Roman Mamedov: > On Sat, 4 May 2019 02:21:15 -0500 > Joe <joebtfs...@gmx.com> wrote: > >> I've used the latest stable TBB 8.0.8 (Linux) since released with the >> latest NoScript (at that time). >> Today is the 1st day I saw that NoScript was disabled by TBB. >> >> I see now that it's not a TBB only issue, but also Firefox. >> A comment on Reddit said, "They [Mozilla] let their add-on signing >> certificate expire and it invalidated a shitload of add-ons." > > It is very surprising to see that TBB relies on Mozilla like this. Turns out
I think we should differentiate a bit here. Of course, Tor Browser relies on that as we support installing extensions as long as they are signed by Mozilla. It's a fair point, though, saying the extensions we ship as essential Tor Browser extensions should be resistent to Mozilla PKI failures or we should fall back to safer defaults or... We have some options here which we will discuss in the near future and then we'll implement those we deem worthwhile. > an unrelated 3rd party can suddenly remotely disable Tor anonymity protections > at their whim, and possibly endanger TBB users (or deliberately help in > deanonymizing them). I think that's not adequately describing the situation we were in. Mozilla did not suddenly remotely disable Tor anonymity protections at their whim. What happened was that Tor Browser users on higher security levels got suddenly essentially the same experience as any Tor Browser user that is using Tor Browser as we ship it. This is definitely a serious bug, I agree. However that did not happen by pressing some button remotely as the certificate you had *locally* in your browser expired. You could argue that Mozilla could just sign any exension and ship that one as an "update" to NoScript and Tor Browser would happily install it. Yes, this possibility exists and we will revisit that screnario (see above). However, there are no known ways that Mozilla can induce a Tor bypass be it remotely or by installing an extension into Tor Browser (or by failing to monitor expiration dates of certificates) (if I am wrong here, please let us know). I think that should be kept in mind as well when talking about the scope of the problem at hand. Finally, if you look at the amount of code we inherit from Firefox (way more than 99%) then there is plenty of room where things can go wrong (for a bunch of "wrong"s), so even if we avoid the NoScript problem in the future (which we should), we are pretty dependent on Mozilla. Georg
signature.asc
Description: OpenPGP digital signature
-- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk