Opened 7 months ago

Closed 7 months ago

Last modified 7 months ago

#30396 closed defect (duplicate)

Re-enable NoScript after Mozilla bug #1549078

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

URGENT!
Saturday, May 4, 2019

TBB 8.0.8
NoScript 10.6.1

Summary:
The NoScript add-on was automatically disabled in the background and removed from the toolbar without user intervention. Mozilla is rolling out a fix for Desktop using the Studies system, but Mozilla studies are disabled in Tor Browser. They don't have a fix yet for Android.

Description:
I had one tab open to google.com search results on Safer. A yellow banner showed up across the top of the page inside the tab.
"One or more installed add-ons cannot be verified and have been disabled. [Learn More] X"

The Add-ons tab (about:addons) says:
"Missing something? Some extensions are no longer supported by Tor Browser. [Show legacy extensions]"

Which opens:
"Legacy Extensions
These extensions do not meet current Tor Browser standards so they have been deactivated.
NoScript could not be verified for use in Tor Browser and has been disabled. [More Information]"
https://framapic.org/3VdmyRwMaTTa/ysUgJsZGrTB9.png

"More Information" goes to this Mozilla page implying the add-on is not signed (scary and false):
https://support.mozilla.org/en-US/kb/add-on-signing-in-firefox

A banner on that page says:
We rolled out a hotfix that re-enables affected add-ons. The fix will be automatically applied in the background within the next few hours. For more details, please check out the update at https://support.mozilla.org/en-US/kb/add-ons-failing-install-firefox

That page basically says there was a major fuck-up by a centralized Mozilla signing update and that a patch fix will be applied unless Studies are disabled in the browser. Mozilla studies are disabled in Tor Browser, so we were hit with an unintentional attack and are blocked by default from repair. It's a hole for administrative exploitation.
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/
https://bugzilla.mozilla.org/show_bug.cgi?id=1549078

Child Tickets

Attachments (1)

tor-browser about-addons NoScript disabled.png (56.4 KB) - added by cypherpunks 7 months ago.
screenshot

Download all attachments as: .zip

Change History (4)

Changed 7 months ago by cypherpunks

screenshot

comment:1 Changed 7 months ago by cypherpunks

https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
[first mitigation completed, working on a second one] All extensions disabled due to expiration of intermediate signing cert

comment:2 Changed 7 months ago by boklm

Resolution: duplicate
Status: newclosed

This is a duplicate of #30388.

comment:3 Changed 7 months ago by Crissy2

Why the cert was not checked that soon will expire? #30402

If there will be a warning month before expiration, TBB Team will be noticed and can prevent this situation.

Note: See TracTickets for help on using tickets.