Mozilla bug throws Tor Browser users into chaos

Updates. Shortly after publishing this article we were able to fetch Firefox 66.0.4, which claims to fix this issue by repairing a broken certificate chain. [2019-05-05T22:15Z] In the early hours of Tuesday morning, UK time, we received an update notification from Tor and were able to fetch Tor Browser 8.0.9. Don’t forget to switch your “signatures required” setting back to true (see below for how) if you turned off signature checking as a temporary workaround. [2019-05-07T00:15Z] Firefox 66.0.5 followed a few days later to tidy up the installation of the fix for some users where 66.0.4 hadn’t resolved the issue. [2019-05-09T10:50Z] Mozilla has published an explainer that sets out what went wrong, how it was fixed, and what changes are planned to improve signature verification resilience in future. [2019-05-10T12:30Z]

It’s a long weekend here in the UK, so the atmosphere is relaxed…

…except, we suspect, for any British members of the Mozilla Firefox programming squad.

Mozilla is currently stuck in the middle of a cybersecurity blunder involving digital signatures.

The bug reports we’ve seen so far don’t give much more detail than “expired intermediate certificate” problems, but the symptoms are obvious, especially for Tor users.

We didn’t get hit by this bug immediately – we were off the grid yesterday and left our computing kit at home. (Nothing Bear Gryllsy, you understand – we took ourselves off to Bristol on Brunel’s famous Great Western Railway to visit a bicycle show but left our mobile phone behind entirely by mistake.)

But today, not long after firing up the Tor Browser, which is a special version of Firefox with numerous privacy-centric settings turned on and baked into the build, we received a worrying popup warning.

According to the Tor Browser program, one of our browser add-ons could no longer be trusted and had been turned off – the alert didn’t say which one, just that some sort of cybersecurity concern had suddenly arisen.

We were online to look into a couple of untrusted sites, and we’d already started digging around when the warning popped up, which increased our sense of disquiet.

After all, we were already in the middle of various HTTP sessions; we’d been interacting with the sites we wanted to investigate; and we weren’t aware of having allowed those sites to install any new addons.

What had changed?

A trip to the special URL about:addons (ToolsAdd-ons from the menu bar) and a click on the Unsupported tab revealed the following:

NoScript could not be verified for use in Tor Browser and has been disabled.

Ow! Ouch! Owowowowowowowowow!

NoScript is an important security addon that’s officially trusted by Tor, as well as being installed by millions of other regular browser users, including – to judge from comments on this site – a significant number of Naked Security readers.

Had the NoScript repository been hacked? Was a bogus NoScript addon circulating amongst the Tor community? Was there some sort of Firefox vulnerability that allowed rogue sites to sneak bogus addons into your browser without popping up any sort of “Are you sure” or “Do you want to do this” dialog?

We assumed that this was just the sort of cybertreachery that Mozilla’s 2016 “addon signing” feature was meant to catch, and so we took the warning seriously.

Back at Firefox version 44 in early 2016 (we’re currently at 66 – updates come out every 42 days, or 6 weeks), Mozilla decided to stop allowing unsigned addons in the browser, effectively appointing itself as the custodian of addons, in the same sort of way that Google decides who gets into the Play Store.

Two questions immediately came to mind:

  • What had caused this apparently hacked version of NoScript to show up now, and where had it come from?
  • Given the importance of NoScript in the Tor Browser’s default protections, was it still safe to have Tor open at all?

A quick search of NoScript’s own web page, plus a minute or two on the various social media channels, revealed the reason, but not the explanation:

NoScript hadn’t changed and its digital signature was still valid and unexpired…

…but Firefox no longer trusted it, and so Tor Browser wouldn’t (indeed, for most users, couldn’t) load it any more.

The bug is somewhere in Mozilla’s signature verification, not in the addon itself – and the bug seems to affect the validation of every addon in pretty much every version of Firefox.

Indeed, ten or fifteen minutes after Tor scared us, our running copy of Firefox decided that its addons were no longer safe and killed them too. (We only use one third-party addon, a screenshotting tool, but reports suggests that any and all addons that you have will simply get killed off.)

What to do?

Mozilla has pushed out a temporary patch, referred to as a hotfix, but it only works if you have Mozilla’s Studies feature turned on.

Studies is a bit of a euphemism – what it really means is “let Mozilla collect data from your browser, as well as push out test code that’s not yet part of the main release.”

It’s turned on by default, but we – and probably many of our Firefox-using readers, too – have turned it off, on the grounds that the easiest way to ensure that the data that’s collected about you never leaks is simply not to let it get collected in the first place.

And there’s no way to get hotfixes or temporary patches delivered by means of Studies if you have Firefox’s data collection option turned off.

To check if you have Studies activated, and to enable it in order to get the hotfix if you wish, go to PreferencesPrivacy & SecurityFirefox Data Collection and Use:

An interesting – though hardly unexpected – irony for Tor Browser users is that Studies is not just off by default in the Tor build, but actually omitted entirely on the grounds that Tor users never want to be tracked.

So Tor users can’t get the hotfix and need to turn off “addon signing” altogether instead.

Go to the special “don’t try this at home” page about:config, find the option xpinstall.signatures.required and flip it from true to false:

Here’s what the about:addons page will show, if you have the buggy version of Tor, with “addon signing” turned on (the default setting, above) and turned off (below):

Quick fix

In short:

  • If you use Tor Browser, turn off xpinstall.signatures.required temporarily. Remember to turn it back on when the official fix for this bug comes out.
  • If you use regular Firefox, check whether you have Studies enabled if you want the hotfix. If you like to have data collection disabled, remember to turn it back off when the official fix for this bug comes out.