[tbb-bugs] #30388 [Applications/Tor Browser]: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 6 15:09:20 UTC 2019


#30388: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:
                                                 |  needs_review
 Priority:  Immediate                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Blocker                              |     Resolution:
 Keywords:  AffectsTails, TorBrowserTeam201905R  |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by Crissy2):

 > "fail safe" is better than "fail dangerous"

 But what mean fail safe and fail dangerous? It is `double epic_fail[]`!

 if certs are disabled, the add-on can't be checked... (security fail!)
 If certs are enabled and add-on becomes invalid, NoScript is disabled and
 additional user data is transmitted. Disabling JS also is not a full
 solution (`javascript.enable`). <MEDIA>, ForeShadow, Spectree and Meltdown
 can be used here (security fail).

 Only one correct long term solution is: **we must have our version of
 NoScript fingerprinted by TorProject!**

 It looks like biggest TorBrowser fail.

 More: #30402

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30388#comment:44>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list