All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)

1318 points xvector | 1 comments | 04 May 19 01:31 UTC | HN request time: 0.21s | source

Show context

rmbryan ◴[04 May 19 10:27 UTC] No.19825581[source]▶

>>19823701 (OP) #

Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.

replies(20): >>19825596 #>>19825603 #>>19825612 #>>19825623 #>>19825631 #>>19825665 #>>19825705 #>>19825721 #>>19825744 #>>19825813 #>>19825905 #>>19825998 #>>19826421 #>>19826769 #>>19826772 #>>19826878 #>>19827050 #>>19829585 #>>19831941 #>>19840386 #

inferiorhuman ◴[04 May 19 10:49 UTC] No.19825665[source]▶

>>19825581 #

pushed it out to users via Normandy (this should be most users)

Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users? What about a UI knob to disable it?

replies(6): >>19825685 #>>19825686 #>>19825716 #>>19825995 #>>19826440 #>>19826786 #

daleharvey ◴[04 May 19 10:56 UTC] No.19825686[source]▶

>>19825665 #

> Is the existence of a back door method of updating Firefox preferences something that will be disclosed to users?

It will even be documented for them: https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout

> What about a UI knob to disable it?

app.normandy.enabled

replies(5): >>19825728 #>>19825732 #>>19825745 #>>19825755 #>>19825842 #

lawl ◴[04 May 19 11:11 UTC] No.19825745[source]▶

>>19825686 #

The UI knob is

    Options -> Privacy & Security > Allow Firefox to install and run studies

They're using the studies system to push this hotfix faster for those that have it enabled.

Edit: Source:

See: https://discourse.mozilla.org/t/certificate-issue-causing-ad...

> In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.

Normandy seems to be the internal name for this system: https://github.com/mozilla/normandy

replies(5): >>19825762 #>>19825773 #>>19826186 #>>19826841 #>>19828213 #

inferiorhuman ◴[04 May 19 11:14 UTC] No.19825762[source]▶

>>19825745 #

No, it's not. This Normandy nonsense and stories are two separate, yet creepy features. I've already disabled stories but it looks like Mozilla still retains control of my preferences (without disclosing it).

replies(1): >>19825943 #

vesinisa ◴[04 May 19 12:11 UTC] No.19825943[source]▶

>>19825762 #

I sure wonder how people so suspicious of Mozilla dare use their browser.

replies(3): >>19826006 #>>19826206 #>>19826278 #

phyzome ◴[04 May 19 13:11 UTC] No.19826206[source]▶

>>19825943 #

Easy: There's a difference between static, shipped code and a capability to modify software at a distance (which could even by hijacked by an attacker who infiltrates Mozilla's infrastructure.)

replies(1): >>19826756 #

calcifer ◴[04 May 19 14:45 UTC] No.19826756[source]▶

>>19826206 #

If your threat model includes the hijacking of Mozilla's infrastructure, I assume you read and verify the entirety of the Firefox source with every new version before using it, right?

replies(1): >>19836545 #

1. phyzome ◴[06 May 19 03:08 UTC] No.19836545[source]▶

>>19826756 #

Obviously not?

But there are trustworthy people working with and integrating that code, there's a good chance they'll notice a hinky commit, and they're very close to having completely reproducible builds—which means that there can be verification that the shipped binary matches the inspected source.

https://gregoryszorc.com/blog/2018/06/20/deterministic-firef...

↑