
1318 points xvector | 6 comments
xvector No.19823709
Looks like all extensions have been disabled for all Firefox users.

I think this fail-closed behavior is more of a security issue than the one it is trying to solve. All of my security add-ons - Privacy Badger, NoScript, Decentraleyes, and many more - were disabled. Even worse, it happened without notice to the user.

One moment I was browsing the internet (just barely) secured by these add-ons, and the next moment, all of them disappeared (without warning) and I only noticed when I saw my password manager was missing.

stevenwliao No.19823903
If it failed open, anyone unlucky enough to update their extensions could end up having a malicious version installed. It also would have taken longer to notice.
Causality1 No.19824284
So why not just disable extension updates instead of disabling the extensions themselves?
1. ssadler No.19824666
Presumably because how would it differentiate between a legit "already installed" extension with a signature that cannot be verified, and an extension installed by malware that also cannot be verified?
2. Causality1 No.19824690
Personally I despise the idea of the software already on my PC being dependent on signatures stored on a remote server. I installed it and Mozilla can fuck right off. It's my responsibility to police what software is on my computer, not theirs.
3. Thorrez No.19824705
Browsers can only protect against malicious websites and malicious extensions. They can't protect against malware. Even without any cert problems, malware on your machine can modify the browser executable/process to insert whatever code it wants.

With this reduced threat model, it's easy to simply keep existing pre-installed extensions available, and disable updates. Your only problem is if a pre-installed extension is malicious or has a vulnerability, it will remain.

4. josteink No.19825056
> Presumably because how would it differentiate between a legit "already installed" extension with a signature that cannot be verified, and an extension installed by malware that also cannot be verified?

This is why a signature can also be accompanied by a trusted time stamp which can confirm that the signature was made while the certificate was valid.

This is the common way to sign all Windows software to avoid this exact kind of problem.

Yes, that implies this is a known and solved problem. It’s embarrassing for Mozilla to not have prepared for this.
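
The timestamp check described in the comment above, as an added example that is not part of the thread and is not Mozilla's or Windows' code. HMAC with constructed keys stands in for the publisher's and the timestamp authority's public-key signatures; every name, key and date here is an assumption made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed demo keys: HMAC stands in for the publisher's and the timestamp
# authority's (TSA) public-key signatures so the example runs on the stdlib.
SIGNER_KEY, TSA_KEY = b"demo-signer-key", b"demo-tsa-key"

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass
class Cert:
    not_before: datetime
    not_after: datetime

@dataclass
class SignedPackage:
    payload: bytes
    signature: bytes      # publisher's signature over the payload
    signed_at: datetime   # signing time asserted by the TSA
    tsa_token: bytes      # TSA's signature over (signature digest, time)

def tsa_stamp(signature: bytes, when: datetime) -> bytes:
    return mac(TSA_KEY, hashlib.sha256(signature).digest() + when.isoformat().encode())

def sign(payload: bytes, when: datetime) -> SignedPackage:
    sig = mac(SIGNER_KEY, payload)
    return SignedPackage(payload, sig, when, tsa_stamp(sig, when))

def verify(pkg: SignedPackage, cert: Cert, now: datetime, use_timestamp: bool) -> bool:
    if not hmac.compare_digest(pkg.signature, mac(SIGNER_KEY, pkg.payload)):
        return False  # payload modified or signed with another key
    if not use_timestamp:
        # Naive policy: the certificate must be valid at verification time.
        return cert.not_before <= now <= cert.not_after
    if not hmac.compare_digest(pkg.tsa_token, tsa_stamp(pkg.signature, pkg.signed_at)):
        return False  # claimed signing time is not vouched for by the TSA
    # Timestamp-aware policy: the certificate must have been valid when signed.
    return cert.not_before <= pkg.signed_at <= cert.not_after

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: a certificate that expired before "now".
CERT = Cert(utc(2017, 1, 1), utc(2019, 1, 1))
INSTALLED = sign(b"addon-1.0.xpi", utc(2018, 6, 1))  # signed while CERT was valid
NOW = utc(2019, 6, 1)
```

With `use_timestamp=False` the already-installed package is rejected once the certificate expires; with `use_timestamp=True` it still verifies, while a package stamped after expiry or carrying a backdated, unvouched signing time does not. A real verifier must also validate the timestamp authority's own certificate chain.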

5. rst No.19825962
If an extension was already installed, it passed the signature check at the time of installation. I'm not sure what benefits we get from periodically re-running the exact same check -- particularly when balanced against the risks of the re-checks, which are now obvious.
6. cesarb No.19826256
According to https://news.ycombinator.com/item?id=19824520 the signatures are on the extensions themselves, not on a remote server.