Opened 7 months ago

Closed 7 months ago

#30388 closed task (fixed)

NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)

Reported by: cypherpunks Owned by: tbb-team
Priority: Immediate Milestone:
Component: Applications/Tor Browser Version:
Severity: Blocker Keywords: AffectsTails, TorBrowserTeam201905RR
Cc: intrigeri, xkit, bakertaylor28, 1tijax, Sigil, si4kb, Geheim, doomeinow, Geoff2000 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

https://bugzilla.mozilla.org/show_bug.cgi?id=1548973

Please backport this fix ASAP! I m using tbb for daily use so this is a huge problem!

Child Tickets

Attachments (3)

firefox.jpg (366.6 KB) - added by Crissy2 7 months ago.
yahoo screen i should NOT be getting.png (1.1 MB) - added by justmeee 7 months ago.
Yahoo screen I should NOT be getting, but I get this with 8.5a12 with config set to true. I did NOT get this before these NoScript problems.
yahoo login page should go straight here.png (58.9 KB) - added by justmeee 7 months ago.
Yahoo page I SHOULD be getting when going to mail.yahoo.com. This is where I went directly before the NoScript problems, and where I go directly when config is set to false, but NOT when set to true, so this is one example of fix being buggy.

Download all attachments as: .zip

Change History (65)

comment:1 Changed 7 months ago by mcs

Until this can be fixed properly, here is a temporary workaround for Tor Browser:

  1. Open about:config
  2. Toggle the value of xpinstall.signatures.required so it becomes false.
  3. Restart the browser.

Note that this problem affects one of the bundled add-ons; NoScript is disabled by this bug.

comment:2 Changed 7 months ago by pospeselr

Unfortunately there isn't yet a fix to backport. The issue is apparently that one (or some?) of the intermediate signing certs for many popular extensions has expired, and as such Firefox (and therefore Tor Browser) has 'correctly' disabled them.

Presumably we have to wait for the certs to get updated or extensions to be resigned or something :/

comment:3 Changed 7 months ago by intrigeri

Cc: intrigeri added
Keywords: AffectsTails added
Summary: All user-installed add-ons got deactivated!NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)

comment:4 Changed 7 months ago by boklm

#30390 is a duplicate.

comment:6 Changed 7 months ago by sobercat

I have my browser security set to 'Safest', yet Javascript became enabled when NoScript was removed. I had to go into about:config and turn off Javascript manually.

comment:7 Changed 7 months ago by boklm

#30393 is a duplicate.

comment:8 Changed 7 months ago by cyberpunks

Related to #19907

comment:9 Changed 7 months ago by cyberpunks

(Please note that I'm not the cyberpunks in the OP.)
It's interesting that https-everywhere still works but noscript doesn't. Perhaps something can be done based on this info.

comment:10 Changed 7 months ago by boatface

Also reported in #30394, #30389.

"NoScript could not be verified for use in Tor Browser and has been disabled" happened around 20 hours ago for me, startled me, it still happens with a fresh install of 8.0.8.

comment:11 Changed 7 months ago by boklm

#30396, #30394, #30389 are duplicates.

comment:12 Changed 7 months ago by cypherpunks

Prepare your blog inbox...

comment:14 Changed 7 months ago by atagar

Resolution: duplicate
Status: newclosed

Closing as a duplicate of #30388

comment:15 Changed 7 months ago by atagar

Resolution: duplicate
Status: closedreopened

Gah, I'm sorry. Confused tabs. Reopening this as the top level tracking issue.

comment:16 Changed 7 months ago by pospeselr

Branch with ESR60 fix from Mozilla: https://phabricator.services.mozilla.com/D29947

tor-browser : https://gitweb.torproject.org/user/richard/tor-browser.git/commit/?h=bug_30388

Doing a Windows tor-browser-build and see how things go.

comment:17 Changed 7 months ago by pospeselr

Status: reopenedneeds_review

comment:18 Changed 7 months ago by boklm

Cc: xkit added

#30399 is a duplicate.

comment:19 in reply to:  1 Changed 7 months ago by cypherpunks

Replying to mcs:

Until this can be fixed properly, here is a temporary workaround for Tor Browser:

  1. Open about:config
  2. Toggle the value of xpinstall.signatures.required so it becomes false.

Please don't tell people to do this. The suggested workaround is an unequivocally bad idea.

In the immediate sense, this is a real risk. In the big picture, the Tor Project is training users to defeat "certificate validation" failed errors! This flies in the face of security/usability doctrine.

Today, Mozilla broke its PKI; so you tell users how to disable cryptographic signature checks of addons. Tomorrow, Verislime breaks its PKI; so you tell users to click "Add Exception" for every TLS certificate error?

For the sake not only of security, but also of long-term user education, please change the public blog post to not tell people to disable signature checks.

Good workaround: Open about:config, and set javascript.enabled to false.

This will totally disable JavaScript. Therefore, NoScript is not needed. (Thanks to other cypherpunks in ticket:30394#comment:4 .)

It may mess up the Security Slider, so do this after setting the Slider to High. This way, you will also get settings such as disabling SVG, MathML, Web fonts... Or if you need JavaScript on some sites, set the Slider to Medium first (disables ultra-dangerous script features). Then, leave an about:config tab open so you can toggle JavaScript on and off (as I did in the 90s, before the Tor Browser existed). I do not know if that has any additional risks; NoScript also disables some JavaScript features, and has XSS protection.

comment:20 Changed 7 months ago by boklm

Cc: bakertaylor28 added

#30400 is a duplicate.

comment:21 Changed 7 months ago by cyberpunks

Also reported in #30397

comment:22 Changed 7 months ago by cyberpunks

As well as #30391 and #30395

comment:23 Changed 7 months ago by Crissy2

I also have this problem now. I reinstalled three times the tor browser. I also tried install 8.0.7. How to do, to force NoScript to activate and stay active?

Why I see "Explore Privately" if NoScript doesn't work???

Is there any workaround to force enable NoScript?

Part of sites require scripts but I want to disable Media on these sites and part of functions that can deanonimize me.

What went wrong and why my NoScript was disabled DURING run TorBrowser? Why also it doesn't work in 8.0.7 after reinstallation?

Where is stored information about disabling NoScript to remove this information?

Changed 7 months ago by Crissy2

Attachment: firefox.jpg added

comment:24 Changed 7 months ago by cypherpunks

comment:25 in reply to:  16 ; Changed 7 months ago by pospeselr

Replying to pospeselr:

Branch with ESR60 fix from Mozilla: https://phabricator.services.mozilla.com/D29947

tor-browser : https://gitweb.torproject.org/user/richard/tor-browser.git/commit/?h=bug_30388

Doing a Windows tor-browser-build and see how things go.

Amended this patch with logic to temporarily disable security.nocertdb and re-enable after the new cert is stored.

comment:26 in reply to:  24 Changed 7 months ago by Crissy2

Replying to cypherpunks:

A fix was posted. Merge it with TBB and update it NOW!!!

https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/comment-page-6/#comment-226171

I have installed the hotfix. NoScript still doesn't work also after restarting TBB.

comment:27 Changed 7 months ago by cyberpunks

I agree with cyberphunks in ticket:30388#comment:19

The right workaround seems to be entering about:config in address bar and set javascript.enabled to false instead of setting xpinstall.signatures.required to false as suggested in https://blog.torproject.org/noscript-temporarily-disabled-tor-browser

We should not encourage user to disable security checks when there is a problem, especially not when there is an alternative workaround not requiring disabling security checks.

comment:28 in reply to:  25 Changed 7 months ago by gk

Keywords: TorBrowserTeam201905R added

Replying to pospeselr:

Replying to pospeselr:

Branch with ESR60 fix from Mozilla: https://phabricator.services.mozilla.com/D29947

tor-browser : https://gitweb.torproject.org/user/richard/tor-browser.git/commit/?h=bug_30388

Doing a Windows tor-browser-build and see how things go.

Amended this patch with logic to temporarily disable security.nocertdb and re-enable after the new cert is stored.

So, without disabling that pref the fix is not working, right? At any rate, picked the patches Mozilla actually landed on the esr branch (commits 421a5cdf1349d7fa0dfbbe7f1ee8146e435c1b97 and 428fad69b4b0baa331d0e8be8c4012145ecae726) and added your security.nocertdb workaround on top of it (commit edf18e747ca8949a877f9c41575ce679ce99eb77). All of those commits are on the tor-browser-60.6.1esr-8.0-1 branch. Let me know whether that looks good.

comment:29 Changed 7 months ago by gk

Cc: 1tijax added

comment:30 Changed 7 months ago by gk

Cc: Sigil added

#30391 is a duplicate.

comment:31 Changed 7 months ago by gk

Cc: si4kb added

#30398 is a duplicate.

comment:32 Changed 7 months ago by gk

Cc: Geheim added

#30395 is a duplicate.

comment:33 Changed 7 months ago by gk

Cc: doomeinow added

#30397 is a duplicate.

comment:34 Changed 7 months ago by doomeinow

While toggling JavaScript to false with about:config disables JavaScript, things like HTML5 are still enabled, which means things like processor "speculative execution" vulnerabilities still exist (Meltdown, Foreshadow, Spectre). While these are more discovered than deployed, the receiver in my tinfoil hat says state actors are probably fiddling with them.

comment:35 Changed 7 months ago by gk

I've cherry-picked the above three patches (see comment:28) on a branch for the upcoming alpha release: commit 1ae4a922f47d814ce85a553a63b27278b5714570, 117f83ada443d8c40d8935d4f197212630605f64, and 1ca734a5a94048a925ea455ff3a5ee780f1653cc on tor-browser-60.6.1esr-8.5-2.

comment:36 in reply to:  34 Changed 7 months ago by cypherpunks

With apologies for the bugspam when devs are trying to ship an emergency fix - users really need a better workaround than disabling signature checks on add-ons, but also not to fall for security confusion!

Replying to doomeinow:

While toggling JavaScript to false with about:config disables JavaScript, things like HTML5 are still enabled, which means things like processor "speculative execution" vulnerabilities still exist (Meltdown, Foreshadow, Spectre).

IIUC, all known speculative execution vulnerabilities require JavaScript. Perhaps you may be confused because JavaScript is loosely included in the marketspeak branding-term "HTML5".

Anyway, as its name suggests, what NoScript does is mostly to disable or filter JavaScript. Setting javascript.enabled to false should provide a strict superset of the same functionality, except that (as I noted above) NoScript may also disable some other potentially high-risk features such as web fonts or audio/video media. Disabling JavaScript will indeed disable all the worst attack surfaces; anything else seems comparatively lower risk, in my opinion. In today's browsers, even HTML/CSS are not risk-free.

I think that raising the Security Slider disables some dangerous features by directly changing the config, but I am not sure; on the other hand, I think that it does rely on NoScript to disable fonts and media (again, not sure).

Information from Tor Browser developers would be helpful.

comment:37 Changed 7 months ago by Crissy2

There is new version of firefox: 60.6.2 ESR with corrected bug. Can you please distribute compiled versions for Linux, Windows 32 and OSX as 8.0.9 (based on Mozilla Firefox 60.6.2esr) (32-bit)?

comment:38 Changed 7 months ago by gk

Cc: Geoff2000 added

#30405 is a duplicate.

comment:39 Changed 7 months ago by gk

Okay, we need a slight change in our plans and need a -build2 which costs us additional time. :(

We realized that we need make sure the intermediate certificate database is available when the new cert gets added and therefore set security.nocertdb to false, then imported the cert and then set the security.nocertdb back to false. Now everything is fine if you leave your Tor Browser open and don't do a New Identity. However, if you restart your browser security.nocertdb makes sure the saved intermediate certificates are not loaded. Thus, after some time when the signature is re-checked the new intermediate certificate is not available and the extensions get disabled again.

Thus, the deployed fix from Mozilla is essentially not compatible with security.nocertdb being enabled. I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=1549344 for that.

Meanwhile we do a new build with security.nocertdb disabled, stay tuned.

comment:40 Changed 7 months ago by gk

Keywords: TorBrowserTeam201905 added; TorBrowserTeam201905R removed
Status: needs_reviewneeds_revision

comment:41 Changed 7 months ago by gk

Keywords: TorBrowserTeam201905R added; TorBrowserTeam201905 removed
Status: needs_revisionneeds_review

For 8.0 I reverted pospeselr's patch in commit dbf8e349d5813a918b3adc4229b0813a72778138. And disabled the security.nocertdb feature in commit 24a43ea1332c6a2ca2bc7a952ddf04af669d0517 (that's on tor-browser branch tor-browser-60.6.1esr-8.0-1). I updated Torbutton to 2.0.13 as well to make sure users don't toggle the pref by accident (commit 2b7e1bda855b74feb3a1e44d637d14572696e514 on Torbutton's maint-2.0 branch).

comment:42 Changed 7 months ago by flowerpt

Since the blog asked people to "Please remember to" re-enable security, and that's the kind of thing which is the bane of security when it comes to ordinary users, can a subsequent release please force this back to 'false' and alert the user if the flip is made?

It's better to have people need to toggle it again than to leave people unintentionally unguarded. I realize both options are sub-optimal, but "fail safe" is better than "fail dangerous". Without such a change, it's very likely that some users will go on forever set to not validate addons - the typical user pattern is "fix it and forget it".

comment:43 in reply to:  42 ; Changed 7 months ago by gk

Replying to flowerpt:

Since the blog asked people to "Please remember to" re-enable security, and that's the kind of thing which is the bane of security when it comes to ordinary users, can a subsequent release please force this back to 'false' and alert the user if the flip is made?

It's better to have people need to toggle it again than to leave people unintentionally unguarded. I realize both options are sub-optimal, but "fail safe" is better than "fail dangerous". Without such a change, it's very likely that some users will go on forever set to not validate addons - the typical user pattern is "fix it and forget it".

I don't think we can do that as our decisions don't overwrite user prefs. We could think about showing a notification bar, though, reminding the users of that problem and allow them to flip the pref back easily that way.

comment:44 Changed 7 months ago by Crissy2

"fail safe" is better than "fail dangerous"

But what mean fail safe and fail dangerous? It is double epic_fail[]!

if certs are disabled, the add-on can't be checked... (security fail!)
If certs are enabled and add-on becomes invalid, NoScript is disabled and additional user data is transmitted. Disabling JS also is not a full solution (javascript.enable). <MEDIA>, ForeShadow, Spectree and Meltdown can be used here (security fail).

Only one correct long term solution is: we must have our version of NoScript fingerprinted by TorProject!

It looks like the biggest TorBrowser fail.

More: #30402

Last edited 7 months ago by Crissy2 (previous) (diff)

comment:45 Changed 7 months ago by cyberpunks

I'm the commenter on 27. I've changed my mind.

According to 36, setting javascript.enabled to false still enables web fonts and audio/video media, which probably gives a different fingerprint than noscript-enabled users. This is bad for anti-fingerprinting.

I now think that 42 is the best solution, i.e. users should follow the instruction in the blog post, while future tor browser versions should warn about xpinstall.signatures.required being set to false.

comment:46 in reply to:  45 Changed 7 months ago by Crissy2

Replying to cyberpunks:

I now think that 42 is the best solution, i.e. users should follow the instruction in the blog post, while future tor browser versions should warn about xpinstall.signatures.required being set to false.

If it is best solution for this time, there should be disabled update for all plugins (for secure pupose). If plugins / addons are not verified during downloading, changes should be blocked.

comment:47 in reply to:  43 Changed 7 months ago by flowerpt

Replying to gk:

We could think about showing a notification bar, though, reminding the users of that problem and allow them to flip the pref back easily that way.

Good idea. I've filed #30413 to request that, so this ticket can stay focused on the certificate work.

comment:48 in reply to:  39 Changed 7 months ago by boklm

Replying to gk:

Thus, the deployed fix from Mozilla is essentially not compatible with security.nocertdb being enabled. I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=1549344 for that.

It looks like this new patch would solve that:
https://bugzilla.mozilla.org/show_bug.cgi?id=1549249#c42

comment:49 Changed 7 months ago by torlove

So glad that I still have old Orfox installed right now. NoScript still works in Orfox, it must've been "baked in", yes?

Cypherpunks, yes. I considered simply disabling JS but the other things NoScript does, including protecting against XSS made me rethink that. Fingerprinting included.

Yes, can somone please do a commit to show a warning about xpinstall.signatures.required set to false on startup?

(SOLUTION THAT WON'T WORK: I did some research at Mozilla, mostly to determine the scale of the problem. Its pretty bad. Especially for users who depend on password management addons. One (bad?) idea someone suggested was to turn the clock back. I'm quite certain that this is not an option for Tor users for good reason, Tor complains about an out of sync clock at startup and will not even connect to the Tor network, let along a website. Also SSL requires clocks to be relatively in-sync, if my understanding/memory is correct.)

Once the commit is made please tell us to allay concerns about future security.

comment:50 Changed 7 months ago by Crissy2

BTW. Each solution is better than doing nothing and leaving a faulty online version. STILL faulty version is available!

comment:51 Changed 7 months ago by gk

Keywords: TorBrowserTeam201905RR added; TorBrowserTeam201905R removed
Resolution: fixed
Status: needs_reviewclosed

The patches used for the alpha release (-build3) are commit 56fe39388f878128dd8061db827a13f170c4546e (on torbutton's 217_release branch (https://gitweb.torproject.org/torbutton.git/commit/?h=217_release&id=56fe39388f878128dd8061db827a13f170c4546e) and on tor-browser I did the same as outlined in comment:41: reverting pospeselr's patch (commit 41d319a845bcd8f6f918e371f70a86e632d3c6e4) and disabling the security.nocertdb pref (e849f24b13ba8fd058c43510eac861db2037ff74). Both commits are on tor-browser-60.6.1esr-8.5-2. We are done here.

comment:52 Changed 7 months ago by justmeee

Resolution: fixed
Status: closedreopened

I'm not as tech saavy as you folks, so please tell me how do i get the fix?

i have win 7 64 bit, torbrowser 8.5a11. I tried to update but it says it's already up to date. However, I still have the same problem with NoScript not showing up or working, as well as AdBlock and HTTPS Everywhere.

You're saying it's fix. My Reg Firefox updated and is now fix.

So if My Torbrowser isn't updating because it says it's up to date, so then HOW do I get the fix please??

Thank you very much!

comment:53 in reply to:  52 ; Changed 7 months ago by catalyst

Replying to justmeee:

I'm not as tech saavy as you folks, so please tell me how do i get the fix?

i have win 7 64 bit, torbrowser 8.5a11. I tried to update but it says it's already up to date. However, I still have the same problem with NoScript not showing up or working, as well as AdBlock and HTTPS Everywhere.

You're saying it's fix. My Reg Firefox updated and is now fix.

So if My Torbrowser isn't updating because it says it's up to date, so then HOW do I get the fix please??

Thank you very much!

I also see this on Ubuntu amd64. NoScript 10.6.1 (disabled because it could not be verified) under Unsupported Extensions. Recently upgraded in-app to 8.5a11; not sure what the prior version was. HTTPS-Everywhere seems to be enabled though.

comment:54 in reply to:  53 Changed 7 months ago by catalyst

Replying to catalyst:

Replying to justmeee:

I'm not as tech saavy as you folks, so please tell me how do i get the fix?

i have win 7 64 bit, torbrowser 8.5a11. I tried to update but it says it's already up to date. However, I still have the same problem with NoScript not showing up or working, as well as AdBlock and HTTPS Everywhere.

You're saying it's fix. My Reg Firefox updated and is now fix.

So if My Torbrowser isn't updating because it says it's up to date, so then HOW do I get the fix please??

Thank you very much!

I also see this on Ubuntu amd64. NoScript 10.6.1 (disabled because it could not be verified) under Unsupported Extensions. Recently upgraded in-app to 8.5a11; not sure what the prior version was. HTTPS-Everywhere seems to be enabled though.

Update: 8.5a11 seems to have been released in April, so probably there will be a new 8.5 release soon with the extension signing fix?

comment:55 Changed 7 months ago by justmeee

Would installing the stable version instead of the alpha fix it?

If so, how long do you need to wait until the fix hits alpha?

btw, i was on stable and my update took me to alpha, how do i get off the alpha update channel if going back to stable has the fix?

Thanks very much!

comment:56 Changed 7 months ago by gk

Resolution: fixed
Status: reopenedclosed

The new release is https://dist.torproject.org/torbrowser/8.5a12/ but it is not official yet. As we did not get finished with getting it out last night. It should be up soon, together with a blog post.

comment:57 Changed 7 months ago by justmeee

Ok. Thank you.

comment:58 Changed 7 months ago by justmeee

Resolution: fixed
Status: closedreopened

Got the update.

This fix is not working correctly. Torbrowser 8.5a12

Pages are being displayed as if NoScript was turned off, so I'm seeing images that NoScript blocked before, they just have a ghost image of noscript on top of the image it's supposed to be blocking.

For a comparison, I went to config and turned off the xpinstall that someone earlier recommended, yes i read the warnings, and reloaded the page, then it displayed as if NoScript was working correctly and I saw ONLY the NoScript image, NOT what it was supposed to be blocking.

So it's not working right.

Changed 7 months ago by justmeee

Yahoo screen I should NOT be getting, but I get this with 8.5a12 with config set to true. I did NOT get this before these NoScript problems.

Changed 7 months ago by justmeee

Yahoo page I SHOULD be getting when going to mail.yahoo.com. This is where I went directly before the NoScript problems, and where I go directly when config is set to false, but NOT when set to true, so this is one example of fix being buggy.

comment:59 Changed 7 months ago by justmeee

Here's another example:

When I go to mail.yahoo.com, when NoScript was working correctly, I would go straight to the login page. When NoScript is NOT working correctly, I get the extra page where you have to click on the link to login.

Again, the config change corrected this, so the fix does not seem to be working right.

Images attached that show screenshots of where I went Before the NoScript problems started and when config is set to false, and the different screen I get when config is set to true with updated 8.5a12. This is just one example, but I'm seeing other examples across several sites.

I hope the images attached?

comment:60 Changed 7 months ago by gk

Do you have a master password set? What is the status of NoScript on about:addons? Does it work for you if you start with a fresh 8.5a12?

comment:61 Changed 7 months ago by justmeee

No master password.

So I restarted it. It was working ok with config set to true, but I didn't make any changes since having the problems from before. So I restarted and opened those same pages several times just to see. It seems to happen sometimes. So sometimes when it starts, I will get the ghost image background (of the image that should NOT be there) with the NoScript on top of it, and mail goes to the wrong page as if NoScript was not working right. 1 out of the last 6 start ups produced this result.

In all instances, config was set to true, and addons showed it was enabled. The icons are in the toolbar and show it working. So I'm also concerned if https anywhere is working right too.

Installed a fresh copy, no change, had the same poor result on the third time opening it.

comment:62 Changed 7 months ago by gk

Resolution: fixed
Status: reopenedclosed

Sounds like a different bug. Could you open a ticket? Does this happen with a fresh 8.0.9 as well? What operating system are you on?

Note: See TracTickets for help on using tickets.