
xvector No.19823709
Looks like all extensions have been disabled for all Firefox users.

I think this fail-closed behavior is more of a security issue than the one it is trying to solve. All of my security add-ons - Privacy Badger, NoScript, Decentraleyes, and many more - were disabled. Even worse, it happened without notice to the user.

One moment I was browsing the internet (just barely) secured by these add-ons, and the next moment, all of them disappeared (without warning) and I only noticed when I saw my password manager was missing.

stevenwliao No.19823903
If it failed open, anyone unlucky enough to update their extensions could end up having a malicious version installed. It also would have taken longer to notice.
Causality1 No.19824284
So why not just disable extension updates instead of disabling the extensions themselves?
ssadler No.19824666
Presumably because how would it differentiate between a legit "already installed" extension with a signature that cannot be verified, and an extension installed by malware that also cannot be verified?
rst No.19825962
If an extension was already installed, it passed the signature check at the time of installation. I'm not sure what benefits we get from periodically re-running the exact same check -- particularly when balanced against the risks of the re-checks, which are now obvious.