←back to thread

All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)
1318 points xvector | 1 comments | 04 May 19 01:31 UTC | HN request time: 0.251s | source
Show context
Pxtl ◴[04 May 19 14:58 UTC] No.19826820[source]
I don't get why an expiring cert disables the extensions. Shouldn't the browser be checking the cert expiry date against the date the extension was installed, not against current time? As long as there's no way to manipulate the extension installation date that would be fine, wouldn't it?

edit: or even why the browser is checking this at run-time. As long as it checked the cert when the extension was installed, isn't that enough?

replies(1): >>19827133 #
1. Grollicus ◴[04 May 19 15:42 UTC] No.19827133[source]
If Mozilla somehow lost control of one of these signing certs (as in: it got stolen) they would put in on a revocation list. If certificates don't get re-checked, all installations between "cert got stolen" and "noticed that the cert got stolen" would keep installed & running.