A few things everyone can do now:

  1. Please consider running a relay to help the Tor network grow.
  2. Tell your friends! Get them to run relays. Get them to run hidden services. Get them to tell their friends.
  3. If you like Tor's goals, please take a moment to donate to support further Tor development. We're also looking for more sponsors — if you know any companies, NGOs, agencies, or other organizations that want anonymity / privacy / communications security, let them know about us.
  4. We're looking for more good examples of Tor users and Tor use cases. If you use Tor for a scenario or purpose not yet described on that page, and you're comfortable sharing it with us, we'd love to hear from you.


  1. Help translate the documentation into other languages. See the translation guidelines if you want to help out. We especially need Arabic or Farsi translations, for the many Tor users in censored areas.
  2. Evaluate and document our list of programs that can be configured to use Tor.
  3. We have a huge list of potentially useful programs that interface with Tor. Which ones are useful in which situations? Please help us test them out and document your results.


  1. Monitor some of our public mailing lists, like tor-talk, tor-relays, tor-dev, or tbb-dev, and summarize noteworthy exchanges into articles for Tor Weekly News.
  2. Create a presentation that can be used for various user group meetings around the world.
  3. Create a video about the positive uses of Tor, what Tor is, or how to use it. Some have already started on Tor's Media server, Howcast, and YouTube.
  4. Create a poster around a theme, such as "Tor for Freedom!"
  5. Create a t-shirt design that incorporates "Congratulations! You are using Tor!" in any language.
  6. Spread the word about Tor at a symposium or conference and use these Tor brochures in PDF and ODG format and translated to at least ten different languages as conversation starter.


Below are a list of Tor related projects we're developing and/or maintaining. Most discussions happen on IRC so if you're interested in any of these (or you have a project idea of your own), then please join us in #tor-dev. Don't be shy to ask questions, and don't hesitate to ask even if the main contributors aren't active at that moment.

For a presentation summarizing many of these projects see...

Name Category Language Activity Contributors
Tor Core C Heavy nickm, athena, arma
Tor Browser Bundle Javascript, XUL, Scripting Heavy mikeperry, Pearl Crescent
HTTPS Everywhere Browser Add-on Javascript Heavy pde, mikeperry
Nyx User Interface Python, Curses Light atagar
Orbot User Interface Java Moderage n8fr8
Tails OS image Sys Admin Heavy #tails
tor-ramdisk OS image Sys Admin Light blueness
Torsocks Usability C Light David Goulet
TorBirdy Browser Add-on JavaScript Light sukhe
Obfsproxy Client Add-on Python Light asn
Flash Proxy Client Add-on Python, JavaScript, Go Light dcf, infinity0, Arlo Breault
Shadow Simulator C, Python Heavy robgjansen
Chutney Simulator Python Light nickm
Stem Library Python Moderate atagar
Txtorcon Library Python, Twisted Light meejah
Tlsdate Utility C Light ioerror
Metrics Client Service Java Light karsten
Atlas Client Service JavaScript None
Globe Client Service JavaScript None
Compass Client Service Python None
Onionoo Backend Service Java Light karsten
ExitMap Backend Service Python Moderate phw
DocTor Backend Service Python None atagar
Weather Client Service Python None kaner
GetTor Client Service Python None kaner
TorCheck Client Service Go None Arlo
BridgeDB Backend Service Python Heavy isis
Ooni Probe Scanner Python Light hellais, aagbsn
TorPS Backend Service Python None Aaron Johnson
TorFlow Backend Service Python None aagbsn
*TorBEL Backend Service Python None Sebastian
Tor2web Client Service Python Light evilaliv3, hellais
Anonbib Website Python Light arma, nickm
* Project is still in an alpha state.

Tor (code, bug tracker)

Central project, providing the core software for using and participating in the Tor network. Numerous people contribute to the project to varying extents, but the chief architects are Nick Mathewson and Roger Dingledine.

Project Ideas:
Tor Codebase Cleanup
Improve test coverage in Tor
Have the Tor daemon use more cores
Help improve Tor hidden services
Improved DNS support for Tor

Tor Browser (code, bug tracker, design doc)

Tor Browser is an easy-to-use, portable package of Tor, HTTPS-Everywhere, NoScript, TorLauncher, Torbutton, and a Firefox fork, all preconfigured to work together out of the box. The modified copy of Firefox aims to resolve the privacy and security issues in mainline version.

HTTPS Everywhere (code, bug tracker)

HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure.

Nyx (code, bug tracker)

Nyx (previously arm) is a terminal status monitor for Tor intended for command-line aficionados, ssh connections, and anyone with a tty terminal. This works much like top does for system usage, providing real time statistics for bandwidth, resource usage, connections, and quite a bit more.

Orbot (code, bug tracker)

Provides Tor on the Android platform. The project is under active development, updates to latest Tor releases, and working to stay up to date with all changes in Android and mobile threats.

The Amnesic Incognito Live System (code, bug tracker, documentation, design, contribute)

The Amnesic Incognito Live System is a live CD/USB distribution preconfigured so that everything is safely routed through Tor and leaves no trace on the local system. This is a merger of the Amnesia and Incognito projects, and still under very active development.

Tor-ramdisk (code, documentation)

Tor-ramdisk is a uClibc-based micro Linux distribution whose sole purpose is to securely host a Tor server purely in RAM.

Torsocks (code, bug tracker)

Utility for adapting other applications to work with Tor. Development has slowed and compatibility issues remain with some platforms, but it's otherwise feature complete.

TorBirdy (code, bug tracker)

TorBirdy is Torbutton for Thunderbird and related Mozilla mail clients.

Project Ideas:
Make TorBirdy Better

Obfsproxy (code, bug tracker)

A proxy that shapes Tor traffic, making it harder for censors to detect and block Tor. This has both a C and python implementation.

Project Ideas:
Various coding tasks
Build Better Pluggable Transports

Flash Proxy (code, bug tracker)

Pluggable transport using proxies running in web browsers to defeat address-based blocking.

Chutney (code, bug tracker)

Integration test suite that spawns a local tor network, checking the interactions of its components.

Shadow (code, bug tracker)

Shadow is a discrete-event network simulator that runs the real Tor software as a plug-in. Shadow is open-source software that enables accurate, efficient, controlled, and repeatable Tor experimentation. For another simulator, see ExperimenTor.

Stem (code, bug tracker)

Python controller library for scripts and controller applications using Tor.

Project Ideas:
Txtorcon/Stem Integration
Relay Web Status Panel

Txtorcon (code, bug tracker)

Twisted-based asynchronous Tor control protocol implementation. Includes unit-tests, examples, state-tracking code and configuration abstraction. Used by OONI and APAF.

Project Ideas:
Txtorcon/Stem Integration

Tlsdate (code)

tlsdate: secure parasitic rdate replacement

tlsdate sets the local clock by securely connecting with TLS to remote servers and extracting the remote time out of the secure handshake. Unlike ntpdate, tlsdate uses TCP, for instance connecting to a remote HTTPS or TLS enabled service, and provides some protection against adversaries that try to feed you malicious time information.

Metrics (code: db, utils, web)

Processing and analytics of consensus data, provided to users via the metrics portal. This has been under active development for several years by Karsten Loesing. See also TorPerf.

Atlas (code)

Atlas is a web application to discover Tor relays and bridges. It provides useful information on how relays are configured along with graphics about their past usage.

This is the spiritual successor to TorStatus, the original codebase for which was written in PHP, and rewritten by students from Wesleyan as Django.

Globe (code, bug tracker)

Globe is a web application that allows you to search for Tor relays and bridges. It gives you a detailed overview of properties and configurations of a relay or bridge.

Compass (code, bug tracker)

Compass is a web and command line application that filters and aggregates the Tor relays based on various attributes.

Onionoo (code, bug tracker)

Onionoo is a JSON based protocol to learn information about currently running Tor relays and bridges.

ExitMap (code, bug tracker)

Scanner for the Tor network by Philipp Winter to detect malicious and misconfigured exits. For more information about how it works see his Spoiled Onions research paper.

DocTor (code, bug tracker)

DocTor is a notification service that monitors newly published descriptor information for issues. This is primarily a service to help the tor directory authority operators, but it also checks for a handful of other issues like sybil attacks.

Weather (code, bug tracker)

Provides automatic notification to subscribed relay operators when their relay's unreachable. This underwent a rewrite by the Wesleyan HFOSS team, which went live in early 2011.

GetTor (code, bug tracker)

E-mail autoresponder providing Tor's packages over SMTP. This has been relatively unchanged for quite a while.

TorCheck (code, bug tracker)

Site for determining if the visitor is using Tor or not.

BridgeDB (code, bug tracker)

Backend bridge distributor, handling the various pools they're distributed in. This was actively developed until Fall of 2010.

Ooni Probe (code, bug tracker)

Censorship scanner, checking your local connection for blocked or modified content.

Project Ideas:
Develop a Censorship Analyzer
Add Support for Reporting Pcaps to OoniBackend and OoniProbe

TorPS (code)

The Tor Path Simulator (TorPS) is a tool for efficiently simulating path selection in Tor. It chooses circuits and assigns user streams to those circuits in the same way that Tor does. TorPS is fast enough to perform thousands of simulations over periods of months.

TorFlow (code, bug tracker)

Library and collection of services for actively monitoring the Tor network. These include the Bandwidth Scanners (measuring throughput of relays) and SoaT (scans for malicious or misconfigured exit nodes). SoaT was last actively developed in the Summer of 2010, and the Bandwidth Scanners a few months later. Both have been under active use since then, but development has stopped.

TorBEL (code, bug tracker)

The Tor Bulk Exitlist provides a method of identifying if IPs belong to exit nodes or not. This is a replacement for TorDNSEL which is a stable (though unmaintained) Haskell application for this purpose. The initial version of TorBEL was started in GSOC 2010 but since then the project has been inactive.

Tor2web (code)

Tor2web allows Internet users to browse websites running in Tor hidden services. It trades user anonymity for usability by allowing anonymous content to be distributed to non-anonymous users.

Anonymity Bibliography (code)

Anonbib is a list of important papers in the field of anonymity. It's also a set of scripts to generate the website from Latex (bibtex). If we're missing any important papers, please let us know!

Project Ideas

You may find some of these projects to be good ideas for Google Summer of Code and the Outreach Program for Women. We have labelled each idea with how much work we expect it would be (effort level), how much clue you should start with (skill level), and which of our core developers would be good mentors. If one or more of these ideas looks promising to you, please contact us to discuss your plans rather than sending blind applications. You may also want to propose your own project idea — which often results in the best applications.

  1. Txtorcon/Stem Integration
    Effort Level: Medium
    Skill Level: Medium
    Likely Mentors: meejah, Damian (atagar)

    Txtorcon is a Twisted-based Python controller library, and Stem is a synchronous (threaded) one, also in Python. There is no need to have two implementations of (at least) the protocol parsing code. This project would entail eliminating duplication by leveraging Stem's parsing in txtorcon while keeping txtorcon's API the same (or at least close).

    Besides this you should identify some additional tasks to improve our controller space across these two libraries. Some ideas are...

    • Write a tutorial for stem's tutorial page demonstrating cross txtorcon/stem usage.
    • Expand the txtorcon API to include functionality of stem's controller that would be of interest to twisted users. All additions should include tests!
    • Come up with some ideas of your own! We'd love to discuss them with you.

    This would very likely involve changes to both libraries, although most would be expected to be in txtorcon. meejah is available to mentor txtorcon changes, and Damian (atagar) can help with Stem.

    It would help if you're already familiar with event-based programming, bonus points if it's Twisted.

  2. Relay Web Status Dashboard
    Effort Level: Medium
    Skill Level: Medium
    Likely Mentors: Damian (atagar)

    Relay operators presently have a good option for monitoring the status of their relay: arm which uses curses. This project would be to make a new kind of monitor specifically for relay operators that provides a status dashboard site on localhost.

    The interface will likely borrow heavily from arm, except of course in areas where we can improve upon it. Two important design constraints is that a localhost controller provides a bigger attack surface than guis or curses, so we should be a little more wary of what it does. This should be a read-only controller (ie, you can't *do* anything to the relay) and by default not surface any sensitive information (such as arm's connection panel). Also take a peek at ntop for ideas on what we can do with a web interface.

    This project will likely include two parts: an AJAX site and a localhost daemon to fulfill those requests. Stem is the backend of arm, and can be used to get everything you see in arm's interface (making it a natural choice for the daemon). That said, this project might entail some Stem improvements if we run across any gaps.

    Applicants should be familiar with Python, JavaScript, and learn about Stem. As part of your application for this project please make both mockups of the interface and a proof of concept demo application using JS to surface something with Stem. Involvement with Stem development during the application process is also a big plus.

  3. Tor Codebase Cleanup
    Effort Level: Low to High, depending on subproject chosen
    Skill Level: Medium to High
    Likely Mentors: Nick (nickm), David (dgoulet)

    The Tor code is more than 10 years old in places, and we haven't always had enough time or wisdom to write things as well as we could have. Our unit test coverage is shamefully low, and the dependency graph of our modules is shamefully convoluted . We could use refactoring and unit tests! Please look through the Tor source code and look for ugly or tricky code or dependencies -- the uglier and trickier the better -- and think about how you could make the code look better, read better, and (subject to testing) work better.

    If this is for a fun side-project, it would be great for you to work on anything that can be made better and more tested. For an internship-level position, we'd hope that you could find a number of particularly tricky or knotty piece of the code to clean up, and aim for resolving the ugliest problems, not necessarily the easiest.

    For a big project here, it would be great to pick one of the major "submodules" of Tor -- path selection, node discovery, directory authority operations, directory service -- and refactor its interface completely, to minify and codify its points of contact with the rest of Tor.

    As part of your application for this project please identify one of the thorniest Tor functions and submit a patch refactoring it to be better. If you find this to be difficult then this likely isn't the project for you.

  4. Build Better Pluggable Transports
    Effort Level: Medium to High
    Skill Level: Medium
    Likely Mentors: Ximin (infinity0)

    For Tor users in censored countries, we have a pluggable transports framework that uses external programs to bypass censorship in different ways. Each of these have their own strengths and weaknesses.

    We have deployed obfsproxy, flashproxy, scramblesuit, meek, and FTE bridges into the main Tor Browser.

    There are several possible directions for this project. Ideas include:

    1. Address gaps or weaknesses in our existing pluggable transports
      • Flashproxy: Add WebRTC support to traverse NATs.
      • Flashproxy: Improve the facilitator's resistance against DoS and poisoning attacks.
    2. Finish and release our pluggable transport combiner, that chains several transports together to take advantage of orthogonal types of blocking resistance.
    3. Improve the UX for selecting the appropriate pluggable transport in the new Tor Browser, whilst maintaining user security.
    4. Implement a new pluggable transport that resists blocking in a novel way.

    Applicants should be familiar with asynchronous/reactive programming, in particular the Twisted framework or something related. Most of the existing code is written in Python, with some parts in JavaScript and Go, so you should know at least one of these. You are invited to talk to us and ask questions, via our mailing lists or IRC. As part of your application, please contribute a patch that implements a small feature or fixes a bug related to this area, e.g. 1, 2, 3.

  5. Profile UDP transport protocols
    Effort Level: Medium to High
    Skill Level: High
    Likely Mentors: Yawning

    There are lots of options as to how Tor could send its data over UDP rather than TCP, and some will likely perform significantly better than others. This project will evaluate these options, so as to decide which should be used in future versions of Tor. A first step will be to benchmark the various transport protocols being considered, in terms of performance and also code quality, including userspace TCP, μTP, SCTP and CurveCP. Initially these transport protocols will be examined in isolation, but if the project progresses well one or more could be integrated in Tor.

  6. Develop a Censorship Analyzer
    Effort Level: Medium
    Skill Level: Medium to High (depends on the implemented tests)
    Likely Mentors: Philipp (phw)

    Tor is documented to be blocked in several countries. Analyzing these censorship incidents can be a tedious task; especially without access to machines inside the censoring networks. To make analysis easier, it would be great to have a lightweight analysis tool which can be run by censored users. This tool would conduct a number of networking tests and figure out if and how Tor could be blocked. The tool's final report should then somehow make it back to the Tor project.

    The theory behind this tool is already documented in a research paper. What we now need is code! Implementing it would first mean getting familiar with OONI and Twisted. After that, the tool should be implemented as a number of OONI-specific networking tests.

    Applicants should be familiar with Python and asynchronous programming, e.g., as it is used in Twisted. As part of your application for this project please contribute a patch for a bug in OONI.

  7. Make TorBirdy Better
    Effort Level: High
    Skill Level: Medium
    Likely Mentors: Sukhbir Singh (sukhe), Jacob Appelbaum (ioerror)

    TorBirdy is an extension that configures Thunderbird to make connections over the Tor anonymity network. TorBirdy has been under development for quite a while but there are two known leaks that prevent it from being used by a wider audience. As part of this project, you will be working on plugging the known leaks and implementing a HTTP proxy.

    Part 1: There are two patches pending with Mozilla that will plug the two known leaks in Thunderbird where the local time is disclosed through the date and the message-ID header. As part of your project, you will work on getting these patches finished/reimplemented and getting them merged with Mozilla. Please look at tickets #6314 and #6315 for more information.

    Part 2: TorBirdy needs a HTTP proxy or a HTTP -> SOCKS5 shim. Please look at ticket #6958 for more information. Note: this has to be done using JavaScript and not using an external proxy.

    If time permits and you are awesome enough to finish the above two tasks, you will be working on the remaining TorBirdy tickets.

    Applicants should be familiar with C++ and JavaScript. As part of your application for this project, please submit code samples for previous C++ and JavaScript projects that you have developed or point us to projects you have been involved with (links to a public Git/GitHub repository preferred). Prior extension development is a big plus and will be given preference during application ranking.

    You may contact the mentors on IRC for more information. (sukhe on #tor-dev, #tor on irc.oftc.net)

  8. Add Support for Reporting Pcaps to OoniBackend and OoniProbe
    Effort Level: Medium
    Skill Level: Medium
    Likely Mentors: Arturo (hellais)

    The feature should also add support for including only packet capture data that is relevant to the test being run. This means that the pcap should not contain all the data sniffed on the users machine, but only that which was generated and intended to be received by ooniprobe.

    This can probably be implemented by setting up a tun/tap device and routing all the ooniprobe traffic through it and only capturing data sent and received from that device. The task for the student will also be that of doing research into what are possible strategies for doing this. For more information see ticket 7416.

  9. Improve test coverage in Tor
    Effort Level: Medium
    Skill Level: Medium
    Likely Mentors: Nick (nickm), David (dgoulet)

    Right now, our unit test coverage with the tests we ship is around 30% -- only 30% of the executable lines in our source are reached by the unit tests. Improving this test coverage could make Tor development much more reliable.

    So we need better unit tests, and we need better integration tests too.

    Improving unit tests would involve refactoring functions to be more testable, and writing a bunch of unit tests.

    Improving integration tests would involve refactoring and improving the "chutney" program that launches a test tor network, and writing a bunch of tests to see what works and what doesn't work on such a network. It could also involve writing tests using the library "stem" to script individual clients on a Chutney network.

    To get a feel for how testing works in Tor today, download Tor and Chutney, and make sure you can build Tor and use Chutney. See how the unit tests work by skimming some of the test code in the src/test subdirectory. Try computing test coverage (according to the instructions in the doc/HACKING file.

    Also, have a look at the one current integration test that works on chutney today: it is a shell script distributed with Tor as src/test/test-tor-network.sh . We probably don't want to have all of our integration tests be written as shell scripts, but it's interesting to see how one works.

    If working on designs for an improved or refactored Chutney, watch out for "archicture astronautics": while it's important that we have a well-designed and maintainable Chutney architecture, it wouldn't be very useful if a good architecture were the only outcome here: we need tests too.

    As part of the application process, please contribute a patch that makes a non-trivial improvement to chutney, and/or include a new test for some interesting Tor function. (Please pick a function that isn't completely easy to test.)

  10. Have the Tor daemon use more cores
    Effort Level: Medium
    Skill Level: Medium
    Likely Mentors: Nick (nickm), David (dgoulet)

    Right now, if you run a busy Tor server on a multicore computer, most of the cores are mostly unused. We have a "cpuworker" mechanism to move expensive computations into worker threads, but that mechanism is currently only used for a small fraction of our cryptography. Moving more work into the worker threads could improve performance immensely.

    So it would be great to parallelize our cryptography more in order to better handle more cores. See MultithreadedCrypto for some background info, and ticket 7572 for some subtickets on our tracker.

    (If you're reading through the code to see how it works today, you will also want to have a look at the new implementation for cpuworkers described in 9682.)

    Completing the implementation of ticket #7572 --which would move our circuit crypto onto separate threads-- could be a good summer project. Alternatively, moving all of the signature generation and verification code onto the cpuworkers could be fun. In either case, you will have some important architectural decisions to make about how to minimize shared data between the main thread and the workers, how to avoid race conditions between them, and how to test it all to make sure it has no hidden failure cases.

    As part of the application process for this project, please contribute a nontrivial patch to Tor -- ideally, one that will affect some part of the codebase that you want to work on.

  11. Help improve Tor hidden services
    Effort Level: Medium
    Skill Level: Medium
    Likely Mentors: Nick (nickm), David (dgoulet), George (asn)

    We're working on a revamp of the entire Tor hidden service design to improve the security and reliability of the hidden service system.

    This is a big project: see proposal 224 for the latest design. Are you interested in implementing some part of that?

    This is a very ambitious project, so we're deliberately not suggesting particular sub-topics. If you're interested in participating, try to read and understand the existing design and the design proposal for the new design, and then talk to us about what part you want to work on.

    As part of the application process for this project, please contribute a nontrivial patch to Tor -- ideally, one that will affect some part of the codebase that you want to work on.

  12. Improved DNS support for Tor
    Effort Level: Medium
    Skill Level: Medium
    Likely Mentors: Nick (nickm), David (dgoulet)

    Right now, you can only use Tor's DNS support to look up IPv4 and IPv6 addresses, and to fetch PTR records. But DNS can do so much more!

    Proposal 219 describes some new cell types that Tor could use to support more types of DNS over Tor.

    To see how Tor implements its existing DNS lookups, start by tracing the the connection_exit_begin_resolve() function in src/or/connection_edge.c , and see how we pass these requests downwards through src/or/dns.c to the underlying resolver. It's not too complicated, but there are some tricky parts to understand.

    As part of the application process for this project, please contribute a nontrivial patch to Tor -- ideally, one that will affect some part of the codebase that you want to work on.

  13. Ahmia - Hidden Service Search
    Effort Level: Medium
    Skill Level: Medium
    Likely Mentors: Juha Nurmi (numes), George (asn)

    Ahmia is open-source search engine software for Tor hidden service deep dark web sites. You can test the running search engine at ahmia.fi. For more information see our blog post about Ahmia's GSoC2014 development.

    Ahmia is a working search engine that indexes, searches, and catalogs content published on Tor Hidden Services. Furthermore, it is an environment to share meaningful insights, statistics, insights, and news about the Tor network itself. In this context, there is a lot of work to do.

    The Ahmia web service is written using the Django web framework. As a result, the server-side language is Python. On the client-side, most of the pages are plain HTML. There are some pages that require JavaScript, but the search itself works without client-side JavaScript.

    There are several possible directions for this project, including...

    1. Improving the search results (very important)
      • Tweaking search algorithms
      • Adjust Apache Solr
      • Enrich the data that is used to rank the search results
    2. Improving UX and UI (very important)
      • Showing relevant knowledge
      • Design the navigation and information architecture
      • HTML5, CSS and Django development
    3. Review code and infrastructure
      • Review code and fix bugs
      • Writing Django test cases
      • Linux configurations, automatizations
    4. Gather statistics over time and publish them
      • Gather different kind of stats about Hidden Services
      • Publish these stats using HTTP REST API
      • Using this API show meaningful tables, charts and visualizations

  14. Exitmap Improvements
    Effort Level: Medium
    Skill Level: Medium
    Likely Mentors: Philipp (phw)

    The Tor Project makes use of the Python tool Exitmap to systematically scan for malicious and misbehaving exit relays. Once such a relay is found, it is assigned the BadExit flag which prevents clients from selecting the relay as last hop in their circuit.

    Exitmap supports scanning modules which implement a specific scan over exit relays. Examples are the DNS module which checks for DNS poisoning or the patching check module which looks out for tampered file downloads.

    This project is meant to extend exitmap in several ways. First, it should be made fully autonomous. That means that exitmap should be able to run in the background, periodically fetch new relay descriptors, and have a smart algorithm which keeps scanning all exit relays periodically. Second, exitmap should be able to emulate some user interaction and dynamically "explore" the web in order to detect tampering. Third, unit tests should be added for existing and new code in order to make the code base more robust.

  15. Bring up new ideas!
    Don't like any of these? Look at the Tor development roadmap for more ideas, or just try out Tor and Tor Browser, and find out what you think needs fixing. Some of the current proposals might also be short on developers.

Other Coding and Design related ideas

  1. Tor relays don't work well on Windows XP. On Windows, Tor uses the standard select() system call, which uses space in the non-page pool. This means that a medium sized Tor relay will empty the non-page pool, causing havoc and system crashes. We should probably be using overlapped IO instead. One solution would be to teach libevent how to use overlapped IO rather than select() on Windows, and then adapt Tor to the new libevent interface. Christian King made a good start on this in the summer of 2007.
  2. We need a flexible simulator framework for studying end-to-end traffic confirmation attacks. Many researchers have whipped up ad hoc simulators to support their intuition either that the attacks work really well or that some defense works great. Can we build a simulator that's clearly documented and open enough that everybody knows it's giving a reasonable answer? This will spur a lot of new research. See the entry below on confirmation attacks for details on the research side of this task — who knows, when it's done maybe you can help write a paper or three also.
  3. Tor 0.1.1.x and later include support for hardware crypto accelerators via OpenSSL. It has been lightly tested and is possibly very buggy. We're looking for more rigorous testing, performance analysis, and optimally, code fixes to OpenSSL and Tor if needed.
  4. Write a fuzzer for Tor to discover security vulnerabilities. Determine if there are good fuzzing frameworks out there for what we want. Win fame by getting credit when we put out a new release because of you!
  5. Tor uses TCP for transport and TLS for link encryption. This is nice and simple, but it means all cells on a link are delayed when a single packet gets dropped, and it means we can only reasonably support TCP streams. We have a list of reasons why we haven't shifted to UDP transport, but it would be great to see that list get shorter. We also have a proposed specification for Tor and UDP — please let us know what's wrong with it.
  6. We're not that far from having IPv6 support for destination addresses (at exit nodes). If you care strongly about IPv6, that's probably the first place to start.
  7. We need a way to generate the website diagrams (for example, the "How Tor Works" pictures on the overview page from source, so we can translate them as UTF-8 text rather than edit them by hand with Gimp. We might want to integrate this as an wml file so translations are easy and images are generated in multiple languages whenever we build the website.
  8. How can we make the various LiveCD/USB systems easier to maintain, improve, and document? One example is The Amnesic Incognito Live System.
  9. Another anti-censorship project is to try to make Tor more scanning-resistant. Right now, an adversary can identify Tor bridges just by trying to connect to them, following the Tor protocol, and seeing if they respond. To solve this, bridges could act like webservers (HTTP or HTTPS) when contacted by port-scanning tools, and not act like bridges until the user provides a bridge-specific key. To start, check out Shane Pope's thesis and prototype.


  1. The "end-to-end traffic confirmation attack": by watching traffic at Alice and at Bob, we can compare traffic signatures and become convinced that we're watching the same stream. So far Tor accepts this as a fact of life and assumes this attack is trivial in all cases. First of all, is that actually true? How much traffic of what sort of distribution is needed before the adversary is confident he has won? Are there scenarios (e.g. not transmitting much) that slow down the attack? Do some traffic padding or traffic shaping schemes work better than others?
  2. A related question is: Does running a relay/bridge provide additional protection against these timing attacks? Can an external adversary that can't see inside TLS links still recognize individual streams reliably? Does the amount of traffic carried degrade this ability any? What if the client-relay deliberately delayed upstream relayed traffic to create a queue that could be used to mimic timings of client downstream traffic to make it look like it was also relayed? This same queue could also be used for masking timings in client upstream traffic with the techniques from adaptive padding, but without the need for additional traffic. Would such an interleaving of client upstream traffic obscure timings for external adversaries? Would the strategies need to be adjusted for asymmetric links? For example, on asymmetric links, is it actually possible to differentiate client traffic from natural bursts due to their asymmetric capacity? Or is it easier than symmetric links for some other reason?
  3. Repeat Murdoch and Danezis's attack from Oakland 05 on the current Tor network. See if you can learn why it works well on some nodes and not well on others. (My theory is that the fast nodes with spare capacity resist the attack better.) If that's true, then experiment with the RelayBandwidthRate and RelayBandwidthBurst options to run a relay that is used as a client while relaying the attacker's traffic: as we crank down the RelayBandwidthRate, does the attack get harder? What's the right ratio of RelayBandwidthRate to actually capacity? Or is it a ratio at all? While we're at it, does a much larger set of candidate relays increase the false positive rate or other complexity for the attack? (The Tor network is now almost two orders of magnitude larger than it was when they wrote their paper.) Be sure to read Don't Clog the Queue too.
  4. The "routing zones attack": most of the literature thinks of the network path between Alice and her entry node (and between the exit node and Bob) as a single link on some graph. In practice, though, the path traverses many autonomous systems (ASes), and it's not uncommon that the same AS appears on both the entry path and the exit path. Unfortunately, to accurately predict whether a given Alice, entry, exit, Bob quad will be dangerous, we need to download an entire Internet routing zone and perform expensive operations on it. Are there practical approximations, such as avoiding IP addresses in the same /8 network?
  5. Other research questions regarding geographic diversity consider the tradeoff between choosing an efficient circuit and choosing a random circuit. Look at Stephen Rollyson's position paper on how to discard particularly slow choices without hurting anonymity "too much". This line of reasoning needs more work and more thinking, but it looks very promising.
  6. Tor doesn't work very well when relays have asymmetric bandwidth (e.g. cable or DSL). Because Tor has separate TCP connections between each hop, if the incoming bytes are arriving just fine and the outgoing bytes are all getting dropped on the floor, the TCP push-back mechanisms don't really transmit this information back to the incoming streams. Perhaps Tor should detect when it's dropping a lot of outgoing packets, and rate-limit incoming streams to regulate this itself? I can imagine a build-up and drop-off scheme where we pick a conservative rate-limit, slowly increase it until we get lost packets, back off, repeat. We need somebody who's good with networks to simulate this and help design solutions; and/or we need to understand the extent of the performance degradation, and use this as motivation to reconsider UDP transport.
  7. A related topic is congestion control. Is our current design sufficient once we have heavy use? Maybe we should experiment with variable-sized windows rather than fixed-size windows? That seemed to go well in an ssh throughput experiment. We'll need to measure and tweak, and maybe overhaul if the results are good.
  8. Our censorship-resistance goals include preventing an attacker who's looking at Tor traffic on the wire from distinguishing it from normal SSL traffic. Obviously we can't achieve perfect steganography and still remain usable, but for a first step we'd like to block any attacks that can win by observing only a few packets. One of the remaining attacks we haven't examined much is that Tor cells are 512 bytes, so the traffic on the wire may well be a multiple of 512 bytes. How much does the batching and overhead in TLS records blur this on the wire? Do different buffer flushing strategies in Tor affect this? Could a bit of padding help a lot, or is this an attack we must accept?
  9. Tor circuits are built one hop at a time, so in theory we have the ability to make some streams exit from the second hop, some from the third, and so on. This seems nice because it breaks up the set of exiting streams that a given relay can see. But if we want each stream to be safe, the "shortest" path should be at least 3 hops long by our current logic, so the rest will be even longer. We need to examine this performance / security tradeoff.
  10. It's not that hard to DoS Tor relays or directory authorities. Are client puzzles the right answer? What other practical approaches are there? Bonus if they're backward-compatible with the current Tor protocol.
  11. Programs like Torbutton aim to hide your browser's UserAgent string by replacing it with a uniform answer for every Tor user. That way the attacker can't splinter Tor's anonymity set by looking at that header. It tries to pick a string that is commonly used by non-Tor users too, so it doesn't stand out. Question one: how badly do we hurt ourselves by periodically updating the version of Firefox that Torbutton claims to be? If we update it too often, we splinter the anonymity sets ourselves. If we don't update it often enough, then all the Tor users stand out because they claim to be running a quite old version of Firefox. The answer here probably depends on the Firefox versions seen in the wild. Question two: periodically people ask us to cycle through N UserAgent strings rather than stick with one. Does this approach help, hurt, or not matter? Consider: cookies and recognizing Torbutton users by their rotating UserAgents; malicious websites who only attack certain browsers; and whether the answers to question one impact this answer.
  12. How many bridge relays do you need to know to maintain reachability? We should measure the churn in our bridges. If there is lots of churn, are there ways to keep bridge users more likely to stay connected?

Let us know if you've made progress on any of these!

Tor Tip

Tor is written for and supported by people like you. Donate today!