
1318 points xvector | 9 comments
1. Animats No.19824612
It's pathetic to see the attitude demonstrated by Mozilla support on this.

diox commented 4 hours ago

I'm locking this like I did in #851 because no new information is being added. We're aware and we're working on it. This conversation has been locked as spam and limited to collaborators.[1]

Bug 1548973 (armagadd-on-2.0) All extensions disabled due to expiration of intermediate signing cert NEW Unassigned (Needinfo from 3 people)

Kevin Brosnan [:kbrosnan]

We have confirmed this issue. Extra comments about this being broken will not advance this bug to being fixed.[2]

Mozilla just left their entire user base unprotected against ads, trackers, and some hostile code. Then they insult their users.

Undoing the damage is hard. First, they have to update their signing certificate. Then they have to re-sign all the add-ons. Then users have to reload all the addons. Then, something users won't do - remove all the tracking cookies, etc. that slipped in while Firefox was broken.

[1] https://github.com/mozilla/addons/issues/978

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1548973

replies(6): >>19824622 #>>19824627 #>>19824637 #>>19825159 #>>19825238 #>>19825829 #
2. gpm No.19824622
> Then users have to reload all the addons

I'm pretty sure Mozilla will implement a fix in a way that users only have to update their browser, not do anything to all their addons.

replies(1): >>19824797 #
3. bartc No.19824627
They should be able to obtain a new certificate based on the same private/public key, in which case I don’t think any add-ons would need to be updated.
replies(1): >>19824663 #
4. yardstick No.19824637
Forgive my ignorance but how are they being insulting by locking the issue?

They are working on it, and seeing 1000s of “me too” comments in the issue isn’t going to make things better for anyone. Least of all their customers, who, when they do update the issue with more info, won’t have to wade through pages and pages of noise before they get to the actual update from Mozilla.

5. rndgermandude No.19824663
The problem with this approach is that the expired certificate is part of the add-on package files (META-INF/mozilla.rsa; DER encoded PKCS7), not something that you can just swap out on some server. You have to replace the certificate in the add-on packages with the new cert, even if the new one reuses the keys of the old one. At which point you need to ship new add-on package files to users anyway, so key reuse or not makes no difference anymore.
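
The point in the comment above, that the certificate and its expiry date travel inside each add-on package, can be checked per file. The following is an added example, not part of the thread and not Mozilla's code: it walks the DER in META-INF/mozilla.rsa looking for X.509 Validity nodes and reports the ones that have ended. The function names are hypothetical, and the sample package is a constructed DER stand-in with made-up dates, not a real PKCS7 signature.

```python
import io
import zipfile
from datetime import datetime, timezone
SIG_PATH = "META-INF/mozilla.rsa"  # signature file path named in the comment above

def der_children(buf):
    """Yield (tag, content) for each definite-length DER element in buf."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) written as ...Z."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity_periods(buf):
    """Find X.509 Validity nodes: a SEQUENCE holding exactly two time values."""
    found = []
    for tag, content in der_children(buf):
        if not tag & 0x20:  # primitive element, nothing nested inside
            continue
        kids = list(der_children(content))
        if tag == 0x30 and len(kids) == 2 and all(t in (0x17, 0x18) for t, _ in kids):
            found.append(tuple(parse_time(t, c) for t, c in kids))
        else:
            found.extend(validity_periods(content))
    return found

def expired_certs(xpi_bytes, now):
    """Validity periods inside the package's signature file that ended before now."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        return [v for v in validity_periods(xpi.read(SIG_PATH)) if v[1] < now]

def tlv(tag, content):  # builds short-form DER for the constructed sample only
    return bytes([tag, len(content)]) + content
def sample_xpi():  # constructed package: two Validity nodes, not a real PKCS7
    cert = lambda nb, na: tlv(0x30, tlv(0x30, tlv(0x17, nb) + tlv(0x17, na)))
    sig = tlv(0x30, tlv(0xA0, cert(b"010101000000Z", b"020101000000Z")
                        + cert(b"010101000000Z", b"310101000000Z")))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr(SIG_PATH, sig)
    return out.getvalue()
```

Because the result depends only on the bytes of the package, a check like this keeps flagging the file until a re-signed package replaces it, whatever keys the new certificate uses.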
6. hu3 No.19824797
I'm curious about how an update will be able to differentiate tracking cookies from legit ones?
7. NicoJuicy No.19825159
Don't exaggerate. It's a critical bug now and they are working on it.

Let them work on it

8. konart No.19825238
Closing a duplicate issue is an insult these days?

Or are you talking about them not putting "Best regards, Tim" at the end of every message?

People these days are offended really by every and any little thing.

9. tinus_hn No.19825829
You know that for every comment someone posts the developers get an email? It’s not useful if you get 500 emails that state a user is deeply inconvenienced by this bug. That only leads to people filtering mail into the trash.