Re: [tor-talk] Tor Browser disabled NoScript, but can't update
Roman Mamedov:
> On Sat, 4 May 2019 02:21:15 -0500
> Joe wrote:
>
>> I've used the latest stable TBB 8.0.8 (Linux) since released with the
>> latest NoScript (at that time).
>> Today is the 1st day I saw that NoScript was disabled by TBB.
>>
>> I see now that it's not a TBB only issue, but also Firefox.
>> A comment on Reddit said, "They [Mozilla] let their add-on signing
>> certificate expire and it invalidated a shitload of add-ons."
>
> It is very surprising to see that TBB relies on Mozilla like this. Turns out

I think we should differentiate a bit here. Of course, Tor Browser
relies on that as we support installing extensions as long as they are
signed by Mozilla. It's a fair point, though, saying the extensions we
ship as essential Tor Browser extensions should be resistant to Mozilla
PKI failures or we should fall back to safer defaults or... We have some
options here which we will discuss in the near future and then we'll
implement those we deem worthwhile.

> an unrelated 3rd party can suddenly remotely disable Tor anonymity protections
> at their whim, and possibly endanger TBB users (or deliberately help in
> deanonymizing them).

I think that's not adequately describing the situation we were in.
Mozilla did not suddenly remotely disable Tor anonymity protections at
their whim. What happened was that Tor Browser users on higher security
levels got suddenly essentially the same experience as any Tor Browser
user that is using Tor Browser as we ship it. This is definitely a
serious bug, I agree. However that did not happen by pressing some
button remotely as the certificate you had *locally* in your browser
expired.

You could argue that Mozilla could just sign any extension and ship that
one as an "update" to NoScript and Tor Browser would happily install it.
Yes, this possibility exists and we will revisit that scenario (see
above). However, there are no known ways that Mozilla can induce a Tor
bypass be it remotely or by installing an extension into Tor Browser (or
by failing to monitor expiration dates of certificates) (if I am wrong
here, please let us know). I think that should be kept in mind as well
when talking about the scope of the problem at hand.

Finally, if you look at the amount of code we inherit from Firefox (way
more than 99%) then there is plenty of room where things can go wrong
(for a bunch of "wrong"s), so even if we avoid the NoScript problem in
the future (which we should), we are pretty dependent on Mozilla.

Georg

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser disabled NoScript, but can't update
Thanks to all & for the link.

A slight change this morning. - that I didn't see last night (Fri
5/3/2019).

Last night I changed the about:config pref,
"xpinstall.signatures.required" to false - before I saw the post on Tor
Project's blog
https://blog.torproject.org/noscript-temporarily-disabled-tor-browser#comment-form.

Last night, the pref change & restarting TBB made no difference in NS
being disabled or in the addons manager message that the unverified
addon was disabled.

This morning - on TBB's 1st start, the addons manager allowed *NS to
load* normally & the message now says:
"NoScript could not be verified for use in Tor Browser. Proceed with
caution."

Guessing Mozilla made a change so when Firefox contacts their addons
server, it doesn't disable addons - just shows a different warning?

The newest "Proceed with Caution" warning will likely confuse or concern
many. If it's a hard coded message, there may be no alternative.
Otherwise, "better" wording could be used.

Would it be possible when TBB automatically or manually checks for a
newer TBB version, to temporarily show a short explanation & a link to a
Tor Project page for some explanation?

Is HTTPS Everywhere (in TBB) not signed by Mozilla - rather by Tor
Project, thus no warning about it in the addons manager?

On 5/4/19 8:30 AM, Georg Koppen wrote:
> Mirimir:
>> On 05/04/2019 12:21 AM, Joe wrote:
>>> I've used the latest stable TBB 8.0.8 (Linux) since released with the
>>> latest NoScript (at that time).
>>> Today is the 1st day I saw that NoScript was disabled by TBB.
>>>
>>> I see now that it's not a TBB only issue, but also Firefox.
>>> A comment on Reddit said, "They [Mozilla] let their add-on signing
>>> certificate expire and it invalidated a shitload of add-ons."
>>>
>>> I assume it expired today? When TBB & Fx checked for addon versions, it
>>> saw the expired signing certificate.
>>> There is a script listed on Reddit that supposedly will re-enable the
>>> addons, but until Mozilla fixes the signing certificate bug, they said
>>> the script would need running every 24 hrs.
>>
>> See https://trac.torproject.org/projects/tor/ticket/30388 for temporary fix.
>
> In addition to that: We plan to ship an updated Tor Browser as soon as
> Mozilla has fixed the bug on their side. I expect Mozilla to be ready
> later today so that we might be able to get a new Tor Browser out
> tomorrow, or latest, Monday morning EU time.
>
> Sorry for the inconvenience.
>
> Georg

Re: [tor-talk] Tor Browser disabled NoScript, but can't update
Mirimir:
> On 05/04/2019 12:21 AM, Joe wrote:
>> I've used the latest stable TBB 8.0.8 (Linux) since released with the
>> latest NoScript (at that time).
>> Today is the 1st day I saw that NoScript was disabled by TBB.
>>
>> I see now that it's not a TBB only issue, but also Firefox.
>> A comment on Reddit said, "They [Mozilla] let their add-on signing
>> certificate expire and it invalidated a shitload of add-ons."
>>
>> I assume it expired today? When TBB & Fx checked for addon versions, it
>> saw the expired signing certificate.
>> There is a script listed on Reddit that supposedly will re-enable the
>> addons, but until Mozilla fixes the signing certificate bug, they said
>> the script would need running every 24 hrs.
>
> See https://trac.torproject.org/projects/tor/ticket/30388 for temporary fix.

In addition to that: We plan to ship an updated Tor Browser as soon as
Mozilla has fixed the bug on their side. I expect Mozilla to be ready
later today so that we might be able to get a new Tor Browser out
tomorrow, or latest, Monday morning EU time.

Sorry for the inconvenience.

Georg

Re: [tor-talk] Tor Browser disabled NoScript, but can't update
On 05/04/2019 12:21 AM, Joe wrote:
> I've used the latest stable TBB 8.0.8 (Linux) since released with the
> latest NoScript (at that time).
> Today is the 1st day I saw that NoScript was disabled by TBB.
>
> I see now that it's not a TBB only issue, but also Firefox.
> A comment on Reddit said, "They [Mozilla] let their add-on signing
> certificate expire and it invalidated a shitload of add-ons."
>
> I assume it expired today? When TBB & Fx checked for addon versions, it
> saw the expired signing certificate.
> There is a script listed on Reddit that supposedly will re-enable the
> addons, but until Mozilla fixes the signing certificate bug, they said
> the script would need running every 24 hrs.

See https://trac.torproject.org/projects/tor/ticket/30388 for temporary fix.

> There is a new NoScript version 10.6.1, but it wouldn't be tweaked for
> TBB - downloading it from AMO or NoScript's site, even if it would install.
>
> HTTPS Everywhere isn't tagged as a legacy addon for me, but it can't
> update to the new version, either.

[tor-talk] Tor Browser disabled NoScript, but can't update
I've used the latest stable TBB 8.0.8 (Linux) since released with the
latest NoScript (at that time).
Today is the 1st day I saw that NoScript was disabled by TBB.

I see now that it's not a TBB only issue, but also Firefox.
A comment on Reddit said, "They [Mozilla] let their add-on signing
certificate expire and it invalidated a shitload of add-ons."

I assume it expired today? When TBB & Fx checked for addon versions, it
saw the expired signing certificate.
There is a script listed on Reddit that supposedly will re-enable the
addons, but until Mozilla fixes the signing certificate bug, they said
the script would need running every 24 hrs.

There is a new NoScript version 10.6.1, but it wouldn't be tweaked for
TBB - downloading it from AMO or NoScript's site, even if it would install.

HTTPS Everywhere isn't tagged as a legacy addon for me, but it can't
update to the new version, either.