Most active commenters
  • inferiorhuman(3)

←back to thread

All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)
1318 points xvector | 33 comments | 04 May 19 01:31 UTC | HN request time: 1.626s | source | bottom
Show context
rmbryan ◴[04 May 19 10:27 UTC] No.19825581[source]
Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.
replies(20): >>19825596 #>>19825603 #>>19825612 #>>19825623 #>>19825631 #>>19825665 #>>19825705 #>>19825721 #>>19825744 #>>19825813 #>>19825905 #>>19825998 #>>19826421 #>>19826769 #>>19826772 #>>19826878 #>>19827050 #>>19829585 #>>19831941 #>>19840386 #
inferiorhuman ◴[04 May 19 10:49 UTC] No.19825665[source]
pushed it out to users via Normandy (this should be most users)

Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users? What about a UI knob to disable it?

replies(6): >>19825685 #>>19825686 #>>19825716 #>>19825995 #>>19826440 #>>19826786 #
1. daleharvey ◴[04 May 19 10:56 UTC] No.19825686[source]
> Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users?

It will even be documented for them: https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout

> What about a UI knob to disable it?

app.normandy.enabled

replies(5): >>19825728 #>>19825732 #>>19825745 #>>19825755 #>>19825842 #
2. inferiorhuman ◴[04 May 19 11:07 UTC] No.19825728[source]
app.normandy.enabled

That is not what I meant by a UI knob, and I sure hope you knew that. By UI knob I mean something easily discoverable and self-explanatory. Rooting around a gated (with a mighty strong warning, I should add) config section for something called "normandy" is not intuitive, and it's not self-explanatory.

And I sure hope that by disclosed to users I did not mean some Hitchhiker's Guide-esque disclaimer on a wiki page. Something as (potentially) insidious as a preferences backdoor should absolutely be disclosed to users with the same level of visibility as the stories nonsense.

Perhaps "normandy" is entirely harmless, but you guys lost a metric fuckton of credibility by using your backdoors to spam people[1]. Playing coy does nothing to improve your credibility or reputation.

1: https://www.theregister.co.uk/2017/12/18/mozilla_mr_robot_fi...

replies(1): >>19826411 #
3. oAlbe ◴[04 May 19 11:09 UTC] No.19825732[source]
> app.normandy.enabled

I fail to see both the "UI" and the "knob" part of this. Why is this not a checkbox in the preferences? Why do so many people not know about Normandy?

replies(1): >>19825766 #
4. lawl ◴[04 May 19 11:11 UTC] No.19825745[source]
The UI knob is

    Options -> Privacy & Security > Allow Firefox to install and run studies
They're using the studies system to push this hotfix faster for those that have it enabled.

Edit: Source:

See: https://discourse.mozilla.org/t/certificate-issue-causing-ad...

> In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.

Normandy seems to be the internal name for this system: https://github.com/mozilla/normandy

replies(5): >>19825762 #>>19825773 #>>19826186 #>>19826841 #>>19828213 #
5. nanis ◴[04 May 19 11:13 UTC] No.19825755[source]
>> Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users?

> It will even be documented for them:

That sounds like you do not think the concern is warranted. I've used Firefox since the first time it was available, and Netscape starting with the first ever betas. At no point was there a dialog that said "Do you want us to be able to change your browser settings remotely?"

>> What about a UI knob to disable it?

> app.normandy.enabled

That is not a "UI knob" by any stretch of the imagination. Looking in about:config revealed:

app.normandy.logging.level

Is there a way to find out what is being logged and why?

So, the question can be rephrased as "is the fact that Firefox has been logging all users' entire browsing history despite the fact that the user has not chosen to set up a Firefox account going to be disclosed?"

replies(1): >>19825792 #
6. inferiorhuman ◴[04 May 19 11:14 UTC] No.19825762[source]
No, it's not. This Normandy nonsense and stories are two separate, yet creepy features. I've already disabled stories but it looks like Mozilla still retains control of my preferences (without disclosing it).
replies(1): >>19825943 #
7. ◴[04 May 19 11:15 UTC] No.19825766[source]
8. Yoric ◴[04 May 19 11:23 UTC] No.19825792[source]
> So, the question can be rephrased as "is the fact that Firefox has been logging all users' entire browsing history despite the fact that the user has not chosen to set up a Firefox account going to be disclosed?"

Chill out, this preference only determines what is logged locally (never sent to the server). It's a debugging tool.

Sources: - https://searchfox.org/mozilla-central/source/toolkit/compone... - https://searchfox.org/mozilla-central/source/services/common...

replies(1): >>19828628 #
9. gpm ◴[04 May 19 11:31 UTC] No.19825820{3}[source]
I'm nearly certain Normandy does not log all of your browsing history for what it's worth.

I agree Mozilla approach to stuff like this is... less than ideal.

replies(1): >>19829184 #
10. tssva ◴[04 May 19 11:39 UTC] No.19825842[source]
From the wiki entry.

> Normandy Pref Rollout is a feature that allows Mozilla to change the default value of a preference for a targeted set of users, without deploying an update to Firefox.

Rolling out a new certificate goes beyond changing the default value of a preference which rightly raises questions about what else Normandy allows which is not documented.

11. DangerousPie ◴[04 May 19 12:04 UTC] No.19825922{3}[source]
> now I find out all my browsing history has been logged to Firefox servers.

Where are you getting this from?

replies(1): >>19829703 #
12. vesinisa ◴[04 May 19 12:11 UTC] No.19825943{3}[source]
I sure wonder how people so suspicious of Mozilla dare use their browser.
replies(3): >>19826006 #>>19826206 #>>19826278 #
13. hyeonwho4 ◴[04 May 19 12:27 UTC] No.19826006{4}[source]
Setting preferences really should not be shocking, given that they have the capacity to run automatic updates. I'm more surprised that they can push code without certificates.
replies(2): >>19826649 #>>19827358 #
14. SilasX ◴[04 May 19 13:08 UTC] No.19826186[source]
Why is it supposed to be reassuring that their “studies” can override the cryptographic infrastructure?

Edit: rephrase for clarity

replies(2): >>19826237 #>>19826435 #
15. phyzome ◴[04 May 19 13:11 UTC] No.19826206{4}[source]
Easy: There's a difference between static, shipped code and a capability to modify software at a distance (which could even by hijacked by an attacker who infiltrates Mozilla's infrastructure.)
replies(1): >>19826756 #
16. bilbo0s ◴[04 May 19 13:19 UTC] No.19826237{3}[source]
Thank you.

I happen to be one of the users with Normandy disabled, so I'm foobar'd anyway. That said, the reason I disabled it is because it is a security hole you could drive a semi-truck through. And now they want us to enable it to provide a "fix" for the secure way in?

I thought I was the only one who saw a problem with that. Your post is evidence that I'm not completely off in my thinking.

replies(2): >>19826313 #>>19827304 #
17. bilbo0s ◴[04 May 19 13:24 UTC] No.19826278{4}[source]
Because Mozilla is easier to lock down than Chrome.

I guess "easier" isn't the word really, because Chrome can't really ever be locked down. It's pretty much always, effectively, an open book to Google.

You can lock down everything in Firefox. The drawback being, of course, times like this, when you can't get the fix unless you leave Normandy enabled. (Which I didn't.)

>:-(

Grrrr.

18. SilasX ◴[04 May 19 13:29 UTC] No.19826313{4}[source]
And thank you for assuring me I wasn’t alone in worrying about that!
19. dbrgn ◴[04 May 19 13:49 UTC] No.19826411[source]
I'm sorry to break it to you, but a fuckton is not actually part of the metric system...
replies(2): >>19827172 #>>19827604 #
20. fjsolwmv ◴[04 May 19 13:53 UTC] No.19826435{3}[source]
If you don't trust your software provider, "studies" don't matter. The same but could come through a regular update. If you don't want to be on bleeding edge, that's fine, and if the UI for Normandy is bad, that's an issue, but it's nonsense to accept updates and then say you don't want updates.
21. vesinisa ◴[04 May 19 14:27 UTC] No.19826649{5}[source]
> I'm more surprised that they can push code without certificates.

Where are you getting this from? AFAIK all Mozilla code / prefs they can push should be signed -- this very issue seems to stem from the cert used to sign AMO extensions expired.

22. calcifer ◴[04 May 19 14:45 UTC] No.19826756{5}[source]
If your threat model includes the hijacking of Mozilla's infrastructure, I assume you read and verify the entirety of the Firefox source with every new version before using it, right?
replies(1): >>19836545 #
23. syshum ◴[04 May 19 15:02 UTC] No.19826841[source]
They are using the Studies system in a complete violation of the way they said they would use the studies system for when it was announced. This is not surprising since Mozilla is becoming about as Trust Worthily as Google or Facebook
24. CompuHacker ◴[04 May 19 15:48 UTC] No.19827172{3}[source]
Well, it should be, but that's an entirely different discussion.
25. reubenmorais ◴[04 May 19 16:08 UTC] No.19827304{4}[source]
The studies system is also code-signed, but with a different certificate chain, hence why it wasn't affected. What security hole do you think this opens in Firefox?
26. Piskvorrr ◴[04 May 19 16:17 UTC] No.19827358{5}[source]
The expires certificate seems to be in a chain concerning extensions. Not necessarily the same chain concerning core browser updates...
27. Redoubts ◴[04 May 19 16:49 UTC] No.19827604{3}[source]
This unit modifier was specified under RFC 69420
28. guido_vongraum ◴[04 May 19 18:22 UTC] No.19828213[source]
>The UI knob is > Options -> Privacy & Security > Allow Firefox to install and run studies

Well it's a half-assed knob then, because it was unchecked and still I had app.normandy.enabled = true somehow.

29. rue ◴[04 May 19 19:22 UTC] No.19828628{3}[source]
Look, at this point it’s not the user’s responsibility to “chill out”. It’s very much Firefox’s responsibility to try to repair their reputation by:

1. being completely transparent about all the mechanisms that data or code can be pushed to or pulled by the browser, or pushed from or pulled from the browser; and

2. having a toggle for all of them, yes every single one, in Privacy & Security.

30. ◴[04 May 19 20:31 UTC] No.19829184{4}[source]
31. nanis ◴[04 May 19 22:10 UTC] No.19829703{4}[source]
I am getting it from the simple fact that when I looked at Normandy related settings a unique ID and an API endpoint screamed at me ... Let's assume the explanation given here regarding Normandy's endpoint is legitimate. Why am I assigned a unique ID? How hard is it to make the connection between the fact that for the past N years, despite telemetry and studies being turned off, my browser had been pinging Mozilla with this unique ID. Until proved otherwise, it is safe to assume that this was used to track browsing.
replies(1): >>19853360 #
32. phyzome ◴[06 May 19 03:08 UTC] No.19836545{6}[source]
Obviously not?

But there are trustworthy people working with and integrating that code, there's a good chance they'll notice a hinky commit, and they're very close to having completely reproducible builds—which means that there can be verification that the shipped binary matches the inspected source.

https://gregoryszorc.com/blog/2018/06/20/deterministic-firef...

33. sciurus ◴[07 May 19 20:55 UTC] No.19853360{5}[source]
Disclaimer: I work for Mozilla on the operations team responsible for Firefox's backend services, including Normandy.

TL;DR you are not sending us your browsing history.

If telemetry and studies were turned off, your browser wasn't sending us this unique id.

If you had kept them enabled, for normandy telemetry you would have been sending us the data described at https://firefox-source-docs.mozilla.org/toolkit/components/n...

You can read more broadly about what data Firefox sends by default at https://www.mozilla.org/en-US/privacy/firefox/

And learn more about the review process any data collection has to go through at https://wiki.mozilla.org/Firefox/Data_Collection