1318 points xvector | 1 comments
Animats ◴[] No.19824612[source]
It's pathetic to see the attitude demonstrated by Mozilla support on this.

diox commented 4 hours ago

I'm locking this like I did in #851 because no new information is being added. We're aware and we're working on it. This conversation has been locked as spam and limited to collaborators.[1]

Bug 1548973 (armagadd-on-2.0) All extensions disabled due to expiration of intermediate signing cert NEW Unassigned (Needinfo from 3 people)

Kevin Brosnan [:kbrosnan]

We have confirmed this issue. Extra comments about this being broken will not advance this bug to being fixed.[2]

Mozilla just left their entire user base unprotected against ads, trackers, and some hostile code. Then they insult their users.

Undoing the damage is hard. First, they have to update their signing certificate. Then they have to re-sign all the add-ons. Then users have to reload all the addons. Then, something users won't do - remove all the tracking cookies, etc. that slipped in while Firefox was broken.

[1] https://github.com/mozilla/addons/issues/978

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1548973

replies(6): >>19824622 #>>19824627 #>>19824637 #>>19825159 #>>19825238 #>>19825829 #
bartc ◴[] No.19824627[source]
They should be able to obtain a new certificate based on the same private/public key, in which case I don’t think any add-ons would need to be updated.
replies(1): >>19824663 #
1. rndgermandude ◴[] No.19824663[source]
The problem with this approach is that the expired certificate is part of the add-on package files (META-INF/mozilla.rsa; DER encoded PKCS7), not something that you can just swap out on some server. You have to replace the certificate in the add-on packages with the new cert, even if the new one reuses the keys of the old one. At which point you need to ship new add-on package files to users anyway, so key reuse or not makes no difference anymore.
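
The point made in the last comment can be checked on a package directly. As an added example that is not part of the thread, this stdlib-only Python code reads META-INF/mozilla.rsa from an add-on package and returns the validity window of each certificate embedded in its PKCS7 blob. The sample package is a constructed skeleton with placeholder fields and dates (no real keys or signature), and all function names are this example's own.

```python
import io, zipfile
from datetime import datetime, timezone

def tlv(data, pos=0):  # read one DER element: (tag, value, offset of next element)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(value):  # split a constructed element's value into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def der_time(tag, val):
    s = val.decode()
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280 pivots at 50
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def embedded_cert_validity(xpi_bytes, name="META-INF/mozilla.rsa"):
    """(notBefore, notAfter) of every certificate carried inside the package's PKCS7 blob."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        content_info = children(tlv(z.read(name))[1])  # [OID, [0] EXPLICIT SignedData]
    signed_data = children(children(content_info[1][1])[0][1])
    certs = next((v for t, v in signed_data[3:] if t == 0xA0), b"")  # [0] certificates
    result = []
    for _, cert in children(certs):
        tbs = children(children(cert)[0][1])
        nb, na = children(tbs[4 if tbs[0][0] == 0xA0 else 3][1])  # validity field
        result.append((der_time(*nb), der_time(*na)))
    return result

def enc(tag, *parts):  # minimal DER encoder, only for the constructed sample (< 256 bytes)
    body = b"".join(parts)
    return bytes([tag] + ([len(body)] if len(body) < 128 else [0x81, len(body)])) + body

def sample_xpi():  # constructed package: two placeholder certificates, dates are made up
    t = lambda s: enc(0x17 if len(s) == 13 else 0x18, s.encode())
    cert = lambda nb, na: enc(0x30, enc(0x30, enc(0xA0, enc(2, b"\x02")), enc(2, b"\x01"),
                              enc(0x30), enc(0x30), enc(0x30, t(nb), t(na)), enc(0x30)))
    certs = enc(0xA0, cert("170101000000Z", "190101000000Z"), cert("190101000000Z", "20500101000000Z"))
    sd = enc(0x30, enc(2, b"\x01"), enc(0x31), enc(0x30), certs, enc(0x31))
    oid = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2 (signedData)
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        z.writestr("META-INF/mozilla.rsa", enc(0x30, oid, enc(0xA0, sd)))
    return buf.getvalue()
```

Comparing each returned notAfter against the current time shows whether a given package file still carries an expired certificate, which is a property of the file itself and not of any server.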