NoScript Temporarily Disabled in Tor Browser

Due to a mistake in Mozilla's signing infrastructure, NoScript and all other Firefox extensions signed by Mozilla have been disabled in Tor Browser. Because they use NoScript, higher security levels are currently broken for Tor Browser users.

Mozilla is working on a fix, and we'll start building a new Tor Browser version as soon as their fix is available.

Meanwhile, anyone who is dependent on the security provided by the higher security levels can apply the following workaround:

  1. Open the address about:config in the Tor Browser address bar
  2. At the top of the page, search for xpinstall.signatures.required
  3. Set the xpinstall.signatures.required entry to false by double clicking it

Note: This workaround should only be used temporarily, as it disables a security feature. Please remember to set the xpinstall.signatures.required entry back to true again once the Tor Browser security update is applied.

Sorry for the inconvenience.

Anonymous

May 04, 2019


Thanks for the workaround! Did it, it works fine so far. What exactly is the risk by setting it to false?

OT: Google captcha drives me crazy with Tor while surfing on many sites. It says my results are wrong and I have to do it again and again and again. :-( Is there a workaround? Thanks!

> installing add-ons in Tor Browser is generally not recommended
Well... having less-trusted addons like NoScript preloaded in browser bundle sorta nullifies this recommendation. While some other addon can improve privacy even in private browsing environment and junk traffic thru tor circuits (which are slow already).

Sure thing. Problem is that NoScript receives updates thru addons.mozilla.org as well - as preconfigured in browser bundle effectively leaving an open sesame for any attack NoScript's author wishes to perform again, see https://adblockplus.org/blog/attention-noscript-users
That's why I don't use NoScript at all (it is rather pointless in 2019 anyway).

It's ok as long as you remember to check (enable) it again after the patch is installed. Leaving automatic updates to add-ons turned off prevents automatic security updates to add-ons, so don't leave it disabled for longer than it needs to be.

But it has no effect on the disabled status of NoScript.

This happened WITHOUT WARNING. The sudden disabling of NoScript resembles a ransomware assault. I interpreted this as corruption and I tried to re-install, and lost ALL my bookmarks! I have been digging but have no idea how or even if I can recover them.

This is OBSCENE.

There's this little-known, super secret concept in IT, which allows to recover pretty much anything. It's called a "Backup".

In this case you should use TRUE time machine instead of "backup". Nothing has changed in Firefox/TOR/addons - internal certificates are just expired.

What is true time machine please?

She didn't think of backing up but she's right to be upset that it happened without warning.

Stop moaning you lame ass moaners. You get this service for free. You act like 2 year olds some of you selfish, self centered candy ass moaners. Did it ever cross your self centered mind to say "hey Firefox/Tor, thank you for all the effort you put in to providing selfish moaning little nobody me with a free and usually pretty good and safe service.
Thank you Firefox/Tor workers for providing me a safe place on the Internet!

I agree that posters who are expressing harsh criticism of Tor devs or spreading FUD based upon misconceptions or misleading "spin" are not helping anyone, but I also feel that we all need to be sympathetic when something like this happens and some Tor users panic. After all, the most at-risk Tor users really might lose their freedom or even their life if a seriously bad entity is able to exploit some bug in the Tor ecosystem.

The good news in this story is that it seems the problem existed for only minutes to hours before Mozilla was notified, and Mozilla, Tor Project, and Tails Project all promptly issued fixes.

I would agree with anyone who says people who complain about TP should be making donations to help make things better, for example by allowing TP to become less reliant upon USG/Google.

You are right.

In fact it was more likely TRIALWARE after the time bomb went off.

Bookmarks are stored in the browser's profile folder inside the tor-browser folder. They're deleted if you delete the tor-browser folder. First, open your Recycle Bin. If they aren't there, you need to immediately stop writing to the partition and scan it with forensic recovery software for deleted files. If you aren't able to stop writing to the partition while your OS is running, plug the drive into another computer, and scan it from there, or scan it from a Live USB.
https://en.wikipedia.org/wiki/Data_recovery#List_of_data_recovery_softw…

For how to backup before you lost them, see the final paragraphs here:
https://blog.torproject.org/comment/280732#comment-280732
and here:
https://blog.torproject.org/comment/281023#comment-281023

I agree! I also had concerns about this sudden disabling of all add-ons in Tor Browser! At first I was digging through files because I thought the system had crashed. Then I tried disabling the Mozilla certificate check, and the add-ons appeared in the browser and worked. Then it failed again! At that point I thought I had caught a wild virus, that the system was completely dead and I was totally screwed. That's not far from a heart attack!

You don't understand the principle how torbrowser works.
If you add Add-ons you change your Browser-fingerprint and lose your anonymity, because you are a special snowflake in the mass of tor users.
Do you really think the tor project did not check noscript? Why do you use torbrowser if you do not trust them and think they are that stupid? If you think you understand the internet better than all the programmers, software-engineers and network-specialists at tor project, why don't you build your own anonymous browser or network.
I am shocked every time to see how much people suffer from Dunning-Kruger-Effect.

> It's a lie.
> why don't you build your own
Going to disregard kindergarten-tier exclamations, sorry.

> all the programmers, software-engineers and network-specialist at tor project
But let me remind you that you are here on this page because one of our trusted dependencies has been sloppy enough to lose the key (and, if you insist, the other of our trusted dependencies overlooked the flaw). This happened because such is life where sheet happens.

The case of NoScript is different because during that little war with Wladimir Palant, NoScript's author INTENTIONALLY deployed the questionable updates (see the ABP blog link above). That's why I'm treating NoScript addon as less-trusted and adding some entropy to my fingerprint having it disabled. Moreover, I have even more entropy from the use of uBlock Origin w/country specific lists for as partial replacement of NoScript functionality. I'd happily return back to line but not with NoScript, sorry, can't make myself to trust it.

> Wladimir Palant

You mean the guy who charges companies for not blocking their ads? uBlock blocks everything without compromises and ransom-like schemes.

Was he disputing the fact he was charging them or just non-disclosing it?

@anon, you seem to know a lot about uBlock Origin.
Are you sure it doesn't reveal your TRUE IP as some addons do? Or track you in some other way?
I see all the time that uBlock Origin sets a bunch of cookies every time it updates the Filter Lists from Easylist, Fanboy etc...

What about themes? Do they change the browser fingerprint?

Speaking of add-ons. I think there should be a preinstalled ad-blocker too. NoScript blocks ads as long as you don't allow ANY scripts. Once you need to allow some scripts in order to make the website work correctly you'll get the ads as well so if you don't want ads you need to install at least an ad-blocker.

By blocking ads you are telling them something about yourself and making yourself stand out.

This wouldn't be an issue if an adblocker was included by default with tor browser (and configured the same for all users). Tor browser users already stand out, the important thing is that you shouldn't be able to tell one tor browser user from another.

The suggested workaround is an UNEQUIVOCALLY BAD IDEA. WTF, disable signature checks? Never, never, never!

In the small picture, this is a real risk. In the big picture, Tor Project, are you deliberately training users to defeat "certificate validation" failed errors?

Good workaround: Open about:config and set javascript.enabled to false.

This will totally disable JavaScript. Therefore, NoScript is not needed. (Thanks to other cypherpunks in #30394.)

It may mess up the Security Slider, so do this *after* setting the Slider to High. This way, you will also get settings such as disabling SVG, MathML, Web fonts... Or if you need JavaScript on some sites, set the Slider to Medium first (disables ultra-dangerous script features). Then, leave an about:config tab open so you can toggle JavaScript on and off.

(John, OT, Google is evil. Google, Cloudflare, et al. use soft coercion to make you abandon untrackable means of accessing the Internet. Don't give in; just boycott affected sites as much as practical, and politely let their owners know why.)
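Both workarounds on this page (the post's xpinstall.signatures.required change and the javascript.enabled change suggested in the comment above) are about:config preferences, which Firefox persists as user_pref(...) lines in the profile's prefs.js. The post asks users to remember to revert the signature preference once the fixed build is installed; the script below, an added example that is not part of the Tor Project's post or of any commenter's text, parses that file format and reports whether either workaround is still in effect. The profile path, the sample prefs.js content and the function names are assumptions made for the example.

```python
"""Audit a Firefox/Tor Browser prefs.js for the two workarounds discussed here.

prefs.js only records preferences that differ from the built-in defaults,
so a pref that is absent from the file is at its default value
(both prefs audited here default to true).
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Union

# Assumed location of the Tor Browser profile on Linux; adjust for your install.
DEFAULT_PREFS_PATH = Path(
    "tor-browser/Browser/TorBrowser/Data/Browser/profile.default/prefs.js"
)

# Constructed sample prefs.js content showing both workarounds left in place.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1556928000);
user_pref("browser.startup.homepage", "about:tor");
user_pref("xpinstall.signatures.required", false);
user_pref("javascript.enabled", false);
'''

# One pref per line: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

PrefValue = Union[bool, int, str]


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {pref name: value} from prefs.js text; comments and blanks are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue
        name, raw = match.group(1), match.group(2).strip()
        value: PrefValue
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            # Mozilla escapes embedded quotes and backslashes with a backslash.
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # unknown literal; keep verbatim rather than guess
        prefs[name] = value
    return prefs


def audit_workarounds(prefs: Dict[str, PrefValue]) -> List[str]:
    """List which temporary workarounds from the post/comments are still active."""
    findings: List[str] = []
    # Missing pref == default (true): signature enforcement is on.
    if prefs.get("xpinstall.signatures.required", True) is False:
        findings.append(
            "xpinstall.signatures.required is false: add-on signature "
            "enforcement is disabled; set it back to true once the fixed "
            "Tor Browser is installed"
        )
    if prefs.get("javascript.enabled", True) is False:
        findings.append(
            "javascript.enabled is false: JavaScript is disabled globally; "
            "the Security Slider no longer controls script behaviour per site"
        )
    return findings


def audit_file(path: Path) -> List[str]:
    """Parse a prefs.js on disk and return the findings."""
    return audit_workarounds(parse_prefs(path.read_text(encoding="utf-8")))


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_PREFS_PATH
    results = audit_file(target) if target.exists() else audit_workarounds(
        parse_prefs(SAMPLE_PREFS)  # fall back to the constructed sample
    )
    for finding in results:
        print("WARNING:", finding)
    if not results:
        print("OK: neither workaround is active")
```

Run it with the path to your profile's prefs.js as the first argument (the browser should be closed, since Firefox rewrites prefs.js on exit); with no argument and no file at the assumed path it audits the embedded sample, which reports both workarounds as still active.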

First, about:preferences#privacy -> Permissions -> "Warn you when websites try to install add-ons" is enabled by default, and the only exceptions are to Mozilla-controlled first-party add-on websites. Mozilla vets the add-ons they list, and a user would have to visit Mozilla's website, click the button on the page to install, and then see the warning that the browser displays and click on that. Difficult to do accidentally. Finally, the post makes very clear that the workaround should only be used temporarily (in bold) and reverted after the patch is installed. Disabling signature checks is not good, but there are many other layers of protection in place including telling users about the effects of the workaround and how to behave with it, so it isn't as bad as you make it out to be.

Second, while disabling javascript will close many of the holes that were opened when NoScript was disabled, many users will need javascript enabled as you noted, but try explaining the intricacies of the relationship between the slider, NoScript, and Preferences to non-technical users and expecting them to know when to change what.

I agree on boycotting incessant captchas and pervasive Cloudflare, but many websites roll their own javascript or depend on relatively benign javascript frameworks to function. Disabling javascript disables all of them, not just Google and Cloudflare.

When the patch is released, its blog post and the next few that follow it should absolutely repeat the message to reset the preference back to True.

Plus one.

This is helpful. Thanks.

This is the spirit!
The world will be a better place if we have more people like you and less like the one who recommend this sh**.

YOU ARE THE HERO, I LOVE YOU

Is that supposed to be irony?
Or a case of "my girlfriend from Canada, you don't know her"?
Sad in either case...

I think the disabled signature checks are only for installing extensions. Unless you are installing extensions in Tor Browser (which is a bad idea), then it is totally harmless. It's not like you're disabling TLS PKI signature checks that are necessary for secure HTTPS sites.

That is a good point.

@ gk:

Is cypherpunks right? Is disabling javascript that way s/he suggests a safer fix?

The safer fix is to wait for the update.

Avoid web-surfing until the fix is available? I am willing to try, but any idea when we can expect the fix? I know we depend upon Mozilla to fix the cause for NoScript breakage.

We now have a build that we think is fixing the issue. If you want to help test it: https://people.torproject.org/~boklm/builds/8.0.9-build1/

We still need to sign it, do some QA and upload everything. If all goes well it should be released tomorrow (Monday).

Thanks for the build! FTR, the above link is also available in onion: http://sbe5fi5cka5l3fqe.onion/~boklm/builds/8.0.9-build1/

I've visited sites that I commonly visited for 15 mins. Nothing bad seems to happen, except the tor button keeps blinking with an exclamation mark.

The blinking is expected as the version is not released yet (and, hence, not recommended).

Me too; the fix in 8.0.9 seems to be working fine for me.

It turns out the fix was not complete, so we need to do a second build, delaying the release (probably until Tuesday): https://trac.torproject.org/projects/tor/ticket/30388#comment:39

Does this mean that TB 8.0.9 and the latest Tails are not yet safe but still need to be fixed?

8.0.9 includes the fix for this issue.

Anyway, even the previous version was still relatively "safe" if you were using the "standard" security level. It mostly made a difference for the users of the "safer" and "safest" security levels.

Whew, OK, thanks, this thread has moved so quickly that it was a little hard to tell that 8.0.9 fixes the second issue which arose.

However, I use "safer" and "safest" almost exclusively.