Be "at least as secure" as Tor (as a client)
This is a fairly open-ended ticket; it is a requirement for %"Arti 1.0.0: Ready for production use", but we need to decide what exactly it comprises.
Some likely candidates to include are:
- SafeLogging (#189 (closed))
- Zeroizing keys (#254 (closed))
- Circuit isolation code (#150 (closed))
- File permission checking (#315 (closed))
- Setting per-process flags and dropping permissions as in C tor's winprocess_sys.c, restrict.c, setuid.h (#364 (closed))
- Netflow padding (#62 (closed))
Some things not necessarily to include (now) are:
- seccomp2 sandboxing (huge kludge, less necessary in Rust)
- memory-DoS resistance (waits for %"Arti 1.2.0: Onion service support")
- hardened PRNG (current prng is "good enough")
Edited by Nick Mathewson