Firefox expired cert force-disables all user add-ons

chicken2

Re: Firefox expired cert force-disables all user add-ons

Post by chicken2 » 2019-05-04, 18:25

New Tobin Paradigm wrote:
2019-05-04, 16:26
Why would you think Pale Moon would be affected?
What? Where in my post did I say that I thought Pale Moon would be or is affected? I wrote the exact opposite.

therube
Board Warrior
Posts: 1756
Joined: 2018-06-08, 17:02

Re: Firefox expired cert force-disables all user add-ons

Post by therube » 2019-05-04, 18:28

gepus wrote:
2019-05-04, 10:25
New Tobin Paradigm wrote:
2019-05-04, 06:15
Signing doesn't stop it as bad extensions can be signed and listed on AMO too.. May not be there for long but it can still happen.
They'll be there as long as some users won't notify Mozilla. This can take some time. Happened already in the past.
Exactly.
I wonder why (malicious) Mozilla hasn't added itself to its Blocked Add-ons.

CharmCityCrab

Re: Firefox expired cert force-disables all user add-ons

Post by CharmCityCrab » 2019-05-04, 19:28

Update:

https://www.theverge.com/2019/5/4/18529 ... -error-fix

Now Mozilla apparently wants everyone to opt into "Mozilla studies" in order to receive a patch for this bug. That's borderline infuriating. They've got to be kidding. I'm not signing up for your backdoor beta program that installs random things without notice to the user in order to restore basic functionality to a stable version of a browser. Issue a patch through normal channels or no sale.

They have nothing ready for their Android port at all. I have to say that's the thing that bothers me more. While Pale Moon is great on desktop and I am not really missing a beat there, having to drop from Firefox to Edge on my phone is a big drop-off- thus far I haven't even gotten the bookmarks to port over from the one Android browser to the other.

Actually, this kind of exposes that there aren't really a lot of good browsers for Android. Though I at least temporarily switched back to Pale Moon on desktop to work around this problem, there are actually several other browsers where I could have basically done what I do roughly the way I do it if for some reason I didn't want to use PM. On Android, there really aren't many options that work the way I want them to.

karlchen
Apollo supporter
Posts: 46
Joined: 2019-01-16, 15:55

Re: Firefox expired cert force-disables all user add-ons

Post by karlchen » 2019-05-04, 19:54

Hi, CharmCityCrab.

Cool down. You have to enable "Mozilla Studies" for a few minutes only, just as long as it takes to re-enable the certificate and the disabled add-ons / themes.
The Mozilla instruction tells so. Once the disabled objects have been re-enabled you can disable "Mozilla Studies" again. It is just a somewhat clumsy workaround in order to get your disabled objects re-enabled quickly.
Although Mozilla mentioned this could take up to 6 hours, it took less than 10 minutes here on each of my systems, very likely because after enabling "Studies" I went to the Firefox add-ons page and re-installed the disabled themes. After less than 10 minutes everything was back to normal operation and "Studies" disabled again.

There is another workaround where you (temporarily) disable add-on verification, till the expired certificates have been renewed, which however opens a security hole.

All in all, from my point of view this is merely an instance of "Murphy struck again". It should not have happened, but it did.

Regards,
Karl

CharmCityCrab

Re: Firefox expired cert force-disables all user add-ons

Post by CharmCityCrab » 2019-05-04, 20:18

karlchen wrote:
2019-05-04, 19:54
Cool down. You have to enable "Mozilla Studies" for a few minutes only, just as long as it takes to re-enable the certificate and the disabled add-ons / themes.
The Mozilla instruction tells so. Once the disabled objects have been re-enabled you can disable "Mozilla Studies" again. It is just a somewhat clumsy workaround in order to get your disabled objects re-enabled quickly.
Although Mozilla mentioned this could take up to 6 hours, it took less than 10 minutes here on each of my systems, very likely because after enabling "Studies" I went to the Firefox add-ons page and re-installed the disabled themes. After less than 10 minutes everything was back to normal operation and "Studies" disabled again.
Maybe I'm overreacting, but it seems like this could have been done through their normal update mechanisms, but that they chose to do it through studies. Now, I can't claim to know why that choice was made, if indeed they did make it, but it looks an awful lot like they are trying to get some of their users who choose to disable studies (of which I would imagine people who use extensions, notice that they are not working, and look for a fix on Mozilla's website are a large portion) to enable it in the hopes that some will forget to disable it later. The vibe I keep getting from them is that they are kind of annoyed that so many people opt out of their telemetry and experiments and whatever, and they pull things to get people to opt back in, or just plain eliminate or obfuscate the ability to opt out. It's not as bad as Google Chrome is on similar issues, certainly, but that's a low bar.

To be clear, I am not saying this whole thing was engineered intentionally. I am sure that part was an accident or an oversight. What I am saying is that I find the use of studies instead of update a questionable choice. That choice of methodology seems to fit in well with what they want their user-base to choose anyway and it's hard to imagine that the "two birds with one stone" thing wasn't at least in the back of *someone's* head when they decided to do it.

I'll wait for a fix through the update mechanism. That's the way these things are supposed to be done. Mozilla spends 200 million US dollars a year on their browser. The amount of time this has taken and all the steps outside the normal update process they are asking users to take to work around it should be embarrassing to Mozilla at this point given their size and resources. I'm not trying to make this a Pale Moon vs. Firefox thing, but I think the much smaller and much less well funded Pale Moon team would have had a fix through the normal update process by now had they hit a snag of similar difficulty in resolving (Obviously it couldn't be the same thing because Pale Moon doesn't require signed extensions, so we'll just say something of similar difficulty or lack thereof in fixing). What's going on that Mozilla can't do this? We're just a few hours away from the 24 hour mark. This doesn't seem like a hard thing to resolve.

Is there some sort of bureaucratic thing that doesn't allow them to promptly issue out of band updates in situations like this?
Last edited by CharmCityCrab on 2019-05-04, 21:02, edited 1 time in total.

loxodont
Astronaut
Posts: 728
Joined: 2014-07-26, 23:03
Location: Mare Serenitatis

Re: Firefox expired cert force-disables all user add-ons

Post by loxodont » 2019-05-04, 20:22

About ESRs, The Verge article says:
The fix that’s being rolled out won’t apply to Firefox ESR or Firefox for Android, and Mozilla says that it’s working to release a patch there as well.
I don't use my 52.9 ESR that much, but it got hit and it's annoying that some of the add-ons could be disabled remotely. Some people on ghacks gave advice how to turn that off, but for now I'll wait with that until they fixed their mess.

I guess the "Studies" method won't work for FF 52 ESR and legacy add-ons. *) anyway (because no studies)
Last edited by loxodont on 2019-05-04, 20:39, edited 1 time in total.

Nightbird

Re: Firefox expired cert force-disables all user add-ons

Post by Nightbird » 2019-05-04, 20:24

https://blog.mozilla.org/addons/2019/05 ... n-firefox/

I quote Kev Needham:
"the Studies fix applies only to Desktop users of Firefox distributed by Mozilla. Firefox ESR, Firefox for Android, and some versions of Firefox included with Linux distributions will require separate updates"

Shadoefax

Re: Firefox expired cert force-disables all user add-ons

Post by Shadoefax » 2019-05-04, 21:02

I'm using Fx 56.0.2 and none of the 'fixes' (enabling studies, setting xpinstall.signatures.required to false, etc.) have worked yet. I'm hoping it's just a matter of time and not that Mozilla decided to abandon those of us that still require legacy extensions.

therube
Board Warrior
Posts: 1756
Joined: 2018-06-08, 17:02

Re: Firefox expired cert force-disables all user add-ons

Post by therube » 2019-05-04, 21:27

I'm using Fx 56.0.2 and none of the 'fixes' (enabling studies, setting xpinstall.signatures.required to false, etc.) have worked yet.
https://forums.informaction.com/viewtop ... 91#p100091
(With FF 52 *ESR*, xpinstall.signatures.required is sufficient.)
Last edited by therube on 2019-05-04, 21:28, edited 1 time in total.

CharmCityCrab

Re: Firefox expired cert force-disables all user add-ons

Post by CharmCityCrab » 2019-05-04, 21:28

As an aside, it occurs to me that Firefox could keep its goal of essentially requiring signed extensions while avoiding situations like what is occurring now with one simple long-term change. This wouldn't have to be implemented now, when the goal should just be to get things working again ASAP, but it could be put on the long-term blueprint for the future.

Here's the idea:

When an add-on's certificate expires based on timing out, show a dialog box to the end user giving them the option of either disabling it, or extending using it for 30 more days. If the user selects the 30 additional days, the extension could automatically disable itself 31 days afterwards without an option to opt-out, unless the certificate has been fixed prior to that point, in which case it would restore the extension from its "probationary" status back to regular status where the user would see nothing more unless the certificate expired again, in which case it would offer the disable or 30 day extension option again.

Implementing that would prevent situations like what is going on presently, because developers could just tell everyone to select the additional 30 days while they work out the situation through the update process, and as long as they come up with a fix that propagates within 30 days, it wouldn't impact the end user.

It still fits in with Mozilla's vision for what they feel offers an improved experience from a security perspective, while offering the user a way to temporarily opt-out on an extension by extension basis if they think something has gone horribly wrong with the system.
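
Added example, not part of the post above and not Firefox or Pale Moon code: a sketch of the proposed disable-or-30-days policy as a small state machine. Every name here is hypothetical, the timeline is constructed, and holding the add-on in a "pending" state until the user answers the dialog is an assumption.

```javascript
// Grace-period policy for add-ons whose signing certificate has timed out (hypothetical names).
const DAY_MS = 24 * 60 * 60 * 1000;
const GRACE_DAYS = 30;

// Record kept per add-on. Times are milliseconds since the epoch.
function newRecord(id, certNotAfter) {
  return { id, certNotAfter, revoked: false, graceStart: null };
}

// Decide what to do with an add-on at time `now`.
// state: "enabled" | "pending" (ask the user) | "probation" | "disabled"
function evaluate(rec, now) {
  // Assumption: revocation is a deliberate distrust signal, so no grace.
  if (rec.revoked) return { state: "disabled", prompt: false };
  if (now <= rec.certNotAfter) return { state: "enabled", prompt: false };
  // Expired by time and the user has not been asked yet.
  if (rec.graceStart === null) return { state: "pending", prompt: true };
  const graceEnd = rec.graceStart + GRACE_DAYS * DAY_MS;
  if (now <= graceEnd) {
    const daysLeft = Math.ceil((graceEnd - now) / DAY_MS);
    return { state: "probation", prompt: false, daysLeft };
  }
  // Grace used up and certificate still expired: hard disable, no opt-out.
  return { state: "disabled", prompt: false };
}

// The user picked "keep using for 30 more days" in the dialog.
function chooseGrace(rec, now) {
  if (evaluate(rec, now).state !== "pending") {
    throw new Error("grace is granted once per expiry, from the prompt only");
  }
  return { ...rec, graceStart: now };
}

// A fixed certificate arrived through the update channel.
function renewCertificate(rec, newNotAfter) {
  // Clearing graceStart restores regular status; a later expiry prompts again.
  return { ...rec, certNotAfter: newNotAfter, graceStart: null };
}

// Constructed timeline: the certificate expires at T0.
function demoTimeline() {
  const T0 = Date.UTC(2019, 4, 4);
  let rec = newRecord("example@addon", T0);
  const out = [evaluate(rec, T0 - DAY_MS).state];    // before expiry
  out.push(evaluate(rec, T0 + DAY_MS).state);        // expired, ask the user
  rec = chooseGrace(rec, T0 + DAY_MS);
  out.push(evaluate(rec, T0 + 20 * DAY_MS).state);   // inside the 30 days
  out.push(evaluate(rec, T0 + 32 * DAY_MS).state);   // grace over, no fix
  rec = renewCertificate(rec, T0 + 400 * DAY_MS);
  out.push(evaluate(rec, T0 + 40 * DAY_MS).state);   // fixed certificate
  out.push(evaluate(rec, T0 + 401 * DAY_MS).state);  // expires again
  return out;
}
```

The `revoked` branch is an assumption added for the example; the post only covers certificates that time out.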

Shadoefax

Re: Firefox expired cert force-disables all user add-ons

Post by Shadoefax » 2019-05-04, 21:41

Per that thread, setting app.normandy.run_interval_seconds to 1 is a proposed fix, but Fx 56.0.2 does not have that preference. I added it, but it made no difference.

therube
Board Warrior
Posts: 1756
Joined: 2018-06-08, 17:02

Re: Firefox expired cert force-disables all user add-ons

Post by therube » 2019-05-04, 21:49

I guess the hotlink sent you to the wrong post.
You want my post, which leads you to the hack, explained here, https://forums.informaction.com/viewtop ... 662#p98662.

Night Wing
Knows the dark side
Posts: 5743
Joined: 2011-10-03, 10:19
Location: Piney Woods of Southeast Texas, USA

Re: Firefox expired cert force-disables all user add-ons

Post by Night Wing » 2019-05-04, 23:14

Since Firefox is my third browser, after Pale Moon and SeaMonkey and only used in dire circumstances where Pale Moon and SeaMonkey don't render something, I'm not going to jump through hoops with a hack that might be temporary. I'll wait till Mozilla fixes the bug (where the certificate was let to expire by someone at Mozilla who was asleep at the wheel) which hopefully will be in version (66.0.4) on the official download version list which I use.

https://www.mozilla.org/en-US/firefox/all/
MX Linux 25.1 (Infinity) Xfce w/Pale Moon, Waterfox, Firefox
Linux Debian 13.3 (Trixie) Xfce w/Pale Moon, Waterfox, Firefox

Kingpin

Re: Firefox expired cert force-disables all user add-ons

Post by Kingpin » 2019-05-05, 00:48

CharmCityCrab wrote:
2019-05-04, 21:28
As an aside, it occurs to me that Firefox could keep its goal of essentially requiring signed extensions while avoiding situations like what is occurring now with one simple long-term change. This wouldn't have to be implemented now, when the goal should just be to get things working again ASAP, but it could be put on the long-term blueprint for the future.

Here's the idea:

When an add-on's certificate expires based on timing out, show a dialog box to the end user giving them the option of either disabling it, or extending using it for 30 more days. If the user selects the 30 additional days, the extension could automatically disable itself 31 days afterwards without an option to opt-out, unless the certificate has been fixed prior to that point, in which case it would restore the extension from its "probationary" status back to regular status where the user would see nothing more unless the certificate expired again, in which case it would offer the disable or 30 day extension option again.

Implementing that would prevent situations like what is going on presently, because developers could just tell everyone to select the additional 30 days while they work out the situation through the update process, and as long as they come up with a fix that propagates within 30 days, it wouldn't impact the end user.

It still fits in with Mozilla's vision for what they feel offers an improved experience from a security perspective, while offering the user a way to temporarily opt-out on an extension by extension basis if they think something has gone horribly wrong with the system.
But that would require Mozilla to not treat their users as babies - something they're not too keen on...

Shadoefax

Re: Firefox expired cert force-disables all user add-ons

Post by Shadoefax » 2019-05-05, 01:08

But that would require Mozilla to not treat their users as babies - something they're not too keen on...
Yes ... At times it seems that Mozilla's attitude is "Oh, you silly users. Don't worry your pretty heads about it, we know what's best for you. Now run along and let us do what we do."

New Tobin Paradigm

Re: Firefox expired cert force-disables all user add-ons

Post by New Tobin Paradigm » 2019-05-05, 01:20

As opposed to me saying don't be a fuckin moron and learn something while writing articles pretending to be forum posts? ;)

That really does illustrate the difference doesn't it? You can be a baby or you can grow up, get your shit together, and be better!

I much prefer the latter.

van p
Astronaut
Posts: 684
Joined: 2015-11-19, 07:15
Location: Cincinnati, OH, U.S.A.

Re: Firefox expired cert force-disables all user add-ons

Post by van p » 2019-05-05, 04:28

(Sort of)
Off-topic:
I'm not a programmer or expert on this stuff so this might be a stupid question, but if Firefox ceased to exist tomorrow, how would the variants get security updated? Could they continue in existence?
Windows 10 Pro x64 v22H2 8GB i5-4570|Pale Moon v34.0.1 x64

New Tobin Paradigm

Re: Firefox expired cert force-disables all user add-ons

Post by New Tobin Paradigm » 2019-05-05, 09:11

Others would be dead in the water. Us, however, would be fine.

As has been stated for years now, not all sec updates come from Mozilla and we grow more and more secure every cycle as we don't actually create new sec issues from mindless refactoring and shitty code.

More than half of Mozilla's sec fixes don't apply to us and of the less than half that do: most are defense in depth that aren't exploitable unless surrounding code is changed in a specific way to expose it.. Or rather would be exposed if it wasn't fixed.

There have been several times we have fixed something sec wise on our own just because it looked wrong then months to years later Mozilla gave it a sec status.

We also have fixed some sec issues found by others again well ahead of Mozilla.

There are some to this day Mozilla hasn't fixed but we have and of those a few Mozilla refuses to fix.

We aren't just some rebuild flapping in the wind here. You should know better by now. After all you've been here since 2015.
Last edited by New Tobin Paradigm on 2019-05-05, 09:24, edited 1 time in total.

s8472

Re: Firefox expired cert force-disables all user add-ons

Post by s8472 » 2019-05-05, 09:24

Shadoefax wrote:
2019-05-04, 21:02
I'm using Fx 56.0.2 and none of the 'fixes' (enabling studies, setting xpinstall.signatures.required to false, etc.) have worked yet. I'm hoping it's just a matter of time and not that Mozilla decided to abandon those of us that still require legacy extensions.
Same here, v56.0.2.
From what I've found, it seems unlikely there will be a patch for v56 and other earlier versions. :(
https://old.reddit.com/r/firefox/commen ... h=838550f0
https://twitter.com/mozamo/status/1124692929312780289

New Tobin Paradigm

Re: Firefox expired cert force-disables all user add-ons

Post by New Tobin Paradigm » 2019-05-05, 09:25

Guys, don't be fuckin morons.. Mozilla will only fix latest release and current ESR which is ESR60.

Extension signing became forced at build time in the late 40s. You CAN'T disable it via the pref unless it was built to not be hard switched on, which releases were.

At this point it is effectively add-on drm and you aren't allowed access anymore. Just the circumstance is rather odd but the result is the same.
Last edited by New Tobin Paradigm on 2019-05-05, 09:33, edited 1 time in total.