
1318 points xvector | 4 comments
rmbryan ◴[] No.19825581[source]
Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.
inferiorhuman ◴[] No.19825665[source]
> pushed it out to users via Normandy (this should be most users)

Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users? What about a UI knob to disable it?

daleharvey ◴[] No.19825686[source]
> Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users?

It will even be documented for them: https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout

> What about a UI knob to disable it?

app.normandy.enabled

1. inferiorhuman ◴[] No.19825728[source]
> app.normandy.enabled

That is not what I meant by a UI knob, and I sure hope you knew that. By UI knob I mean something easily discoverable and self-explanatory. Rooting around a gated (with a mighty strong warning, I should add) config section for something called "normandy" is not intuitive, and it's not self-explanatory.

And I sure hope that by disclosed to users I did not mean some Hitchhiker's Guide-esque disclaimer on a wiki page. Something as (potentially) insidious as a preferences backdoor should absolutely be disclosed to users with the same level of visibility as the stories nonsense.

Perhaps "normandy" is entirely harmless, but you guys lost a metric fuckton of credibility by using your backdoors to spam people[1]. Playing coy does nothing to improve your credibility or reputation.

1: https://www.theregister.co.uk/2017/12/18/mozilla_mr_robot_fi...

2. dbrgn ◴[] No.19826411[source]
I'm sorry to break it to you, but a fuckton is not actually part of the metric system...
3. CompuHacker ◴[] No.19827172[source]
Well, it should be, but that's an entirely different discussion.
4. Redoubts ◴[] No.19827604[source]
This unit modifier was specified under RFC 69420