NoScript Temporarily Disabled in Tor Browser

Due to a mistake in Mozilla's signing infrastructure, NoScript and all other Firefox extensions signed by Mozilla have been disabled in Tor Browser. Because they use NoScript, higher security levels are currently broken for Tor Browser users.

Mozilla is working on a fix, and we'll start building a new Tor Browser version as soon as their fix is available.

Meanwhile, anyone who is dependent on the security provided by the higher security levels can apply the following workaround:

  1. Open the address about:config in the Tor Browser address bar
  2. At the top of the page, search for xpinstall.signatures.required
  3. Set the xpinstall.signatures.required entry to false by double-clicking it

Note: This workaround should only be used temporarily, as it disables a security feature. Please remember to set the xpinstall.signatures.required entry back to true again once the Tor Browser security update is applied.
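As an added example (not from the Tor Project post and not Tor Browser's own code), a small Python script that checks a profile's prefs.js for the workaround pref above and, on request, restores it to its secure default, so the workaround is not left in place after the fixed release is installed. It assumes the standard Firefox `user_pref("name", value);` line format; the embedded sample prefs text is constructed.

```python
import re
import sys
from pathlib import Path

PREF = "xpinstall.signatures.required"
# Matches one prefs.js/user.js line such as: user_pref("xpinstall.signatures.required", false);
_PREF_RE = re.compile(
    r'^[ \t]*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(true|false)\s*\);[ \t]*$',
    re.MULTILINE,
)

def signature_check_enabled(prefs_text: str) -> bool:
    """Effective value of the pref: Firefox only writes it when it differs
    from the default (true), and if written more than once the last line wins."""
    values = _PREF_RE.findall(prefs_text)
    return True if not values else values[-1] == "true"

def restore_signature_check(prefs_text: str) -> str:
    """Return the prefs text with enforcement switched back on (the revert step
    the post asks for), leaving every other line untouched."""
    fixed_line = f'user_pref("{PREF}", true);'
    if _PREF_RE.search(prefs_text):
        return _PREF_RE.sub(fixed_line, prefs_text)
    sep = "" if prefs_text == "" or prefs_text.endswith("\n") else "\n"
    return prefs_text + sep + fixed_line + "\n"

def audit_prefs_file(path: Path, fix: bool = False) -> bool:
    """Report whether a prefs file still carries the workaround; with fix=True,
    rewrite it so signature checking is enforced again."""
    text = path.read_text(encoding="utf-8")
    enabled = signature_check_enabled(text)
    if not enabled and fix:
        path.write_text(restore_signature_check(text), encoding="utf-8")
        enabled = True
    return enabled

# Constructed sample of a prefs.js with the workaround still in place.
SAMPLE_PREFS = (
    "// Mozilla User Preferences (constructed sample, not a real profile)\n"
    'user_pref("example.constructed.pref", 1);\n'
    'user_pref("xpinstall.signatures.required", false);\n'
)

if __name__ == "__main__":  # usage: python audit_prefs.py <profile>/prefs.js [--fix]
    if len(sys.argv) < 2:
        print("sample has signature checking on:", signature_check_enabled(SAMPLE_PREFS))
    else:
        ok = audit_prefs_file(Path(sys.argv[1]), fix="--fix" in sys.argv[2:])
        print(sys.argv[1], "signature checking", "enforced" if ok else "DISABLED")
```

Run it only while Tor Browser is closed, because the browser rewrites prefs.js on exit and would overwrite the change.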

Sorry for the inconvenience.

Eh... Depends how one looks at it. Technically, yes, going by the default settings, time-checking disabled it locally. On the other hand, expiration time is managed remotely. It's a dead-man's switch, but if the key owner is alive and just ignores it, same result. Certainly, though, it says nothing about intention.

Making sweeping and misleading claims in times of trouble helps no-one.

In assessing a security issue it is vital to accurately understand the technical details. Those of us who don't have the specialized knowledge required should trust the Tor team, because if we can't trust them, who on Earth could we trust?

I'd add that IMO claims that "Tor is broken" or "all is lost" are just as harmful as advice to ignore security issues entirely.

Security is a process, not a state, and while this incident is very troubling (and clearly not TP's fault), the response to the emergency has been excellent.

> if we can't trust them, who on Earth could we trust?

Ourselves, the code, our build machine, crypto algorithms, math, ... The development, knowledge, and many studies are public and open if we rise to meet the challenge. They did.

No, I'm saying options are not hopeless or desolate as you make it sound. There are more ways than having blind trust and subservience for everyone and everything in the production chain. While being thankful that TP people are doing the work, acknowledge that most of us, we users, would be welcome, and many are able to learn and get involved, but we are choosing not to do the work.

> No, I'm saying options are not hopeless or desolate as you make it sound.

I'm confused. Far from urging anyone to abandon all hope, I was urging people to take heart from the fact that while the Tor community is endangered by many enemies, some lavishly funded, our enemies have problems of their own and our situation, while precarious, is by no means hopeless.

> There are more ways than having blind trust and subservience for everyone and everything in the production chain.

I never urged anyone to "have blind trust" (for example, I always urge people I know to verify the cryptographic signatures before installing the latest TBB). I have argued that given our incomplete information about the hazards Tor users face, we need to try to guess an appropriate threat model which attempts to prioritize threats by the potential damage and the likelihood that they will soon be realized in practical attacks on us.

Is it possible that you confused me with another commentator? (Easy to do when almost everyone here is anonymous.)

> While being thankful that TP people are doing the work, acknowledge that most of us, we users, would be welcome, and many are able to learn and get involved, but we are choosing not to do the work.

You are choosing not to help TP? Why not?

Mateus

May 06, 2019

"Please remember to set the xpinstall.signatures.required entry back to true again once the Tor Browser security update is applied."
Setting it to true makes NoScript disappear.

Mateus

May 06, 2019

Bugfix release is out, hooray! BTW, thanks for the necessary reminder to rollback the workaround!

PS: I see some interesting and important points made regarding my personal distrust toward NoScript and general add-on use preferences and their impact on privacy, but I am going to write replies later if you allow. I have to ensure all my affected foxes got their fix and were brought back to security.

Mateus

May 07, 2019

Stay cool guys, it's only a browser bug(-:.
Compare it with the systemd bug list, a new must-have Linux core component.

Actually, I think both browser and systemd bugs are very serious.

There are valid concerns about systemd which are similar to concerns expressed in this thread about Chromium and Firefox. AFAIK there is not yet any evidence of actual collusion with bad guys, however. So it's another of those things where we worry, and probably should worry, but don't yet really know anything concrete which would sound the tocsin.

Mateus

May 08, 2019

Having an addon disable itself silently seems like a potential security/privacy risk.
I hope the Tor Browser devs have realized this already, and are working on some remedy.

At the very least, the Browser should always display a warning if something is not quite as it should be. So the user can make a decision about what to do.
Obviously we need to know before we load and use a website.

The add-on didn't disable itself. An intermediary signing certificate owned by Mozilla expired, and the browser is configured to disable add-ons whose certificates are expired.

It wasn't silent. When the browser disables an add-on, it displays a yellow bar across the top of the browser tabs that warns the user by saying, "One or more installed add-ons cannot be verified and have been disabled," followed by a "Learn More" button. Did the yellow bar not display for you? If so, that would be a bug we don't know about, and you should tell us.

I don't know how the yellow bar could have escaped my attention.
I certainly did not notice it. (and I make a point of reading any popups and warnings, because I know there will always be that 1 critical among thousands)

So I think, and am pretty sure, there was no warning.
If there was, and someone like me actually missed it, that's an important indicator in itself.

I am aware the add-on did not literally disable itself. Poor choice of words. But the point is: a security feature was disabled without the user's consent - it was automatic, decided by an outside entity, with the "undo" button explicitly removed. This should not be possible, especially in the TorBrowser.

> At the very least, the Browser should always display a warning if something is not quite as it should be.

Actually I think it would have done (before we all updated to TB 8.0.9) but not in a very helpful manner which most users would immediately understand. So if a warning can be coded safely (health checks can in themselves possibly be exploited by the bad guys), this would be worth doing, because we certainly don't want to be caught out if it happens again.

This incident could have had a much more dire impact in the real world if it had happened just before May Day instead of just after May Day.

Looking ahead to the upcoming Tiananmen Square anniversary we should all try to make sure we know how to spot such problems if they arise again. A popup could help a lot if it can be done safely.

Mateus

May 18, 2019

Half the add-ons in my regular Firefox have been disabled. Besides 1 UI add-on, all of those disabled relate to security and privacy (disconnect, privacybadger, .. ), everything else is fine.

Solution? Mozilla wants me to install an add-on they made, which at this point I wonder if I can trust. And some people report it does not even fix the problem.
The alternative? Install the newest Firefox.

So Mozilla doesn't really provide a fix. They just force you to update your browser?
What awaits me in the code of that software? These past years forced updates always had "something bad attached".

I started up an old Firefox version, which somehow was still on my hdd: same add-ons, but no problems there. Interesting, all add-ons working fine, if your version is old enough. So the cause was introduced recently?

Well, I guess TorBrowser is going to see even more use from me. Though incidents like this make me wonder who we can trust. Or more to the point: can you trust the people you trust to trust the right people? Not removing this Firefox anti-feature for TorBrowser was a clear sign of blind "if it's for a good reason, it must be ok" trust.