[tbb-bugs] #30388 [Applications/Tor Browser]: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat May 4 21:34:42 UTC 2019

#30388: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  task                      |         Status:  needs_review
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Blocker                   |     Resolution:
 Keywords:  AffectsTails              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by cypherpunks):

 Replying to [comment:1 mcs]:
 > Until this can be fixed properly, here is a temporary workaround for Tor
 > 1. Open about:config
 > 2. Toggle the value of `xpinstall.signatures.required` so it becomes

 Please don't tell people to do this. The suggested workaround is an
 '''unequivocally bad idea'''.

 In the immediate sense, this is a real risk. In the big picture, the Tor
 Project is training users to defeat "certificate validation" failed
 errors! This flies in the face of security/usability doctrine.

 Today, Mozilla broke its PKI; so you tell users how to disable
 cryptographic signature checks of addons. Tomorrow, Verislime breaks its
 PKI; so you tell users to click "Add Exception" for every TLS certificate

 For the sake not only of security, but also of long-term user education,
 please change the public blog post to not tell people to disable signature

 '''Good workaround: Open `about:config`, and set `javascript.enabled` to

 This will totally disable JavaScript. Therefore, NoScript is not needed.
 (Thanks to other cypherpunks in ticket:30394#comment:4 .)

 It may mess up the Security Slider, so do this ''after'' setting the
 Slider to High. This way, you will also get settings such as disabling
 SVG, MathML, Web fonts... Or if you need JavaScript on some sites, set the
 Slider to Medium first (disables ultra-dangerous script features). Then,
 leave an `about:config` tab open so you can toggle JavaScript on and off
 (as I did in the 90s, before the Tor Browser existed). I do not know if
 that has any additional risks; NoScript also disables some JavaScript
 features, and has XSS protection.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30388#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list