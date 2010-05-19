from the what-browser-will-you-use-to-read-the-report? dept.
Eric Rescorla has a blog post over at Mozilla about the technical details on the recent Firefox add-on outage. He covers the background of how they use certificates, how they tried to mitigate the damage from the outage, how they worked to solve the problem without breaking more things, deployment of the replacement certificate, and why it took so long to fix.
Recently, Firefox had an incident in which most add-ons stopped working. This was due to an error on our end: we let one of the certificates used to sign add-ons expire which had the effect of disabling the vast majority of add-ons. Now that we've fixed the problem for most users and most people's add-ons are restored, I wanted to walk through the details of what happened, why, and how we repaired it.
There were a lot of work arounds discussed here and elsewhere, some of them quite stupid so, lastly, remember to undo any temporary work-arounds that might have been deployed last weekend.
Earlier on SN: In Firefox All Extensions Disabled Due to Expiration of Intermediate Signing Cert
Related Stories
Armagadd-on 2.0, Mozilla expired certificate disables add-ons
No, the culprit you are losing add-ons isn't your computer, or maybe your old FF, or dropping of Webextensions API. Twitter, Reddit, everyone is wondering what is going on. This Armagadd-on 2.0 has a simple explanation: Mozilla forgot to renew certificates, and so add-ons are failing like if they were not properly signed, because technically they are not. Even signing of new add-ons is down (see comment 9). Great weekend at Mozilla HQ!
Some workarounds, until they clean up the mess, include playing with the computer clock (NTP? forget it) or disabling signature checks (not possible in default releases).
All Firefox extensions disabled due to expiration of intermediate signing cert
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Steps to reproduce:
Wait until it's past midnight on 2019-05-04 UTC.
Actual results:
All addons got disabled due not having valid signature.
Expected results:
If the signature was due to expire, it should have been renewed weeks ago. Not all extensions were disabled. Fakespot and Google Scholar Button were left in their disabled state.
Some reports on reddit says that they had their clocks a day forward, but they may be just early canaries for the actual widespread issue.
Going backwards in time allows installation from AMO (Mozilla Add-ons) but do not remove the unsupported mark from the add-ons already installed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
Workaround: Go to about:config and set xpinstall.signatures.required to false
(Score: 0) by Anonymous Coward on Friday May 10, @09:51PM (2 children)
This is just feature bloat with all the well known consequences. What more do you need to know?
(Score: 2) by Snow on Friday May 10, @10:05PM (1 child)
You don't want the best feature of Firefox?
(Score: 0) by Anonymous Coward on Friday May 10, @10:57PM
I've got IBS you insensitive clod!
(Score: 1, Funny) by Anonymous Coward on Friday May 10, @09:58PM
All the security engineers were away for two weeks of mandatory inclusiveness training, since one had violated the CoC by using the pronoun "he" instead of "ze" in a comment, and no one was left to renew the certs.
(Score: 1) by RandomFactor on Friday May 10, @10:01PM
Was Waterfox.
I wasn't particularly planning to undo it.
"My battery is low and it's getting dark." - Opportunity
(Score: 0) by Anonymous Coward on Friday May 10, @10:11PM (2 children)
To me the most important question is: Did Mozilla fix this issue for users who were using older versions of Firefox?
The answer, of course, is: No. The fix is only in version 66 (and later).
There are users of Firefox who have not updated for various reasons, including they are on an ESR version, a particular add-on stopped being updated after their version, or because they're using older operating systems. All of these users have been abandoned by Mozilla.
(Score: 1, Insightful) by Anonymous Coward on Friday May 10, @10:19PM (1 child)
I'm not going to donate my time to support people who figuratively use IE6. If you think the new version is shit, pick up one of the many forks.
If you think old versions should be supported, pay for the maintenance yourself rather than demanding others do so.
You aren't a customer, you are the recipient of a gift.
(Score: 0) by Anonymous Coward on Friday May 10, @10:33PM
I'm pretty sure if 90% of firefox developers went away it would be better off.
(Score: 0) by Anonymous Coward on Friday May 10, @10:44PM (1 child)
Which workarounds were stupid and why?
(Score: 0) by Anonymous Coward on Friday May 10, @10:59PM
The ones that involved anything other than switching to Waterfox or Pale Moon, because it is stupid to continue using Firefox after this amateur-hour shitfesr.
(Score: 0) by Anonymous Coward on Friday May 10, @10:48PM
Any suggestion as to how to create an independent web browser? Like SN spouted out when SD went evil?
Setting up SN was pretty damn good accompishment, but maintaining a modern browser is a gargantuan task, but there are many parties with weight we can recruit: EFF, FSF, perhaps others.