Update. After this article was published we were able to fetch Firefox 66.0.4, which claims to fix this problem by repairing the broken certificate chain. We haven't yet seen a notification about an update to the Tor Browser, but we hope to see one soon. [2019-05-05T22:15Z]
It's a long weekend in the UK, so the mood is relaxed…
…except, we suspect, for the British members of Mozilla's Firefox programming team.
Mozilla is currently stuck in the middle of a cybersecurity blunder involving digital signatures.
The bug reports we've seen so far don't give much more detail than "expired intermediate certificate", but the symptoms are obvious, especially for Tor users.
We weren't hit by this bug straight away: we were off the grid yesterday and left our computer kit at home. (Nothing Bear Grylls-y, you understand: we went to Bristol on Brunel's famous Great Western Railway to visit a bicycle lounge, and left our mobile phone behind entirely by mistake.)
But today, shortly after firing up the Tor Browser, a special build of Firefox with numerous privacy-protecting settings enabled and built in, we received a worrying pop-up warning.
According to the Tor Browser, one of our add-ons was no longer trusted and had been disabled. The alert didn't say which one, but some sort of cybersecurity problem had suddenly appeared.
We were online to look at some untrustworthy sites, and had already started poking around when the warning appeared, which only added to our concern.
After all, we were already in the middle of various HTTP sessions; we had interacted with the sites we wanted to explore; and we didn't know whether we had somehow allowed those sites to install new add-ons.
What had changed?
A trip to the special URL about:addons (Tools → Add-ons in the menu bar) and a click on the Unsupported tab revealed the following:
NoScript could not be verified for use in the Tor Browser and has been disabled.
Ow! Ouch! Owowowowowowowowowow!
NoScript is an important security add-on, officially endorsed by Tor, that has been installed by millions of regular browser users, including, judging by the comments on this site, a significant number of Naked Security readers.
Had the NoScript repository been hacked? Was a fake NoScript add-on circulating in the Tor community? Was there some sort of Firefox vulnerability that let untrusted sites sneak add-ons into your browser without showing any kind of "Are you sure?" or "Do you want to?" dialog?
We assumed that this was precisely the kind of cybertreachery that Mozilla's 2016 add-on signing feature was supposed to catch, so we took the warning seriously.
Back at Firefox 44 in early 2016 (we're now at 66; updates come out every 42 days, i.e. every 6 weeks), Mozilla decided to stop allowing unsigned add-ons in the browser, and instead to appoint itself as gatekeeper, in much the same way that Google decides what gets into the Play Store.
Two questions immediately came to mind:
- What caused this apparently hacked version of NoScript to appear, and where had it come from?
- Given how important NoScript is to the Tor Browser's default protections, was it still safe to have Tor open at all?
A quick look at NoScript's own web page, plus a minute or two on various social media channels, revealed the reason, but not the explanation:
All users who complain about @noscript to be suddenly disabled, here's what happens: @mozilla probably … twitter.com/i/web/status/1…
– Giorgio Maone (@ma1) May 04, 2019
NoScript hasn't changed, and its digital signature is still valid and hasn't expired…
…but Firefox no longer trusts it, and the Tor Browser won't load it (as is the case, in fact, for most users).
The bug lies somewhere in Mozilla's signature checking, not in the add-on itself, and it seems to affect the validation of every add-on in just about every version of Firefox.
Indeed, ten or fifteen minutes after Tor gave us a scare, our regular copy of Firefox decided that its add-ons were no longer safe and killed them off too. (We only use one third-party add-on, a screen capture tool, but reports suggest that every add-on you have will simply be killed.)
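To show why an add-on whose own certificate is perfectly valid can suddenly stop being trusted, here is a simplified model of certificate path validation, added here as an illustration and not taken from Mozilla's code or the article. It assumes every signature verifies and tracks only issuer links and validity windows; the names and dates are constructed, not Mozilla's real signing hierarchy. The add-on's certificate stays inside its own validity window throughout, but the chain fails as soon as the intermediate that issued it expires, and passes again once a replacement intermediate with a fresh validity window is installed, which is the kind of repair the update at the top of this article describes. A forged add-on with an unknown issuer is rejected in every case.

```python
from datetime import datetime, timezone


class Cert:
    """Simplified X.509 certificate: only the fields path validation
    needs here. Real certificates also carry keys and signatures; this
    model assumes every signature verifies and tracks only who issued
    what and when each link is valid."""

    def __init__(self, subject, issuer, not_before, not_after):
        self.subject = subject
        self.issuer = issuer
        self.not_before = not_before
        self.not_after = not_after

    def valid_at(self, when):
        return self.not_before <= when <= self.not_after


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def build_chain(leaf, store):
    """Walk issuer links from the leaf up to a self-signed root.
    `store` maps subject names to the certificates the verifier holds
    (the browser's intermediate and root stores)."""
    chain = [leaf]
    current = leaf
    while current.subject != current.issuer:
        issuer = store.get(current.issuer)
        if issuer is None:
            raise ValueError("no issuer found for " + current.subject)
        chain.append(issuer)
        current = issuer
    return chain


def validate_chain(leaf, store, when):
    """Return (ok, reason). Every link, not just the leaf, must be
    inside its validity window at the time of the check."""
    try:
        chain = build_chain(leaf, store)
    except ValueError as exc:
        return False, str(exc)
    for cert in chain:
        if not cert.valid_at(when):
            return False, "expired: " + cert.subject
    return True, "ok"


# Constructed sample certificates. Names and dates are illustrative,
# not Mozilla's real signing hierarchy.
ROOT = Cert("Root CA", "Root CA", utc(2015, 1, 1), utc(2025, 1, 1))
OLD_INTERMEDIATE = Cert("Signing Intermediate", "Root CA",
                        utc(2017, 5, 4), utc(2019, 5, 4))
# The repair: a replacement intermediate with the same name, chaining
# to the same root, but with a fresh validity window.
NEW_INTERMEDIATE = Cert("Signing Intermediate", "Root CA",
                        utc(2019, 5, 4), utc(2021, 5, 4))
ADDON = Cert("noscript@example", "Signing Intermediate",
             utc(2018, 6, 1), utc(2020, 6, 1))
# An add-on signed by an issuer the browser has never heard of: the
# case add-on signing was designed to catch.
FORGED = Cert("fake-noscript@example", "Unknown CA",
              utc(2018, 6, 1), utc(2020, 6, 1))


def validate_addon(addon, when, intermediate):
    """Validate `addon` at `when` with the given intermediate installed."""
    store = {c.subject: c for c in (ROOT, intermediate)}
    return validate_chain(addon, store, when)


if __name__ == "__main__":
    cases = (
        ("day before expiry, old intermediate", utc(2019, 5, 3), OLD_INTERMEDIATE),
        ("day after expiry, old intermediate", utc(2019, 5, 5), OLD_INTERMEDIATE),
        ("day after expiry, new intermediate", utc(2019, 5, 5), NEW_INTERMEDIATE),
    )
    for label, when, inter in cases:
        print(label, "->", validate_addon(ADDON, when, inter),
              "| add-on cert itself valid:", ADDON.valid_at(when))
    print("forged add-on ->",
          validate_addon(FORGED, utc(2019, 5, 5), NEW_INTERMEDIATE))
```

The point of the model is the loop in validate_chain: the verifier checks the validity window of every link, so the leaf's "still valid, not expired" status, which is all the add-on author can see, says nothing about whether the browser will accept it.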
What to do?
Mozilla has released a temporary fix, known as a hotfix, but it only works if you have the Studies feature enabled.
Studies is a bit of a euphemism: it actually means "let Mozilla collect your browser data, and push out test code that isn't yet part of the main release."
It's enabled by default, but we (and probably many of our readers who use Firefox, too) have turned it off, on the grounds that the easiest way to ensure that data collected about you never leaks is simply not to let it be collected in the first place.
And there's no way to get interim fixes or hotfixes delivered via Studies if Firefox's data collection option is turned off.
To check whether you have Studies enabled, and to turn it on to get the fix if you want, go to Preferences → Privacy & Security → Firefox Data Collection and Use:
An interesting irony, though not a surprising one, for Tor Browser users is that Studies isn't just disabled by default in the Tor version; it's omitted entirely, on the grounds that Tor users never want to be tracked.
Tor users therefore can't get the fix and instead have to turn off add-on signing.
Go to the special "don't try this at home" page about:config, find the option xpinstall.signatures.required, and flip it from true to false:
This is what the about:addons page shows if you have the buggy version of Tor, with add-on signing enabled (the default setting, above) and disabled (below):
Quick solution
In short:
- If you use the Tor Browser, turn off xpinstall.signatures.required temporarily. While it's off the browser will load any add-on, signed or not, so don't install anything new in the meantime, and don't forget to turn it back on when the official fix for this bug is released.
- If you use regular Firefox and want the fix, check whether you have Studies enabled. If you normally keep data collection turned off, don't forget to turn it off again once the official bug fix is released.
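The about:config change above can also be made, and later undone, from outside the browser by editing the profile's user.js file, which Firefox reads at startup. The script below is an added example, not part of the article or of the Tor Project's tooling; the profile path it uses is an assumption about a Linux Tor Browser install and must be adjusted for your own. Two caveats: the pref is only honoured by builds that allow it, such as the Tor Browser (which is based on Firefox ESR), and is ignored by regular release builds of Firefox; and when you restore the setting, set it explicitly back to true rather than just deleting the line, because a value that user.js has already written into prefs.js survives the line's removal.

```python
import re
from pathlib import Path

PREF_NAME = "xpinstall.signatures.required"

# Hypothetical location of Tor Browser's profile on Linux; adjust for
# your install. The path is an assumption, not something the article gives.
PROFILE_DIR = (Path.home() / "tor-browser_en-US" / "Browser" / "TorBrowser"
               / "Data" / "Browser" / "profile.default")


def pref_line(name, value):
    """Render one user.js line. Values use JavaScript literals:
    true/false, a number, or a double-quoted string."""
    if isinstance(value, bool):
        literal = "true" if value else "false"
    elif isinstance(value, (int, float)):
        literal = str(value)
    else:
        escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
        literal = '"%s"' % escaped
    return 'user_pref("%s", %s);' % (name, literal)


def _pattern(name):
    # Matches a whole user_pref line for `name`; [ \t]* rather than \s*
    # so blank lines above the pref are left alone.
    return re.compile(r'^[ \t]*user_pref\("%s",.*\);[ \t]*$' % re.escape(name), re.M)


def get_user_pref(text, name):
    """Return the literal set for `name`, or None if the pref is absent."""
    m = re.search(r'^[ \t]*user_pref\("%s",[ \t]*(.*?)\);' % re.escape(name), text, re.M)
    return m.group(1) if m else None


def set_user_pref(text, name, value):
    """Return user.js text with `name` set to `value`, replacing an
    existing line in place or appending a new one."""
    new_line = pref_line(name, value)
    pattern = _pattern(name)
    if pattern.search(text):
        # lambda so backslashes in the new line are not treated as escapes
        return pattern.sub(lambda _m: new_line, text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"


def remove_user_pref(text, name):
    """Return user.js text with any line setting `name` deleted.
    Note: this does not undo a value already saved into prefs.js."""
    pattern = re.compile(r'^[ \t]*user_pref\("%s",.*\);[ \t]*\n?' % re.escape(name), re.M)
    return pattern.sub("", text)


def update_user_js(profile_dir, required):
    """Turn add-on signature enforcement off (required=False, the
    temporary workaround) or explicitly back on (required=True) in the
    profile's user.js. Restart the browser afterwards."""
    user_js = Path(profile_dir) / "user.js"
    text = user_js.read_text() if user_js.exists() else ""
    text = set_user_pref(text, PREF_NAME, bool(required))
    user_js.write_text(text)
    return get_user_pref(text, PREF_NAME)


if __name__ == "__main__":
    import sys
    # `--restore` sets the pref back to true; default run disables enforcement.
    restore = "--restore" in sys.argv
    print(PREF_NAME, "now:", update_user_js(PROFILE_DIR, required=restore))
```

Run it once without arguments to apply the workaround and once with --restore when the official fix lands; the editing functions work on plain text so they can be checked without touching a real profile.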