) able to connect to, and connect to the
|
|
ones that work. It comes with a patch, too. It also lets
|
|
routers track ports that _they_ can't connect to.
|
|
|
|
I'm a little unconvinced that this will help a great deal: most
|
|
clients that have some ports blocked will need bridges, not
|
|
just restriction to a smaller set of ports. This could be good
|
|
behind restrictive firewalls, though.
|
|
|
|
The router-side part is a little iffy: routers that can't
|
|
connect to each other violate one of our network topology
|
|
assumptions, and even if we do want to track failed
|
|
router->router connections, the routers need to be sure that
|
|
they aren't fooled into trying to connect repeatedly to a
|
|
series of nonexistent addresses in an attempt to make them
|
|
believe that (say) they can't reach port 443.
|
|
|
|
This one is a paradigmatic "open" proposal: it needs more
|
|
discussion. The patch probably also needs to be ported to
|
|
0.2.3.x; it touches some code that has changed.
|
|
|
|
This is likely also to be relevant for the ideas of proposal 241,
|
|
and maybe superseded by some version of that proposal. (2/2015)
|
|
|
|
164 Reporting the status of server votes
|
|
|
|
This proposal explains a way for authorities to provide a
|
|
slightly more verbose document that relay operators can use to
|
|
diagnose reasons that their router was or was not listed in the
|
|
consensus. These documents would be like slightly more verbose
|
|
versions of the authorities' votes, and would explain *why* the
|
|
authority voted as it did. It wouldn't be too hard to
|
|
implement, and would be a fine project for somebody who wants
|
|
to get to know the directory code. (5/2011)
|
|
|
|
165 Easy migration for voting authority sets
|
|
|
|
This is a design for how to change the set of authorities without
|
|
having a flag day where the authority operators all reconfigure
|
|
their authorities at once. It needs more discussion. One
|
|
difficulty here is that we aren't talking much about changing the
|
|
set of authorities, but that may be a chicken-and-egg issue, since
|
|
changing the set is so onerous.
|
|
|
|
If anybody is interested, it would be great to move the discussion
|
|
ahead here. (5/2011)
|
|
|
|
168 Reduce default circuit window
|
|
|
|
This proposal reduces the default window for circuit sendme
|
|
cells. I think it's implemented (or mostly implemented) in
|
|
0.2.1.20? If so, we should make sure that tor-spec.txt is
|
|
updated and close it. (11/2013)
|
|
|
|
Should update Tor-spec, should close this. (9/2015)
|
|
|
|
Actually, wait, did we ever implement this? Ugh. (9/2015)
|
|
|
|
172 GETINFO controller option for circuit information [accepted]
|
|
173 GETINFO Option Expansion [accepted]
|
|
|
|
These would help controllers (particularly arm) provide more
|
|
useful information about a running Tor process. They're
|
|
accepted and some parts of 173 are even implemented: somebody
|
|
just needs to implement the rest. (5/2011)
|
|
|
|
177 Abstaining from votes on individual flags
|
|
|
|
Here's my proposal for letting authorities have opinions about some
|
|
(flag,router) combinations without voting on whether _every_ router
|
|
should have that flag. It's simple, and I think it's basically
|
|
right. With more discussion and review, somebody could/should
|
|
build it, I think. (11/2013)
|
|
|
|
182 Credit Bucket
|
|
|
|
This proposal suggests an alternative approach to our current
|
|
token-bucket based rate-limiting, that promises better
|
|
performance, less buffering insanity, and a possible end to
|
|
double-gating issues. (6/2012)
|
|
|
|
188 Bridge Guards and other anti-enumeration defenses
|
|
|
|
This proposal suggests some ways to make it harder for a relay
|
|
on the Tor network to enumerate a list of Tor bridges. Worth
|
|
investigating and possibly implementing. (6/2012)
|
|
189 AUTHORIZE and AUTHORIZED cells
|
|
190 Bridge Client Authorization Based on a Shared Secret [NEEDS-REVISION]
|
|
191 Bridge Detection Resistance against MITM-capable Adversaries
|
|
|
|
Proposal 187 reserved the AUTHORIZE cell type; these
|
|
proposals suggests how it could work to try to make it
|
|
harder to probe for Tor bridges. They need more alternatives
|
|
and attention, and possibly some revision and analysis.
|
|
Number 190 needs revision, since its protocol isn't actually
|
|
so great. (11/2013)
|
|
|
|
Mark as RESERVE? (9/2015)
|
|
|
|
192 Automatically retrieve and store information about bridges
|
|
|
|
This proposal gives an enhancement to the bridge information
|
|
protocol, where clients remember more things about bridges, and
|
|
are able to update what they know about them over time. Could
|
|
help a lot with bridge churn. (6/2012)
|
|
|
|
Mark as RESERVE? Do we still even want this? (9/2015)
|
|
|
|
195 TLS certificate normalization for Tor 0.2.4.x
|
|
|
|
Here's the followup to proposal 179, containing all the parts
|
|
of proposal 179 that didn't get built, and a couple of other
|
|
tricks besides to try to make Tor's default protocol less
|
|
detectable. I'm pretty psyched about the part where we let
|
|
relays drop in any any self-signed or CA-issued certificate
|
|
that they like. Some of this is done in ticket #7145;
|
|
we should decide, however, how much we want to push towards
|
|
normalizing the main Tor protocol. Some of the NSA documents
|
|
published in Der Spiegel this past December imply that this kind of
|
|
fingerprinting can be helpful for snoops; we should take another
|
|
look at it. (2/2015)
|
|
|
|
I think we should take a pass over this, pick the parts we still
|
|
think are relevant, and call them ACCEPTED. (9/2015)
|
|
|
|
---
|
|
201 Make bridges report statistics on daily v3 network status requests
|
|
|
|
Here's a proposal for bridges to better estimate the number of
|
|
bridge users. (6/2012)
|
|
|
|
202 Two improved relay encryption protocols for Tor cells
|
|
|
|
Here's a sketch of the two broad classes of alternatives for
|
|
improving how relay encryption works. Right now, progress on this
|
|
proposal is stalled waiting for the ideal wide-block construction
|
|
to come along the line. AEZ seems like it might be close to what
|
|
we need. Other cryptographers are also looking at designs that
|
|
might be a good match. (9/2015)
|
|
|
|
203 Avoiding censorship by impersonating an HTTPS server
|
|
|
|
This one is a design for making a bridge that acts like an
|
|
HTTPS server (by *being* an HTTPS server) until the user
|
|
proves they know it's a bridge. (11/2013)
|
|
|
|
Didn't we do something like this? (9/2015)
|
|
|
|
209 Tuning the Parameters for the Path Bias Defense
|
|
|
|
In this proposal, Mike discusses alternative parameters for
|
|
getting better result out of the path-bias-attack detection
|
|
code. (11/2013)
|
|
|
|
210 Faster Headless Consensus Bootstrapping
|
|
|
|
This proposal suggests that we get our initial consensus by
|
|
launching multiple connections in parallel, and fetching the
|
|
consensus from whichever one completes. In my opinion, that
|
|
would be a fine idea when we're fetching our initial
|
|
consensus from non-Authority DirSources, but we shouldnt' do
|
|
anything to increase the load on authorities. (11/2013)
|
|
|
|
This needs an update; it's a pretty good idea, and Mike and Roger
|
|
like it. It goes will with FallbackDirSource stuff. (9/2015)
|
|
|
|
212 Increase Acceptable Consensus Age
|
|
|
|
This proposal suggests that we increase the maximum age of a
|
|
consensus that clients are willing to use when they can't
|
|
find a new one, in order to make the network robust for
|
|
longer against a failure to reach consensus. In my
|
|
opinion, we should do that. If I recall correctly, there
|
|
was some tor-dev discussion on this one that should get
|
|
incorporated into a final, implementable version. (11/2013)
|
|
|
|
Mark as ACCEPTED? Needs another review first! (9/2015)
|
|
|
|
219 Support for full DNS and DNSSEC resolution in Tor
|
|
|
|
Here's a design to allow Tor to support a full range of DNS
|
|
request types. It probably isn't adequate on its to make
|
|
DNSSEC work realistically, since naive DNSSEC requires many
|
|
round trips that wouldn't be practical over Tor. It has a
|
|
ton of inline discussion that needs to get resolved before
|
|
this is buildable.
|
|
|
|
One thing to consider here is whether we can get the server-side
|
|
done with reasonable confidence, and figure out the client side
|
|
once more servers have upgraded. (12/2013)
|
|
|
|
224 Next-Generation Hidden Services in Tor
|
|
|
|
This proposal outlines a more or less completely revised version
|
|
of the Tor hidden services protocol, improved to accomodate
|
|
better cryptography, better scalability, and defenses for
|
|
several attacks we'd never considered when we did the original
|
|
design.
|
|
|
|
Some parts of this one are clearly right; some (like
|
|
scalability) are entirely unwritten. This proposal needs a lot
|
|
of attention and improvements to get it done right. I hope to
|
|
implement this over the course of 2015-2016. (2/2015)
|
|
|
|
226 Scalability and Stability Improvements to BridgeDB:
|
|
Switching to a Distributed Database System and RDBMS
|
|
|
|
This one outlines design and behavior changes for a seriously
|
|
refactored bridgedb. (2/2014)
|
|
|
|
I should find out if Isis has a status update for this. (9/2015)
|
|
|
|
229 Further SOCKS5 extensions
|
|
|
|
Here's a nice idea for how we can support a new SOCKS5 protocol
|
|
extension to relay information between clients and Tor, and
|
|
between Tor and pluggable transports, more effectively. It
|
|
also adds some additional SOCKS5 error codes. There are some
|
|
open questions to answer. "Trunnel" has an implementation of
|
|
the protocol extension formats in its examples directory. (2/2015)
|
|
|
|
230 How to change RSA1024 relay identity keys [DRAFT]
|
|
231 Migrating authority RSA1024 identity keys [DRAFT]
|
|
|
|
Who remembers the OpenSSL "Heartbleed" vulnerability?
|
|
These proposals I wrote try to explain safer mechanisms for a bunch
|
|
of servers to migrate their RSA1024 identity keys at once. I'm not
|
|
sure we'll be able to build thee, though: implementating proposal
|
|
220 above seems cleverer to me. (2/2015)
|
|
|
|
Proposal 220 is in progress, and will retroactively SUPERSEDE this
|
|
one. (9/2015)
|
|
|
|
232 Pluggable Transport through SOCKS proxy [OPEN]
|
|
|
|
Arturo Filastò wrote this proposal for chaining pluggable
|
|
transports which themselves need to go through proxies. Seems
|
|
potentially useful! (2/2015)
|
|
|
|
233 Making Tor2Web mode faster [OPEN]
|
|
|
|
This one by Virgil, Fabio, and Giovanni describes a couple of ways
|
|
that Tor2Web builds of Tor can save some circuit hops that they use
|
|
today. Potentially useful for Tor2Web; any implementation needs to
|
|
be sure that it never changes the behavior of non-tor2web clients.
|
|
(2/2015)
|
|
|
|
234 Adding remittance field to directory specification [OPEN]
|
|
|
|
Virgil, Leif, and Rob added this proposal for relays to specify
|
|
payment addresses for schemes that want to compensate relay
|
|
operators for their use of bandwidth. (2/2015)
|
|
|
|
235 Stop assigning (and eventually supporting) the Named flag [DRAFT]
|
|
|
|
This proposal is about removing the Named flag. (Thanks to
|
|
Sebastian Hahn for writing it!) The rationale is that the naming
|
|
system for relays never worked particularly well, and it had
|
|
strange and hard-to-explain security properties. We've implemented
|
|
the key part of this already: directory authorities don't assign
|
|
the Named flag any longer. Next up will be removing client support
|
|
for parsing and understanding it. (2/2015)
|
|
|
|
236 The move to a single guard node [OPEN]
|
|
|
|
This proposal suggests that to limit client fingerprinting, and to
|
|
limit opportunities for attacks, clients should use a single guard
|
|
node, rotated infrequently. This transition is in progress; we use
|
|
a single guard node for circuit traffic now, but in order to make
|
|
guards more long-lived, we need to adjust how they are chosen.
|
|
George has a patch for that as #9321, targetting inclusion into
|
|
0.2.6. (Thanks to George Kadianakis and Nicholas Hopper for
|
|
writing this one.) (2/2015)
|
|
|
|
237 All relays are directory servers [OPEN]
|
|
|
|
Matthew Finkel wrote this proposal to describe a transition to a
|
|
world where Tor relays can be directory servers without having an
|
|
open DirPort -- and eventually, where every relay can be a
|
|
DirServer. He has an implementation, possibly for 0.2.6 or 0.2.7,
|
|
in ticket #12538. (2/2015)
|
|
|
|
Compare to proposal 185; it may supersede that one. Review again
|
|
and mark as accepted maybe? (9/2015)
|
|
|
|
239 Consensus Hash Chaining [DRAFT]
|
|
|
|
Here's the start of a good idea that Andrea Shepard wrote up (with
|
|
some help from Nick). The idea is to make it hard even for a set
|
|
of corrupt authorities (or authority-key-thieves) to make a
|
|
personalized false consensus for a target user, by authenticating
|
|
the whole sequence as a hash chain. Others on tor-dev suggested
|
|
improvements and had good questions (thanks, Leif and Sebastian G!)
|
|
(2/2015)
|
|
|
|
Needs revisions while we still remember what those revisions are.
|
|
(9/2015)
|
|
|
|
240 Early signing key revocation for directory authorities [DRAFT]
|
|
|
|
This one is another Andrea+Nick collaboration about certificate
|
|
revocation for our most sensitive keys. If an authority key needs
|
|
to be replaced, it would be great to take the old one out of
|
|
circulation as fast as possible. Peter Palfrader on tor-dev had
|
|
some ideas for making this better. (2/2015)
|
|
|
|
Needs revisions while we still remember what those revisions are.
|
|
(9/2015)
|
|
|
|
242 Better performance and usability for the MyFamily option [OPEN]
|
|
|
|
Describes a mechanism for using a new ed25519 signature type to
|
|
reduce the complexity of adding nodes to a family and the size of
|
|
family lines. (9/2015)
|
|
|
|
245 Deprecating and removing the TAP circuit extension protocol [DRAFT]
|
|
|
|
Explains a migration path for finally removing all support for the
|
|
TAP circuit extension protocol over several Tor versions. (9/2015)
|
|
|
|
246 Merging Hidden Service Directories and Introduction Points [OPEN]
|
|
|
|
XXXX
|
|
|
|
247 Defending Against Guard Discovery Attacks using Vanguards [DRAFT]
|
|
|
|
XXXX
|
|
|
|
248 Remove all RSA identity keys [DRAFT]
|
|
|
|
Explains a migration path for removing RSA1024 identity keys in the
|
|
future, once all Tor instances support Ed25519 identity
|
|
keys. (9/2015)
|
|
|
|
249 Allow CREATE cells with >505 bytes of handshake data [DRAFT]
|
|
|
|
Explains how to split CREATE cells (and other stuff) across
|
|
multiple RELAY_EXTEND cells. This one will be helpful if we want
|
|
to add support for some kind of circuit extension protocol
|
|
containing a postquantum forward-secure handshake, like ntru or
|
|
ring-lwe. (9/2015)
|
|
|
|
250 Random Number Generation During Tor Voting [DRAFT]
|
|
|
|
Describes a commit-and-reveal protocol for creating shared
|
|
randomness among the authorities during the voting process. Required
|
|
for a few other proposals, such as 224. (9/2015)
|
|
|
|
251 Padding for netflow record resolution reduction [DRAFT]
|
|
|
|
Proposes a periodic "keepalive-like" packet be sent over quiet Tor
|
|
connections, so that incidental netflow record collection in
|
|
default router configurations reveals less about when flows begin
|
|
and end.
|
|
|
|
252 Single Onion Services [DRAFT]
|
|
|
|
XXXX
|
|
|
|
253 Out of Band Circuit HMACs [DRAFT]
|
|
|
|
Allows participating nodes to authenticate the whole contents of a
|
|
circuit point-to-point so as to better resist or detect some kinds
|
|
of tagging attacks. (9/2015)
|
|
|
|
254 Padding Negotiation [DRAFT]
|
|
|
|
Describes general mechanisms and new cells/commands for requesting
|
|
various types of padding between clients and relays, for use in defending
|
|
against both website traffic fingerprinting as well as hidden service
|
|
circuit setup fingerprinting. (9/2015)
|
|
|
|
255 Controller features to allow for load-balancing hidden services [DRAFT]
|
|
|
|
Specifies a technique to improve the scalability of hidden services by
|
|
decoupling the introduction and rendezvous functionality so that they can
|
|
be performed in separate physical machines.
|
|
|
|
256 Key revocation for relays and authorities [OPEN]
|
|
|
|
Specifies how directory authorities and relays can revoke compromised
|
|
long-term identity keys.
|
|
|
|
257 Refactoring authorities and making them more isolated from the net [META]
|
|
|
|
Describes a strategy for making directory authorities less vulnerable to
|
|
DoS by reducing their exposure to the network.
|
|
|
|
258 Denial-of-service resistance for directory authorities [ACCEPTED]
|
|
|
|
Describes heuristics that directory authorities can deploy to reduce the
|
|
threat of DoS due to large directory connection volumes.
|
|
|
|
259 New Guard Selection Behaviour [OBSOLETE]
|
|
|
|
Specifies an improved guard-picking algorithm that is capable of defending
|
|
against targetted attacks. The proposal has since been obsoleted by
|
|
proposal 271.
|
|
|
|
260 Rendezvous Single Onion Services [FINISHED]
|
|
|
|
Specifies a performance optimization for hidden service that do not care
|
|
about location anonymity, so that they build 1-hop circuits instead of
|
|
3-hop circuits to reduce communication latency.
|
|
|
|
261 AEZ for relay cryptography [OPEN]
|
|
|
|
Specifies a circuit encryption scheme that is resistant to tagging
|
|
end-to-end correlation attacks.
|
|
|
|
262 Re-keying live circuits with new cryptographic material [OPEN]
|
|
|
|
Specifies a way to rekey our circuit crypto so that we allow greater
|
|
amounts of encrypted data through them.
|
|
|
|
263 Request to change key exchange protocol for handshake v1.2 [OBSOLETE]
|
|
|
|
Specifies a quantum-safe key agreement algorithm for Tor circuits. The
|
|
proposal was supereceded by proposal 269.
|
|
|
|
264 Putting version numbers on the Tor subprotocols [CLOSED]
|
|
|
|
Specifies a way for relays to do versioning using their descriptors. In
|
|
the past we used the Tor version string for versioning, which is not an
|
|
elegant approach.
|
|
|
|
265 Load Balancing with Overhead Parameters [ACCEPTED]
|
|
|
|
The proposal provides new load balancing equations for Tor which are
|
|
capable of taking into account non-standard traffic like padding or
|
|
directory and hidden service traffic.
|
|
|
|
266 Removing current obsolete clients from the Tor network [DRAFT]
|
|
|
|
Specifies ways to disable outdated and insecure Tor clients.
|
|
|
|
267 Tor Consensus Transparency [DRAFT]
|
|
|
|
Specifies how to apply the certificate transparency approach of TLS to Tor
|
|
consensus and vote documents, in an attempt to make attacks more easily
|
|
detectable.
|
|
|
|
268 New Guard Selection Behaviour [DRAFT]
|
|
|
|
Specifies an improved guard-picking algorithm that is capable of defending
|
|
against targetted attacks. The proposal has since been obsoleted by
|
|
proposal 271.
|
|
|
|
269 Transitionally secure hybrid handshakes [DRAFT]
|
|
|
|
Describes a generalised protocol for composing X25519 key exchanges with
|
|
post-quantum ones.
|
|
|
|
270 RebelAlliance: A Post-Quantum Secure Hybrid Handshake Based on NewHope [DRAFT]
|
|
|
|
Describes a hybrid handshake based on the ntor handshake and the
|
|
NewHope post-quantum key exchange. Currently needs revision to
|
|
specify how this proposal depends upon prop#269.
|
|
|
|
271 Another algorithm for guard selection [OPEN]
|
|
|
|
Specifies an improved guard-picking algorithm that is capable of defending
|
|
against targetted attacks.
|
|
|
|
272 Listed routers should be Valid, Running, and treated as such [FINISHED]
|
|
|
|
This proposal describes a change in how clients understand consensus
|
|
flags, and how authorities vote on consensuses.
|
|
|
|
273 Exit relay pinning for web services [DRAFT]
|
|
|
|
The proposal specifies a scheme for websites to prevent additional
|
|
security against malicious exit nodes, by specifying their own set of exit
|
|
nodes.
|
|
|
|
279 A Name System API for Tor Onion Services [DRAFT]
|
|
|
|
The proposal specifies a modular system for integrating naming systems
|
|
(GNS, Namecoin, etc.) with Tor onion services.
|
|
|
|
294 TLS 1.3 Migration [DRAFT]
|
|
|
|
A work-in-progress draft proposal detailing the process of
|
|
migrating to TLS 1.3 (which is not yet finalised at the time of
|
|
this writing) and which parts of our current, more idiosyncratic,
|
|
uses of TLS can be removed.
|
|
|