    1318 points xvector | 13 comments

    xvector No.19823709
    Looks like all extensions have been disabled for all Firefox users.

    I think this fail-closed behavior is more of a security issue than the one it is trying to solve. All of my security add-ons - Privacy Badger, NoScript, Decentraleyes, and many more - were disabled. Even worse, it happened without notice to the user.

    One moment I was browsing the internet (just barely) secured by these add-ons, and the next moment, all of them disappeared (without warning) and I only noticed when I saw my password manager was missing.

    replies(6): >>19823819 >>19823903 >>19824040 >>19824202 >>19824361 >>19825228
    1. stevenwliao No.19823903
    If it failed open, anyone unlucky enough to update their extensions could end up having a malicious version installed. It also would have taken longer to notice.
    replies(4): >>19824177 >>19824284 >>19824335 >>19825081
    2. tedunangst No.19824177
    Updating with an expired cert doesn't automatically result in compromise.
    replies(1): >>19824725
    3. Causality1 No.19824284
    So why not just disable extension updates instead of disabling the extensions themselves?
    replies(2): >>19824505 >>19824666
    4. xvector No.19824335
    This disables NoScript on Tor Browser. That's much worse than the slim chance of a malicious extension being installed.
    5. anfilt No.19824505
    Because that would make too much sense.
    6. ssadler No.19824666
    Presumably because how would it differentiate between a legit "already installed" extension with a signature that cannot be verified, and an extension installed by malware that also cannot be verified?
    replies(4): >>19824690 >>19824705 >>19825056 >>19825962
    7. Causality1 No.19824690
    Personally I despise the idea of the software already on my pc being dependent on signatures stored on a remote server. I installed it and Mozilla can fuck right off. It's my responsibility to police what software is on my computer, not theirs.
    replies(1): >>19826256
    8. Thorrez No.19824705
    Browsers can only protect against malicious websites and malicious extensions. They can't protect against malware. Even without any cert problems, malware on your machine can modify the browser executable/process to insert whatever code it wants.

    With this reduced threat model, it's easy to simply keep existing pre-installed extensions available, and disable updates. Your only problem is if a pre-installed extension is malicious or has a vulnerability, it will remain.

    9. Thorrez No.19824725
    Yes, but what's the point of cert expiration? Is it safe to have certs that never expire? I believe there is a security benefit to expiration. Expiration is useless if it's never enforced.

    Probably the correct behavior is to have some sort of semi-annoying popup when it expires, and then only a week later do the full blocking. You need to strike the right balance of making it annoying enough that it can't be ignored by everyone (otherwise you just have the exact same problem, just delayed a week) and that fear of it happening is a sufficient motivator to stop people lazily relying on the grace period, but also not too annoying that it makes a lot of people quit. You also want to avoid permission fatigue.

    10. josteink No.19825056
    > Presumably because how would it differentiate between a legit "already installed" extension with a signature that cannot be verified, and an extension installed by malware that also cannot be verified?

    This is why a signature can also be accompanied by a trusted time stamp which can confirm that the signature was made while the certificate was valid.

    This is the common way to sign all Windows software to avoid this exact kind of problem.

    Yes, that implies this is a known and solved problem. It’s embarrassing for Mozilla to not have prepared for this.

    11. swalladge No.19825081
    It should fail 'locked': continue to allow installed add-ons to work, notify the user of the issue, and disable any updates without explicit request by the user.
    12. rst No.19825962
    If an extension was already installed, it passed the signature check at the time of installation. I'm not sure what benefits we get from periodically re-running the exact same check -- particularly when balanced against the risks of the re-checks, which are now obvious.
    13. cesarb No.19826256
    According to https://news.ycombinator.com/item?id=19824520 the signatures are on the extensions themselves, not on a remote server.