Thanks to Mozilla letting an intermediate signing certificate expire, the Tor community was thrown into disarray over the weekend when the NoScript security add-on was suddenly killed for both Firefox and the Tor browser. A fix is available for Firefox, but the Tor issue continues.
NoScript is a JavaScript-blocker that prevents active content from running if it comes from untrusted sites, and it protects users against cross-site scripting (XSS) and other web security exploits. It is officially trusted by Mozilla and Tor, but it is also used in other browsers.
Starting on Friday, Firefox users took to the discussion boards to report and complain about the issue, which prevented not just NoScript but all other add-ons from loading as well.
“Firefox sometimes says, ‘download failed. check your connection,’ even when I have a very good internet and when the extension downloads, it says, ‘addon could not be installed, it seems to be corrupted,’” one user reported.
“It makes me want to die. FIX THIS NOW!” said another.
Mozilla doesn’t allow unsigned add-ons in the Firefox browser, and because Tor is based on Firefox, the same rule applies.
Thus also on Friday, upon launching the privacy-minded Onion Router, Tor users began receiving the message, “One or more installed add-ons cannot be verified and have been disabled,” with no further explanation. Taking a look at the about:addons page (reachable at Tools → Add-ons → Unsupported from the menu bar) yielded nothing further, according to Paul Ducklin, security researcher at Sophos — only the terse message specifically pointing at NoScript: “NoScript could not be verified for use in Tor Browser and has been disabled.”
Mozilla took to Twitter to explain: “We’re investigating an issue with a certificate which may cause your @firefox extensions to stop working or fail to install. Our team is actively working to fix the issue and we’ll post more information shortly.” (Mozilla Add-ons, @mozamo, May 4, 2019)
Ducklin investigated the issue and explained in a Sunday post that “NoScript hadn’t changed and its digital signature was still valid and unexpired…but Firefox no longer trusted it, and so Tor Browser wouldn’t (indeed, for most users, couldn’t) load it anymore.”
He added, “The bug is somewhere in Mozilla’s signature verification, not in the addon itself – and the bug seems to affect the validation of every addon in pretty much every version of Firefox.”
Mozilla quickly addressed the problem and has pushed out a fix in version 66.0.4 of Firefox on Desktop and Android, and version 60.6.2 for ESR.
“This release repairs the certificate chain to re-enable web extensions, themes, search engines and language packs that had been disabled,” it said on Sunday.
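The failure Ducklin describes (a leaf signature that is still valid and unexpired, rejected because the chain above it no longer validates) and the chain repair Mozilla shipped can be modelled in a few lines. The following is an added Python example, not code from Mozilla, NoScript or this post: the certificates, dates, key ids and the "add-on package" are all constructed, and HMACs stand in for the asymmetric signatures a real X.509 chain would carry. The verification time is set a few hours after the toy intermediate lapses.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Toy key material (constructed). In this model one secret both signs and
# verifies; it stands in for an RSA/ECDSA keypair, nothing more.
KEYS = {
    "root-key": b"root-secret",
    "intermediate-key": b"intermediate-secret",
    "addon-signer-key": b"addon-signer-secret",
}

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    key_id: str          # the key this certificate certifies
    issuer_key_id: str   # the key that signed this certificate
    signature: bytes     # issuer's signature over the to-be-signed fields

def _tbs(subject, issuer, not_before, not_after, key_id) -> bytes:
    """Canonical to-be-signed encoding of the certificate fields."""
    return "|".join([subject, issuer, not_before.isoformat(),
                     not_after.isoformat(), key_id]).encode()

def sign(key_id: str, data: bytes) -> bytes:
    return hmac.new(KEYS[key_id], data, hashlib.sha256).digest()

def verify(key_id: str, data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(key_id, data), signature)

def issue(subject, issuer, not_before, not_after, key_id, issuer_key_id) -> Cert:
    sig = sign(issuer_key_id, _tbs(subject, issuer, not_before, not_after, key_id))
    return Cert(subject, issuer, not_before, not_after, key_id, issuer_key_id, sig)

def validate_chain(chain, trust_anchors, now):
    """chain is ordered leaf first, root last. Returns (ok, reason).
    Every certificate, not just the leaf, must be inside its validity window."""
    for i, cert in enumerate(chain):
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject} expired or not yet valid at {now.isoformat()}"
        data = _tbs(cert.subject, cert.issuer, cert.not_before, cert.not_after, cert.key_id)
        if not verify(cert.issuer_key_id, data, cert.signature):
            return False, f"bad signature on {cert.subject}"
        if i + 1 < len(chain):
            parent = chain[i + 1]
            if parent.subject != cert.issuer or parent.key_id != cert.issuer_key_id:
                return False, f"{cert.subject} is not issued by {parent.subject}"
        elif trust_anchors.get(cert.subject) != cert.key_id:
            return False, f"{cert.subject} is not a trust anchor"
    return True, "chain valid"

UTC = timezone.utc
ROOT = issue("Toy Root CA", "Toy Root CA",
             datetime(2015, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC),
             "root-key", "root-key")
# Constructed: the intermediate lapses at midnight on May 4, 2019.
OLD_INTERMEDIATE = issue("Toy Signing CA", "Toy Root CA",
                         datetime(2017, 5, 4, tzinfo=UTC), datetime(2019, 5, 4, tzinfo=UTC),
                         "intermediate-key", "root-key")
# The add-on signing leaf itself is valid well past that date.
ADDON_SIGNER = issue("toy-addon-signer", "Toy Signing CA",
                     datetime(2018, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC),
                     "addon-signer-key", "intermediate-key")
TRUST_ANCHORS = {"Toy Root CA": "root-key"}

ADDON_PACKAGE = b"constructed stand-in for the add-on's signed manifest"
ADDON_SIGNATURE = sign("addon-signer-key", ADDON_PACKAGE)

def addon_signature_valid(package, signature, signer_cert, now):
    """Leaf-only check: what 'the signature is valid and unexpired' means."""
    in_window = signer_cert.not_before <= now <= signer_cert.not_after
    return in_window and verify(signer_cert.key_id, package, signature)

def addon_trusted(package, signature, chain, now):
    """What the browser actually requires: a valid chain, then a valid signature."""
    ok, reason = validate_chain(chain, TRUST_ANCHORS, now)
    if not ok:
        return False, reason
    if not verify(chain[0].key_id, package, signature):
        return False, "add-on signature mismatch"
    return True, "add-on signature verified"

# The repair: re-issue the intermediate for the SAME key with a fresh validity
# window, so existing leaf certificates and add-on signatures need no change.
NEW_INTERMEDIATE = issue("Toy Signing CA", "Toy Root CA",
                         datetime(2019, 5, 4, tzinfo=UTC), datetime(2021, 5, 4, tzinfo=UTC),
                         "intermediate-key", "root-key")

if __name__ == "__main__":
    now = datetime(2019, 5, 4, 12, 0, tzinfo=UTC)
    print(addon_signature_valid(ADDON_PACKAGE, ADDON_SIGNATURE, ADDON_SIGNER, now))
    print(addon_trusted(ADDON_PACKAGE, ADDON_SIGNATURE, [ADDON_SIGNER, OLD_INTERMEDIATE, ROOT], now))
    print(addon_trusted(ADDON_PACKAGE, ADDON_SIGNATURE, [ADDON_SIGNER, NEW_INTERMEDIATE, ROOT], now))
```

The same package, signature and chain validate the day before the intermediate lapses and fail the day of, which is why nothing on the add-on side needed to change; only the intermediate had to be re-issued under its existing key for the chain to close again.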
However, no fix for Tor has yet been released – Ducklin said that he “expects one soon.” He noted that in the meantime, Tor users can disable the signature requirement by setting the xpinstall.signatures.required setting (on the about:config page) to false.
“Since requiring valid signatures is a security feature, it should only be disabled until Tor releases a new version with a bundled fix,” he said.
Threatpost will update this post once a fix has been rolled out for Tor.