(bugzilla.mozilla.org)

1318 points xvector | 1 comments | 04 May 19 01:31 UTC | HN request time: 0.677s | source

Show context

M0 ◴[04 May 19 03:05 UTC] No.19824127[source]▶

>>19823701 (OP) #

They don't use cryptographic timestamps with their signatures ? The certificate might now be invalid, but the signatures were done at a time when it was valid...

replies(1): >>19824413 #

fluidcruft ◴[04 May 19 04:20 UTC] No.19824413[source]▶

>>19824127 #

The problem is that "time" is fungible and can be forged. The date on a signature doesn't really mean anything.

replies(2): >>19824479 #>>19824706 #

1. altfredd ◴[04 May 19 05:50 UTC] No.19824706[source]▶

>>19824413 #

This is a very bizarre justification for an obvious bug. Code-signing does not work that way anywhere else — neither in Android, nor on iOS, Windows or any other common platform.

There is a possibility that Mozilla implemented their backwards code-signing model on purpose — for example, it allows them to oust unwanted extensions without explicitly recalling their certificates. But personally I think that they just didn't give the matter enough thought.

↑

All extensions disabled due to expiration of intermediate signing cert