Firefox disabled all add-ons because a certificate expired

Firefox disabled all add-ons because a certificate expired
https://www.engadget.com/2019/05/03/firefox-extension-add-on-cert/

The event occurred as the clock rolled over on UTC (Coordinated Universal
Time, aka GMT or Greenwich Mean Time), and impacted users quickly narrowed
it down to "expiration of intermediate signing cert" -- as it's described
on Mozilla's bug tracker.
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973

(This is a repost of the the response I gave to the same post in the
alt.os.linux newsgroup)

As someone on slashdot mentioned, why are those add-ons even checked
each-and-every time you start your browser ? Are they expected to mutate
somehow (and no, I do not mean updates) ?

All the thats that certificate /should/ be needed for is to make sure that
you get & install the add-on as the developer has created it.

In its current implementation its simply a kill-switch for anything Mozilla
wishes to declare "obsolete". :-(

And by the way: the work around is to go into about:config, find
"xpinstall.signatures.required" and set it to false (which is actually the
first thing I do when installing FF :-) )

Regards,
Rudy Wieser

"R.Wieser" wrote

| As someone on slashdot mentioned, why are those add-ons even checked
| each-and-every time you start your browser ? Are they expected to
mutate
| somehow (and no, I do not mean updates) ?
|

It's a bug.

https://techcrunch.com/2019/05/03/a-...ox-extensions/

The lesson here is yet one more example of why you
shouldn't allow software companies onto your system
to do unreliable and intrusive dripfeed updates. If your
extensions were disabled you simply don't have adequate
security.

Woops. The news says it's a cert that's built in.

I have signature requirement disabled, but I still see
a warning with unsigned extensions in the add-ons window.
FF today is not warning me about all extensions. Yet
according to the story it should have as of 4AM today
EST. I've got FF 52.9. Maybe it's only a problem with
particular recent versions.

I'm curious whether xpinstall.signatures.required works
in all versions. I was under the impression that it could
only be used in ESR versions.

Last year they removed access to "legacy" extensions.
Last week they announced they're going to block all
extensions with "obfuscated code". They seem to be trying
to increase their own control of the product in the
interest of consistency and security.

I installed FF66 recently
on my Win7 box to see what it's like. Not great. I can't
get rid of tabs and while many extensions still exist they
seem to have been crippled in order to accommodate
Mozilla's new system.

On 5/4/19 9:21 AM, Mayayana wrote:
Woops. The news says it's a cert that's built in.

I have signature requirement disabled, but I still see
a warning with unsigned extensions in the add-ons window.
FF today is not warning me about all extensions. Yet
according to the story it should have as of 4AM today
EST. I've got FF 52.9. Maybe it's only a problem with
particular recent versions.

I'm curious whether xpinstall.signatures.required works
in all versions. I was under the impression that it could
only be used in ESR versions.

Last year they removed access to "legacy" extensions.
Last week they announced they're going to block all
extensions with "obfuscated code". They seem to be trying
to increase their own control of the product in the
interest of consistency and security.

I installed FF66 recently
on my Win7 box to see what it's like. Not great. I can't
get rid of tabs and while many extensions still exist they
seem to have been crippled in order to accommodate
Mozilla's new system.



You can reload them by doing the following:
about:debugging enable add-on debugging Load Temporary Add-On
Browse to your Firefox profile In the extensions folder choose the
..xpi file of your extension

You can use about:support to find your profile directory

I've reloaded 6 of mine now and they work great.
Linux Mint, FF 66.0.3

Mayayana,


"Mayayana" wrote in message
...
"R.Wieser" wrote

| As someone on slashdot mentioned, why are those add-ons even
| checked each-and-every time you start your browser ? Are they
| expected to mutate somehow (and no, I do not mean updates) ?

It's a bug.

From the page you linked to "and suggests the sudden failure is due to a
code signing certificate built into the browser that expired just after 5
PM". So no, not even they consider it to be a bug.

But, try to come up with rational explanation how such a bug could hit /all/
plugins for /all/ users at /the same time/. Good luck. :-)

The lesson here is yet one more example of why you
shouldn't allow software companies onto your system
to do unreliable and intrusive dripfeed updates.

Agreed.

If your extensions were disabled you simply don't have
adequate security.

Bull****. This is not some hacker that tries to gain entrance and create
havock, or a virus that tries to "do it's thang", this is a program which
does exactly what its designed for. There is /no/ security measure you can
have implemented to ward it off. And no, restoring a backup would not
have helped either - the certificate would still be expired.

Regards,
Rudy Wieser

On Sat, 4 May 2019 17:21:49 +0200, in alt.comp.os.windows-10, R.Wieser
wrote:

Mayayana,


"Mayayana" wrote in message
...
"R.Wieser" wrote

| As someone on slashdot mentioned, why are those add-ons even
| checked each-and-every time you start your browser ? Are they
| expected to mutate somehow (and no, I do not mean updates) ?

It's a bug.

From the page you linked to "and suggests the sudden failure is due to a
code signing certificate built into the browser that expired just after 5
PM". So no, not even they consider it to be a bug.

But, try to come up with rational explanation how such a bug could hit /all/
plugins for /all/ users at /the same time/. Good luck. :-)

The lesson here is yet one more example of why you
shouldn't allow software companies onto your system
to do unreliable and intrusive dripfeed updates.

Agreed.

If your extensions were disabled you simply don't have
adequate security.

Bull****. This is not some hacker that tries to gain entrance and create
havock, or a virus that tries to "do it's thang", this is a program which
does exactly what its designed for. There is /no/ security measure you can
have implemented to ward it off. And no, restoring a backup would not
have helped either - the certificate would still be expired.


Maybe they'll wise up and fix this with a 3-day waiting period where the
browser warns you that extension verification has failed. "Run at your
own risk," but it'll run at least. Gives them time to fix it.

A bad, built-in cert. At the least, they're going to have to start
mandatory clock set tests for nightly and beta to ward this off in the
future.

And surprise, surprise, Persona (light) themes are also signed. There is
no reason for that other than the desire to centrally control themes in
case one is found to be offensive, or in support of civil unions, or
violates copyright. SMH.

More info at:

https://support.mozilla.org/en-US/kb...nstall-firefox

They'd better fix this in less than a day or so or people will be
switching to Chrome in droves.

--
Zag

No one ever said on their deathbed, 'Gee, I wish I had
spent more time alone with my computer.' ~Dan(i) Bunten

On Sat, 04 May 2019 13:14:49 -0500, Zaghadka wrote:

https://support.mozilla.org/en-US/kb...nstall-firefox

They'd better fix this in less than a day or so or people will be
switching to Chrome in droves.

Thanks for that link which says that "studies" is used for the "temporary"
fix, apparently, but not on all platforms (apparently).

Firefox: Options Privacy & Security Firefox Data Collection and Use
[x]Allow Firefox to install and run studies

I do not claim to understand either the problem or the permanent solution,
so, given that, what I wonder, perhaps too innocently, is why don't they
just compile a new Firefox binary that contains a new built-in certificate
that is known to be good?

Then we could all download that new binary, and be done with it.

What's wrong with my assumption (bearing in mind I admit I don't fully
understand the problem set yet).

In message , R.Wieser
writes:
(This is a repost of the the response I gave to the same post in the
alt.os.linux newsgroup)

As someone on slashdot mentioned, why are those add-ons even checked
each-and-every time you start your browser ? Are they expected to mutate
somehow (and no, I do not mean updates) ?

All the thats that certificate /should/ be needed for is to make sure that
you get & install the add-on as the developer has created it.

In its current implementation its simply a kill-switch for anything Mozilla
wishes to declare "obsolete". :-(

And by the way: the work around is to go into about:config, find
"xpinstall.signatures.required" and set it to false (which is actually the
first thing I do when installing FF :-) )

Regards,
Rudy Wieser


Does the "xp" in its name mean it's only for Windows XP versions? (If
not, what _does_ it mean?)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

The web is a blank slate; you can't design technology that is 'good'. You can't
design paper that you can only write good things on. There are no good or evil
tools. You can put an engine in an ambulance or a tank. - Sir Tim Berners-Lee,
Radio Times 2009-Jan-30 to -Feb-5.

On 5/4/19 9:31 AM, J. P. Gilliver (John) wrote:
In message , R.Wieser
writes:
(This is a repost of the the response I gave to the same post in the
alt.os.linux newsgroup)

As someone on slashdot mentioned, why are those add-ons even checked
each-and-every time you start your browser ?Â*Â*Â*Â* Are they expected to
mutate
somehow (and no, I do not mean updates) ?

All the thats that certificate /should/ be needed for is to make sure
that
you get & install the add-on as the developer has created it.

In its current implementation its simply a kill-switch for anything
Mozilla
wishes to declare "obsolete".Â* :-(

And by the way: the work around is to go into about:config, find
"xpinstall.signatures.required" and set it to false (which is actually
the
first thing I do when installing FF :-) )

Regards,
Rudy Wieser


Does the "xp" in its name mean it's only for Windows XP versions? (If
not, what _does_ it mean?)
Since extensions are .xpi files, I would guess the XP comes from that.
The setting is in all versions of FF.
Al

Big Al,

Since extensions are .xpi files, I would guess the XP comes from that.

Shucks, ofcourse. Thanks.

Regards,
Rudy Wieser

"J. P. Gilliver (John)" wrote

| Does the "xp" in its name mean it's only for Windows XP versions? (If
| not, what _does_ it mean?)

Extension package install. It's just a ZIP with
a different extension, holding javascript files,
images, language options, GUI specs, etc.

Mayayana,

Extension package install.

Nope: https://developer.mozilla.org/en-US/docs/Mozilla/XPI

It's just a ZIP with a different extension, holding javascript
files, images, language options, GUI specs, etc.

That is an answer to a question that has not been asked.

Regards,
Rudy Wieser

"R.Wieser" wrote

Does the "xp" in its name mean it's only for Windows XP versions? (If
not, what _does_ it mean?)

Extension package install.

| That is an answer to a question that has not been asked.

I wonder if you're getting enough sleep, Rudy.
You seem to argue with virtually everything
these days.

John,

Does the "xp" in its name mean it's only for Windows XP versions?

I wondered the same thing. I cannot check it though (am on XP, FF 52).

(If not, what _does_ it mean?)

eXtra Plugin ? eXperience Points ? :-) Sorry, no idea.

Regards,
Rudy Wieser