Most active commenters
  • robolange(3)

←back to thread

All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)
1318 points xvector | 27 comments | 04 May 19 01:31 UTC | HN request time: 0.469s | source | bottom
Show context
rmbryan ◴[04 May 19 10:27 UTC] No.19825581[source]
Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.
replies(20): >>19825596 #>>19825603 #>>19825612 #>>19825623 #>>19825631 #>>19825665 #>>19825705 #>>19825721 #>>19825744 #>>19825813 #>>19825905 #>>19825998 #>>19826421 #>>19826769 #>>19826772 #>>19826878 #>>19827050 #>>19829585 #>>19831941 #>>19840386 #
neilv ◴[04 May 19 12:24 UTC] No.19825998[source]
I've been through all of Firefox `about:config` a few times in the past, fixing preferences to, e.g., try to disable umpteen different services that leak info or create potential vulnerabilities gratuitously, but this is the first I recall hearing of Normandy.

Apparently I missed `app.normandy.enabled`, because I think I would've remembered a name with connotations of a bloody massive surprise attack.

Incidentally, `app.normandy.enabled` defaults to `true` in the `firefox-esr` Debian Stable package. Which seems wrong for an ESR.

For personal use (not development), I run 3 browsers (for features/configurations and an extra bit of compartmentalization): Tor Browser for most things, Firefox ESR with privacy tweaks for the small number of things that require login, and Chromium without much privacy tweaks for the rare occasion that a crucial site refuses to work with my TB or FF setup.

Today's crucial cert administration oops, plus learning of yet another very questionable remote capability/vector, plus the questionable preferences-changing being enabled even for ESR... is making me even less comfortable with the Web browser standards "big moat" barrier to entry situation.

I know Mozilla has some very forthright people, but I'd really like to see a conspicuous and pervasive focus on privacy&security, throughout the organization, which, at this point, would shake up a lot of things. Then, with the high ground established unambiguously, I'd like to see actively reversing some of the past surveillance&brochure tendencies in some standards. And also see some more creative approaches to what a browser can be, despite a hostile and exploitive environment. Or maybe Brave turns out to be a better vehicle for that, but I still want to believe in Mozilla.

replies(6): >>19826214 #>>19826496 #>>19826548 #>>19827134 #>>19828158 #>>19840411 #
1. robolange ◴[04 May 19 13:13 UTC] No.19826214[source]
I too use Debian's Firefox ESR. I noticed the "Allow Firefox to install and run studies" option in Privacy & Security Preferences a long time ago. It was unchecked and greyed out (i.e., unclickable), and a label below it says "Data reporting is disabled for this build configuration", so I gave it no further thought. This morning I woke up and launched Firefox, noticed this headline, and then noticed my extensions were still running. I looked in about:config and lo and behold, app.normandy.enabled=default [true]. I'll be filing a bug with debian to disable this in the build configuration.

Edit: There are some questions about whether Normandy is really enabled in Debian Firefox ESR even if the about:config setting defaults to true. I've filed a bug report, and I'm sure once a Debian maintainer has a chance to look at it we'll find out the answer.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928433

Edit2: It should go without saying, but please do not spam this bug report with "me too" and its ilk.

replies(6): >>19826340 #>>19826689 #>>19827160 #>>19830076 #>>19831023 #>>19831131 #
2. bilbo0s ◴[04 May 19 13:34 UTC] No.19826340[source]
I had mine disabled. So let's think about this for a second. If I disable a security hole that you can drive a semi-truck through, I remain foobar'd. If I run my "secure" firefox configuration, with the security hole enabled, then they un-foobar me first. Before anyone else. So I could effectively get rewarded, for always keeping a security hole open. But I didn't keep it open, so... yeah... they'll get around to me sometime.

?

>:-(

Grrr.

I'm just getting old and curmudgeonly maybe? I've decided though, I'm starting an animated security blog to show people the ludicrousness of all this kind of stuff in plain language. I'll be Statler, and I just need someone to be Waldorf. Because this stuff really is getting Statler and Waldorf level ridiculous.

replies(6): >>19826394 #>>19826427 #>>19826599 #>>19826656 #>>19826695 #>>19826715 #
3. fjsolwmv ◴[04 May 19 13:46 UTC] No.19826394[source]
Yes, that's right, if you install software that had a bug, then if you give someone permission to modify your software, you can get a bug fixes faster.
replies(1): >>19826412 #
4. neilv ◴[04 May 19 13:49 UTC] No.19826412{3}[source]
There are already channels for bug fixes, and some of the friction on those channels is intentional, such as for visibility and oversight/approval.
replies(1): >>19826693 #
5. TeMPOraL ◴[04 May 19 13:52 UTC] No.19826427[source]
> I'm just getting old and curmudgeonly maybe?

You're not. You just have standards.

We need people with standards in this industry, because that's the only source we have of market signals that prevent the market from going full user-hostile.

6. taneq ◴[04 May 19 14:18 UTC] No.19826599[source]
> So I could effectively get rewarded, for always keeping a security hole open.

That's the way it always works, isn't it? Security and convenience are opposing concerns.

replies(1): >>19827053 #
7. ◴[04 May 19 14:28 UTC] No.19826656[source]
8. teddyh ◴[04 May 19 14:34 UTC] No.19826689[source]
> noticed my extensions were still running.

Reportedly, Firefox only checks the date once per day, so if it hasn’t yet checked for you today, this will be the result.

> I looked in about:config and lo and behold, app.normandy.enabled=default [true].

I would assume that the config setting only has any effect if the feature is available in the build. Which it isn’t in Debian.

replies(1): >>19827749 #
9. bilbo0s ◴[04 May 19 14:36 UTC] No.19826693{4}[source]
Exactly.

Why even have an official channel, providing visibility and official oversight, if when it comes down to it, you're just gonna push remote code updates through the same side channel a potential hacker would use?

People are saying it's for convenience. OK, but then they have to understand that doing things in that fashion is a really bad look. And now your users are set up to believe that, at least some of the updates coming from the side channel are "trust"-able.

replies(1): >>19826730 #
10. pedrocr ◴[04 May 19 14:36 UTC] No.19826695[source]
>If I disable a security hole that you can drive a semi-truck through, I remain foobar'd. If I run my "secure" firefox configuration, with the security hole enabled, then they un-foobar me first. Before anyone else. So I could effectively get rewarded, for always keeping a security hole open. But I didn't keep it open, so... yeah... they'll get around to me sometime.

That's needless drama. They will be rolling out the fix in a point release. Whatever way you use to update your browser will install that and get the fix. So the worst case is just going back to the old days where you'd have the issue until your distro issued a new package or you manually updated the browser version on Windows or OSX. What exactly would you expect that's not exactly what's happening?

11. shawnz ◴[04 May 19 14:38 UTC] No.19826715[source]
Automatic updates aren't a security hole. They are a security enhancement
replies(1): >>19827090 #
12. pedrocr ◴[04 May 19 14:40 UTC] No.19826730{5}[source]
This is a piece of code downloaded from Mozilla servers to re-enable extensions, which are other pieces of code you download from Mozilla servers. If your threat model includes not trusting Mozilla servers then you've presumably disabled browser extensions (or sideloaded them) and this issue is irrelevant to you. If you do use extensions and get updated versions from Mozilla I don't see any way in which this increases your attack surface.
13. hedora ◴[04 May 19 15:31 UTC] No.19827053{3}[source]
Good security designs increase convenience (eg ssh, touch id, single sign on).

The three goals of computer security are integrity, confidentiality and availability.

All three of those expand the usefulness of the system to the end user.

replies(1): >>19829014 #
14. neiman ◴[04 May 19 15:35 UTC] No.19827090{3}[source]
Unless the entity that pushes the updates become malicious, then they're a security hole.
replies(2): >>19827140 #>>19827994 #
15. lvh ◴[04 May 19 15:44 UTC] No.19827140{4}[source]
How do you audit Firefox updates? Because if the answer is “I don’t”, Mozilla already controls the most important piece of userspace code on your computer. And if the answer is “I don’t install them”, then everyone with a few grand to spare already controls the most important piece of userspace code on your computer.
replies(2): >>19827228 #>>19828248 #
16. zingmars ◴[04 May 19 15:46 UTC] No.19827160[source]
On Windows I have the "Allow Firefox to install and run studies" option disabled and yet in about:config Normandy was still enabled. I haven't received the fix. Could be that Firefox simply hasn't checked for it, or it could be that there's more than that about:config setting that determine whether Normandy is run.

Weird.

17. robolange ◴[04 May 19 15:58 UTC] No.19827228{5}[source]
I rely on the Debian system to assist with that. Normandy bypasses that system, if it's enabled. (The jury is out whether it's actually enabled in Debian Firefox ESR.)
replies(1): >>19827424 #
18. lvh ◴[04 May 19 16:27 UTC] No.19827424{6}[source]
What do you think the median size of a Firefox release is, what do you think the resources (let’s call it US dollars FMV) are to audit that, and what do you think the resources Debian has to devote to it?

Clearly more eyes are good, but... In between “Wild West WebExtensions” and “Mozilla backdoors my Firefox and it gets used for nefarious purposes” and “delays in browser updates increase exploitation windows”, I know which threat models I’m buying.

replies(1): >>19831081 #
19. DoctorOetker ◴[04 May 19 17:09 UTC] No.19827749[source]
that would be good news, how can I verify that the Normandy feature isn't available in the Debian build?

Has Mozilla provided instructions to manually fix the issue? if so where? (XORcat was helpful to provide a solution, but I refuse to apply it if it doesn't come from Mozilla itself...)

replies(1): >>19829734 #
20. neop1x ◴[04 May 19 17:49 UTC] No.19827994{4}[source]
exactly. Like here https://news.ycombinator.com/item?id=10624087 or here https://news.ycombinator.com/item?id=19482191 for example...
21. neiman ◴[04 May 19 18:27 UTC] No.19828248{5}[source]
I audit software updates by looking at developers announcements and community discussions (in social media, forums etc) before installing updates.

Then, even if developers keys and computers are compromised, I would notice something is wrong.

* No, of course that I don't always do that. I even don't often do that. But I did do that in the past, and I'd like to have the option to do that.

22. afiori ◴[04 May 19 20:10 UTC] No.19829014{4}[source]
But the point here is not about integrity, confidentiality, or availability. It is about whether you trust Mozilla, and how much trustworthy they are.

A configuration where Mozilla cannot push remote updates is neither more secure nor less secure. Mozilla is often under fire for not allowing a privacy conscious, minimal trust use case.

23. teddyh ◴[04 May 19 22:15 UTC] No.19829734{3}[source]
> how can I verify that the Normandy feature isn't available in the Debian build?

In the Debian bug about this issue¹ it says “Firefox from the Debian package has data reporting disabled so using studies is not possible.

1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928415

24. bscphil ◴[04 May 19 23:34 UTC] No.19830076[source]
Thank you for reporting it. Debian's pro-user stance is one of the things I like about it... now tell me they've disabled Pocket too and I might just switch from Arch to Debian Sid.

FYI, I have learned from other user's comments and the Wiki page below that Studies and Normandy are different things. The former depends on the latter, but not vice versa. So it is possible that Debian disabled the studies program but did not disable the underlying Normandy tool. You might also want to look at whether firefox is affected in addition to firefox-esr.

https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout#...

25. ◴[05 May 19 03:47 UTC] No.19831023[source]
26. anfilt ◴[05 May 19 04:01 UTC] No.19831081{7}[source]
I agree an unpatched vuneribility is probably more risky. However this feature can change settings the user explicitly sets. The bigger issue is it does not give me any indication the settings have been changed.
27. robolange ◴[05 May 19 04:19 UTC] No.19831131[source]
Posting an update for posterity. It appears that even with app.normandy.enabled=default [true], as long as app.shield.optoutstudies.enabled=false, Normandy is disabled. app.shield.optoutstudies is the key controlled by the UI element "Allow Firefox to install and run studies".

I've closed the above bug report as it's not really a bug.