Here we have a set of proposals for changes to the Tor protocol. Some of these proposals are implemented; some are works in progress; and some will never be implemented.
Below are a list of proposals sorted by status. See INDEX.md for a list of proposals sorted by number.
These are proposals that we think are likely to be complete, and ripe for discussion.
239-consensus-hash-chaining.txt: Consensus Hash Chaining240-auth-cert-revocation.txt: Early signing key revocation for directory authorities267-tor-consensus-transparency.txt: Tor Consensus Transparency277-detect-id-sharing.txt: Detect multiple relay instances running with same ID287-reduce-lifetime.txt: Reduce circuit lifetime without overloading the network295-relay-crypto-with-adl.txt: Using ADL for relay cryptography (solving the crypto-tagging attack)296-expose-bandwidth-files.txt: Have Directory Authorities expose raw bandwidth list files301-dont-vote-on-package-fingerprints.txt: Don't include package fingerprints in consensus documents303-protover-removal-policy.txt: When and how to remove support for protocol versions306-ipv6-happy-eyeballs.txt: A Tor Implementation of IPv6 Happy Eyeballs308-counter-galois-onion.txt: Counter Galois Onion: A New Proposal for Forward-Secure Relay Cryptography309-optimistic-socks-in-tor.txt: Optimistic SOCKS Data322-dirport-linkspec.md: Extending link specifiers to include the directory port323-walking-onions-full.md: Specification for Walking Onions324-rtt-congestion-control.txt: RTT-based Congestion Control for Tor326-tor-relay-well-known-uri-rfc8615.md: The "tor-relay" Well-Known Resource Identifier330-authority-contact.md: Modernizing authority contact entries340-packed-and-fragmented.md: Packed and fragmented relay messages341-better-oos.md: A better algorithm for out-of-sockets eviction343-rend-caa.txt: CAA Extensions for the Tor Rendezvous Specification
These are the proposals that we agree we'd like to implement. They might or might not have a specific timeframe planned for their implementation.
265-load-balancing-with-overhead.txt: Load Balancing with Overhead Parameters282-remove-named-from-consensus.txt: Remove "Named" and "Unnamed" handling from consensus voting285-utf-8.txt: Directory documents should be standardized as UTF-8292-mesh-vanguards.txt: Mesh-based vanguards311-relay-ipv6-reachability.txt: Tor Relay IPv6 Reachability312-relay-auto-ipv6-addr.txt: Tor Relay Automatic IPv6 Address Discovery313-relay-ipv6-stats.txt: Tor Relay IPv6 Statistics321-happy-families.md: Better performance and usability for the MyFamily option (v2)336-randomize-guard-retries.md: Randomized schedule for guard retries337-simpler-guard-usability.md: A simpler way to decide, "Is this guard usable?"338-netinfo-y2038.md: Use an 8-byte timestamp in NETINFO cells339-udp-over-tor.md: UDP traffic over Tor
These proposals are implemented in some version of Tor; the proposals themselves still need to be merged into the specifications proper.
260-rend-single-onion.txt: Rendezvous Single Onion Services332-ntor-v3-with-extra-data.md: Ntor protocol with extra data, version 3333-vanguards-lite.md: Vanguards lite
These proposals describe ongoing policies and changes to the proposals process.
000-index.txt: Index of Tor Proposals001-process.txt: The Tor Proposal Process098-todo.txt: Proposals that should be written099-misc.txt: Miscellaneous proposals202-improved-relay-crypto.txt: Two improved relay encryption protocols for Tor cells257-hiding-authorities.txt: Refactoring authorities and making them more isolated from the net290-deprecate-consensus-methods.txt: Continuously update consensus methods
These proposals describe a process or project, but aren't actually proposed changes in the Tor specifications.
159-exit-scanning.txt: Exit Scanning300-walking-onions.txt: Walking Onions: Scaling and Saving Bandwidth
These proposals have been marked as a draft by their author or the editors, indicating that they aren't yet in a complete form. They're still open for discussion.
294-tls-1.3.txt: TLS 1.3 Migration316-flashflow.md: FlashFlow: A Secure Speed Test for Tor (Parent Proposal)327-pow-over-intro.txt: A First Take at PoW Over Introduction Circuits331-res-tokens-for-anti-dos.md: Res tokens: Anonymous Credentials for Onion Service DoS Resilience342-decouple-hs-interval.md: Decoupling hs_interval and SRV lifetime
These proposals have some promise, but we can't implement them without certain changes.
212-using-old-consensus.txt: Increase Acceptable Consensus Age219-expanded-dns.txt: Support for full DNS and DNSSEC resolution in Tor245-tap-out.txt: Deprecating and removing the TAP circuit extension protocol248-removing-rsa-identities.txt: Remove all RSA identity keys269-hybrid-handshake.txt: Transitionally secure hybrid handshakes279-naming-layer-api.txt: A Name System API for Tor Onion Services291-two-guard-nodes.txt: The move to two guard nodes317-secure-dns-name-resolution.txt: Improve security aspects of DNS name resolution329-traffic-splitting.txt: Overcoming Tor's Bottlenecks with Traffic Splitting
These proposals are interesting ideas, but there's more research that would need to happen before we can know whether to implement them or not, or to fill in certain details.
(There are no proposals in this category)
These proposals have been implemented in some version of Tor, and the changes from the proposals have been merged into the specifications as necessary.
101-dir-voting.txt: Voting on the Tor Directory System102-drop-opt.txt: Dropping "opt" from the directory format103-multilevel-keys.txt: Splitting identity key from regularly used signing key104-short-descriptors.txt: Long and Short Router Descriptors105-handshake-revision.txt: Version negotiation for the Tor protocol106-less-tls-constraint.txt: Checking fewer things during TLS handshakes107-uptime-sanity-checking.txt: Uptime Sanity Checking108-mtbf-based-stability.txt: Base "Stable" Flag on Mean Time Between Failures109-no-sharing-ips.txt: No more than one server per IP address110-avoid-infinite-circuits.txt: Avoiding infinite length circuits111-local-traffic-priority.txt: Prioritizing local traffic over relayed traffic114-distributed-storage.txt: Distributed Storage for Tor Hidden Service Descriptors117-ipv6-exits.txt: IPv6 exits119-controlport-auth.txt: New PROTOCOLINFO command for controllers121-hidden-service-authentication.txt: Hidden Service Authentication122-unnamed-flag.txt: Network status entries need a new Unnamed flag123-autonaming.txt: Naming authorities automatically create bindings125-bridges.txt: Behavior for bridge users, bridge relays, and bridge authorities126-geoip-reporting.txt: Getting GeoIP data and publishing usage summaries129-reject-plaintext-ports.txt: Block Insecure Protocols by Default130-v2-conn-protocol.txt: Version 2 Tor connection protocol135-private-tor-networks.txt: Simplify Configuration of Private Tor Networks136-legacy-keys.txt: Mass authority migration with legacy keys137-bootstrap-phases.txt: Keep controllers informed as Tor bootstraps138-remove-down-routers-from-consensus.txt: Remove routers that are not Running from consensus documents139-conditional-consensus-download.txt: Download consensus documents only when it will be trusted140-consensus-diffs.txt: Provide diffs between consensuses148-uniform-client-end-reason.txt: Stream end reasons from the client side should be uniform150-exclude-exit-nodes.txt: Exclude Exit Nodes from a circuit151-path-selection-improvements.txt: Improving Tor Path Selection152-single-hop-circuits.txt: Optionally allow exit from single-hop circuits155-four-hidden-service-improvements.txt: Four Improvements of Hidden Service Performance157-specific-cert-download.txt: Make certificate downloads specific158-microdescriptors.txt: Clients download consensus + microdescriptors160-bandwidth-offset.txt: Authorities vote for bandwidth offsets in consensus161-computing-bandwidth-adjustments.txt: Computing Bandwidth Adjustments162-consensus-flavors.txt: Publish the consensus in multiple flavors166-statistics-extra-info-docs.txt: Including Network Statistics in Extra-Info Documents167-params-in-consensus.txt: Vote on network parameters in consensus171-separate-streams.txt: Separate streams across circuits by connection metadata174-optimistic-data-server.txt: Optimistic Data for Tor: Server Side176-revising-handshake.txt: Proposed version-3 link handshake for Tor178-param-voting.txt: Require majority of authorities to vote for consensus parameters179-TLS-cert-and-parameter-normalization.txt: TLS certificate and parameter normalization180-pluggable-transport.txt: Pluggable transports for circumvention181-optimistic-data-client.txt: Optimistic Data for Tor: Client Side183-refillintervals.txt: Refill Intervals184-v3-link-protocol.txt: Miscellaneous changes for a v3 Tor link protocol186-multiple-orports.txt: Multiple addresses for one OR or bridge187-allow-client-auth.txt: Reserve a cell type to allow client authorization193-safe-cookie-authentication.txt: Safe cookie authentication for Tor controllers196-transport-control-ports.txt: Extended ORPort and TransportControlPort198-restore-clienthello-semantics.txt: Restore semantics of TLS ClientHello200-new-create-and-extend-cells.txt: Adding new, extensible CREATE, EXTEND, and related cells204-hidserv-subdomains.txt: Subdomain support for Hidden Service addresses205-local-dnscache.txt: Remove global client-side DNS caching206-directory-sources.txt: Preconfigured directory sources for bootstrapping207-directory-guards.txt: Directory guards208-ipv6-exits-redux.txt: IPv6 Exits Redux214-longer-circids.txt: Allow 4-byte circuit IDs in a new link protocol215-update-min-consensus-ver.txt: Let the minimum consensus method change with time216-ntor-handshake.txt: Improved circuit-creation key exchange217-ext-orport-auth.txt: Tor Extended ORPort Authentication218-usage-controller-events.txt: Controller events to better understand connection/circuit usage220-ecc-id-keys.txt: Migrate server identity keys to Ed25519221-stop-using-create-fast.txt: Stop using CREATE_FAST222-remove-client-timestamps.txt: Stop sending client timestamps224-rend-spec-ng.txt: Next-Generation Hidden Services in Tor227-vote-on-package-fingerprints.txt: Include package fingerprints in consensus documents228-cross-certification-onionkeys.txt: Cross-certifying identity keys with onion keys232-pluggable-transports-through-proxy.txt: Pluggable Transport through SOCKS proxy235-kill-named-flag.txt: Stop assigning (and eventually supporting) the Named flag236-single-guard-node.txt: The move to a single guard node237-directory-servers-for-all.txt: All relays are directory servers238-hs-relay-stats.txt: Better hidden service stats from Tor relays243-hsdir-flag-need-stable.txt: Give out HSDir flag only to relays with Stable flag244-use-rfc5705-for-tls-binding.txt: Use RFC5705 Key Exporting in our AUTHENTICATE calls250-commit-reveal-consensus.txt: Random Number Generation During Tor Voting251-netflow-padding.txt: Padding for netflow record resolution reduction254-padding-negotiation.txt: Padding Negotiation264-subprotocol-versions.txt: Putting version numbers on the Tor subprotocols271-another-guard-selection.txt: Another algorithm for guard selection272-valid-and-running-by-default.txt: Listed routers should be Valid, Running, and treated as such274-rotate-onion-keys-less.txt: Rotate onion keys less frequently275-md-published-time-is-silly.txt: Stop including meaningful "published" time in microdescriptor consensus278-directory-compression-scheme-negotiation.txt: Directory Compression Scheme Negotiation283-ipv6-in-micro-consensus.txt: Move IPv6 ORPorts from microdescriptors to the microdesc consensus284-hsv3-control-port.txt: Hidden Service v3 Control Port289-authenticated-sendmes.txt: Authenticating sendme cells to mitigate bandwidth attacks293-know-when-to-publish.txt: Other ways for relays to know when to publish297-safer-protover-shutdowns.txt: Relaxing the protover-based shutdown rules298-canonical-families.txt: Putting family lines in canonical form302-padding-machines-for-onion-clients.txt: Hiding onion service clients using padding304-socks5-extending-hs-error-codes.txt: Extending SOCKS5 Onion Service Error Codes305-establish-intro-dos-defense-extention.txt: ESTABLISH_INTRO Cell DoS Defense Extension310-bandaid-on-guard-selection.txt: Towards load-balancing in Prop 271314-allow-markdown-proposals.md: Allow Markdown for proposal format315-update-dir-required-fields.txt: Updating the list of fields required in directory documents318-limit-protovers.md: Limit protover values to 0-63328-relay-overload-report.md: Make Relays Report When They Are Overloaded335-middle-only-redux.md: An authority-only design for MiddleOnly
These proposals aren't anything we plan to implement soon, but for one reason or another we think they might be a good idea in the future. We're keeping them around as a reference in case we someday confront the problems that they try to solve.
133-unreachable-ors.txt: Incorporate Unreachable ORs into the Tor Network172-circ-getinfo-option.txt: GETINFO controller option for circuit information177-flag-abstention.txt: Abstaining from votes on individual flags188-bridge-guards.txt: Bridge Guards and other anti-enumeration defenses201-bridge-v3-reqs-stats.txt: Make bridges report statistics on daily v3 network status requests211-mapaddress-tor-status.txt: Internal Mapaddress for Tor Configuration Testing223-ace-handshake.txt: Ace: Improved circuit-creation key exchange226-bridgedb-database-improvements.txt: "Scalability and Stability Improvements to BridgeDB: Switching to a Distributed Database System and RDBMS"255-hs-load-balancing.txt: Controller features to allow for load-balancing hidden services256-key-revocation.txt: Key revocation for relays and authorities262-rekey-circuits.txt: Re-keying live circuits with new cryptographic material273-exit-relay-pinning.txt: Exit relay pinning for web services281-bulk-md-download.txt: Downloading microdescriptors in bulk288-privcount-with-shamir.txt: Privacy-Preserving Statistics with Privcount in Tor (Shamir version)307-onionbalance-v3.txt: Onion Balance Support for Onion Service v3
These proposals were obsoleted by a later proposal before they were implemented.
112-bring-back-pathlencoinweight.txt: Bring Back Pathlen Coin Weight113-fast-authority-interface.txt: Simplifying directory authority administration118-multiple-orports.txt: Advertising multiple ORPorts at once124-tls-certificates.txt: Blocking resistant TLS certificate usage143-distributed-storage-improvements.txt: Improvements of Distributed Storage for Tor Hidden Service Descriptors145-newguard-flag.txt: Separate "suitable as a guard" from "suitable as a new guard"146-long-term-stability.txt: Add new flag to reflect long-term stability149-using-netinfo-data.txt: Using data from NETINFO cells153-automatic-software-update-protocol.txt: Automatic software update protocol154-automatic-updates.txt: Automatic Software Update Protocol156-tracking-blocked-ports.txt: Tracking blocked ports on the client side163-detecting-clients.txt: Detecting whether a connection comes from a client169-eliminating-renegotiation.txt: Eliminate TLS renegotiation for the Tor connection handshake170-user-path-config.txt: Configuration options regarding circuit building185-dir-without-dirport.txt: Directory caches without DirPort194-mnemonic-urls.txt: Mnemonic .onion URLs210-faster-headless-consensus-bootstrap.txt: Faster Headless Consensus Bootstrapping225-strawman-shared-rand.txt: Strawman proposal: commit-and-reveal shared rng242-better-families.txt: Better performance and usability for the MyFamily option247-hs-guard-discovery.txt: Defending Against Guard Discovery Attacks using Vanguards249-large-create-cells.txt: Allow CREATE cells with >505 bytes of handshake data252-single-onion.txt: Single Onion Services266-removing-current-obsolete-clients.txt: Removing current obsolete clients from the Tor network280-privcount-in-tor.txt: Privacy-Preserving Statistics with Privcount in Tor299-ip-failure-count.txt: Preferring IPv4 or IPv6 based on IP Version Failure Count334-middle-only-flag.txt: A Directory Authority Flag To Mark Relays As Middle-only
These proposals are not on-track for discussion or implementation. Either discussion has stalled out (the proposal is DEAD), the proposal has been considered and not adopted (the proposal is REJECTED), or the proposal addresses an issue or a solution that is no longer relevant (the proposal is OBSOLETE).
100-tor-spec-udp.txt: Tor Unreliable Datagram Extension Proposal [DEAD]115-two-hop-paths.txt: Two Hop Paths [DEAD]116-two-hop-paths-from-guard.txt: Two hop paths from entry guards [DEAD]120-shutdown-descriptors.txt: Shutdown descriptors when Tor servers stop [DEAD]127-dirport-mirrors-downloads.txt: Relaying dirport requests to Tor download site / website [OBSOLETE]128-bridge-families.txt: Families of private bridges [DEAD]131-verify-tor-usage.txt: Help users to verify they are using Tor [OBSOLETE]132-browser-check-tor-service.txt: A Tor Web Service For Verifying Correct Browser Configuration [OBSOLETE]134-robust-voting.txt: More robust consensus voting with diverse authority sets [REJECTED]141-jit-sd-downloads.txt: Download server descriptors on demand [OBSOLETE]142-combine-intro-and-rend-points.txt: Combine Introduction and Rendezvous Points [DEAD]144-enforce-distinct-providers.txt: Increase the diversity of circuits by detecting nodes belonging the same provider [OBSOLETE]147-prevoting-opinions.txt: Eliminate the need for v2 directories in generating v3 directories [REJECTED]164-reporting-server-status.txt: Reporting the status of server votes [OBSOLETE]165-simple-robust-voting.txt: Easy migration for voting authority sets [REJECTED]168-reduce-circwindow.txt: Reduce default circuit window [REJECTED]173-getinfo-option-expansion.txt: GETINFO Option Expansion [OBSOLETE]175-automatic-node-promotion.txt: Automatically promoting Tor clients to nodes [REJECTED]182-creditbucket.txt: Credit Bucket [OBSOLETE]189-authorize-cell.txt: AUTHORIZE and AUTHORIZED cells [OBSOLETE]190-shared-secret-bridge-authorization.txt: Bridge Client Authorization Based on a Shared Secret [OBSOLETE]191-mitm-bridge-detection-resistance.txt: Bridge Detection Resistance against MITM-capable Adversaries [OBSOLETE]192-store-bridge-information.txt: Automatically retrieve and store information about bridges [OBSOLETE]195-TLS-normalization-for-024.txt: TLS certificate normalization for Tor 0.2.4.x [DEAD]197-postmessage-ipc.txt: Message-based Inter-Controller IPC Channel [REJECTED]199-bridgefinder-integration.txt: Integration of BridgeFinder and BridgeFinderHelper [OBSOLETE]203-https-frontend.txt: Avoiding censorship by impersonating an HTTPS server [OBSOLETE]209-path-bias-tuning.txt: Tuning the Parameters for the Path Bias Defense [OBSOLETE]213-remove-stream-sendmes.txt: Remove stream-level sendmes from the design [DEAD]229-further-socks5-extensions.txt: Further SOCKS5 extensions [REJECTED]230-rsa1024-relay-id-migration.txt: How to change RSA1024 relay identity keys [OBSOLETE]231-migrate-authority-rsa1024-ids.txt: Migrating authority RSA1024 identity keys [OBSOLETE]233-quicken-tor2web-mode.txt: Making Tor2Web mode faster [REJECTED]234-remittance-addresses.txt: Adding remittance field to directory specification [REJECTED]241-suspicious-guard-turnover.txt: Resisting guard-turnover attacks [REJECTED]246-merge-hsdir-and-intro.txt: Merging Hidden Service Directories and Introduction Points [REJECTED]253-oob-hmac.txt: Out of Band Circuit HMACs [DEAD]258-dirauth-dos.txt: Denial-of-service resistance for directory authorities [DEAD]259-guard-selection.txt: New Guard Selection Behaviour [OBSOLETE]261-aez-crypto.txt: AEZ for relay cryptography [OBSOLETE]263-ntru-for-pq-handshake.txt: Request to change key exchange protocol for handshake v1.2 [OBSOLETE]268-guard-selection.txt: New Guard Selection Behaviour [OBSOLETE]270-newhope-hybrid-handshake.txt: RebelAlliance: A Post-Quantum Secure Hybrid Handshake Based on NewHope [OBSOLETE]276-lower-bw-granularity.txt: Report bandwidth with lower granularity in consensus documents [DEAD]286-hibernation-api.txt: Controller APIs for hibernation access on mobile [REJECTED]319-wide-everything.md: RELAY_FRAGMENT cells [OBSOLETE]320-tap-out-again.md: Removing TAP usage from v2 onion services [REJECTED]325-packed-relay-cells.md: Packed relay cells: saving space on small commands [OBSOLETE]