Viewing a single comment thread. View all comments

bea wrote (edited )

Doing this is much better: https://news.ycombinator.com/item?id=19827302

TL;DR: copy [this] link into a new tab ( because only clicking on it might be blocked as raddle trying to install the addon )
it installs the official hotfix that Mozilla made but is only pushing out through their terrible studies program.

To clarify why I'm posting this even though fixes are already being rolled out:
In case you're on a GNU/Linux system fixes for that won't be availible for a while:

Clarified that the Studies fix applies only to Desktop users of Firefox distributed by Mozilla. Firefox ESR, Firefox for Android, and some versions of Firefox included with Linux distributions will require separate updates. (May 4, 12:03 EST)

and a non-studies fix isn't made yet either:

We are working on a general fix that doesn’t use the Studies system and will keep this blog post updated accordingly.

so this might be your only fix for now
source for the quotes

3

celebratedrecluse wrote (edited )

the certificate expiring (a completely predictable problem, obviously) is only fixed through a "voluntary" program which undermines the verifiability of the browser's integrity.

Totally not suspicious at all!

edit: does this fix require enabling the studies program?

0

bea wrote (edited )

yeah because of this comment I unpacked the addon and examined the code myself. The only thing it's doing is adding a bundled base64 encoded cert and forcing a re-verification:

async doTheThing() {
  // first inject the new cert
  try {
    let intermediate = "[[BASE64 ENCODED CERT OMITTED]]";
    let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
    certDB.addCertFromBase64(intermediate, ",,");
    console.log("new intermediate certificate added");
  } catch (e) {
    console.error("failed to add new intermediate certificate:", e);
  }

  // Second, force a re-verify of signatures
  try {
    XPIDatabase.verifySignatures();
    console.log("signatures re-verified");
  } catch (e) {
    console.error("failed to re-verify signatures:", e);
  }
}

and the addon itself was signed by Mozilla and is distributed by them in their studies program which is avoided by installing it manually ( so I wouldn't doubt it's legitimacy )

however you'd know all this by reading the thread I linked, here's the relevant comment: https://news.ycombinator.com/item?id=19827415

2

celebratedrecluse wrote

You're right, I did not look at this carefully, and my confirmation bias led me to an erroneous conclusion. should be safe to install, i concur

3