Tor-Browser 8.0.9 released (May 7, 2019)

The Tor Project released version 8.0.9 of the Tor Browser bundle on May 7, 2019. This release is a response to the expired certificate for signing Firefox add-ons, and it also fixes a bug in an addon.


The expired certificate issue

On Saturday, 4 May 2019, many Firefox users were shocked because their addons were no longer running in the browser but had been deactivated. I had mentioned this in the blog post Firefox: Expired certificate disables addons (May 4, 2019). The background was that a certificate required for signing the addons had expired on that day. As soon as the browser started a verification run, the addons were deactivated because of the invalid certificate.

On Monday the Firefox browser was updated to version 66.0.4 and the ESR version to version 60.6.2 (see Firefox 66.0.4 and 60.6.2 ESR fixes Add-on issue). The problem was that the fixes for importing the interim certificate did not work for the Tor bundle and the Firefox build used there. On the Tor project page, there was a note 'NoScript Temporarily Disabled in Tor Browser' that pointed out the problems with the expired certificate:

Tor NoScript-Information

The NoScript addon was temporarily deactivated, so anonymity was no longer guaranteed (JavaScript could be executed). I had outlined a workaround in the blog post Firefox 66.0.4 and 60.6.2 ESR fixes Add-on issue, in which the xpinstall.signatures.required setting was set to false.

Tor browser 8.0.9 fixes the issue

I’ve been trying Tor Browser 8.0.8 several times a day to check whether there was an update. An hour ago Firefox reported that an update was pending. I let the browser update the Tor bundle to version 8.0.9.


Tor-Browser 8.0.9

The update was installed automatically, and the next time Tor was started, the Tor Browser showed the message above. The changelog lists the following fixes:

Tor Browser 8.0.9 — May 7 2019
* All platforms
  * Update Torbutton to 2.0.13
    * Bug 30388: Make sure the updated intermediate certificate keeps working
  * Backport fixes for bug 1549010 and bug 1549061
    * Bug 30388: Make sure the updated intermediate certificate keeps working
  * Update NoScript to 10.6.1
     * Bug 29872: XSS popup with DuckDuckGo search on about:tor

In addition to the updates to Torbutton and NoScript, bugs have also been fixed. This update also ensures that the intermediate certificate works in the browser. See the Tor project website for more details.

Important: Undo Workaround

If you used the workaround I proposed in my blog post Firefox 66.0.4 and 60.6.2 ESR fixes Add-on issue, it’s important to undo it.

  • Type about:config in the address line and use the search field to search for xpinstall.signatures.required.
  • Change the entry to True by double-clicking on it. The add-ons are then checked for a valid digital signature again.
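
To confirm that the workaround is really gone, for instance across several installed profiles, the following added example (not from the original post or the Tor Project) reads a profile's prefs.js and user.js and reports whether xpinstall.signatures.required is still forced to false. The profile directory is passed as an argument, the sample preference lines are constructed, and the standard `user_pref("name", value);` file format is assumed.

```python
import re
import sys
from pathlib import Path

PREF = "xpinstall.signatures.required"
# Preference files contain lines of the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample of a prefs.js with the workaround still in place.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
user_pref("xpinstall.signatures.required", false);
'''

def read_pref(text, name=PREF):
    """Return the last value set for `name` in a prefs file, or None if unset."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # commented-out lines do not match
        if m and m.group(1) == name:
            value = m.group(2)
    return value

def audit_profile(profile_dir):
    """Check one profile directory; return (status, detail)."""
    profile = Path(profile_dir)
    effective, source = None, None
    # user.js is applied after prefs.js at startup, so it wins if both set it.
    for fname in ("prefs.js", "user.js"):
        path = profile / fname
        if path.is_file():
            v = read_pref(path.read_text(encoding="utf-8", errors="replace"))
            if v is not None:
                effective, source = v, fname
    if effective is None:
        return "ok", "not overridden; browser default applies"
    if effective == "false":
        return "workaround-active", f"set to false in {source}"
    return "ok", f"set to {effective} in {source}"

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("sample prefs.js value:", read_pref(SAMPLE_PREFS))
    for d in sys.argv[1:]:
        status, detail = audit_profile(d)
        print(f"{d}: {status} ({detail})")
```

Run it with the browser closed, since the browser rewrites prefs.js on exit. A leftover entry in user.js would re-apply the workaround at every start even after the value is corrected in about:config.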


You should then type about:addons in the Firefox address field to check the addon page. It should then list all addons as shown below.

Tor Browser add-on page

Tor Browser 8.0.9 is available on the Tor Browser download page and via the Distribution Directory.

Similar articles
Firefox: Expired certificate disables addons (May 4, 2019)
Firefox 66.0.4 and 60.6.2 ESR fixes Add-on issue
