
1318 points by xvector | 5 comments

rmbryan No.19825581
Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.
neilv No.19825998
I've been through all of Firefox `about:config` a few times in the past, fixing preferences to, e.g., try to disable umpteen different services that leak info or create potential vulnerabilities gratuitously, but this is the first I recall hearing of Normandy.

Apparently I missed `app.normandy.enabled`, because I think I would've remembered a name with connotations of a bloody massive surprise attack.

Incidentally, `app.normandy.enabled` defaults to `true` in the `firefox-esr` Debian Stable package. Which seems wrong for an ESR.

For personal use (not development), I run 3 browsers (for features/configurations and an extra bit of compartmentalization): Tor Browser for most things, Firefox ESR with privacy tweaks for the small number of things that require login, and Chromium without many privacy tweaks for the rare occasion that a crucial site refuses to work with my TB or FF setup.

Today's crucial cert administration oops, plus learning of yet another very questionable remote capability/vector, plus the questionable preferences-changing being enabled even for ESR... is making me even less comfortable with the Web browser standards "big moat" barrier to entry situation.

I know Mozilla has some very forthright people, but I'd really like to see a conspicuous and pervasive focus on privacy & security throughout the organization, which, at this point, would shake up a lot of things. Then, with the high ground established unambiguously, I'd like to see some of the past surveillance & brochure tendencies in some standards actively reversed. And also some more creative approaches to what a browser can be, despite a hostile and exploitative environment. Or maybe Brave turns out to be a better vehicle for that, but I still want to believe in Mozilla.

1. taxatu No.19826548
Can we get a clarification:

Unchecking "Allow Firefox to install and run studies" in the UI does not change "app.normandy.enabled" to "false".

Then, does unchecking "Allow Firefox to install and run studies" really disable Normandy, or not?

2. vesinisa No.19826638
As explained on Normandy's wiki page, they are related but two different things:

> Preference rollout is meant for permanent changes that we are sure of. Shield is meant for testing variations and figuring out what, if anything, is the best thing to do.

https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout#...

3. pynabi No.19826763
That doesn't answer the question: does Normandy get disabled by the UI option or not?

One can guess based on the wiki page that the answer is "no", but that's just a guess.

4. robolange No.19826797
"Explained" is perhaps too generous a word. I'm a software engineer and I found that page to be confusing. It seems to be written for internal Mozilla employees, not for the general public.
5. stefan_ No.19826803
Except as we have learned "preference rollout" is also "installing extensions". So this is much the same as studies, but studies was disgraced, so now this is studies 2.0, no option to disable this time around.

And if you look at the big normandy JSON, hey, it's all the same Pocket and heartbeat shit we've seen from studies.
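The thread turns on two separate preferences: `app.normandy.enabled`, which the comments above name, and whatever the "Allow Firefox to install and run studies" checkbox actually writes. The following is an added example, not code from the thread or from Mozilla, that parses a Firefox `prefs.js`/`user.js` and reports both so a reader can check their own profile rather than guess. It assumes the studies checkbox is backed by `app.shield.optoutstudies.enabled` (a pref name the thread does not mention), and it treats an entry missing from `prefs.js` as the build default, which the thread reports as `true` for `app.normandy.enabled` in Debian's firefox-esr and which is assumed `true` for the studies pref as well. The sample input is constructed, not taken from a real profile.

```python
import json
import re
from typing import Dict, Union

PrefValue = Union[bool, int, str]

# One entry per line: user_pref("name", value);  (default pref files use pref(...)).
# The name may contain escaped quotes; the value is matched lazily and anchored
# at the closing ");" so string values containing ')' or ';' survive.
_PREF_LINE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$'
)

NORMANDY_PREF = "app.normandy.enabled"            # named in the thread
# Assumption: the pref behind "Allow Firefox to install and run studies".
STUDIES_PREF = "app.shield.optoutstudies.enabled"


def _parse_value(raw: str) -> PrefValue:
    """Decode a prefs.js value: JS boolean, integer, or double-quoted string."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        try:
            return json.loads(raw)      # handles \" \\ \n \uXXXX escapes
        except ValueError:
            return raw[1:-1]            # fall back to the raw body
    raise ValueError(f"unrecognised pref value: {raw!r}")


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {pref_name: value} for every pref line; comments/blank lines are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit_normandy(prefs: Dict[str, PrefValue]) -> Dict[str, bool]:
    """Report the two prefs separately; prefs.js only records values changed
    from the default, so a missing key is taken as the (assumed) default True."""
    normandy = bool(prefs.get(NORMANDY_PREF, True))
    studies = bool(prefs.get(STUDIES_PREF, True))
    return {
        "normandy_enabled": normandy,
        "studies_opt_in": studies,
        # The situation taxatu asks about: checkbox cleared, Normandy pref untouched.
        "studies_unchecked_but_normandy_still_on": (not studies) and normandy,
    }


# Constructed sample prefs.js (not from a real profile). The studies checkbox
# has been cleared, but app.normandy.enabled was never set in about:config.
SAMPLE_PREFS_JS = r'''
// Mozilla User Preferences
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.type", 1);
user_pref("test.escaped", "say \"hi\" (x); y");
'''

if __name__ == "__main__":
    result = audit_normandy(parse_prefs(SAMPLE_PREFS_JS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

To run it against a real profile, read `prefs.js` (or `user.js`) from the profile directory and pass its contents to `parse_prefs`; a profile that set `app.normandy.enabled` to `false` in `about:config` will have that line present and the last flag will be `False`.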