Opened 9 months ago

Closed 9 months ago

#21260 closed defect (duplicate)

Tor browser should be set so add-ons will not automatically update in the background

Reported by: Dbryrtfbcbhgf
Owned by: tbb-team
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal

Description

If a company that develops an add-on gets compromised, they could release a malicious update for their extension, and all users running Tor Browser would get the new malicious update that could compromise their anonymity. The users would not even know that the malicious add-on would be installed (e.g. HTTPS Everywhere).

Change History (6)

comment:1 Changed 9 months ago by yawning

Related/dup of #10394

I personally think that all the addons shipped with Tor Browser should only be updated by Tor Browser.

comment:2 in reply to:  1 ; Changed 9 months ago by Dbryrtfbcbhgf

Replying to yawning:

> Related/dup of #10394
>
> I personally think that all the addons shipped with Tor Browser should only be updated by Tor Browser.

But the add-ons are set to update automatically from addons.mozilla.org servers when a new version of the add-on is released to the public.

comment:3 Changed 9 months ago by Dbryrtfbcbhgf

Summary: Tor browser should be set so add-ons will not automaton update in the background → Tor browser should be set so add-ons will not automatically update in the background

comment:4 in reply to:  2 ; Changed 9 months ago by yawning

Replying to Dbryrtfbcbhgf:

> But the add-ons are set to update automatically from addons.mozilla.org servers when a new version of the add-on is released to the public.

I know, and I think that's wrong, and I specified what I think the behavior should be changed to, at least for HTTPS-E and NoScript. I'm not sure about what the behavior for random other things users decide to install should be; in general I think they have other more fundamental problems than the updater when they do that...

Coincidentally, the Linux sandbox disables the addon updater by default.

comment:5 in reply to:  4 ; Changed 9 months ago by Dbryrtfbcbhgf

Replying to yawning:

> Replying to Dbryrtfbcbhgf:
>
> > But the add-ons are set to update automatically from addons.mozilla.org servers when a new version of the add-on is released to the public.
>
> I know, and I think that's wrong, and I specified what I think the behavior should be changed to, at least for HTTPS-E and NoScript. I'm not sure about what the behavior for random other things users decide to install should be; in general I think they have other more fundamental problems than the updater when they do that...
>
> Coincidentally, the Linux sandbox disables the addon updater by default.

Will future versions of Tor Browser have automatic updates disabled for every add-on, including HTTPS-E and NoScript?

comment:6 in reply to:  5 Changed 9 months ago by gk

Resolution: duplicate
Status: new → closed

Replying to Dbryrtfbcbhgf:

> Replying to yawning:
>
> > Replying to Dbryrtfbcbhgf:
> >
> > > But the add-ons are set to update automatically from addons.mozilla.org servers when a new version of the add-on is released to the public.
> >
> > I know, and I think that's wrong, and I specified what I think the behavior should be changed to, at least for HTTPS-E and NoScript. I'm not sure about what the behavior for random other things users decide to install should be; in general I think they have other more fundamental problems than the updater when they do that...
> >
> > Coincidentally, the Linux sandbox disables the addon updater by default.
>
> Will future versions of Tor Browser have automatic updates disabled for every add-on, including HTTPS-E and NoScript?

The plan is to do this only for the extensions we ship. Marking this as a duplicate of #10394.
