[tor-bugs] #30388 [Applications/Tor Browser]: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)
    Tor Bug Tracker & Wiki 
    blackhole at torproject.org
       
    Mon May  6 15:09:20 UTC 2019
    
    
  
#30388: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |          Owner:  tbb-team
     Type:  task                                 |         Status:  needs_review
 Priority:  Immediate                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Blocker                              |     Resolution:
 Keywords:  AffectsTails, TorBrowserTeam201905R  |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Comment (by Crissy2):
 > "fail safe" is better than "fail dangerous"
 But what do fail safe and fail dangerous mean? It is `double epic_fail[]`!
 If certs are disabled, the add-on can't be checked... (security fail!)
 If certs are enabled and the add-on becomes invalid, NoScript is disabled and
 additional user data is transmitted. Disabling JS is also not a full
 solution (`javascript.enable`). <MEDIA>, Foreshadow, Spectre and Meltdown
 can be used here (security fail).
 The only correct long-term solution is: **we must have our version of
 NoScript fingerprinted by TorProject!**
 It looks like the biggest TorBrowser fail.
 More: #30402
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30388#comment:44>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
    
    