Opened 7 months ago

Last modified 7 months ago

#30394 reopened enhancement

NoScript should fail closed

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Software: Tor Browser 8.0.8 (based on Mozilla Firefox 60.6.1esr)

This started last night.
Even with Tor Browser security slider set to high, JavaScript is enabled.

This is a double-bug:

  1. Bigger bug: NoScript fails OPEN
  2. Immediate bug: NoScript is failing (why? no idea)

In about:addons, NoScript is listed under "Unsupported" with the following message. (The screenshot is attached.)

Legacy Extensions

These extensions do not meet current Tor Browser standards so they have been deactivated.
Learn more about the changes to add-ons

⚠ NoScript could not be verified for use in Tor Browser and has been disabled.
More Information

Child Tickets

Attachments (1)

noscript-wtf.png (45.5 KB) - added by cypherpunks 7 months ago.
Screenshot: NoScript disabled in about:addons


Change History (11)

Changed 7 months ago by cypherpunks

Attachment: noscript-wtf.png added

Screenshot: NoScript disabled in about:addons

comment:1 Changed 7 months ago by jhibbard

I attempted to down-grade to 8.07. Didn't work.

  1. Delete entire sub-directory for TORBrowser 8.08
  2. Install 8.07
  3. Turn off all updates
  4. NoScript seems to be fine for ~1 hour. At this point, a banner appears saying that some addons are disabled. If you delete NoScript, reboot Firefox and attempt to re-install NoScript, you get an error message saying the download is corrupt.

Please note that mozilla.org has delivered a patch via enabling studies. This allows a user to remove all add-ons, reboot Firefox and then re-install addons. I'm not seeing how this works with TORBrowser.

comment:2 Changed 7 months ago by cypherpunks

Duplicate of ticket #30338.

comment:3 Changed 7 months ago by cypherpunks

...Sorry, I meant duplicate of ticket #30388.

comment:4 Changed 7 months ago by cypherpunks

To fix the failing-open issue, would it be possible for TBB to set javascript.enabled to false by default, and only set the preference to true if NoScript is successfully loaded?

comment:5 Changed 7 months ago by boklm

Resolution: duplicate
Status: new → closed

Closing as duplicate of #30388.

comment:6 in reply to: 4; Changed 7 months ago by cypherpunks

Resolution: duplicate
Status: closed → reopened

Reopening as requested enhancement.

The current software is like an OS that opens all the TCP ports into a root shell, if the kernel firewall fails to load. No exaggeration: The browser runs executable code from untrusted network sites.

Tor Browser should start with javascript.enabled set to false by default, and only set it to true upon successful load of NoScript.

Thanks to other cypherpunks, ticket:30394#comment:4

In the rare event of NoScript failure, it is better to have some users complain "why did the web break?" than expose all users to risk covered by a false sense of security.

Steps to reproduce:

  1. Have Mozilla break their PKI (not hypothetical: it happened!)
  2. Open Tor Browser
  3. Set the "Security Slider" to "High"
  4. Enjoy false sense of security while your browser runs arbitrary executable code from any sites you surf, their ad servers, etc.
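An added audit check, written for this ticket and not code from the reporter or from the Tor Browser project, that makes the fail-open state described in comment:4 and comment:6 concrete. It parses a profile's prefs.js and extensions.json (constructed samples are embedded inline, with a simplified layout), reports whether the profile is "ok" (NoScript active), "fail-closed" (NoScript inactive but javascript.enabled already false) or "fail-open" (NoScript inactive and javascript.enabled left at its built-in default of true), and computes the value the proposed policy would give javascript.enabled. The NoScript add-on id and the extensions.json field names are assumptions of this example; the name-based fallback keeps the id from being load-bearing.

```python
import json
import re

# Assumed add-on id for NoScript (example assumption); the lookup below also
# matches on the add-on's display name, so the id is not load-bearing.
NOSCRIPT_ID = "{73a6fe31-595d-460b-a920-fcc0f8843232}"

# One user_pref("name", value); call per line, as written by Firefox.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(prefs_text):
    """Parse prefs.js / user.js text into a dict of typed values."""
    prefs = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment lines, blank lines, anything else
        name, raw = m.groups()
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw  # leave anything unexpected as the raw token
    return prefs


def noscript_active(extensions_text):
    """True only if an add-on recognisable as NoScript is present and active.

    Assumed extensions.json layout: {"addons": [{"id", "active",
    "appDisabled", "defaultLocale": {"name"}}, ...]}.
    """
    data = json.loads(extensions_text)
    for addon in data.get("addons", []):
        name = (addon.get("defaultLocale") or {}).get("name", "")
        if addon.get("id") == NOSCRIPT_ID or name == "NoScript":
            return bool(addon.get("active")) and not addon.get("appDisabled", False)
    return False  # absent counts as failed, never as "probably fine"


def audit_profile(prefs_text, extensions_text):
    """Classify the profile: "ok", "fail-closed" or "fail-open".

    javascript.enabled defaults to true when the pref is absent, which is
    exactly why a disabled NoScript leaves scripts running unrestricted.
    """
    prefs = parse_prefs(prefs_text)
    js_enabled = prefs.get("javascript.enabled", True)
    if noscript_active(extensions_text):
        return "ok"
    return "fail-open" if js_enabled else "fail-closed"


def fail_closed_pref(extensions_text):
    """Value javascript.enabled should take under the proposed policy:
    false unless NoScript loaded successfully."""
    return noscript_active(extensions_text)


# Constructed sample inputs (not copied from a real profile).
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "60.6.1");
'''
HARDENED_PREFS = SAMPLE_PREFS + 'user_pref("javascript.enabled", false);\n'

SAMPLE_EXTENSIONS_DISABLED = json.dumps({"schemaVersion": 27, "addons": [{
    "id": NOSCRIPT_ID, "defaultLocale": {"name": "NoScript"},
    "active": False, "appDisabled": True, "userDisabled": False}]})

SAMPLE_EXTENSIONS_OK = json.dumps({"schemaVersion": 27, "addons": [{
    "id": NOSCRIPT_ID, "defaultLocale": {"name": "NoScript"},
    "active": True, "appDisabled": False, "userDisabled": False}]})

if __name__ == "__main__":
    for label, prefs in (("default prefs", SAMPLE_PREFS), ("hardened prefs", HARDENED_PREFS)):
        print(label, "+ NoScript disabled ->", audit_profile(prefs, SAMPLE_EXTENSIONS_DISABLED))
    print("default prefs + NoScript active ->", audit_profile(SAMPLE_PREFS, SAMPLE_EXTENSIONS_OK))
```

With the default prefs and the disabled-NoScript sample, the audit reports "fail-open", which is the state the ticket describes; adding `user_pref("javascript.enabled", false);` moves the same profile to "fail-closed" without touching NoScript at all.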

comment:7 Changed 7 months ago by cypherpunks

Sorry, Trac does not let me set summary to "NoScript should fail closed" with appropriate changes to Type, Priority, Severity as suits enhancement request triage.

comment:8 Changed 7 months ago by boklm

Priority: Immediate → Medium
Summary: NoScript disabled, fails open! → NoScript should fail closed
Type: defect → enhancement

comment:9 Changed 7 months ago by Crissy2

See #30388, but still no solution works for me (I need a working NoScript, but the hotfix still does not work for me).

comment:10 in reply to: 6; Changed 7 months ago by gk

Replying to cypherpunks:

    Reopening as requested enhancement.

    The current software is like an OS that opens all the TCP ports into a root shell, if the kernel firewall fails to load. No exaggeration: The browser runs executable code from untrusted network sites.

    Tor Browser should start with javascript.enabled set to false by default, and only set it to true upon successful load of NoScript.

    Thanks to other cypherpunks, ticket:30394#comment:4

    In the rare event of NoScript failure, it is better to have some users complain "why did the web break?" than expose all users to risk covered by a false sense of security.

I doubt it would be just "some". But let's assume that for the sake of argument. If they'd just complain I'd be up for that idea at once. However, what I rather expect to happen is users just ditching Tor Browser as it is broken for them: they can't reach Google, Twitter etc. anymore and therefore can't check mails nor interact on social media. And thus, they will happily turn to a browser without Tor to reach their sites and boom!!! (This is _not_ happening for them with armagadd-on 2.0)
