←back to thread

All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)
1318 points xvector | 8 comments | 04 May 19 01:31 UTC | HN request time: 0.205s | source | bottom
Show context
rmbryan ◴[04 May 19 10:27 UTC] No.19825581[source]
Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.
replies(20): >>19825596 #>>19825603 #>>19825612 #>>19825623 #>>19825631 #>>19825665 #>>19825705 #>>19825721 #>>19825744 #>>19825813 #>>19825905 #>>19825998 #>>19826421 #>>19826769 #>>19826772 #>>19826878 #>>19827050 #>>19829585 #>>19831941 #>>19840386 #
inferiorhuman ◴[04 May 19 10:49 UTC] No.19825665[source]
pushed it out to users via Normandy (this should be most users)

Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users? What about a UI knob to disable it?

replies(6): >>19825685 #>>19825686 #>>19825716 #>>19825995 #>>19826440 #>>19826786 #
daleharvey ◴[04 May 19 10:56 UTC] No.19825686[source]
> Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users?

It will even be documented for them: https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout

> What about a UI knob to disable it?

app.normandy.enabled

replies(5): >>19825728 #>>19825732 #>>19825745 #>>19825755 #>>19825842 #
lawl ◴[04 May 19 11:11 UTC] No.19825745[source]
The UI knob is

    Options -> Privacy & Security > Allow Firefox to install and run studies
They're using the studies system to push this hotfix faster for those that have it enabled.

Edit: Source:

See: https://discourse.mozilla.org/t/certificate-issue-causing-ad...

> In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.

Normandy seems to be the internal name for this system: https://github.com/mozilla/normandy

replies(5): >>19825762 #>>19825773 #>>19826186 #>>19826841 #>>19828213 #
inferiorhuman ◴[04 May 19 11:14 UTC] No.19825762[source]
No, it's not. This Normandy nonsense and stories are two separate, yet creepy features. I've already disabled stories but it looks like Mozilla still retains control of my preferences (without disclosing it).
replies(1): >>19825943 #
1. vesinisa ◴[04 May 19 12:11 UTC] No.19825943[source]
I sure wonder how people so suspicious of Mozilla dare use their browser.
replies(3): >>19826006 #>>19826206 #>>19826278 #
2. hyeonwho4 ◴[04 May 19 12:27 UTC] No.19826006[source]
Setting preferences really should not be shocking, given that they have the capacity to run automatic updates. I'm more surprised that they can push code without certificates.
replies(2): >>19826649 #>>19827358 #
3. phyzome ◴[04 May 19 13:11 UTC] No.19826206[source]
Easy: There's a difference between static, shipped code and a capability to modify software at a distance (which could even by hijacked by an attacker who infiltrates Mozilla's infrastructure.)
replies(1): >>19826756 #
4. bilbo0s ◴[04 May 19 13:24 UTC] No.19826278[source]
Because Mozilla is easier to lock down than Chrome.

I guess "easier" isn't the word really, because Chrome can't really ever be locked down. It's pretty much always, effectively, an open book to Google.

You can lock down everything in Firefox. The drawback being, of course, times like this, when you can't get the fix unless you leave Normandy enabled. (Which I didn't.)

>:-(

Grrrr.

5. vesinisa ◴[04 May 19 14:27 UTC] No.19826649[source]
> I'm more surprised that they can push code without certificates.

Where are you getting this from? AFAIK all Mozilla code / prefs they can push should be signed -- this very issue seems to stem from the cert used to sign AMO extensions expired.

6. calcifer ◴[04 May 19 14:45 UTC] No.19826756[source]
If your threat model includes the hijacking of Mozilla's infrastructure, I assume you read and verify the entirety of the Firefox source with every new version before using it, right?
replies(1): >>19836545 #
7. Piskvorrr ◴[04 May 19 16:17 UTC] No.19827358[source]
The expires certificate seems to be in a chain concerning extensions. Not necessarily the same chain concerning core browser updates...
8. phyzome ◴[06 May 19 03:08 UTC] No.19836545{3}[source]
Obviously not?

But there are trustworthy people working with and integrating that code, there's a good chance they'll notice a hinky commit, and they're very close to having completely reproducible builds—which means that there can be verification that the shipped binary matches the inspected source.

https://gregoryszorc.com/blog/2018/06/20/deterministic-firef...