NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)

https://bugzilla.mozilla.org/show_bug.cgi?id=1548973

Please backport this fix ASAP! I m using tbb for daily use so this is a huge problem!

added AffectsTails TorBrowserTeam201905RR component::applications/tor browser owner::tbb-team priority::immediate resolution::fixed severity::blocker status::closed type::task labels

Until this can be fixed properly, here is a temporary workaround for Tor Browser:

1. Open about:config
2. Toggle the value of xpinstall.signatures.required so it becomes false.
3. Restart the browser.

Note that this problem affects one of the bundled add-ons; NoScript is disabled by this bug.

Unfortunately there isn't yet a fix to backport. The issue is apparently that one (or some?) of the intermediate signing certs for many popular extensions has expired, and as such Firefox (and therefore Tor Browser) has 'correctly' disabled them.

Presumably we have to wait for the certs to get updated or extensions to be resigned or something :/

Trac:
Keywords: N/A deleted, AffectsTails added
Cc: N/A to intrigeri
Summary: All user-installed add-ons got deactivated! to NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)

#30390 (moved) is a duplicate.

https://www.reddit.com/r/firefox/comments/bkjrst/-/emh6xcf/

Trac:
Username: grahamperrin

I have my browser security set to 'Safest', yet Javascript became enabled when NoScript was removed. I had to go into about:config and turn off Javascript manually.

Trac:
Username: sobercat

#30393 (moved) is a duplicate.

Related to #19907 (moved)

Trac:
Username: cyberpunks

(Please note that I'm not the cyberpunks in the OP.) It's interesting that https-everywhere still works but noscript doesn't. Perhaps something can be done based on this info.

Trac:
Username: cyberpunks

Also reported in #30394 (moved), #30389 (moved).

"NoScript could not be verified for use in Tor Browser and has been disabled" happened around 20 hours ago for me, startled me, it still happens with a fresh install of 8.0.8.

Trac:
Username: boatface

#30396 (moved), #30394 (moved), #30389 (moved) are duplicates.

Prepare your blog inbox...

https://blog.torproject.org/noscript-temporarily-disabled-tor-browser

Closing as a duplicate of #30388 (moved)

Trac:
Status: new to closed
Resolution: N/A to duplicate

Gah, I'm sorry. Confused tabs. Reopening this as the top level tracking issue.

Trac:
Resolution: duplicate to N/A
Status: closed to reopened

Branch with ESR60 fix from Mozilla: https://phabricator.services.mozilla.com/D29947

tor-browser : https://gitweb.torproject.org/user/richard/tor-browser.git/commit/?h=bug_30388

Doing a Windows tor-browser-build and see how things go.

Trac:
Status: reopened to needs_review

#30399 (moved) is a duplicate.

Trac:
Cc: intrigeri to intrigeri, xkit

Replying to mcs:

Until this can be fixed properly, here is a temporary workaround for Tor Browser:

1. Open about:config
2. Toggle the value of xpinstall.signatures.required so it becomes false.

Please don't tell people to do this. The suggested workaround is an unequivocally bad idea.

In the immediate sense, this is a real risk. In the big picture, the Tor Project is training users to defeat "certificate validation" failed errors! This flies in the face of security/usability doctrine.

Today, Mozilla broke its PKI; so you tell users how to disable cryptographic signature checks of addons. Tomorrow, Verislime breaks its PKI; so you tell users to click "Add Exception" for every TLS certificate error?

For the sake not only of security, but also of long-term user education, please change the public blog post to not tell people to disable signature checks.

Good workaround: Open about:config, and set javascript.enabled to false.

This will totally disable JavaScript. Therefore, NoScript is not needed. (Thanks to other cypherpunks in ticket:30394#comment:4 .)

It may mess up the Security Slider, so do this after setting the Slider to High. This way, you will also get settings such as disabling SVG, MathML, Web fonts... Or if you need JavaScript on some sites, set the Slider to Medium first (disables ultra-dangerous script features). Then, leave an about:config tab open so you can toggle JavaScript on and off (as I did in the 90s, before the Tor Browser existed). I do not know if that has any additional risks; NoScript also disables some JavaScript features, and has XSS protection.