←back to thread

All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)
1318 points xvector | 5 comments | 04 May 19 01:31 UTC | HN request time: 0.636s | source
Show context
rmbryan ◴[04 May 19 10:27 UTC] No.19825581[source]
Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.
replies(20): >>19825596 #>>19825603 #>>19825612 #>>19825623 #>>19825631 #>>19825665 #>>19825705 #>>19825721 #>>19825744 #>>19825813 #>>19825905 #>>19825998 #>>19826421 #>>19826769 #>>19826772 #>>19826878 #>>19827050 #>>19829585 #>>19831941 #>>19840386 #
inferiorhuman ◴[04 May 19 10:49 UTC] No.19825665[source]
pushed it out to users via Normandy (this should be most users)

Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users? What about a UI knob to disable it?

replies(6): >>19825685 #>>19825686 #>>19825716 #>>19825995 #>>19826440 #>>19826786 #
daleharvey ◴[04 May 19 10:56 UTC] No.19825686[source]
> Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users?

It will even be documented for them: https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout

> What about a UI knob to disable it?

app.normandy.enabled

replies(5): >>19825728 #>>19825732 #>>19825745 #>>19825755 #>>19825842 #
lawl ◴[04 May 19 11:11 UTC] No.19825745[source]
The UI knob is

    Options -> Privacy & Security > Allow Firefox to install and run studies
They're using the studies system to push this hotfix faster for those that have it enabled.

Edit: Source:

See: https://discourse.mozilla.org/t/certificate-issue-causing-ad...

> In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.

Normandy seems to be the internal name for this system: https://github.com/mozilla/normandy

replies(5): >>19825762 #>>19825773 #>>19826186 #>>19826841 #>>19828213 #
1. SilasX ◴[04 May 19 13:08 UTC] No.19826186[source]
Why is it supposed to be reassuring that their “studies” can override the cryptographic infrastructure?

Edit: rephrase for clarity

replies(2): >>19826237 #>>19826435 #
2. bilbo0s ◴[04 May 19 13:19 UTC] No.19826237[source]
Thank you.

I happen to be one of the users with Normandy disabled, so I'm foobar'd anyway. That said, the reason I disabled it is because it is a security hole you could drive a semi-truck through. And now they want us to enable it to provide a "fix" for the secure way in?

I thought I was the only one who saw a problem with that. Your post is evidence that I'm not completely off in my thinking.

replies(2): >>19826313 #>>19827304 #
3. SilasX ◴[04 May 19 13:29 UTC] No.19826313[source]
And thank you for assuring me I wasn’t alone in worrying about that!
4. fjsolwmv ◴[04 May 19 13:53 UTC] No.19826435[source]
If you don't trust your software provider, "studies" don't matter. The same but could come through a regular update. If you don't want to be on bleeding edge, that's fine, and if the UI for Normandy is bad, that's an issue, but it's nonsense to accept updates and then say you don't want updates.
5. reubenmorais ◴[04 May 19 16:08 UTC] No.19827304[source]
The studies system is also code-signed, but with a different certificate chain, hence why it wasn't affected. What security hole do you think this opens in Firefox?