1318 points xvector | 44 comments
1. weavejester ◴[] No.19823928[source]
There's a workaround that involves going to about:config and setting xpinstall.signatures.required to false.

However, if you're running the Stable or Beta version, it will only work under Linux. On Windows and MacOS you'll need to download Nightly or the Developer Edition.

To fix this on MacOS I did the following:

1. Downloaded and installed Firefox Nightly

2. Ran /Applications/Firefox\ Nightly.app/Contents/MacOS/firefox-bin --profilemanager

3. Changed the profile to "default" so my normal Firefox profile would be used

4. Started up Firefox Nightly, opened about:config, then set xpinstall.signatures.required to false

Not sure if it's a good idea to use my default profile in Nightly. It might be a wiser idea to copy it instead.

replies(14): >>19824011 #>>19824101 #>>19824109 #>>19824183 #>>19824225 #>>19824268 #>>19824299 #>>19824700 #>>19824983 #>>19825109 #>>19825195 #>>19825237 #>>19825421 #>>19826226 #
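
Added example, not part of any comment in this thread: a Python audit that lists Firefox profiles in which the workaround above has left xpinstall.signatures.required set to false, so the setting can be restored once it is no longer needed. It reads prefs.js and user.js, the standard preference files in a profile directory; the profile names and file contents in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

PREF = "xpinstall.signatures.required"
# Matches lines such as: user_pref("xpinstall.signatures.required", false);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(true|false)\s*\)\s*;',
    re.MULTILINE,
)

def pref_value(text):
    """Return the last value set for PREF in a prefs file, or None if unset."""
    values = PREF_RE.findall(text)
    return values[-1] == "true" if values else None

def signatures_enforced(profile_dir):
    """Effective setting for one profile. user.js is applied over prefs.js at
    startup, so it wins; an unset pref means the default (required)."""
    effective = True
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.is_file():
            value = pref_value(path.read_text(encoding="utf-8", errors="replace"))
            effective = effective if value is None else value
    return effective

def audit(profiles_root):
    """Return sorted names of profiles with signature enforcement disabled."""
    return sorted(
        p.name for p in Path(profiles_root).iterdir()
        if p.is_dir() and not signatures_enforced(p)
    )

def demo():
    """Build three constructed profiles in a temp directory and audit them."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "abcd1234.default": 'user_pref("xpinstall.signatures.required", false);\n',
            "efgh5678.work": 'user_pref("browser.startup.page", 3);\n',
            "ijkl9012.nightly": '// user_pref("xpinstall.signatures.required", false);\n',
        }
        for name, prefs in samples.items():
            (Path(root) / name).mkdir()
            (Path(root) / name / "prefs.js").write_text(prefs, encoding="utf-8")
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

The script reports the stored preference only; per the comment above, on Stable and Beta the setting only takes effect under Linux.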
2. mirimir ◴[] No.19824011[source]
Thank you!

Saved me tons of ultimately pointless thrashing.

3. phyzome ◴[] No.19824101[source]
This worked for me on Firefox 60.6.1esr on Debian 9 Linux—changing the setting instantly restored my addons.
replies(2): >>19825951 #>>19851784 #
4. ◴[] No.19824109[source]
5. strainer ◴[] No.19824183[source]
Gotta love the Linux release team for not disabling this ability.
replies(1): >>19824524 #
6. jacob019 ◴[] No.19824225[source]
Works on android too.
7. nonbirithm ◴[] No.19824268[source]
Doesn't work for me. Using Arch Linux. I was already on Nightly when this happened.
replies(1): >>19824664 #
8. classichasclass ◴[] No.19824299[source]
This also works if you build from source, even if you build off mozilla-release. (Just tried it.)
9. hodgesrm ◴[] No.19824524[source]
And Linux desktop for being pretty usable. :)
10. c0nducktr ◴[] No.19824664[source]
What timezone are you in? I'm in UTC-4 (Detroit), and haven't seen any problems so far. (Also running Nightly on Arch Linux - I haven't made any previous changes to the addon signing either)
replies(1): >>19825004 #
11. floatingatoll ◴[] No.19824700[source]
Upgrading your profile from Release to Nightly, which occurs automatically when you open it with Nightly, is a one-way irreversible step. This could prevent your profile from being used with Release without crashes, or lose profile data such as bookmarks or saved passwords when later used with Release, depending on what work is underway in Nightly and if it happens to be backwards-compatible. Be sure to back up your profile if you choose to switch channels.

Note: I am told that Developer channel uses a separate profile, but there are instructions below showing people how to override that, at which point this warning becomes relevant once again.

replies(3): >>19824910 #>>19825903 #>>19826017 #
12. andreareina ◴[] No.19824910[source]
Oof. Would you happen to know if it's the same with the developer edition as well?
replies(2): >>19824951 #>>19824963 #
13. pygy_ ◴[] No.19824951{3}[source]
The developer edition has its own user profile.
replies(2): >>19824979 #>>19825044 #
14. floatingatoll ◴[] No.19824963{3}[source]
Yes, the risk remains. If I read this right (from my phone), Release is 66, Developer is 67, Nightly is 68. This isn’t guaranteed to be a problem, but it’s not guaranteed okay either. YMMV.

(See reply about Developer, though.)

15. floatingatoll ◴[] No.19824979{4}[source]
That’s a good point. However, some of the instructions below specifically tell people how to force any channel onto using the existing Release profile. I’ll update my post.
16. PhantomGremlin ◴[] No.19824983[source]
> On Windows and MacOS you'll need to download Nightly or the Developer Edition.

The workaround also works if you're running Firefox Extended Support Release on MacOS. Thankfully.

For me missing extensions aren't just an inconvenience. I simply don't browse with JS on. Firefox is dead to me without NoScript.

replies(1): >>19825201 #
17. nonbirithm ◴[] No.19825004{3}[source]
To clarify, by 'not working' I meant none of the addons with signing issues are re-enabled after changing xpinstall.signatures.required. I might have wrongly assumed this would happen. However, I tried installing a new addon I had never installed before and that works, but reinstalling one that I had previously installed still doesn't, even after uninstalling it (uBlock Origin).

My timezone is America/Los_Angeles.

EDIT: Sorry, I'm dumb. I actually have two versions of FF installed and I chose the one that wasn't Nightly.

18. andreareina ◴[] No.19825044{4}[source]
And I told the developer edition to use my regular profile because that's the one that has all my settings and add-ons and I didn't realize the risk was there. Guess at this point all I can really do is hope and cross the bridge when I get there.
replies(1): >>19825514 #
19. hum6ug ◴[] No.19825109[source]
This does not work with Firefox 66.0.3 in Arch Linux ...
20. ◴[] No.19825195[source]
21. glindhol ◴[] No.19825201[source]
Same is true for ESR on Windows.
22. gonhidi ◴[] No.19825237[source]
It is probably safer to use an unbranded build with the same version as the currently installed Firefox (take note that it will not update). Page with links to the latest release builds: https://wiki.mozilla.org/Add-ons/Extension_Signing
23. captainmuon ◴[] No.19825421[source]
The following workaround works on regular editions: https://www.reddit.com/r/firefox/comments/bkhzjy/temp_fix_fo...
replies(1): >>19825544 #
24. obituary_latte ◴[] No.19825514{5}[source]
If you’re on Mac, you should be able to recover the old profile with Time Machine. Or if you are on Windows and have another backup setup.
25. bitcuration ◴[] No.19825544[source]
Origin here... https://news.ycombinator.com/item?id=19824410
26. abrowne ◴[] No.19825903[source]
FWIW I started using beta, nightly and the old "UX" channel, first on Mac and then on Linux, and before I knew it could be a problem I switched between them with the same profile all the time. Maybe there were subtle bugs I wasn't aware of, but nothing I ever noticed.
replies(1): >>19827051 #
27. vphantom ◴[] No.19825951[source]
No go for me on Firefox 59.0 / Debian 64bit. I even restarted Firefox but they're all still "Legacy Extensions". :(
replies(1): >>19826865 #
28. weavejester ◴[] No.19826017[source]
Looks like it would have been better to copy the profile instead. I managed to get most of my profile back using Firefox Sync, though for some reason it didn't transfer across my preferences and I had to redo those.
29. SilasX ◴[] No.19826226[source]
Firefox stopped respecting the signature-required setting in the mainline version in 2016. I know because I got burned by it and made a Hitler parody.

https://youtube.com/watch?v=taGARf8K5J8

And frankly, this is an extra absurdity on top of that. If you’re going to require signatures for all extensions, regardless of user preference, shouldn’t you be keeping an eye on the signing process?

replies(1): >>19826267 #
30. chappi42 ◴[] No.19826267[source]
Why does Mozilla do this? Same with removing the option to not update. Why not let users choose (in the case of update maybe with an about config setting)?
replies(2): >>19826306 #>>19826489 #
31. the8472 ◴[] No.19826306{3}[source]
Because (stable) users are dumb, are easily manipulated and can't be trusted. Thus the mothership has to be in control for the greater good. They also argue that end-user computers are already effectively "compromised" from a Mozilla perspective because adware runs installers with admin privs and thus could insert things into the program folders. Thus anything the user can do adware could do too and therefore they can't give them any choice.

They put it in nicer words though.

To their credit, you can opt out but only if you switch to dev edition, nightly or custom builds, which either is a one-way road since downgrades corrupt profiles or tedious because you don't receive auto-updates.

But what they should really have done is allow additional signing roots. Even secure boot does that.

replies(2): >>19826325 #>>19828291 #
32. SilasX ◴[] No.19826325{4}[source]
I get the ostensible justification, but attacking this way requires the user to dig into the obscure dev settings and load an xpi from outside the browser[1]. Is there even one case of a user compromised that way?

[1] or at least they could have allowed that as a compromise

replies(1): >>19826389 #
33. the8472 ◴[] No.19826389{5}[source]
I updated my previous comment. They say there exist crapware installers that use elevated privileges that do inject stuff into the browser and that's why we can't have nice things, yes.

But I disagree with their value tradeoffs. They want to add a little "protection" - which is really flimsy since there is no privilege separation - for users who already compromised their systems with adware at the expense of the freedom of everyone else.

replies(1): >>19826485 #
34. oauea ◴[] No.19826485{6}[source]
I'm totally fine with software already running on my machine being able to install addons into my browser. It can also already install a keylogger and record the screen, what's the big deal?
replies(1): >>19826719 #
35. TazeTSchnitzel ◴[] No.19826489{3}[source]
Because they don't want trojans to hijack the browser. If the user can change the signing preference, any application can.
replies(2): >>19826706 #>>19828315 #
36. SilasX ◴[] No.19826706{4}[source]
Yes, the sibling comment and thread already brought that up.
37. SilasX ◴[] No.19826719{7}[source]
Are you fine with calling “editing of crypto certs” a study? And do you endorse all Orwellian doublespeak, or just this instance?
38. phyzome ◴[] No.19826865{3}[source]
Legacy Extensions is different.
39. floatingatoll ◴[] No.19827051{3}[source]
I haven’t run into any issues in a while, but you only have to get hit by lightning one time to lose your profile data. Best to be consciously careful about it.
replies(1): >>19830169 #
40. lordlimecat ◴[] No.19828291{4}[source]
This sounds like a threat model and mitigation developed by a college intern.

How, exactly, is a user land application going to protect itself from modification by a computer admin? I think DRM, anti-virus, and OS vendors everywhere would love an answer to this.

This threat model completely fails to account for live patching, trusted cert root modification, dll hooking, etc. Either the Mozilla security folks are incompetent / winging it, or this isn't the real reason.

replies(1): >>19828906 #
41. lordlimecat ◴[] No.19828315{4}[source]
It is not possible for a user land application to prevent root processes from hijacking / modifying it. Such protection requires the protecting mechanism to run at a higher level of trust / security ring than the attacker.
42. the8472 ◴[] No.19828906{5}[source]
Here's the official reason in case you don't trust my grim representation of it: https://blog.mozilla.org/addons/2015/04/15/the-case-for-exte...
43. abrowne ◴[] No.19830169{4}[source]
I do agree, and I'm more careful now. Always keep a backup, at the very least. I now symlink ~/bin/firefox to nightly because some apps seem to have it hardcoded to open "firefox" rather than what's set as default.
44. cattitude ◴[] No.19851784[source]
BINGO... X-ring.

I OWE you, dude.