NoScript Temporarily Disabled in Tor Browser

Due to a mistake in Mozilla's signing infrastructure, NoScript and all other Firefox extensions signed by Mozilla have been disabled in Tor Browser. Because they use NoScript, higher security levels are currently broken for Tor Browser users.

Mozilla is working on a fix, and we'll start building a new Tor Browser version as soon as their fix is available.

Meanwhile, anyone who is dependent on the security provided by the higher security levels can apply the following workaround:

  1. Open the address about:config in the Tor Browser address bar
  2. At the top of the page, search for xpinstall.signatures.required
  3. Set the xpinstall.signatures.requiredentry to false by double clicking it

Note: This workaround should only be used temporarily, as it disables a security feature. Please remember to set the xpinstall.signatures.requiredentry back to true again once the Tor Browser security update is applied.

Sorry for the inconvenience.

If I remember correctly, the issue with Chromium wasn't so much that you'd have to make all this changes. After all, many changes had to be made to Firefox too. Rather, Chromium not accepting changes upstream was the issue and having all this patches rebased onto every release is error prone and time intensive. Probably not doable with the small team working on Tor Browser at all. Mozilla, however, accepts patches to upstream Firefox and is even willing to help with advice, review and making sure the features keep working.

Lets use an insecure browser, because "muh free market economics".

The Chromium code base originated in the open source code community, while Firefox is commercial code that comes from the company that made the Netscape browser. Google doesn't own Chromium, it belongs to the world.

Does anyone really think Google's going to backport security or anti-tracking stuff from a Tor Chromium to mainline Chromium? Because Firefox does. For example:

https://www.zdnet.com/article/firefox-to-add-tor-browser-anti-fingerpri…
Or just search for "Tor Uplift", the Firefox project to review and integrate privacy changes from Tor into Firefox master.

Mateus

May 04, 2019

Permalink

Weird. My Tor Browser (8.0.8) and its default plugins (NoScript 10.6.1, HTTPSEverywhere 2019.1.31 are working without issue and it's showing that I'm running the latest version.
Is this blog post in relation to non-default plugins only?

Mateus

May 04, 2019

Permalink

Has anyone been able to get NoScript working? The work around posted does not work for me. Regular firefox has been fixed for me and all the addons are now working, but TOR still has NoScript disabled. Is TOR going to push an update?

Yes, the workaround worked for me. The NoScript icon came back on the toolbar some minutes after I set the preference to false, and I didn't restart. See if it comes back after you close and restart the browser.

>The work around posted does not work for me

After you change the about:config preference "xpinstall.signatures.required" from Value "true" to Value "false", you have to quit and restart Tor Browser.

Mateus

May 04, 2019

Permalink

SHAME ON MOZILLA!
What happened with prenty of already installed add-ons which suddenly got remotely deactivated by Mozilla (no choice given to the user about what to do) is UNACCEPTABLE and INEXCUSABLE since it unexpectedly left Tor Browser users exposed, without security feautres they were trusting and using in that moment to protect their privacy: a rogue move by Mozilla that could have possibly pose threat to the lives of activists and dissenters whose presence in the world wide web relies on Tor Browser. The Mozilla Foundation and those in charge of the Firefox development roadmap must be held accountable for their misconduct. Plain and simple: they acted as miscreants. Was it only a matter of carelessness?
It's extremely sad to state that the Mozilla Foundation seems to be increasingly focused on its own politically biased agenda: more propaganda and far less technological care, respect and responsibility towards its user base.
I call on the steering group of Tor developers: please take seriously into account the incident of such sudden deactivation of (critical) Firefox add-ons, including those bundled with Tor Browser!
Firefox is an UNRELIABLE piece of software to build privacy upon. The Mozilla Foundation is an UNRELIABLE and TREASONOUS partner. Seriously, look for a viable alternative!

If you happen to come back to check replies, please state any conflicts of interest you may have in writing this comment such as:

  • if you receive any money from a competitor that could benefit from Mozilla's loss
  • if you receive money or participate in a consumer protection organization that could benefit from maligning Mozilla
  • if you have had a dispute with Mozilla in the past that hasn't been satisfactorily resolved.

as you do not seem to be looking at this situation objectively.

I think that risking one's freedom or one's life is a sufficient reason, it is not necessary to assume any conflict of interests.
This is not (only) a usability problem and it is not even a 0-day worth a million dollar, this is a very serious problem caused by an equally serious carelessness from the mozilla team.

javascript can now be covertly used to find the real ip address of dissidents. but this is now apparently unobjective. i would point out that whether or not this is the law of unintended consequences biting torproject in the ass before mozilla, i would say thats irrelevant. the fact remains that because of firefox devs making a poorly judged decision, and then brute forcing it on people rather than giving a warning and offering them the choice whether to take a judgement call on the risk on their addons, that peoples real lives are now at risk, more than they would have been had they not had tor at all.

no i have no connection to mozilla or any browser maker. i actually prefer firefox over chrome because i find ff easier to deal with in terms of addons, finding and using them. chrome can be quite opaque in its features also.

but while i used both, i no longer trust firefox, because of the FORCED nature of its decision. and because tor did not seemingly know about it.

its going to be a while if this gets on the mainstream news, and longer if anyone dies because of it, for mozilla to recover. if it doesnt wind up going under.

> rather than giving a warning and offering them the choice

Mandatory signing was controversial when it was introduced in 2015. Speaking of warnings, there was "a transition period of two release cycles (12 weeks total) during which unsigned extensions [only generated] a warning in Firefox. After the transition period, it [was not] possible to install unsigned extensions in Release or Beta versions of Firefox."
https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-expe…
https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signi…
https://wiki.mozilla.org/Add-ons/Extension_Signing

Ignored by tor developers? You realize you're commenting on a Tor blog post that is dedicated to addressing this specific issue? They gave a workaround and said they will ship a fix when it is available from Mozilla. What else do you want?

I'm unsure what you mean by ignoring. It's only a handful of people working on Tor Browser, and yet there is already this blog post, the necessary changes to the code have been made and the fixed version is already being built and tested. Seems pretty good to me.

Of course, it would be better if more people helped out. Perhaps, then the next issue like this is discovered and fixed even before the certificate expires.

> The Mozilla Foundation and those in charge of the Firefox development roadmap must be held accountable for their misconduct. Plain and simple: they acted as miscreants.

Mozilla has been doing a great job at improving privacy for their users lately. There is Firefox Focus, implementation of containers, accepting patches for Tor Browser (investing a considerable amount of their own time on advice and review), matching donations to Tor and much, much more.

Do you really want to blame Mozilla? To me, I'd seem they are doing a better job at security and privacy than almost all of organizations on the internet. Also, it rather odd to blame someone for trying to do the right things.

> Was it only a matter of carelessness?

Are you suggesting this could have been intentional? If so, with what purpose?

> Seriously, look for a viable alternative!

Is there one? Please let me know.

> Was it only a matter of carelessness?

The fact that the inadvertent logic bomb detonated a few days *after* May Day is indirect but useful evidence that this was not a deliberate act engineered by "the usual suspects" (e.g. FBI). Because the usual suspects would likely want to spy on Tor users just *prior* to May Day not just *after* May Day.

More importantly, over the years there have been a number of widely reported new stories about some huge company forgetting to update a cert. So there's plenty of evidence that organizations large and small are finding it very difficult to maintain their cryptographic assets.

I don't mean we should excuse Mozilla (or anyone else) from overlooking a critical deadline; my point is that there is no reason (AFAIK) to think this was anything other than a mistake. A serious mistake, but a mistake which to their credit Mozilla quickly fixed.

Sadly, I must agree with the final assessment. Though FireFox/Mozilla has, over time, come to be trusted, the excuse that it doesn't allow such add-ons as NoScript due to cert failure, simply doesn't hold water. As the base, which controls cert behavior and setting the handshake needed for validation, FireFox does not require a specific cert to be incorporated w/in their Add-on suite and therefore, restrictions to the HTTPS/NoScript add-ons should not have that excuse used (overlooking cert validation) when they fail to permit an Add-On.

In most cases, the reasoning the general public hears, is not true. There are multiple channels that can be used to ensure that a specific event does or does not happen, and something that has been a stable capability for years is not suddenly affected.

Developers for both FireFox/TOR and other Mozilla based products in most occasions follow one simple rule: If it's not broken, don't fix it. This spans across any organization which must fund their resources based on time-spent towards a specific Goal and Objectives. That funding can only occur if there is sufficient money to use in order to make enhancements and/or platform changes.

By blocking and preventing key components from being installed and used, especially for those that have been around for as long as NoScript has, this change was conscious and intentional, with the target for what this add-on offered to the public.

And, while the Organization shall find a so-called "workaround" or eventually permit the originally branded product to be used, this entire approach to suddenly remove its ability from the platform did nothing but buy some time for the platform developers to devise a side-step to what shall eventually be permitted.

Make no mistake about it. There are people w/in Mozilla and elsewhere that expect anything based on this technology to follow requirements, otherwise, funding shall be stripped, and failure to comply shall result in unpleasant and personally impact consequences for all stakeholders in the product and product supply chain.

It is a sad day folks... Your privacy and all aspects surrounding your public and private life can and is likely to be impacted. Not only in free countries, but around the globe where others tend to simply make someone disappear when they don't think they want what they're doing to stay with them.

Signatures of add-ons are checked in Firefox's code whenever something calls XPIDatabase.verifySignatures() or possibly XPIInstall.verifySignedStateForRoot. A timer is hard-coded to call verifySignatures() every 24 hours after you open the browser, but other actions may call it at any time. I was unable to search for "verifySignatures" to find all actions that call it on Mozilla's web repository because the search timed out, and I didn't want to clone the whole repository just to search for a string. I don't know if Mozilla's hotfixes verify them immediately or how long it waits.

  1. const XPI_SIGNATURE_CHECK_PERIOD = 24 * 60 * 60;<br />
  2. ...<br />
  3. timerManager.registerTimer("xpi-signature-verification", () => {<br />
  4. XPIDatabase.verifySignatures();<br />
  5. }, XPI_SIGNATURE_CHECK_PERIOD);

https://phabricator.services.mozilla.com/source/mozilla-central/browse/…

You can reinstall Tor and do not wait for the Mozilla's "solution" using the following workaround:
...Browser\TorBrowser\Data\Browser\profile.default\user.js
########################
# User Preferences
user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);

user_pref("extensions.update.enabled", false);
user_pref("extensions.update.autoUpdateDefault", false);

user_pref("xpinstall.signatures.required", false);

########################
So you have to
1) install fresh Tor
2) +remove checkbox "start TBB" at the ending of installation!!! (do not start TBB!!!
)
3) put user.js to the "profile.default" folder
4) now you can start TBB easy - it will work

It helps with Windows TBB. BTW when Mozilla&TBB will solve the issue - you HAVE to change all "false" to "true" certainly.

Old versions are just as susceptible and have more unpatched vulnerabilities. I don't know if your method of turning off updates has any effect on checking signatures, but if it does, it wouldn't work unless you turned it off very quickly before it ran the automatic routines.

So you use a version with the commercial spy stuff removed.

Interesting comment about the two code bases here:

https://marc.info/?l=openbsd-misc&m=152876412422034&w=2

"There's a great irony here…

Firefox is a derivative of the Mozilla code base which used to be known
in the general public as Netscape. Netscape Communications was a
for-profit company, that actually *sold* their browser for commercial
use (it was only free for personal use).

Chrome and Safari both derive from Apple WebKit which itself is a fork
of the KHTML rendering engine developed by the KDE project, and has
*always* been, LGPL licensed code since its first release in 1998.

Yet today, Firefox is held up as the open-source darling and
Chrome/Safari is seen as the proprietary devil. Go figure. :-)"

I disagree. It's true that google has the resource to employ world-class security researchers in the world (google project zero discovered numerous security bugs) to make their browser secure.

However, privacy-wise (which is Tor Browser all about!), chrome is a very poor choice. One has to understand that making profit with user's data is part of google's business model, e.g, gmail scans user's mail for targeted advertisement. Chrome is especially bad, it is a chromium (which is free/libre and open-source) based proprietary browser with many anti-privacy features (such as sending your usage pattern to google).

Being proprietary, it is impossible to audit the code. Even if we choose to base tor browser on chromium instead of chrome, it would be a maintenance nightmare to make absolutely sure all anti-privacy features has been turned off in chromium.

A better option is to use a non-corporate-backed browser - which is firefox!

If you want firefox to be more secure, please help to report bugs or denote!

Chrome (well, Chromium, which is the open source version) is significantly better. I'm an exploit dev, so I'm not just parroting what someone else said! Chromium has more and better security mitigations that make traditional exploits very hard to use and necessitate complex and unreliable exploit chains. Firefox is much easier to exploit. The only benefit Firefox had over Chromium, which was the power of the XUL browser extension API, no longer exists now that WebExtensions are a thing and now NoScript in Firefox is not nearly as powerful as it used to be.

Unfortunately the real reason Tor Project can't move to Chromium is that Firefox is easier to maintain a fork of because it releases snapshot versions called "ESR". Chromium is much harder to track and requires a bigger and more dedicated team to manage, even if it is more secure.

No, but it's all too plausible that NSA/TAO, GRU, and other state sponsored hackers regularly read Tor dev lists, monitor Tor dev chat rooms, and even occasionally post in this blog.

It's also plausible that such entities have tried, are trying, and will continue to try to insert their own operatives into TP as a kind of "double agent". I hope that TP is trying hard to make that difficult.

You're right, you just have to trust me. It doesn't really matter though anyway because it's not that elite of a position. I'm not one of those experts with a dozen priceless 0days in his home dir.