1318 points xvector | 2 comments
xvector ◴[] No.19823709[source]
Looks like all extensions have been disabled for all Firefox users.

I think this fail-closed behavior is more of a security issue than the one it is trying to solve. All of my security add-ons - Privacy Badger, NoScript, Decentraleyes, and many more - were disabled. Even worse, it happened without notice to the user.

One moment I was browsing the internet (just barely) secured by these add-ons, and the next moment, all of them disappeared (without warning) and I only noticed when I saw my password manager was missing.

replies(6): >>19823819 #>>19823903 #>>19824040 #>>19824202 #>>19824361 #>>19825228 #
stevenwliao ◴[] No.19823903[source]
If it failed open, anyone unlucky enough to update their extensions could end up having a malicious version installed. It also would have taken longer to notice.
replies(4): >>19824177 #>>19824284 #>>19824335 #>>19825081 #
Causality1 ◴[] No.19824284[source]
So why not just disable extension updates instead of disabling the extensions themselves?
replies(2): >>19824505 #>>19824666 #
ssadler ◴[] No.19824666[source]
Presumably because how would it differentiate between a legit "already installed" extension with a signature that cannot be verified, and an extension installed by malware that also cannot be verified?
replies(4): >>19824690 #>>19824705 #>>19825056 #>>19825962 #
1. Causality1 ◴[] No.19824690[source]
Personally I despise the idea of the software already on my PC being dependent on signatures stored on a remote server. I installed it and Mozilla can fuck right off. It's my responsibility to police what software is on my computer, not theirs.
replies(1): >>19826256 #
2. cesarb ◴[] No.19826256[source]
According to https://news.ycombinator.com/item?id=19824520 the signatures are on the extensions themselves, not on a remote server.