Firefox expired cert force-disables all user add-ons

[Isengrim]

More Firefox drama for anyone who cares:

https://old.reddit.com/r/firefox/commen ... _and_cant/
https://old.reddit.com/r/firefox/commen ... ine_users/
https://old.reddit.com/r/firefox/commen ... t_forcing/
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973

Essentially, an expired signing cert force-disabled all user add-ons, with a few exceptions.

I'm glad the Pale Moon add-ons team doesn't enforce any kind of signing requirements like this. It seems like a fantastic single point of failure that would render the browser unusable for many of us, as it no-doubt has for many Firefox users. In my opinion, it sacrifices user freedom for a thin veneer of security, which is only made thinner by the fact that FF extensions are barely even reviewed by humans to begin with.

tl;dr I prefer our much freer extension ecosystem, small as it may be, over the increasingly walled garden approach that AMO has become.

[Kingpin]

Literally just logged in to post this. The bad publicity of this will be off the charts (already thousands of reddit comments). You wanted to control our browsing, Mozilla, and there you have it. Will they still be able to keep up the facade of "respecting the user", "caring about choice and independence", "supporting the open web" and other nonsense? Doubt it. And what about the alleged "great security" FF has that Pale Moon allegedly doesn't (according to its detractors) ? Security goes out the window when you can't even block malvertising due to your blocker going down.

Evil cannot go unpunished for long. RIP Firefox and you won't be missed

[Shadoefax]

After my Firefox imploded upon itself a couple of hours ago, I opened PM and was greatly relieved that all my extensions were still there. I'll bet this Mozilla clusterf**k will result in many more users discovering Pale Moon.

[CharmCityCrab]

It appears as though this started at a time when most Americans are done web browsing from a PC for the day and that it will be resolved by the time they wake up in the morning. So, the timing isn't that bad for Mozilla. The majority of users will never realize this happened (Assuming the western hemisphere represents the majority of its user base).

As an aside, I'm using Firefox for Android to type this and my extensions appear to be operational (Either that or someone stripped the web of all its ads. ). So, it seems this may be limited to versions of Firefox for personal computers, or at least has not instaneously affected their mobile browser.

All that said, this type of browser problem is of course not good. It is, however, a good argument for browser diversity, though, which I'm always for. If this is still going on tomorrow when I next plan to use my PC, I'll export my Firefox bookmarks to HTML and then load them into my already installed and set up Pale Moon installation, which already has my core add-ons already installed as well. That Pale Moon exists and takes a different approach to extensions means that it'll just take me a minute or two to work around this problem if I need to.

I was having an argument in some comment section somewhere with a guy who was adament that all browsers should use Chromium as a base, or at least Blink as their rendering engine. In addition to all the obvious stuff, this type of scenario was one of the ones I pointed out- something goes wrong with Chromium and something goes wrong with everything if the whole world uses Chromium-based browsers and the problem is one of the things that is adopted by all those browsers. Same would apply to Gecko, or to Goanna. You always want more than one approach to things available.

So, regardless of one's feelings on mandatory signing of extensions, that Firefox has it and Pale Moon doesn't helps users right now. I could also see a different hypothetical scenario where a very common unsigned extension has some sort of flaw or security issue that does something undesireable, though, and we'll be glad browsers like Firefox exist that require signing. Having options is nice- not just because people get to choose what they want and competition inspires better end products and all that good stuff, but also because it keeps everything from grinding to a halt based on a single glitch or vulnerability- in theory there should be something out there that is immune to any particular bug.

[New Tobin Paradigm]

Strawman.. We have a blocklist to deal with issue causing extensions.. Signing doesn't stop it as bad extensions can be signed and listed on AMO too.. May not be there for long but it can still happen.

Loss of freedom in the name of security is rarely objectively justified.

[Kingpin]

It appears as though this started at a time when most Americans are done web browsing from a PC for the day and that it will be resolved by the time they wake up in the morning. So, the timing isn't that bad for Mozilla. The majority of users will never realize this happened (Assuming the western hemisphere represents the majority of its user base).

No way haha. This already blew up and Mozilla won't be able to contain the disaster.

So, regardless of one's feelings on mandatory signing of extensions, that Firefox has it and Pale Moon doesn't helps users right now. I could also see a different hypothetical scenario where a very common unsigned extension has some sort of flaw or security issue that does something undesireable, though, and we'll be glad browsers like Firefox exist that require signing.

No, that's not the same, because it would still be the users that have CHOSEN to install the extension. Here, we have had our addons disabled FORCEFULLY, with no possible opt-out.

[JustOff]

Here is a temporary workaround to re-enable all extensions for those who need it urgently.

PS: All this shit is quite expected

[gepus]

The majority of users will never realize this happened (Assuming the western hemisphere represents the majority of its user base).

Speaking of user base, Firefox has over 8% market share in Europe and 4.73% in North America.

[gepus]

Signing doesn't stop it as bad extensions can be signed and listed on AMO too.. May not be there for long but it can still happen.

They'll be there as long as some users won't notify Mozilla. This can take some time. Happened already in the past.

[Kingpin]

About Firefox' market share - it's going to heavily fall after this:

[Moonraker]

I see a lot of attacks against mozilla and i see no reason why.I am not defending mozilla here but i am not going to be an evil juror either.They are late updating their certs so just get over it and stroll on.

[Moonchild]

I see a lot of attacks against mozilla and i see no reason why.I am not defending mozilla here but i am not going to be an evil juror either.They are late updating their certs so just get over it and stroll on.

I'm sorry but running a for-profit business that has half a billion in incoming assets annually, these kinds of mistakes that impact usability for their entire user base are unacceptable. IMHO they don't deserve this kind of leniency at all.

[Kingpin]

I see a lot of attacks against mozilla and i see no reason why.I am not defending mozilla here but i am not going to be an evil juror either.They are late updating their certs so just get over it and stroll on.

If they didn't enforce extension signing this would have never been an issue. Now they've dug their own grave.

[Night Wing]

I just ran into this problem this morning when I was putting new bookmarks in for Pale Moon, SeaMonkey and Firefox.

All of my extensions and lightweight persona themes in Quantum Firefox 66.0.2 vanished in both linux and windows Firefox. Even the web extensions like Zoom Page WE will not install because they aren't signed. The only one I've been able to get to replace Zoom Page WE has been NoSquint Plus.

Since Mozilla blocked/disabled uBlock Origin, I decided to install the web extension for Adblock Plus in Quantum Firefox (66.0.2). To my surprise, the web extension for Adblock Plus won't install either. The download always fails.

Ditto for the web extensions for the Solid color skins I use for Quantum Firefox (66.0.2). The download always fails.

[chicken2]

Smiles, while browsing with unaffected Palemoon...

[New Tobin Paradigm]

Why would you think Pale Moon would be affected?

[CharmCityCrab]

Hard to believe they still haven't pushed out a fix yet. With that big of an organization and as many developers as they must have, it points to at least a mild level of incompetance somewhere. If nothing else, one would think a hot fix update flipping everyone's about:config to allow unsigned extensions would be in order (With the next update after that containing the real fix and changing the preference back when its ready).

Also, I have an update on my previous post: Firefox for Android is now affected. Using Edge for Android in the interim, which has a built in ad-block and dark mode in settings.

[CharmCityCrab]

Pale Moon is working beautifully (as I expected it would based on years of previous use as my #1 browser) as a desktop replacement for Firefox. I wonder how many people will move away from Firefox temporarily because of this situation and never bother to move back.

One issue I was finding with Edge as an Android replacement in the early going was the limitations of the built in Ad-Block Plus versus UBlock Origin. Even with acceptable ads turned off, a lot of things UBlock Origin can be configured to block through a bunch of filter lists or individual uses of the "dropper" to block elements just aren't an option with the mobile version of Ad-Block Plus, at least as integrated into Edge for Android, and one notices browsing the web. However, with Pale Moon and a lot of other browsers unavailable on mobile, options are limited. I didn't even see Waterfox for Android in a quick search of the Google Play Store- I wonder if it's been removed by the developer. I refuse to use Brave for reasons I'd rather not get into- I only mention it because I sense a torrent of suggestions that I use it for mobile while I wait for Firefox to be fixed. Edge is I guess going to be it on Android for the meantime.

One thing I am finding with mobile browsing is that porting bookmarks is a bit less straightforward than with desktop browsers, or so it seems. I only spent about 30 seconds trying to figure that out, though, so I'll bet the option is there somewhere. I'm used to the desktop browser setup (More specifically, I liked the old style "File, Edit, View, Bookmarks, Tools, Help" menus).

[coffeebreak]

at least a mild level of incompetance somewhere

Coupled with indifference.

[CharmCityCrab]

at least a mild level of incompetance somewhere

Coupled with indifference.

Yup.