Firefox disabled all add-ons because a certificate expired

Firefox disabled all add-ons because a certificate expired
https://www.engadget.com/2019/05/03/firefox-extension-add-on-cert/

The event occurred as the clock rolled over on UTC (Coordinated Universal
Time, aka GMT or Greenwich Mean Time), and impacted users quickly narrowed
it down to "expiration of intermediate signing cert" -- as it's described
on Mozilla's bug tracker.
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973

(This is a repost of the the response I gave to the same post in the
alt.os.linux newsgroup)

As someone on slashdot mentioned, why are those add-ons even checked
each-and-every time you start your browser ? Are they expected to mutate
somehow (and no, I do not mean updates) ?

All the thats that certificate /should/ be needed for is to make sure that
you get & install the add-on as the developer has created it.

In its current implementation its simply a kill-switch for anything Mozilla
wishes to declare "obsolete". :-(

And by the way: the work around is to go into about:config, find
"xpinstall.signatures.required" and set it to false (which is actually the
first thing I do when installing FF :-) )

Regards,
Rudy Wieser

"R.Wieser" wrote

| As someone on slashdot mentioned, why are those add-ons even checked
| each-and-every time you start your browser ? Are they expected to
mutate
| somehow (and no, I do not mean updates) ?
|

It's a bug.

https://techcrunch.com/2019/05/03/a-...ox-extensions/

The lesson here is yet one more example of why you
shouldn't allow software companies onto your system
to do unreliable and intrusive dripfeed updates. If your
extensions were disabled you simply don't have adequate
security.

Woops. The news says it's a cert that's built in.

I have signature requirement disabled, but I still see
a warning with unsigned extensions in the add-ons window.
FF today is not warning me about all extensions. Yet
according to the story it should have as of 4AM today
EST. I've got FF 52.9. Maybe it's only a problem with
particular recent versions.

I'm curious whether xpinstall.signatures.required works
in all versions. I was under the impression that it could
only be used in ESR versions.

Last year they removed access to "legacy" extensions.
Last week they announced they're going to block all
extensions with "obfuscated code". They seem to be trying
to increase their own control of the product in the
interest of consistency and security.

I installed FF66 recently
on my Win7 box to see what it's like. Not great. I can't
get rid of tabs and while many extensions still exist they
seem to have been crippled in order to accommodate
Mozilla's new system.

On 5/4/19 9:21 AM, Mayayana wrote:
Woops. The news says it's a cert that's built in.

I have signature requirement disabled, but I still see
a warning with unsigned extensions in the add-ons window.
FF today is not warning me about all extensions. Yet
according to the story it should have as of 4AM today
EST. I've got FF 52.9. Maybe it's only a problem with
particular recent versions.

I'm curious whether xpinstall.signatures.required works
in all versions. I was under the impression that it could
only be used in ESR versions.

Last year they removed access to "legacy" extensions.
Last week they announced they're going to block all
extensions with "obfuscated code". They seem to be trying
to increase their own control of the product in the
interest of consistency and security.

I installed FF66 recently
on my Win7 box to see what it's like. Not great. I can't
get rid of tabs and while many extensions still exist they
seem to have been crippled in order to accommodate
Mozilla's new system.



You can reload them by doing the following:
about:debugging enable add-on debugging Load Temporary Add-On
Browse to your Firefox profile In the extensions folder choose the
..xpi file of your extension

You can use about:support to find your profile directory

I've reloaded 6 of mine now and they work great.
Linux Mint, FF 66.0.3

In message , R.Wieser
writes:
(This is a repost of the the response I gave to the same post in the
alt.os.linux newsgroup)

As someone on slashdot mentioned, why are those add-ons even checked
each-and-every time you start your browser ? Are they expected to mutate
somehow (and no, I do not mean updates) ?

All the thats that certificate /should/ be needed for is to make sure that
you get & install the add-on as the developer has created it.

In its current implementation its simply a kill-switch for anything Mozilla
wishes to declare "obsolete". :-(

And by the way: the work around is to go into about:config, find
"xpinstall.signatures.required" and set it to false (which is actually the
first thing I do when installing FF :-) )

Regards,
Rudy Wieser


Does the "xp" in its name mean it's only for Windows XP versions? (If
not, what _does_ it mean?)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

The web is a blank slate; you can't design technology that is 'good'. You can't
design paper that you can only write good things on. There are no good or evil
tools. You can put an engine in an ambulance or a tank. - Sir Tim Berners-Lee,
Radio Times 2009-Jan-30 to -Feb-5.

On 5/4/19 9:31 AM, J. P. Gilliver (John) wrote:
In message , R.Wieser
writes:
(This is a repost of the the response I gave to the same post in the
alt.os.linux newsgroup)

As someone on slashdot mentioned, why are those add-ons even checked
each-and-every time you start your browser ?Â*Â*Â*Â* Are they expected to
mutate
somehow (and no, I do not mean updates) ?

All the thats that certificate /should/ be needed for is to make sure
that
you get & install the add-on as the developer has created it.

In its current implementation its simply a kill-switch for anything
Mozilla
wishes to declare "obsolete".Â* :-(

And by the way: the work around is to go into about:config, find
"xpinstall.signatures.required" and set it to false (which is actually
the
first thing I do when installing FF :-) )

Regards,
Rudy Wieser


Does the "xp" in its name mean it's only for Windows XP versions? (If
not, what _does_ it mean?)
Since extensions are .xpi files, I would guess the XP comes from that.
The setting is in all versions of FF.
Al

"J. P. Gilliver (John)" wrote

| Does the "xp" in its name mean it's only for Windows XP versions? (If
| not, what _does_ it mean?)

Extension package install. It's just a ZIP with
a different extension, holding javascript files,
images, language options, GUI specs, etc.

Mayayana,


"Mayayana" wrote in message
...
"R.Wieser" wrote

| As someone on slashdot mentioned, why are those add-ons even
| checked each-and-every time you start your browser ? Are they
| expected to mutate somehow (and no, I do not mean updates) ?

It's a bug.

From the page you linked to "and suggests the sudden failure is due to a
code signing certificate built into the browser that expired just after 5
PM". So no, not even they consider it to be a bug.

But, try to come up with rational explanation how such a bug could hit /all/
plugins for /all/ users at /the same time/. Good luck. :-)

The lesson here is yet one more example of why you
shouldn't allow software companies onto your system
to do unreliable and intrusive dripfeed updates.

Agreed.

If your extensions were disabled you simply don't have
adequate security.

Bull****. This is not some hacker that tries to gain entrance and create
havock, or a virus that tries to "do it's thang", this is a program which
does exactly what its designed for. There is /no/ security measure you can
have implemented to ward it off. And no, restoring a backup would not
have helped either - the certificate would still be expired.

Regards,
Rudy Wieser

John,

Does the "xp" in its name mean it's only for Windows XP versions?

I wondered the same thing. I cannot check it though (am on XP, FF 52).

(If not, what _does_ it mean?)

eXtra Plugin ? eXperience Points ? :-) Sorry, no idea.

Regards,
Rudy Wieser

Big Al,

Since extensions are .xpi files, I would guess the XP comes from that.

Shucks, ofcourse. Thanks.

Regards,
Rudy Wieser

Mayayana,

Extension package install.

Nope: https://developer.mozilla.org/en-US/docs/Mozilla/XPI

It's just a ZIP with a different extension, holding javascript
files, images, language options, GUI specs, etc.

That is an answer to a question that has not been asked.

Regards,
Rudy Wieser

"R.Wieser" wrote

Does the "xp" in its name mean it's only for Windows XP versions? (If
not, what _does_ it mean?)

Extension package install.

| That is an answer to a question that has not been asked.

I wonder if you're getting enough sleep, Rudy.
You seem to argue with virtually everything
these days.

Mayayana,

I wonder if you're getting enough sleep, Rudy.

I wonder if you get enough yourself.

Pointing to websites that supposedly classifies this whole debacle as a
"bug", only to need to be told that if you actually read-and-absorbed the
(rather small bit of) info there it says quite a different thing. Whoops!

Regards,
Rudy Wieser

Mayayana,

And I ofcourse forgot to to mention the obvious: that you focus on something
you find "wrong" with the other, in the hope they won't notice that you drop
everything else what has been said but do not like to talk about (it almost
worked).

Like your bull**** about your "don't have adequate security". Even if you
would try - which you have no intention of - to come up with a/any kind of
"security" /by the user/ that could have prevented this than I'm pretty sure
that anyone can poke a few holes in it. Like I already did (backups don't
work).

Kiddo, you think that you are /much/ smarter than that you are, or simply do
not think long enough about the implications of what you suggest. Which,
too bad for you, results in getting called out for it. Which you than
forcefully ignore in the hope it will go away.

.... which it doesn't.

"The biggest mistake you can make is thinking that you cannot make any. An
even bigger one is to, when you made one, deny you made it." (and yes,
there is a joke in there).

Regards,
Rudy Wieser