1. 87

Toggling xpinstall.signatures.required seems to be a temporary workaround. (https://lobste.rs/s/u42xyr/firefox_disables_most_extensions#c_ljgdmh). This requires a build which is either not branded, or not considered “stable” Firefox.

Nix users can get a “beta” Firefox via nix-shell -p firefox-beta-bin, other users could get it from https://www.mozilla.org/en-US/firefox/beta/all/.

They published a Discourse post as well for updates: https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047

  1.  

  2. 20

    Well, this is infuriating. I hate that my browser just became essentially useless to me because someone at Mozilla messed something up. Anyone know if there’s a way to opt out of the extension verification stuff?

    1. 11

      I’m seriously considering just switching to Chromium (ungoogled-chromium maybe?) as a workaround. I don’t feel like Mozilla is doing too well in general with regards to being pro-user and pro-privacy lately;

      • There’s this issue, leaving everyone vulnerable to tracking and disabling protections for tor users.
      • The fact that this feature exists at all, and the only supported way to disable signing requires nightly, takes a lot of control out of users’ hands.
      • Mozilla have bought companies with closed source products (such as pocket), integrated them into Firefox, promised to open-source those products, and just never open-sourced them, leaving Firefox still with built-in integrations with potentially privacy-breaching inauditable closed-source products.
      • They have plans to move away from DNS, where a query first consults my OS (and its hosts file) and then consults my ISP which is a norwegian company following strong privacy laws, to just sending queries directly to a random American company which follows the US’ seemingly non-existant privacy laws.
      • It seems likely that they’ll move from IRC to discord or slack, which will be pretty bad if it happens (though this point is invalid if they end up moving to something free and open source). They should at least have come out and clearly stated that they’re not moving to a closed-source solution.
      • And, well, Chromium just has better performance on machines I’ve tested it on; having a worse experience for a good cause is worth it, but having a worse experience just to support a company which doesn’t really stand for anything might not be.

      I honestly really want to support Mozilla, and to do my small part in avoiding a complete browser monopoly by not using chromium, and I really don’t want to support Google. Mozilla just does so many stupid things which flies in the face of the values they claim to hold.

      1. 27

        I definitely plan to stay with Firefox. They are sometimes failing, but at least they’re trying to fight. There’s a saying, that “if somebody’s not failing, they’re not trying hard enough”. Whereas Chrome has a fundamental conflict of interest against many user protection mechanisms, because paid by Google Ads.

        1. 7

          You’re probably right. I’m on chromium right now, but I will probably honestly end up switching back to Firefox when this whole thing is over. It just sucks that Mozilla has to put themselves in the position of being the least bad of two evils, instead of just being plain good.

          1. 4

            It just sucks that Mozilla has to put themselves in the position of being the least bad of two evils, instead of just being plain good.

            You’ve hit the nail on the head. I just want a browser that’s privacy-respecting and good.

          2. 5

            Mozilla is also paid by Google Ads.

          3. 20

            Can you not be a drama llama? They goofed up. They will probably fix it soon. So you are without addons for a few days.

            As for their decisions, they are clearly straddling a line between purity and a little bit of the dirty stuff to make it more convenient for the non-0.1% of users who are ‘technical’. Meanwhile Google is ACTIVELY TRYING TO FUCK YOUR SHIT UP to maximise their control and profit.

            Perfect is the mortal enemy of the good.

            1. 2

              I think the problem here is that not only do they enforce the signing, but they also make it impossible for the user to turn it off, unless the user downloads non-stable or non-official versions of software, taking control out of the hands of the user.

              Sure, Google is worse, but what excuse does Mozilla have for the workaround (e.g., disabling the feature) not working on stable versions of Firefox? I see that as the very definition of the lesser of the two evils.

              1. 3

                I think I’ve seen some article long ago, basically saying how users will do everything they’re told by a website if this means they get to watch one more funny cat video - including changing settings in about:config, in OS, etc. Unfortunately I can’t seem to find the article with google nor ddg.

                1. 3

                  This rings a bell, I read that too. I think the term you are looking for is “dancing pigs”. The Wikipedia page for dancing pigs cites a few sources for it. The one I think you and I both read is probably one of the Bruce Schneier articles. Wiki suggests the first publicly available written thing using the term was a chapter in a book about the Java security model. Which is kind of funny when one thinks about it because it’s hard to think of a piece of technology that did a worse job of what it was supposed to do than the Java security model.

                  1. 1

                    You’re saying the users are the only one gullible here?! What about the developers? A couple of folks at Mozilla and Google tell devs to trust LetsEncrypt with all your SSL needs, and pretty much every single developer restricts access to their websites now through LetsEncrypt now. Talking about the folks being gullible!

                    1. 1

                      Hm, I see now that the way I wrote it may be seen as more ambiguous than I expected! :) Basically, what I meant, and what the article I mention tried to convey AFAIR, was that as a developer, one sometimes needs to protect users from themselves; in this case, I guess the “[Mozilla] mak[ing] it impossible for the user to turn [addon signing verification] off” decision might have been to protect users from themselves. That is, to protect users from being conned into disabling the verification feature “to see this one funny cat video”, and installing some malware addon.

                      As to LetsEncrypt, I don’t think I want to engage in a discussion completely (in my opinion) unrelated to the original post/article :)

                2. 1

                  this isn’t the only thing they’ve done. it’s part of a longer trend of user-hostility which tells us that the mainstream web will not be compatible with freedom, so long as google controls what standards are implemented.

                3. 5

                  Mozilla just does so many stupid things which flies in the face of the values they claim to hold.

                  Yeah, remember that “auto install” of the LookingGlass/Mr.Robot thing a while back (end of 2017 I think…)?
                  wtf Mozilla. I am going to check out some alternatives.

                  Anyone here tried Brave or Vivaldi? If so, any good?

                  1. 3

                    Been working with Brave and Firefox for quite some time now.

                    Brave is less polished and is missing quite a lot of sync-related-features I tend to use quite often on firefox. But the fact that firefox broke at a critical moment on my smartphone, right this morning, was the turning point.

                    I haven’t tried Vivaldi as extensively though.

                  2. 3

                    The fact that this feature exists at all, and the only supported way to disable signing requires nightly

                    https://twitter.com/SwiftOnSecurity/status/1124545069078536192

                    There’s no solution here that doesn’t involve making normal users more vulnerable to malware. It’s been tried.

                    Chrome has had similar problems in the past.

                    They have plans to move away from DNS …. to just sending queries directly to a random American company

                    Nobody has said that it will be a random American company. Mozilla’s testing this feature out with Cloudflare. I suspect this will be pretty configurable if it becomes an actual thing, and probably more local.

                    It seems likely that they’ll move from IRC to discord or slack

                    Mozilla’s moving away from IRC, but from the requirements here it doesn’t seem like slack or discord are likely solutions.

                    1. 2

                      Nobody has said that it will be a random American company. Mozilla’s testing this feature out with Cloudflare.

                      Cloudflare is the random American company I’m talking about.

                      1. 2

                        Right, operative term being “testing this feature out”. There’s no indication that if this feature becomes a thing it will be only cloudflare that it uses. There’s just a lot of FUD around it.

                        My comment is not correcting “random American company” to cloudflare, it is correcting your statement about Mozilla plans around this. They have not ever stated that this is the plan. It’s just what they’re testing out, because you have to bootstrap an ecosystem somehow.

                    2. 1

                      Mozilla isn’t moving away from DNS, you can disable DoH in the network settings and you can set any other DoH endpoint you want in the same dialog (so for example, you could set your Norwegian ISP or no DoH at all).

                      The Pocket extension is open source to my knowledge, I do recall a github repo floating around. What isn’t open source (yet) is the backend.

                      1. 4

                        Sure, it will probably be possible to disable DoH, but how many non-American Firefox users will know to do that, compared to how many will not even know it’s something they have to worry about and send all their queries to a US corporation?

                        The pocket extension is open source, but it’s the backend which is interesting, and it’s the backend they promised to open-source a long time ago. (Look at this comment from a Mozilla employee 2 years ago: https://www.reddit.com/r/firefox/comments/5wio45/mozilla_acquires_pocket/deadcf7/ - that didn’t say that the Pocket extension would become open source, but Pocket itself.)

                        1. 1

                          To my knowledge the current default and to keep it disabled, the DoH provider setting currently defaults to only using standard DNS as well, I don’t know of any plans to change that, Mozilla is still very early in testing the waters on how to deploy it.

                      2. -2

                        A few days ago, I wrote that Mozilla was losing me fast….

                        Well…. The fact that the workaround does not work on stable releases, was the final push I needed. Why give stable users the option to turn signature verification off if it doesn’t work for them anyway?

                        After considering the fact that not renewing a certificate in time, is a newbie mistake and considering all the points you’ve stated above, I’m not willing to subscribe this “accident” to incompetence anymore. To me, it looks like a deliberate ploy to disable as many adblockers as possible so they can push their own onto us.

                        But let’s suppose for a moment that this accident is caused by incompetence… That would mean that multiple engineers at Mozilla cannot be trusted to use a big red marker to write in their planners “renew the addon signing certificate which expires in 6 months” and act upon that.

                        I’m not sure if I want one of my most important programs (browser) on my machine, to be build and provided by people exhibiting this level of incompetence.

                        1. 11

                          Wtf?? “Mozilla deliberately trying to disable adblockers”?? Ok, now that’s a claim I’m definitely not going to take seriously.

                          1. 2

                            And you are definitely right in doing so, because you should never trust random people on the internet. (so you deserve an upvote)

                            But the fact of the matter is that Mozilla has just rolled out their own adblocker, which allows certain “non-intrusive” advertisements and blocks others, while an adblocker like Ublock Origin just simply blocks everything. This creates an incentive for Mozilla to make using other adblockers as much of a pain as possible. Given the fact that the main use of the addon functionality is blocking ads, this is a perfect way to make it look like an “accident”, while simultaneously disabling most of the adblockers currently installed.

                            Given their track record in the last years (starting from the moment Mozilla stated that Thunderbird development was not a priority anymore in 2012), I simply cannot justify blind trust in them anymore for the programs I use for my main activities. This means that I simply have to face the fact that Mozilla is not what it once was anymore and therefore I start reaching for the alternatives I’ve been testing/using.

                            Besides this: The fact that this demonstrates a dangerous level of incompetence, still stands.

                            1. 4

                              Hm, what I find worth meditation in this argument, is that even in their case, them being (or trying to be) good is not something that is guaranteed to stay true forever. Personally, I still believe they are, and are trying to be, but others may not agree indeed, and even I need to stay vigilant. Also, you’re right they’re treading a fine line there. And finalky, Stallman is sometimes surprisingly right.

                              1. 2

                                You’ve summarized the exact point I was trying to make, in a better way then I could.

                              2. 2

                                Mozilla doesn’t block everything because their adblocker is shipped everywhere. If a user sees a website bugging out or not working due to them overblocking, that’s bad. On the other hand µBlock Origin accepts this risk and will overblock rather than keeping a website working. Mozilla has to consider that they run a browser, not a browser addon you can install.

                                1. 2

                                  Indeed they run a browser, but there are still only 2 differentiating criteria left for the browser they are running. 1) It has an alternative rendering engine and 2) it is extensible and customizable to a ridiculous extent by just installing some extensions.

                                  On just about every other front, their competitors are better. And now they’ve messed up the one differentiating trait their browser has left, because a rendering engine alone is not enough of a dealmaker for just about everyone.

                                  No matter how you look at it, this doesn’t look good and oozes the smell of unprofessionalism and Mozilla not really knowing what their focus and their target audience is.

                                  1. 1

                                    On just about every other front, their competitors are better.

                                    This is very much not the case. Firefox uses less RAM and is considerably less resource hungry on low-end machines.

                                    1. 2

                                      Define low-end machines. My daily driver laptop is an 2-core-HT 2,6 GHz system with 8 GB ram running debian stable. Brave and other Chrome-based browsers outperform Firefox in both speed and memory usage. They also feel “faster”.

                                      On an Atom N450 with 2GB, Firefox is also slower than Chromium and it also allocates more memory.

                                      On the even lower end of the spectrum: On the 2 Raspberry Pi’s I have, Firefox is so slow that I’d almost call it unusable. Those also have better and faster alternatives available.

                                      I don’t experience the benefits you describe on any of those systems.

                        2. 2

                          See the description of this post for a workaround.

                          1. -9

                            Well, this is infuriating. I hate that my browser just became essentially useless to me because someone at Mozilla messed something up. Anyone know if there’s a way to opt out of the extension verification stuff?

                            LOL, says a person who’s website is “protected” by a time-bombed HTTPS and is unavailable via HTTP.

                            You are aware that your website suffers from the same issues that you appear to condemn in this very comment? That it’s up to external third parties on whether or not the user is allowed to see it, because you decided to cave in to their pressure to “secure” your static website, and yourself made a choice to prohibit folks from accessing it via HTTP through your own policy?

                            How are you then act surprised that Mozilla does same?!

                            1. 6

                              Well firstly, my website is not a tool that people depend on to do work. Firefox is. Secondl, I have automated systems in place to renew the SSL certs & get warned when they’re near to expiry. Thirdly, if you had my site open & the certs somehow expired, you could still see the content; Firefox just disabled a bunch of functionality while it was running without giving me any chance to intervene. Finally, if a website’s certificates are expired, you still have the ability to say “show me anyway”; there doesn’t seem to be any ability to do the same with stable Firefox.

                              Glad to see you’re enough of a fan of mine to look into how I configure my site though!

                              1. 2

                                But how’s a website different from a tool? Firefox is still made by people just like you. The fact that one can click “show me anyway” on your website is merely omission on the part of site’s operator to not install HSTS. With proper HSTS, the user is guaranteed to not have any way to access your site even if you decide to cancel your https policy. There is no way to intervene, either, if HSTS is setup correctly. If you click reload and a new connection has to be established, pretty certain things won’t work no more, either.

                                “Automated systems in place to renew SSL certs”? Are they autonomous and self-contained, or do they depend on any third parties? Are the third-parties they depend upon by any chance related to the very same party that caused the incident at stake? Isn’t Mozilla the biggest backer behind LetsEncrypt? This has got to be a joke! The most classic example of #TooBigToFail!

                                1. 2

                                  Firefox is only a tool you depend on because people serve websites which require a modern browser to be usable. HSTS contributes to this monoculture.

                                2. 3

                                  HTTPS is a bit different; with a website, you’re inherently relying on someone else paying the bills for the server and domain name continuously anyways, and if they don’t, you can’t use their website even if it”smnot HTTPS. Relying on the owner to renew their certs too doesn’t really change anything. If you want to have access to a website without relying on anyone else, you need to download it and access it locally, whether it’s HTTP or HTTPS.

                                  There’s no such expectation for addons I have downloaded to my personal machine which don’t inherently need to rely on any third-party.

                                  1. 6

                                    This is a personal attack and not something that contributes to the conversation.

                                    1. 0

                                      How’s something a personal attack if it applies to pretty much every site operator nowadays? The comment purposefully doesn’t even contain any PII, either.

                                      1. 2

                                        There are better ways of discussing the merits and problems involved with the https certificate system than dismissing what someone said with “LOL, says a person who [..]” and doubting the person’s sincerity with “issues that you appear to condemn”.

                                        1. -1

                                          the dismissal or questioning of their sincerity is something you’re adding with your interpretation. it doesn’t follow from the parts you quoted.

                                          maybe his goal was not to discuss the merits and problems of the https certificate system, but to actually lessen the spread of this scourge.

                                      2. -3

                                        Pointing out hypocrisy is a good tool when discussing moral issues.

                                      3. -4

                                        Good post, sad to see it got swarmed by haters.

                                    2. 18

                                      This issue also disables NoScript in Tor Browser.

                                      1. 17

                                        Update: There will be a dot release shortly, but only so we affect less people. If you don’t take or get the dot release, you’ll still be able to see and verify the new certificate (updated through kinto, for remote settings updates).

                                        More updates will happen in https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047

                                        1. 2
                                          429 Too Many Requests
                                          nginx
                                          
                                          1. 1

                                            Yikes. Look at Bugzilla in the meantime then :(

                                        2. 14

                                          The post mortem for this should be a good read. But first, let’s hope there’s a resolution soon, because this is a highly disruptive issue for Firefox users and could lead to users abandoning Firefox over. It’s also a rough situation for the unfortunate Mozilla employees who have to deal with this going into the weekend.

                                          FWIW one of the Firefox security team members who would be on my short list for “person in charge of renewing this certificate” is currently in the middle of a multi-week vacation. This is pure speculation on my part, but I wouldn’t be surprised if a contributing cause to this incident were that the renewal reminder emails for this certificate were going to the inbox of someone not checking their email while on vacation. But I suspect there wasn’t a single point of failure here because the people who manage these certificates at Mozilla are typically very on top of their game and are some of the best security people I’ve interacted with. I’m quite surprised this occurred and suspect there are multiple contributing causes. We’ll just have to wait for the post mortem to see.

                                          1. 7

                                            Also, it takes Mozilla 18-24 hours to push an emergency release (a “chemspill” in Mozilla parlance). So if a new binary needs to be pushed out to users, I wouldn’t expect one until around 00:00 UTC.

                                            1. 1

                                              I don’t think this needs a new release. “just” a new cert, no? Keys aren’t hard-coded afair

                                          2. 12

                                            Should be fixed now.

                                            1. 1

                                              Great! Do I need to update anything, or can I just re-launch Firefox?

                                                1. 1

                                                  So I downloaded the latest Firefox 66.0.4 build, and uBlock Origin is stlll disabled.

                                                  Do you have to enables “studies” for the fix to work? If so, will there be another update that doesn’t require this? I read a comment that said studies will send private data to Mozilla, and that doesn’t seem like something that people should be required to do to update.

                                                  1. 2

                                                    First solution requires studies to be enabled (default). As a follow, there will be up a minor release that everyone will get as an update. Should be out by now.

                                                    1. 1

                                                      Thank you, it seems to be working now! :-D->-<

                                            2. 7

                                              I was able to get them back by disabling xpinstall.signatures.required. It might require a nightly version to actually work? Of course, you’d want to turn it back on once it’s fixed…

                                              1. 6

                                                As you say, it only seems to work on nightly, unfortunately. Most vexing!

                                                1. 3

                                                  i don’t get why on earth these switches aren’t present in the release versions. this feels like the “caution, hot contents!” prints on takeout cups -.-

                                                  edit: it works on 60.6.1esr (64-bit) though..

                                                  1. 4

                                                    because the lambda person is taught to go around this warinings to install bad extension.

                                                    1. 3

                                                      then they are entirely responsible for their misery. i never got the trend of making everything.. more proof than fool proof.

                                                      displaying a warning which can’t be deactivated would be fine.

                                                      1. 3

                                                        No, users are not responsible for products having footguns. It’s unfair to expect non-technical users to understand technical issues, especially when these issues may be misrepresented in a hostile context (e.g. “You have a virus! It’ll murder your googles unless you tick this checkbox and click OK”).

                                                        Most people don’t need to know what a certificate is. They just want to get on with their life, and not have their entire digital life destroyed, because a product had a “harm me” checkbox.

                                                        1. 5

                                                          No, users are not responsible for products having footguns. It’s unfair to expect non-technical users to understand technical issues, especially when these issues may be misrepresented in a hostile context (e.g. “You have a virus! It’ll murder your googles unless you tick this checkbox and click OK”).

                                                          Is it really a footgun when it’s hidden somewhere in about:config where the first thing you see is a warning about not to touch this? Is it a footgun if I staple my toes with a nail gun, or was I too dumb by not wearing the right shoes?

                                                          Most people don’t need to know what a certificate is. They just want to get on with their life, and not have their entire digital life destroyed, because a product had a “harm me” checkbox.

                                                          I seem to be rather alone with this, but I expect some basic knowledge and common sense from people using tools. You need a drivers license, you are supposed to read the manual. These things should be taught in school. Alas, they aren’t, but that doesn’t absolve one from knowing about the technology one is using.

                                                          1. 2

                                                            Is it really a footgun when it’s hidden somewhere in about:config where the first thing you see is a warning about not to touch this?

                                                            Yes. “You have a virus! It’ll murder your googles unless you go to about://config, click OK to all the scary warnings (they’re there because of the virus) and then install this.”

                                                            These things should be taught in school.

                                                            People are culturally trained to not care about school, so even if it was somehow taught it there it wouldn’t have too much of an effect.

                                                            Also, where is the manual? How does one even teach people to recognize scams, and then keep them continually up to date on the latest scams for their entire lives? You can’t. The scam that worked in 1999 is nothing like the scams that exist today. The reason that you or I can tell these things is because we do work related to computers and stay up to date on the latest happenings (as evidenced by the fact that we’re on Lobsters). One can’t reasonably expect any “normal” person to do the same.

                                                            1. 4

                                                              Yes. “You have a virus! It’ll murder your googles unless you go to about://config, click OK to all the scary warnings (they’re there because of the virus) and then install this.”

                                                              There are already a plethora of ways to do this. The people that can be manipulated to disable random settings in about:config can just as easily be manipulated to run random code in the console, or install random .exe files from haxx0r.ru

                                                              1. 1

                                                                So why add one more? The browser is a really lucrative thing to pwn. Lots of accounts can be exploited for profit in easier ways than anything else that could be on the system.

                                                              2. 3

                                                                i just have a problem with dumbed down versions of everything. it teaches people that they are too stupid, and cannot be trusted with anything. things break and you learn from it. the internet isn’t disneyland, every of these measures to “protect” people from themselves can be worked around. just look at the myriad of shady apps for mobile platforms. additionally: maybe people who believe win-xp themed fake popups telling about a virus should just not use the internet, it will never be safe enough.

                                                                tinfoil mode: making the internet feel cozy and safe is to protect business interests, as it is easier to sell things in a walled garden where people aren’t expected to think.

                                                                1. 4

                                                                  Civilization advances by extending the number of important operations which we can perform without thinking about them.

                                                                  It’s not about stupidity, it’s about ignorance. I can use a light switch without knowing how the electricity was generated, the the glass was blown (let alone the LED manufactured), etc. I can make dinner without knowing how the knife was forged, the grain was harvested, the pasta was shipped, etc. The difference between the browser and all the rest of these household objects is that criminals can become millionaires by hijacking them at scale. I earn my paycheck by understanding browsers and how to make things that go in them so, yeah, for myself I want a browser with lots of places I can tinker with them and break things because sometimes I need to break things to make them work. I love that the web is mutable and weird and it’s easy to shift from consumption to production, to peel back the layers and see how everything works. But I also know that very few users come to the web like a developer does, or have any interest in becoming one. They’ve got a lot of other important, private, or sensitive things to do that insecure systems put in jeopardy. If my light flickers, my power is out, my knife breaks, my pasta is spoiled, my dinner is ruined - none of these things happen because I’m immorally ignorant of how they work.

                                                                  1. 1

                                                                    I can make dinner without knowing how the knife was forged, the grain was harvested, the pasta was shipped, etc.

                                                                    still, you’ll have some sensible ideas of how each of these things are done :)

                                                                    The difference between the browser and all the rest of these household objects is that criminals can become millionaires by hijacking them at scale.

                                                                    well.. :P

                                                                    […] But I also know that very few users come to the web like a developer does, or have any interest in becoming one. They’ve got a lot of other important, private, or sensitive things to do that insecure systems put in jeopardy.

                                                                    yes. i still don’t see a problem with allowing users to flip switches in about:config after displaying them a warning sign. if they ignore the warning and get bitten it’s on their account.

                                                                  2. 2

                                                                    i just have a problem with dumbed down versions of everything. it teaches people that they are too stupid, and cannot be trusted with anything.

                                                                    If the observed fact that warnings get routinely ignored means that users are stupid to you, then I guess users are stupid (or that software, not even necessarily Firefox, pops up far too many warnings that are too complicated for them to understand or even flat-out false alarms).

                                                                    1. 1

                                                                      the too many warnings problem is clearly a software problem, but if i “click them away” and something bad happens, i’m still the reason that it happened. nobody else to blame.

                                                                      imho unsafe settings could be displayed in firefox a bit like private mode (maybe a little bit redder or something), so that one knows this is not safe. i have no clue about the psychological effects, but know from myself that modal popups are pissing me off, and in “pissed off mode” the warning itself is brushed off as bs, because the modal making my life unreasonably worse.

                                                              3. 3

                                                                I have very mixed feelings about this. On one hand, I agree with you. On the other hand, I feel like a considerable group of more advanced “power users” is consistently left out in the cold because ever user is always treated like my grandmother.

                                                                I wonder if we can’t come up with something better than a yes/no dialog for these sort of things. Like allowing users to continue only after typing the text “dangerous”, sort-of similar to GitHub’s repo delete feature. Or perhaps something else entirely which satisfies both demands.

                                                                1. 1

                                                                  We (power users) need to remember that compared to literally billions of web users, we’re a tiny tiny minority.

                                                                  In case of Firefox, the Nightly build is the solution for power users (plus, it has much cooler icon).

                                                                  1. 4

                                                                    A nightly build is also less stable. Power users deserve a stable browser too. And normal users deserve the opportunity to become power users.

                                                                    Software should treat adults … like adults.

                                                                    1. 3

                                                                      I don’t know if it’s such a “tiny tiny minority”. I suspect there are a lot of people who aren’t IT professionals for a living, but are certainly more clued up than your grandmother on these matters. I will admit I don’t have any hard data to back this up, just an observation from the people around me.

                                                                      And even for non-technical users there can be good reasons to bypass these sort of warnings, as this current Firefox problem demonstrates.

                                                                2. 1

                                                                  Allowing the average user to kneecap themselves is not productive behaviour for widely installed software. That’s how you get people to install 20 toolbars which slow down everything.

                                                                  If you want to live without the warning, there is the Beta, Developer and Nightly editions of firefox, which come with the switch to disable signature verification.

                                                                  1. 2

                                                                    Allowing the average user to kneecap themselves is not productive behaviour for widely installed software. That’s how you get people to install 20 toolbars which slow down everything.

                                                                    the problem with this approach is that this way people will never learn. about:config says “warranty void”, so i don’t see a problem.

                                                                    If you want to live without the warning, there is the Beta, Developer and Nightly editions of firefox, which come with the switch to disable signature verification.

                                                                    which has more telemetry built in, afaik. this is fine for development and debugging, but i don’t want that for my day-to-day use :)

                                                                    1. 1

                                                                      You can also disable more of the telemetry via about:config, though you’d void your warranty.

                                                              4. 2

                                                                Confirmed working also on 60.6.1esr (64-bit), which is the Debian default version in the apt repos

                                                              5. 1

                                                                While the switch is present in the version Debian has in the repositories, toggling it doesn’t fix the problem. It allows to install AddOns again, but they are dysfunctional, e.g. NoScript and uBlock Origin have buttons in the menu bar that have no icon and do nothing when clicked.

                                                                1. 1

                                                                  I think you’re right it requires nightly. Not working for me on FF 66.0.3 release (installed from the Arch Linux package).

                                                                  In fact, I was a bit embarrassed to find I already had signature verification disabled (I was doing some WebExtension development ~18 months ago…)

                                                                  1. 1

                                                                    After getting a error message and seeing my addons disabled I tried to set it to true on Android phone and there it seemed to have worked. My installed addons are enabled again. Firefox 66.0.2 on Android.

                                                                  2. 10

                                                                    To re-enable all disabled non-system addons you can do the following. I am not responsible if this fucks up your install:

                                                                    Open the browser console by hitting ctrl-shift-j

                                                                    Copy and paste the following code, hit enter. Until mozilla fixes the problem you will need to redo this once every 24 hours:

                                                                    // Re-enable *all* extensions
                                                                    
                                                                    async function set_addons_as_signed() {
                                                                        Components.utils.import("resource://gre/modules/addons/XPIDatabase.jsm");
                                                                        Components.utils.import("resource://gre/modules/AddonManager.jsm");
                                                                        let addons = await XPIDatabase.getAddonList(a => true);
                                                                    
                                                                        for (let addon of addons) {
                                                                            // The add-on might have vanished, we'll catch that on the next startup
                                                                            if (!addon._sourceBundle.exists())
                                                                                continue;
                                                                    
                                                                            if( addon.signedState != AddonManager.SIGNEDSTATE_UNKNOWN )
                                                                                continue;
                                                                    
                                                                            addon.signedState = AddonManager.SIGNEDSTATE_NOT_REQUIRED;
                                                                            AddonManagerPrivate.callAddonListeners("onPropertyChanged",
                                                                                                                    addon.wrapper,
                                                                                                                    ["signedState"]);
                                                                    
                                                                            await XPIDatabase.updateAddonDisabledState(addon);
                                                                    
                                                                        }
                                                                        XPIDatabase.saveChanges();
                                                                    }
                                                                    
                                                                    set_addons_as_signed();
                                                                    

                                                                    Edit: Cleaned up code slightly

                                                                    1. 11

                                                                      Or, just go get the hotfix directly and install it. This also worked for my Firefox Android install.

                                                                      https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi

                                                                      1. 1

                                                                        Absolutely the better solution now that that exists!

                                                                      2. 5

                                                                        To get the command input line in the browser console one might need to set devtools.chrome.enabled in about:config to true.

                                                                        1. 1

                                                                          will this affect the addon signature check once Mozilla will resolve the issue? the folks at Mozilla must be having a hard time, I just woke up to a addon-less browser, and seems the issue is pretty widespread.

                                                                          1. 1

                                                                            It shouldn’t, but I can’t make any guarantees. I certainly wouldn’t complain to Mozilla if something broke after.

                                                                            It’s basically an adapted version of the verifySignatures function, except instead of setting signedState to the result of the signature check it sets it to a ‘doesn’t need a signature’ value if it is currently at a ‘couldn’t verify signature value’.

                                                                        2. 6

                                                                          Here’s the Lobsters story on the introduction of extension signing.

                                                                          1. 6

                                                                            So, as noted on HN this isn’t affecting everyone yet.

                                                                            Actually, I’m surprised it’s affecting so many people. It looks to me like extensions signatures are only checked once every 24 hours (source), and assuming a random distribution of when it checks it should only be broken for 13% of installs so far. But from the comments I’m seeing it sounds like it’s much greater.

                                                                            I’m wondering if people would be willing to post the value of app.update.lastUpdateTime.xpi-signature-verification from their about:configs, which should show when the timer last fired for you. I’m curious if there is some weird distribution. (I’m not involved with fixing the problem or anything though, this is just for my own curiosity).

                                                                            Edit: And if it hasn’t broken yet for you, I think (but I’m not very much not sure) setting that preference to 1556940100 should keep it working until 24 hours from now. And if you keep updating that value every 23 hours to the output of date '+%s' until it is fixed via a firefox update it should keep working forever.

                                                                            Edit2: I think you need to restart the browser as well after updating the preference for the above idea to work.

                                                                            1. 4

                                                                              What do you think the rationale for rechecking signatures every X hours is?

                                                                              I understand checking at install-time, and checking at startup or load time.

                                                                              I guess this does give Mozilla a mechanism to download a CRL and use that to disable malicious addons in the field. Checking expiry may be an artifact of using a single code path for the check. (Just speculating.)

                                                                              1. 4

                                                                                Revocation is used to block malicious extensions, indeed.

                                                                                1. 3

                                                                                  Perhaps the client should distinguish between extensions for which a revocation has been actively posted, and those for whom a certificate expiration deadline has passed.

                                                                                  It’s totally reasonable for a user to prefer to honor the first and ignore the second.

                                                                                  1. 1

                                                                                    Doesn’t that open up a cut-the-browser-off-from-the-revocation-server attack?

                                                                                    1. 3

                                                                                      Yes, but it’s up the user to choose how to proceed in that case.

                                                                                      A communications disruption doesn’t always mean invasion. :-)

                                                                              2. 2

                                                                                It’s 1556904525, 1556955570, 1556961147, 1556957388 on all of my installs (all of them are broken by now). Have fun!

                                                                              3. 3

                                                                                Haha, it’s funny, I build Firefox with export MOZ_REQUIRE_SIGNING=0 so I wasn’t affected.

                                                                                1. 3

                                                                                  I really dislike this. I hate feeling like I’m not in control of my computer. How can this even be possible? It’s completely anti-user.

                                                                                  And Chrom(ium), of course, probably isn’t any better. While the WWW is getting better and better, it’s also getting worse and worse.

                                                                                  1. 2

                                                                                    WWW

                                                                                    Worse Wild Web?

                                                                                    1. 1

                                                                                      yes

                                                                                  2. 3

                                                                                    As a former Firefox extension developer (Firefox 2.0 to 56.0.1), I’m not surprised at any of this. Since Firefox 56, it has been nearly impossible to satisfy all of the requirements for building and deploying add-ons for that browser. I finally gave up in 2016. They brought all of this upon themselves.

                                                                                    1. 2

                                                                                      I was just thinking “This feels like a signing cert just expired or something…”

                                                                                      1. 2

                                                                                        Firefox Mobile too apparently.

                                                                                        1. 2

                                                                                          There is an update published at https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

                                                                                          The TLDR is they are using the “studies” mechanism to auto-push an update, provided you opt in to “studies” until it is done.

                                                                                          1. 0

                                                                                            The add-ons are working for me, so it seems to have been effective.

                                                                                          2. 2

                                                                                            This relates to my opinions about encrypted HTTP, which is that it shouldn’t be mandatory.

                                                                                            If you have a well-designed system that only works with encryption, then sure, but this idea of using the same mistaken systems as the WWW clearly doesn’t work well.

                                                                                            I’ve never seen a Tor Hidden Service fail because of something expiring.

                                                                                            Much of this nonsense about encrypting everything, without reason and excuse, is to protect advertisements from being modified.

                                                                                            That this hit Tor Browser and disabled NoScript is damning, but I already disable JavaScript in about:config and I’m not even using a version of Firefox this new, anyway.

                                                                                            I can’t tell if my opinion of Mozilla is lower or if it can’t get lower.

                                                                                            1. 2

                                                                                              I think it’s pretty obvious that signatures should be checked at installation time, not daily.

                                                                                              Then this never would have happened.

                                                                                              Edit: more importantly, extension-signing is an anti-feature. Mozilla have no business determining what extensions I, the user of their software, choose to install on my machine.

                                                                                              1. 1

                                                                                                Man, I’m running the ESR version from Debian’s repositories for the exact reason I don’t want new software to interfer with my work, and now exactly that happened.

                                                                                                Apart from that, this bug feels like losing control. My first impression before I understood there’s a certificate expired was that Mozilla can remote-disable AddOns as they wish, yielding the obvious question what else they can do remotely to your browser. This is a bug. But what happens if someone hacks his way into Mozilla’s servers?

                                                                                                1. 1

                                                                                                  sounds like they might have to push an update for every firefox install out there (including corporate ones) so this is probably going to take a while to be fully resolved.

                                                                                                    1. 1

                                                                                                      Did this effect people with auto updates? I’m getting whatever ubuntu is pushing in their updates so I haven’t been effected, hopefully won’t be.

                                                                                                      1. 1

                                                                                                        I was hit with the version from Debian stable’s repositories.

                                                                                                        1. 1

                                                                                                          I got hit by this and I’m running stable on ubuntu. :/