NoScript Temporarily Disabled in Tor Browser

Due to a mistake in Mozilla's signing infrastructure, NoScript and all other Firefox extensions signed by Mozilla have been disabled in Tor Browser. Because they use NoScript, higher security levels are currently broken for Tor Browser users.

Mozilla is working on a fix, and we'll start building a new Tor Browser version as soon as their fix is available.

Meanwhile, anyone who is dependent on the security provided by the higher security levels can apply the following workaround:

  1. Open the address about:config in the Tor Browser address bar
  2. At the top of the page, search for xpinstall.signatures.required
  3. Set the xpinstall.signatures.requiredentry to false by double clicking it

Note: This workaround should only be used temporarily, as it disables a security feature. Please remember to set the xpinstall.signatures.requiredentry back to true again once the Tor Browser security update is applied.

Sorry for the inconvenience.

Mateus

May 06, 2019

Permalink

My firefox is fixed by installing 66.04 but torbrowser still does not work. May-5- 17:00 HR EST

I have version 66.04 on firefox for my Mac and it is working with my add-on after performing an update from 66.03. Has no one had success performing this upgrade?

Mateus

May 06, 2019

Permalink

Dear dev's, you should put an update for the Tor Browsers that changes the start page with the information on the current situation and with a message that using Tor Browser currently is risky.

Instead we provided an update that fixes the problem. We thought it would be better to spend our engineering capacity to get a fix out as fast as possible and inform about the problem in this blog post instead.

Mateus

May 06, 2019

Permalink

Hi..
does this relate to Netflix not showing on the TOR browser anymore? i keep getting an error page asking to use HTML 5 or silverlight..netflix was actually working fine on the browser when it was first installed

Mateus

May 06, 2019

Permalink

It's all fixed now but...

It's a frightening online world without NoScript. Advertisements, pop-ups, gifs and audio run wildly rampant!

Viva N/S! Viva
...

Mateus

May 06, 2019

Permalink

Little question here: does that xpinstall.signatures.required work in all Firefox ESR version or just in Tor Browser? If the former, wow I'm switching to ESR as soon as 68 arrives!

Mateus

May 06, 2019

Permalink

Noob here, rather than join the complain-fest I thought I'd try and assist by downloading the 8.0.9rc1 tarball and apply my limited tech knowledge to testing it out. NoScript icon appeared in it's usual place, looks good to go so I started to go further afield. After a couple of minutes though, the yellow warning banner appeared, the NoScript icon disappeared and Add-Ons manager reported it as disabled. I realized what I did, or rather didn't do, and that was to go to the Add-Ons manager and set the NoScript updating to 'Off'. I re-downloaded rc1 and re-installed, immediately changed the NoScript setting and all seems stable now.

Could one of the devs, if they read this, please confirm that NoScript 10.6.1 is the version to stick with in 8.0.9?

Mateus

May 06, 2019

Permalink

I continue to trust and thank the Tor team for the work they did, but the huge "incident" on Saturday and especially the lack of any information really makes me doubt Mozilla.

Maybe, perhaps, the suggestion to rebuild a new Tor Browser around something other than Firefox would be a good thing...

Mozilla was releasing lots of information. Some was on their blog and support site, but the majority of work was being done hurriedly in their development communication channels, bug tracker, source code branches, etc. Regrettably, they didn't make a fraction of as much effort to recognize the expiration date before it arrived.

Mateus

May 06, 2019

Permalink

Just an hour or so ago, extensions in my Tor browser went bust. Strange enough, I didn't notice any of this yesterday when the Firefoxes had their add-on-troubles. I have two Ff, 52.3 ESR and 58.0, both portable. The 52.3 ESR was 'fixed' right away with setting the xpinstall.signatures.required to false (and it still works), but nothing helped with the 58.0.

I hate the idea of anyone fussing around with my computer or switching off any add-ons in my browser with no warning and without my consent. I'm not a geek, I'm not even particularly security-minded, I'm actually the proverbial DAU who just wants a nice, uncomplicated browser. But I'm stubborn - my computer is my castle, so to say.

It seems Mozilla will use the chance to peddle its latest version, so I might have to look for a new browser. For now, only Tor and an utterly outdated K-Meleon are left - and the 52.3 ESR (but who knows for how long). I downloaded a Palemoon yesterday and it seems I might get used to it. Does anyone know if there is a portable version of Icecat?

(That's one of my silly quirks - all of my browsers are portable. I avoid installing anything if I don't have to.)

Mateus

May 06, 2019

Permalink

Please remember to

This is a bane of security. Please force this back to 'false' and alert the user if the flip is made. Better to have people have to toggle it again than to leave people accidentally unguarded.

I realize both options are bad, so "fail safe".

Developer!
This case is a disgraceful crash in your project. Blame everyone who works in the project. I think in the future you need to forever get rid of add-ons from the site "mozilla" and other third-party repositories. You need to create your own repository tied exclusively to your project, with additions specifically for Tor Browser, signed by your signature and only your certificates. This will allow you to avoid such embarrassment in the future. And users will be satisfied.

In my opinion you have seriously misunderstood what happened.

> This case is a disgraceful crash in [Tor] project.

Actually, the problem arose from someone at Mozilla missing a deadline to generate a new cert.

TP's response was in my opinion rather exemplary. Indeed, while the original mistake at Mozilla was a serious good, Mozilla also responded quickly.

> Blame everyone who works in the project.

Actually, I think everyone who worked over the weekend to deal with the emergency deserves a lot of praise and a fine dinner.

> I think in the future you need to forever get rid of add-ons from the site "mozilla" and other third-party repositories. You need to create your own repository tied exclusively to your project, with additions specifically for Tor Browser, signed by your signature and only your certificates.

In an ideal world, I suppose, TP would have enough money and employees to do that well.

If enough people donate enough money (hint hint) many long-standing worries can be addressed in a more direct manner.

Mateus

May 06, 2019

Permalink

So, as of 09:30 EST, I see a posting at mozilla.org stating that an update to ESR has been pushed. Having no idea what that might mean in reality, I started up TOR 8.08 and went to add-ons. There, I find that all add-ons (except HTTPS Everywhere) says it is working. So, I look at Help>About Tor Browser. It says that 8.08 is curtrent.
??
Are we done now? Or is the great add-on CF still in process?

Mateus

May 06, 2019

Permalink

The issue in TOR still remains unresolved, when will this be fixed, however I do appreciate the work the devs have been doing to resolve the issue, might be good to actually put it on the heading on TOR page so people dont download the previous version of TOR until the fix is completed.

Agreed completely! A warning on the download webpage or disabling all download sources! 8.0.9 fixed is released however, and links are updated. Too late. No reason to warn downloaders anymore.

Mateus

May 06, 2019

Permalink

The new ESR firefox has been out for hours. Why don't you chaps - gieven you interenatioinal user base - update as has Devuan?

Mateus

May 06, 2019

Permalink

So I installed 8.0.9, put "javascript.enabled:true" and NoScript works again, thanks a lot.
But now my "Tor enabled" onion icon, upper left, is blinking with a yellow triangle.
"Check for Tor Browser Update" it says, but there is nothing to upload.
Is FBI on its way, or what does that mean?

Mateus

May 06, 2019

Permalink

Hi.
Until today, Roboform Password Manager was working fine with 8.0.8. But today it has been disabled. Even downloading it again from Mozilla Addons site, it says that the file is corrupt. Why it was working fine and stopped working. How can I fix it?

Mateus

May 06, 2019

Permalink

Idk about you guys but i made my extensions work again in normal Firefox by just resetting the browser to defaults and login back into my account to get back addons and settings

Mateus

May 06, 2019

Permalink

I am a "user" in both the regular and the social sense. i.e. I "use" without really giving back. So the least I thought I should do after many years of Tor use is to add my voice to thank and encourage Tor devs.

Disagreement is to be welcomed -- that's kinda what Tor protects -- but it is appalling to see some comments that go far beyond disagreement or excited concern to the point of being flatly offensive.

The far-and-away number one threat to free and open source development projects in my more than 30 years of observation is the loss of dedicated developers. Hell, the loss of moderately interested developers. Being subjected to hyperbolic attacks is often the beginning of people drifting away.

Do remember that the vast majority of Tor users will never participate in a forum discussion, but they represent the true value of your work. One comment rightly pointed out that that work for meaningful numbers includes protecting their very lives, and so some upset is not unexpected.

But also remember that there are those who are served by discouraging Tor developers and creating dissension in the Tor community. When you see something that is particularly offensive, or that makes you want to walk away, just consider that is probably what the source wants.

In the world as it now is, your work is exceedingly important. With Western democracies themselves becoming more authoritarian the importance of your work just continues to grow.

Truly, thank you, be well, be happy.

Very well said and very true. Thank you for pointing this out to others. This is my first post after using Tor for many, many years. Complaining, and "acting" knowledgeable are certainly not worthy in any sense.

People need to realize what open source is and then dig deeper. If a person is that concerned about the issue, stop using Tor until the next update which will include the proper fix.

Overall, I do not think this is a serious concern to most Tor users.

https://2019.www.torproject.org/getinvolved/volunteer.html.en
https://donate.torproject.org/

I see many instances of dissent that illuminate neglected things to improve or reconsider. Seeing through the emotion sometimes reveals a technical or ethical issue. It helps mentally if you do tech support but have a relationship to apply it to development at the same time.

> But also remember that there are those who are served by discouraging Tor developers and creating dissension in the Tor community. When you see something that is particularly offensive, or that makes you want to walk away, just consider that is probably what the source wants.

Plus one.

Years ago I often tried to make that point but you said it much more graceful;y and concisely than I ever did :-)

Mateus

May 06, 2019

Permalink

Mozilla released a fix, ESR 60.6.2, yesterday afternoon: 16:25 EDT May 5 2019. When will a new TorBrowser version be available?