NoScript Temporarily Disabled in Tor Browser

Due to a mistake in Mozilla's signing infrastructure, NoScript and all other Firefox extensions signed by Mozilla have been disabled in Tor Browser. Because they use NoScript, higher security levels are currently broken for Tor Browser users.

Mozilla is working on a fix, and we'll start building a new Tor Browser version as soon as their fix is available.

Meanwhile, anyone who is dependent on the security provided by the higher security levels can apply the following workaround:

  1. Open the address about:config in the Tor Browser address bar
  2. At the top of the page, search for xpinstall.signatures.required
  3. Set the xpinstall.signatures.required entry to false by double clicking it

Note: This workaround should only be used temporarily, as it disables a security feature. Please remember to set the xpinstall.signatures.required entry back to true again once the Tor Browser security update is applied.

Sorry for the inconvenience.

Anonymous

May 04, 2019

Permalink

One important point no-one is talking about: when did the cert expire and when did Mozilla learn about the problem?

If this was an unrecognized critical flaw for many months that would change this from "a serious blunder which could potentially endanger people all over the world" to "a serious blunder which likely cost an unknowable number of political dissidents their lives or freedom".

Thank you, every bit of information helps. What I really need to know now is when the certificate which caused the problem actually expired.

Note for anyone following the link, the "fix" they describe does not apply to Firefox ESR, which will be fixed "soon".

> when did the cert expire and when did Mozilla learn about the problem?

Expired:
Sat May 4 00:09:46 2019 UTC (2019-05-04)
Mozilla bug #1548973 reported:
Sat May 4 00:49:00 2019 UTC (2019-05-04)
About 39 minutes after it expired.

"Some reports on reddit says that they had their clocks a day forward, but they may be just early canaries for the actual widespread issue." [1]

It's a PKCS #7 certificate. [2] Certificate information:

  Organization (O) = Mozilla Corporation
  Organizational Unit (OU) = Mozilla AMO Production Signing Service
  Common Name (CN) = signingca1.addons.mozilla.org
  Validity:
    Not Before: May 4 00:09:46 2017 GMT
    Not After : May 4 00:09:46 2019 GMT
[3] [4]

Or do it yourself:

  1. Copy the NoScript add-on installer (XPI file) from your Tor Browser folder to a temporary folder so you can work on it. The XPI file is named as the UUID of NoScript: 73a6fe31-595d-460b-a920-fcc0f8843232 (See question 2.6 in NoScript FAQ. Microsoft calls them GUIDs.)
     ./tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
  2. XPI files are ZIP files, so open it in your local unzip program. If it returns errors, rename the XPI file to something normal like noscript.xpi.
  3. Extract the mozilla.rsa file.
     ./META-INF/mozilla.rsa
  4. If you have openssl command line tools installed, open a terminal (command line prompt), cd to the folder containing the extracted mozilla.rsa, and type this command [4]:
     openssl pkcs7 -in mozilla.rsa -inform der -print

You can grep just the names, dates, and times by doing:
openssl pkcs7 -in mozilla.rsa -inform der -print | grep -B1 -A3 -i valid

New certificate:

  Common Name (CN) = signingca1.addons.mozilla.org
  Validity:
    Not Before: Apr 4 00:00:00 2015 GMT
    Not After : Apr 4 00:00:00 2025 GMT

Good discussions:
https://news.ycombinator.com/item?id=19823701
https://news.ycombinator.com/item?id=19825921

> the "fix" they describe does not apply to Firefox ESR, which will be fixed "soon".

"A Firefox release has been pushed... version 60.6.2 for ESR." (Sun May 5 20:25:00 2019 UTC (2019-05-05)) [5]

> XPI files are ZIP files, so open it in your local unzip program.

unzip had a bug which was recently fixed in Debian.

Don't know how much to worry about that; my point is that we all need to be careful to avoid making things worse with an ill-conceived "fix".

> If this was an unrecognized critical flaw for many months...

When a cert is created, the "before" and "after" dates are displayed or manually entered. Whoever made it was told the date when it would expire. It was very likely recognized. But it was forgotten, neglected, or ignored. The cert was valid from 2017-05-04 to 2019-05-04 which implies that it was created and recognized(!) on 2017-05-04 or sometime between that range of dates for it to have been of any usefulness.
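
The do-it-yourself check from the reply above (open the XPI as a ZIP, pull out META-INF/mozilla.rsa, read the certificate validity dates), as an added Python example that is not part of the original thread or of Mozilla's or Tor Project's code. It goes beyond the openssl one-liner by walking the DER bytes itself and flagging any certificate outside its validity window; the helper names and the sample blob are constructed for illustration, using only the dates quoted above.

```python
import io
import zipfile
from datetime import datetime, timezone

SIG_PATH = "META-INF/mozilla.rsa"  # signature block path given in the thread

def der_items(buf):
    """Yield (tag, value) for each DER TLV in buf (single-byte tags only)."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, buf[pos:pos + length]
        pos += length

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    dt = datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    if tag == 0x17 and dt.year >= 2050:  # X.509: YY >= 50 means 19YY
        dt = dt.replace(year=dt.year - 100)
    return dt

def find_validities(buf):
    """Return (not_before, not_after) for every Validity SEQUENCE in a DER blob.
    Only constructed items (bit 0x20: SEQUENCE, SET, [n] wrappers) are descended."""
    items = list(der_items(buf))
    if len(items) == 2 and all(tag in (0x17, 0x18) for tag, _ in items):
        return [tuple(parse_time(tag, val) for tag, val in items)]
    return [v for tag, val in items if tag & 0x20 for v in find_validities(val)]

def xpi_validities(xpi_bytes):  # XPI files are ZIP archives
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        return find_validities(xpi.read(SIG_PATH))

def outside_validity(validities, now):  # certs whose window excludes `now`
    return [v for v in validities if not (v[0] <= now <= v[1])]

# Constructed sample data below: a minimal DER skeleton, not a real signature.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, body < 128 bytes

def sample_xpi():
    old = tlv(0x30, tlv(0x17, b"170504000946Z") + tlv(0x17, b"190504000946Z"))
    new = tlv(0x30, tlv(0x17, b"150404000000Z") + tlv(0x17, b"250404000000Z"))
    certs = tlv(0xA0, tlv(0x30, tlv(0x02, b"\x01") + old) + tlv(0x30, new))
    blob = tlv(0x30, certs + tlv(0x31, tlv(0x17, b"190101000000Z")))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(SIG_PATH, blob)
    return buf.getvalue()
```

Passing the bytes of a real .xpi to `xpi_validities` and a future date to `outside_validity` shows which signing certificates will lapse before that date.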

Anonymous

May 05, 2019

Permalink

Please ensure core addons cannot be disabled in the future for whatever reason, I was wondering why javascript was working despite being on the safest security level

Anonymous

May 05, 2019

Permalink

So to be clear, setting "xpinstall.signatures.requiredentry" to "false" only affects installing addons? Are there any other effects this will have? Is this just for getting NoScript to work again? What does NoScript do that disabling JavaScript doesn't?

Many websites require at least some scripts to be allowed in order to work properly. With NoScript you can decide which scripts you allow. With disabling javascript it's all or nothing. If you want to make a website to work you need to enable javascript and then you let in ALL scripts. Not just the ones that are needed to make the website work.

Anonymous

May 05, 2019

Permalink

Some alternative browsers have been suggested in this thread and on other sites.
Browsers like Waterfox, Pale Moon, Vivaldi, Brave.
I would prefer the comparatively lesser known Icecat browser.
I like their user centric approach to privacy.

Desktop: www.gnu.org/software/gnuzilla/
Android: f-droid.org/en/packages/org.gnu.icecat

Anonymous

May 05, 2019

Permalink

For those who know, is it safer to disable JavaScript from about:config or have NoScript give extra protection?

Anonymous

May 05, 2019

Permalink

This problem seems like a simple enough oversight, especially as the advice has always been not to install add-ons. The real mistake imo is that TBB's Security Level functionality depends on an add-on (NoScript), which in turn is dependent on externalities out of Tor Project's control/purview.

Functionality integral to Tor Browser should be integrated into Tor Browser: In this case that would mean building NoScript functionality into Tor Browser rather than continuing to employ it as an add-on. Please look into making this happen in a future release.

Anonymous

May 05, 2019

Permalink

While Chromium seems more secure to some people, as it probably contains more security features the following also needs to be taken into account:
- The source code is very hard to audit. It is for instance hard to make sure that Chromium is free software, or even to make sure that it's legal to redistribute as this bug report shows: https://bugs.chromium.org/p/chromium/issues/detail?id=28291.
- Security is very dependent on the threat model. For Apple, the people using some of their products (iPhones and iPads) are a threat. But for many people used by Apple's products, Apple's tight control over the device that they bought and use is a threat. So for the latter, Apple's security (restricted boot which forces people to be used by their operating system, and denying users the right to install the applications they want without Apple's consent) is a very serious threat. So having that security broken or having no such security is crucial for people's freedom, privacy and security. As I understand, Firefox's threat model is way more aligned to the tor-browser's threat model than Chromium's.
- As I understand, more generally speaking, the Firefox political goals are more aligned with the tor-browser's political than Chrome's. As such, the design decisions and the code written carry out that political goals. As the tor-browser relies on upstream codebases for various reasons, it's probably more practical to help improve Firefox's security by working with them, rather than trying to retrofit privacy and freedom into a project like Chromium that might be driven by totally incompatible and antagonist objectives. It might also not be a very good idea to spend an enormous amount of resources just to keep up developing and maintaining that privacy and freedom retrofitting as the new versions of Chromium are released. Spending that amount of resources in a way that is more sustainable and has greater long term impact would be wiser. It would also have greater political impact as it could make the organizations that develop free software browsers better, and more generally try to influence web standards to respect users freedom and privacy and try to empower users as much as possible.

Anonymous

May 05, 2019

Permalink

I agree with previous comments, even if Mozilla stays oblivious TOR really needs to have some means of avoiding things like that in the future

Anonymous

May 05, 2019

Permalink

To put it simply: Tor Browser is no longer safe as scripts can't be blocked, but the so-called workaround also causes security problems. Are we supposed to just not use Tor until this is fixed? It seems like the most obvious question to me.

The security problem caused by workaround is a problem only if you want to install add-ons because now there's nothing to tell if they are safe or not. So after the workaround you can use Tor just fine. Just don't install any add-ons.

Anonymous

May 05, 2019

Permalink

I am waiting for the newest update or a small update for this problem.
Many thanks for your efforts.

Well, to begin with Mozilla took way longer than usual to provide a fix and they needed several trials to get this right as this is more complicated than it looks. Additionally, we need to test a bit more than usual as well as we need to add an additional fix on top of what Mozilla ships as the solution interferes with one of our patches.

We have a candidate build for testing if you want: https://people.torproject.org/~boklm/builds/8.0.9-build1/ and so far everything looks good. We plan to push the update live in a couple of hours.

Anonymous

May 05, 2019

Permalink

Hey hi Tor team, I just L O V E your team and work, I appreciate your work a lot. Tor messenger should have been active as well, at least a software which makes any messenger software a Tor messenger, by making changes in the network settings of a PC. I never used Tor messenger, I just think it should have been there.
I always want to donate, I want to donate every now and then.....but I think the amount under 'donate once' should be lesser than 10$, hmmmm something around 3$ or at the most 5$...for us, we are boomed and banged Chindians. :-)

Lots of love and respect to you guys!

Anonymous

May 05, 2019

Permalink

For normal Firefox Users (not Tor!) Mozilla released a fixed version: Firefox 66.0.4.

Click help in Firefox, then About and it will update to 66.0.4.

Anonymous

May 05, 2019

Permalink

I'd like the next blog post for Tor Browser releases to walk through how to backup and install cleanly. All of these different suggestions to change assorted settings can't be hygienic for the user base. It's probably best to serve a guide about it somewhere on the main website or wiki permanently anyway.

Once the bug patch is released, your team deserves a couple full days off. Your weekend was ruined. But thank you all.

Anonymous

May 05, 2019

Permalink

History doesn't show ip and date of Firefox and the browser communicating over certificates to disable the security feature. Is it in a log somewhere?

Anonymous

May 05, 2019

Permalink

It has mouse gestures, keyboard shortcuts built in (both of which makes it a breeze to move between tabs/windows when you have multiple windows with many tabs open; needed, when doing research).

Also has screen shot/page capture, color invert (DARK mode) and many other functionality that are built into the browser, completely eliminating the need to install additional extensions/add-ons.

> It has mouse gestures, keyboard shortcuts built in (both of which makes it a breeze to move between tabs/windows when you have multiple windows with many tabs open; needed, when doing research).

Convenience is the enemy of security. I actually hate gestures. I often have the problem that an unintentional gesture maximizes TB, a real no-no. And I have no idea what motions the FF developers intend to be gestures.

Anonymous

May 05, 2019

Permalink

Is this Mozilla certificate expiration and NoScript disablement a very tasty vulnerability for adversaries to exploit and deanonymize Tor Browser users by creating one or more fake Mozilla add-on certificates now or at some other times in the near or more distant futures? Can a powerful adversary exploit this vulnerability in Tor Browser thanks to the vulnerability caused by the mismanagement of Mozilla certificates for add-ons in Tor Browser? Hasn't Mozilla already demonstrated a past history on at least one occasion of serious problems in the management of Mozilla certificates for add-ons? Does this indicate Mozilla is wittingly or unwittingly caving on the user security front? Does this mean Tor Browser will be operating with lowered thresholds of user security going into the future? What is the best recourse for worried Tor Browser users operating in countries with dangerous authoritarian governments where communications with the outside world via Tor can bring arrest, torture, imprisonment, or execution at the hands of the state? In light of this exposed compound weakness in Mozilla, NoScript, and Tor Browser, is it risky or dangerous to continue to use Tor Browser if a user faces a powerful and dangerous adversary?

> Does this indicate Mozilla is wittingly or unwittingly caving on the user security front? Does this mean Tor Browser will be operating with lowered thresholds of user security going into the future?

I am not a coder but I think the answer to those two is "no". But we users are not wrong to be horrified. Seems it could have been much worse, but this should be a wake-up call.

This vulnerability was not triggered by the name on the certificate; it was triggered by the time at which the cert was set to expire.

> by creating one or more fake Mozilla add-on certificates [in the future]?

It would be extremely difficult to deliberately insert a fake Mozilla certificate without anyone noticing; much harder than the cause of this bug. Every certificate in the chain from the top root-ca-production-amo is labeled as being issued by Mozilla Corporation. If you trust what the certificates say, then only Mozilla and the add-on submitter are in the chain. The inclusion of the cert to the Mozilla software repositories is reviewed and then cryptographically signed by Mozilla developers. Tor Project later releases reproducible builds of Tor Browser. If any cert for add-ons is faulty, the browser displays a yellow warning bar.

Hypothetically, it may be simpler to coerce or spearphish a Mozilla developer to compromise the private key. I don't know if a council of developers observes how their organizational keys are created. I don't know their methods of holding their organization's private keys. Mozilla could make a new key to replace a faulty key anyway as quickly as they made the one in the fix.

> Can a powerful adversary exploit this vulnerability in Tor Browser... ?

Which vulnerability? The absence of NoScript can be exploited because individual browser fingerprints became more identifiable on Safer and Safest. The cert chain, however, appears to be totally controlled by Mozilla, no third parties.

> Hasn't Mozilla demonstrated a past history of serious problems in the management of Mozilla certificates for add-ons?

The recent event was dubbed "armagadd-on 2.0". It was reported about 39 minutes after it expired. The original "armagadd-on" in 2016 was reported about 7 days before it expired.

> Does this indicate Mozilla is wittingly or unwittingly caving on the user security front?

Yes? Unwitting is more likely. People forget expiration dates for all sorts of things. In the world of computing, another example seen very often is when a website domain name is not renewed.

> Does this mean Tor Browser will be operating with lowered thresholds of user security going into the future?

No, definitely higher. 8.0.9 repaired it and is the first step of many toward preventing the problems from happening again.

> What is the best recourse for worried Tor Browser users

Hopefully, when they saw the yellow warning bar, they stopped browsing to new pages and closed Tor Browser or started a New Identity to close all their tabs. Then, hopefully, in the new session, they came straight to this blog to look for updates and help. The basic difference was that their traffic became similar to browsing on Standard. Not exactly, but similar. The good news for at-risk users is that 1) Tor Browser continued using relays as normal, 2) the user's IP was hidden as normal, 3) the sites they were visiting could only be observed between their exit nodes and destinations as normal. The bad news, mainly, is that those sites and third-parties observing traffic from the exit node could have recorded a browser fingerprint that was more able to relate their traffic to their other traffic despite being from a crowded exit node or a New Identity. If they closed their tabs, their best recourse is to do what they would do similar in manner as if they had been browsing on Standard in that session and until they installed the fix.

> is it risky or dangerous to continue to use Tor Browser

On 8.0.9, it's as risky as if this bug was never there. As if this bug was recognized and fixed before the cert expired. Just remember to roll back any workarounds you did.