1318 points xvector | 25 comments
rmbryan No.19825581
Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.
replies(20): >>19825596 #>>19825603 #>>19825612 #>>19825623 #>>19825631 #>>19825665 #>>19825705 #>>19825721 #>>19825744 #>>19825813 #>>19825905 #>>19825998 #>>19826421 #>>19826769 #>>19826772 #>>19826878 #>>19827050 #>>19829585 #>>19831941 #>>19840386 #
brador No.19825596
What is Normandy?
replies(2): >>19825604 #>>19825613 #
1. megous No.19825604
https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout
replies(1): >>19825619 #
2. chinathrow No.19825619
So is that a backdoor into my prefs? How can I check if Normandy is active on my installation?
replies(2): >>19825625 #>>19825696 #
3. verdandi No.19825625
Type about:config in the address bar and search for 'app.normandy.enabled' flag.
replies(3): >>19825647 #>>19825659 #>>19826386 #
4. DoctorOetker No.19825647{3}
here the flag is true but the extensions are still unsupported
replies(1): >>19825801 #
5. inferiorhuman No.19825659{3}
Well that's interesting. I see Normandy enabled, but if I go to the "Privacy and Security" section of the preferences page I see all the data collection and use stuff disabled. There's no obvious way to disable the Normandy back door.

Oh well, at least we don't have another season of Mr Robot spam to look forward to.

replies(3): >>19825777 #>>19825846 #>>19826202 #
6. megous No.19825696
Something with a public wiki page describing what it does exactly is hardly a backdoor.

Also here's the code for the server: https://github.com/mozilla/normandy

replies(1): >>19825812 #
7. No.19825777{4}
8. Yoric No.19825801{4}
It may take a little time for the partial fix to be distributed.
9. tssva No.19825812{3}
The wiki entry evidently doesn't describe what it does because according to the wiki entry it allows for the enabling and disabling of preferences. The updating of a certificate is beyond what is described in the wiki.

Mozilla should follow up with a post describing exactly how Normandy works and the full capabilities it gives them.

replies(2): >>19825915 #>>19831678 #
10. AsyncAwait No.19825846{4}
> There's no obvious way to disable the Normandy back door.

???

It's a publicly documented feature with a publicly documented way to disable it.

replies(1): >>19825860 #
11. brynjolf No.19825860{5}
With an obscure name and no correlation to all the other spying and backdooring Mozilla are doing. Is this really the best option to get a privacy-focused browser? I think this is all very worrying.
replies(3): >>19826424 #>>19826457 #>>19827328 #
12. tssva No.19825941{5}
Users shouldn't have to search and then be able to understand the code found for such a feature. When a remote capability such as this exists it is Mozilla's responsibility to document how the feature works and the exact capabilities it gives them. Instead of doing so they have produced a wiki entry which appears to falsely describe the capabilities of this remote feature by stating it is used to change default preference values.
replies(2): >>19826026 #>>19826726 #
13. greendestiny_re No.19826178{5}
All code is available – as a tar.xzipped archive of Firefox source code containing over 150k files and measuring over 1GB in size when unpacked.
replies(1): >>19826748 #
14. rectang No.19826202{4}
Presumably the logic is something like:

    if (studies.enabled) {
      if (normandy.enabled) {
        ...
      }
    }
15. yabatopia No.19826386{3}
Not so in Firefox for Android. No normandy to find.
16. awful_waffle No.19826424{6}
Can you elaborate on what 'other spying' Mozilla does? Do you mean their telemetry?
replies(1): >>19827611 #
17. fjsolwmv No.19826457{6}
It's named after a world famous beachhead of an invasion. The name isn't that obscure for a feature that invades the userbase with a takeover.
18. megous No.19826726{6}
Hacker News

I think people here can be expected to read some code if they are interested in how something works.

19. megous No.19826748{6}
grep -iR normandy

I expect code related to normandy to be ~1k LOC in size and probably written in JS. I haven't checked though, because I don't really care today.

replies(1): >>19828332 #
20. AsyncAwait No.19827328{6}
I am not sure what 'spying' Mozilla is doing, but I agree this should be better named and better highlighted.
21. brynjolf No.19827611{7}
Spying was the wrong word. But yes, the telemetry. The Google Analytics that is hidden on the extensions page, which only listens to Do Not Track but not to the turn-off-telemetry checkbox. Sadly it just doesn't seem to stop.
22. lordlimecat No.19828249{5}
Open source software can't have a backdoor because the code is available to review.

Got it.

23. devcpp No.19828332{7}
And you shouldn't have to care. No one should. The very fact that this exists and that we are expected to trust it is very disappointing.
24. dang No.19831123{8}
Please read and follow the site guidelines when commenting here.

https://news.ycombinator.com/newsguidelines.html

25. ComodoHacker No.19831678{4}
From what I understand, Normandy is an infrastructure for delivery of some changes to some of Firefox users (or all of them). There are two major use cases: preference rollouts and studies. In the first case default values of preferences get changed (if your pref has a non-default value, it won't affect you). In the case of studies some piece of code gets delivered and executed, which can do anything. In this hotfix the study installs an add-on, which in turn installs the certificate.