
1318 points | xvector
xvector No.19823709
Looks like all extensions have been disabled for all Firefox users.

I think this fail-closed behavior is more of a security issue than the one it is trying to solve. All of my security add-ons - Privacy Badger, NoScript, Decentraleyes, and many more - were disabled. Even worse, it happened without notice to the user.

One moment I was browsing the internet (just barely) secured by these add-ons, and the next moment, all of them disappeared (without warning) and I only noticed when I saw my password manager was missing.

stevenwliao No.19823903
If it failed open, anyone unlucky enough to update their extensions could end up having a malicious version installed. It also would have taken longer to notice.
Causality1 No.19824284
So why not just disable extension updates instead of disabling the extensions themselves?
ssadler No.19824666
Presumably because how would it differentiate between a legit "already installed" extension with a signature that cannot be verified, and an extension installed by malware that also cannot be verified?
Thorrez No.19824705
Browsers can only protect against malicious websites and malicious extensions. They can't protect against malware. Even without any cert problems, malware on your machine can modify the browser executable/process to insert whatever code it wants.

With this reduced threat model, it's easy to simply keep existing pre-installed extensions available, and disable updates. Your only problem is if a pre-installed extension is malicious or has a vulnerability, it will remain.
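
The three policies argued over in this thread (fail closed, fail open, keep installed add-ons but freeze updates), modelled side by side as an added example that is not part of any comment and is not Firefox code. The policy names, add-on ids and the `simulate` function are hypothetical, and the sample data is constructed.

```javascript
// Added illustration, not Firefox code. All names and sample data are constructed.
// Models which add-ons end up running when signature verification fails for
// every add-on at once, under the three policies discussed in the thread.

const POLICIES = {
  // Disable anything that cannot be verified (the behaviour users reported).
  failClosed: { keepInstalled: false, allowUnverifiedInstall: false },
  // Ignore verification failures entirely.
  failOpen: { keepInstalled: true, allowUnverifiedInstall: true },
  // Keep what is already installed, refuse updates and new installs.
  freezeUpdates: { keepInstalled: true, allowUnverifiedInstall: false },
};

// Constructed profile state at the moment verification starts failing.
const installed = [
  { id: 'tracker-blocker', version: 3, malicious: false },
  { id: 'script-blocker', version: 7, malicious: false },
  { id: 'sideloaded-by-malware', version: 1, malicious: true },
];

// Constructed update/install attempts that arrive while verification is broken.
const incoming = [
  { id: 'script-blocker', version: 8, malicious: true }, // tampered update
  { id: 'new-toolbar', version: 1, malicious: true },    // fresh unverifiable install
];

function simulate(policyName) {
  const policy = POLICIES[policyName];
  const active = new Map();
  if (policy.keepInstalled) {
    for (const ext of installed) active.set(ext.id, ext);
  }
  for (const ext of incoming) {
    // An update replaces the installed version under the same id.
    if (policy.allowUnverifiedInstall) active.set(ext.id, ext);
  }
  const running = [...active.values()];
  return {
    protectionsRunning: running.filter(e => !e.malicious).map(e => e.id),
    maliciousRunning: running.filter(e => e.malicious).map(e => `${e.id}@${e.version}`),
  };
}

for (const name of Object.keys(POLICIES)) console.log(name, simulate(name));
```

Under `freezeUpdates` both protective add-ons keep running and the tampered update is refused, but the already-present malicious add-on stays, which is the residual risk the last comment accepts.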