[tor-talk] Tor Browser disabled NoScript, but can't update

Georg Koppen gk at torproject.org
Tue May 7 11:46:00 UTC 2019


Roman Mamedov:
> On Sat, 4 May 2019 02:21:15 -0500
> Joe <joebtfsplk at gmx.com> wrote:
> 
>> I've used the latest stable TBB 8.0.8 (Linux) since released with the
>> latest NoScript (at that time).
>> Today is the 1st day I saw that NoScript was disabled by TBB.
>>
>> I see now that it's not a TBB only issue, but also Firefox.
>> A comment on Reddit said, "They [Mozilla] let their add-on signing
>> certificate expire and it invalidated a shitload of add-ons."
> 
> It is very surprising to see that TBB relies on Mozilla like this. Turns out

I think we should differentiate a bit here. Of course, Tor Browser
relies on that as we support installing extensions as long as they are
signed by Mozilla. It's a fair point, though, saying the extensions we
ship as essential Tor Browser extensions should be resistent to Mozilla
PKI failures or we should fall back to safer defaults or... We have some
options here which we will discuss in the near future and then we'll
implement those we deem worthwhile.

> an unrelated 3rd party can suddenly remotely disable Tor anonymity protections
> at their whim, and possibly endanger TBB users (or deliberately help in
> deanonymizing them).

I think that's not adequately describing the situation we were in.
Mozilla did not suddenly remotely disable Tor anonymity protections at
their whim. What happened was that Tor Browser users on higher security
levels got suddenly essentially the same experience as any Tor Browser
user that is using Tor Browser as we ship it. This is definitely a
serious bug, I agree. However that did not happen by pressing some
button remotely as the certificate you had *locally* in your browser
expired.

You could argue that Mozilla could just sign any exension and ship that
one as an "update" to NoScript and Tor Browser would happily install it.
Yes, this possibility exists and we will revisit that screnario (see
above). However, there are no known ways that Mozilla can induce a Tor
bypass be it remotely or by installing an extension into Tor Browser (or
by failing to monitor expiration dates of certificates) (if I am wrong
here, please let us know). I think that should be kept in mind as well
when talking about the scope of the problem at hand.

Finally, if you look at the amount of code we inherit from Firefox (way
more than 99%) then there is plenty of room where things can go wrong
(for a bunch of "wrong"s), so even if we avoid the NoScript problem in
the future (which we should), we are pretty dependent on Mozilla.

Georg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20190507/5ff58567/attachment.sig>


More information about the tor-talk mailing list