NoScript Temporarily Disabled in Tor Browser

Due to a mistake in Mozilla's signing infrastructure, NoScript and all other Firefox extensions signed by Mozilla have been disabled in Tor Browser. Because they use NoScript, higher security levels are currently broken for Tor Browser users.

Mozilla is working on a fix, and we'll start building a new Tor Browser version as soon as their fix is available.

Meanwhile, anyone who is dependent on the security provided by the higher security levels can apply the following workaround:

  1. Open the address about:config in the Tor Browser address bar
  2. At the top of the page, search for xpinstall.signatures.required
  3. Set the xpinstall.signatures.required entry to false by double clicking it

Note: This workaround should only be used temporarily, as it disables a security feature. Please remember to set the xpinstall.signatures.required entry back to true again once the Tor Browser security update is applied.
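As an added check (this script is not part of the Tor Project's post), here is a small reader for a profile's prefs.js that reports whether xpinstall.signatures.required is still at the workaround value false, so it is not forgotten after the update, and whether javascript.enabled was also switched off by hand as suggested in the comments below. It assumes a pref absent from prefs.js is at Firefox's built-in default of true for both prefs, and it takes the path to prefs.js as its argument (the sample text inside is constructed).

```python
import re
import sys
from pathlib import Path

# prefs.js / user.js lines look like:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Map pref name -> raw value text ("true", "false", "42", "\"str\"")."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def audit_prefs(prefs):
    """Return findings for the two prefs this post and its comments mention.

    Assumption: a pref missing from prefs.js is at Firefox's built-in
    default, which is true for both of these."""
    findings = []
    if prefs.get("xpinstall.signatures.required", "true") == "false":
        findings.append("xpinstall.signatures.required is false: add-on "
                        "signature checks are off; set it back to true once "
                        "the updated Tor Browser is installed")
    if prefs.get("javascript.enabled", "true") == "false":
        findings.append("javascript.enabled is false: JavaScript is switched "
                        "off globally by hand, independent of NoScript")
    return findings

def audit_file(path):
    """Run the audit over a real prefs.js on disk."""
    return audit_prefs(parse_prefs(Path(path).read_text(encoding="utf-8")))

# Constructed sample of a profile where the workaround was applied and
# JavaScript was also switched off by hand (not a real user's file).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("example.constructed.pref", 1556928000);
user_pref("xpinstall.signatures.required", false);
user_pref("javascript.enabled", false);
"""

if __name__ == "__main__":
    findings = audit_file(sys.argv[1]) if len(sys.argv) > 1 \
        else audit_prefs(parse_prefs(SAMPLE_PREFS_JS))
    for f in findings or ["no workaround prefs found"]:
        print(f)
```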

Sorry for the inconvenience.

I suppose one shouldn't ask for whom you develop exploits or what your intentions are.

That aside, I think you have correctly explained why currently TP really has no viable alternative to being based upon Firefox ESR.

I think it's a fine thing to ask. Answer: I develop exploits because it's fun and lets me root personal devices that otherwise would be locked down ("jailbreaking"), because I hate DRM and I hate that a device you own is not truly yours. When I find bugs in software that people rely on (e.g. browsers, OS components) I contact the vendor and disclose the vulnerability used so that they can fix it. I am not an exploit broker who sells bugs, and I despise people and companies which do.

An exploit dev is not automatically a black hat who sells their bugs!

Anonymous

May 04, 2019

Firefox is dead since their intentional ridding of ALSA as a fallback audio interface in Linux, their sly attempt at adverts as a browser and these incidents....
Palemoon Browser needs more publicity... if the team behind Palemoon and Tor worked together at making Palemoon "secure" and the default Tor browser, that would be perfect.

Yes, Pale Moon is the bloat-free, lightweight version (fork) of Firefox, I love it too. It would be optimal for Tor. And - if privacy - don't trust Google-related products.
Reading it on Pale Moon at the moment :)

Anonymous

May 05, 2019

In reply to Judge Judy (not verified)

prove what? you must be ignorant. if you think Google and Facebook are spying on you but Mozilla isn't you must be brainwashed.
1. this isn't the first time Mozilla slipped into this mess, do you like Mr. Robot because Firefox knows you do.

2. check out the steps needed for a temp fix.

3. your browser just REMOTELY disabled something without your permission. no alarm bells are ringing in your head? ???? have you checked the source to see if anything else can be remotely controlled?

Hey that thought came(?) to my mind as well....how was it disabled without me doing anything?

But we should believe someone sometimes, just to make ourselves feel better.

What is even more funny, they became bold and push for remote controlled "hotfix" in the "studies" - literally the thing that lets them control your browser remotely 24/7. If you disable that, you won't receive the "hotfix" - corporate fear tactics.

Anonymous

May 04, 2019

Hi friends...having noticed that Java Script is still enabled despite using (as always) the highest level in my settings, I would like to know whether you recommend to stop using Tor till the problem is finally solved...sorry for my simple question, but I am a "newbie" in technical matters...Thank you very much indeed for all your efforts and permanent support...best regards.

Don't worry, there is no chance TP will ever adopt Chrome (or even Chromium probably) as the basis for "Tor Browser gen 2".

Adding security features after the fact as Mozilla tries to do with FF is not the best way, but currently it may be the best way TP can actually use.

To get a specialty browser written ground up for TP you need to give TP a LOT of money.

Anonymous

May 04, 2019

warning.
mozilla disabled noscript extension, leaving javascript enabled

set this to "false".
about:config?filter=javascript.enabled

also, when mozilla auto-disables an extension, they should automatically set associated Firefox prefs to the secure value.

is this mozilla "bug worthy"?

Anonymous

May 04, 2019

blunder of the decade... but sure, let's keep firefox as our frontend, just toggle this boolean and that boolean and then toggle it again... :poolparty:

tor needs something simple like epiphany, midori or falcon.

Anonymous

May 04, 2019

Shame on you!

Don't even think about using Chrome with the tor project. Google Chrome - Spyware

Anonymous

May 04, 2019

Has anyone noticed that The Tor Project has been open and honest about this problem ?
Anyone notice that posts critical of The Tor Project have remained ?

Sometimes it's the little things.

Anonymous

May 04, 2019

> Mozilla is working on a fix, and we'll start building a new Tor Browser version as soon as their fix is available.

Don't forget Tor 0.4.0.5!

0.4.0.5 won't be included in this update, as we try to minimize unrelated changes to avoid issues which would delay the update. We also did not test the dormant feature introduced in 0.4.0.5 in an alpha yet, so it will probably get included in the next alpha first.

Anonymous

May 04, 2019

During this time, malicious actors are likely to take advantage of the fact that many people do not read this blog. This is a big deal and puts into question trust in Mozilla.

Take advantage in what way? It's basically the same as moving the security slider to "low" isn't it? If someone was going to take advantage, for example by a javascript exploit, wouldn't they have been doing so all along? I guess there could be a greater number of tor users now with JS enabled and thus more potential victims, but...

It's not like it was silently disabled. The browser gives you a big yellow banner the moment NoScript is disabled. If you moved the security slider above its default "low" in the first place, then you should have a pretty good idea of what that warning means and the implications of it. If you choose to go on using the browser without NoScript, and you choose not to check the Tor blog for news about the issue, then it kind of becomes your own fault.

It's like ignoring your check engine light and then blaming the manufacturer when your car finally breaks down.

> Take advantage in what way? It's basically the same as moving the security slider to "low" isn't it?

For most users who were (only briefly we hope) affected, that is probably right.

The problem is that the higher settings of the security slider offer substantial security improvements which might really be needed by some users for some things, and (for a short time) some of them might not have realized that NoScript had been disabled which broke the higher settings.

Right now there appears to be no reason to think the cert expiration was deliberate (it is well known that large organizations have a lot of trouble avoiding this kind of mistake entirely) so there is reason to hope that adversaries such as NSA were caught flat footed just like we were, and were unable to quickly exploit the problem to attack us. We hope.

Anonymous

May 04, 2019

In addition to disabling a security feature, does this change the browser fingerprint at all? Wouldn't this workaround significantly increase the attack surface in the browser? Why is Tor Browser "phoning home" to Mozilla anyways? I'm not a cybersecurity expert nor do I pretend to be, I am genuinely curious.

xpinstall.signatures.required doesn't change the browser's fingerprint. Add-ons, for one thing, do. By setting it to false and making sure NoScript comes back, your fingerprint will go back to looking like Tor Browser as long as you don't install or manually disable add-ons. Tor Browser updates its privacy-security add-ons from Mozilla's repository and works with add-ons as Firefox does. Tor Project works with the developers of the add-ons it bundles and audits their source code. But it's definitely good to look into the extent of what's phoning Mozilla and if it's necessary.

Minus one.

Tor devs often face tough choices to be made in a short time with imperfect information. On the whole I think they tend to make the best possible choices under often difficult circumstances.

I think we probably agree that in an ideal world, security/privacy/anonymity would not be so hard. And I hope you agree that we can get closer to the ideal if we can move Tor Project to a user supported funding model and greatly increase its operating budget, free of government/corporate influence. I hope you will consider making a donation to TP.

(I am a user like you, not an employee of TP.)

Anonymous

May 04, 2019

Georg Koppen, why do you, as the only decision-making person, publish this inconvenient blog post about forcing users to manually switch off the security feature in order to make Tor Browser operate properly instead of doing an emergency release with NoScript added to sig verification exceptions as Torbutton?

We are currently working on an update, but this cannot be done instantly. Meanwhile, we have this short blog post (which was also reviewed by a few people) to explain the issue and give a possible workaround for the people that can't wait for the update.

1. In part, because I (a Tor user) asked him to do so (in the #tor chat room).

2. Mostly because keeping Tor users informed about critical security issues is obviously an absolutely appropriate thing to do.

Also, the problem is that Mozilla goofed by letting a certificate expire, which had the horrible effect of silently disabling NoScript, an essential part of TB security. So TP needs to wait for Mozilla to fix the cert before TP can issue an emergency bug fix for TB.

@ gk:

Thanks again for posting!

> NoScript added to sig verification exceptions as Torbutton

Hey, that's a good idea: extensions.legacy.exceptions. Easy for developers, transparent to users, and if I understand correctly has the same effect as xpinstall.signatures.required but precise to NoScript, not all add-ons.

Yes, that's one of the options on the table. However, this kind of exception has the risk that there might be holes open now to get you a non-signed malicious NoScript installed. So, there is a trade-off to make here as well.

Anonymous

May 04, 2019

OMG, not having no script really sucks. I was ad-free at a spot I visit often. Now, I'm getting one ad after another. I hope whatever this problem is, it can be solved. I feel like I'm under attack.

Anonymous

May 04, 2019

The workaround isn't working in regular Fx 63. Changing "xpinstall.signatures.required" to false & restarting Fx doesn't reverse disabling of addons.

Maybe forcing Fx to check for addon updates AFTER the about:config change is needed for the fix to work? In regular Firefox I did a manual check for addon updates - were none.
Restarted Fx - no change.

However, in regular Fx following Mozilla's suggestion of enabling "Studies" in Fx preferences, here: https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-…
& restarting Fx, then waiting a couple of minutes - doing another check for addons & all addons were enabled again.

They mention it might take much longer (hours) for the Studies to be applied in Fx and also some different, associated issues some users reported (& list possible fixes) .

Anonymous

May 04, 2019

The real fix to this would be to develop on the Gnome or KDE browsers instead.

If people keep using chromium or firefox as bases they will inevitably keep breaking features and by extension users' privacy and security. I'm sure quite a few people's password security will be at risk right now as well.

Firefox has been slowly feature creeping to a standard that the big tech companies want: more cloud features, more 3rd party extensions, and less data actually kept securely in the hands of their actual users.

At least with a project like Gnome you'd know there'd be an army of other linux users waiting to fork the browser if there was any issues like this.