Security Warning: Tor Browser…


Date: May 05, 2019

An anonymous informer sent me a message regarding the TOR browser. As it’s very early in the morning, and I wasn’t intending on making any posts right now…for brevity, I trust it will not be ill looked upon, if I copy and paste their message here.

I’m also going to pin this post to the top of the blog, for a few days.

“Hi Steve,

I don’t know whether or not you use Tor Browser, but I’m sure many of your readers do and would appreciate getting out the word.

There is currently a bug in Tor Browser version 8.0.8 which causes the NoScript extension to be disabled. This means that even if you have set the browser security level to “Safest”, JavaScript will be permitted, which may allow web sites to track or identify your computer.

This problem began some time late Friday, when an internal certificate expired. If you haven’t launched Tor Browser since then, NoScript will probably still be enabled when you first start the browser, but after a few minutes a yellow warning bar will appear, showing “One or more installed add-ons cannot be verified and have been disabled.”

An updated version of Tor Browser will be available soon, but until then, if you are concerned about anonymity, I would recommend avoiding any web sites that might be targets of surveillance. Otherwise, if you are comfortable adjusting the internal browser settings, a temporary workaround has been posted here:

Just a word to the wise!”

Thank you, good Samaritan!

It looks like they intended on sharing a link…but it didn’t get included…

I’m going off to bed, soon…So, I’m not going to be searching it down right now.

But I wanted to pass this along.

5 thoughts on “Security Warning: Tor Browser…

  1. Yure

    I noticed that. It happened to me yesterday. I’m waiting for the update, but I’m using Tor Browser anyway. I just gotta avoid BC.

    Reply
  2. feinmann0

    As reported, the NoScript extension is not working in TOR Browser at the moment: trac.torproject.org/projects/tor/ticket/30388

    Mozilla verifies and “signs” add-ons that follow a set of security guidelines. Mozilla accidentally broke add-ons signing. They have said they were testing a fix, but it doesn’t seem to be deployed yet: twitter.com/ma1/status/1124586336055431168

    Make sure you have the security slider on “Safest” (at this level, all JavaScript performance optimizations are disabled; some mathematical equations may not display properly; some font rendering features are disabled; some types of image are disabled; Javascript is disabled by default on all sites; most video and audio formats are disabled; and some fonts and icons may not display correctly).

    For anyone wanting to check that Javascript is disabled in Tor:
    1. Type ‘about:config’ in the address bar and hit ‘Enter’.
    2. Click to ‘accept the risk’.
    3. Type ‘javascript.enabled’ into the search field.
    4. Check that ‘value’ is shown as ‘false’. (If it’s not, double-click on ‘true’ to toggle it to ‘false’)

    … or

    go here: whatismybrowser.com/detect/is-javascript-enabled

    Reply
  3. Anonymous

    This is the temporary workaround the Tor Project suggests:

    1. Open the address about:config in the Tor Browser address bar
    2. At the top of the page, search for xpinstall.signatures.required
    3. Set the xpinstall.signatures.required entry to false by double clicking it

    Note: Please remember to set the xpinstall.signatures.required entry back to true again once the Tor Browser security update is applied.

    You can check this message on their Twitter. The problem doesn’t come from the Tor Browser itself, but from Mozilla’s certificates, which means Firefox is affected as well.

    Reply

Leave a Reply to sunchaser04 Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.