Submitted by boom in Tech

What's going on?

A few hours ago a security certificate that Mozilla used to sign Firefox add-ons expired. What this means is that every add-on signed by that certificate, which seems to be nearly all of them, will now be automatically disabled by Firefox as a security measure.

In simpler terms, Firefox doesn't trust any add-ons right now.

Here's the official acknowledgement from Mozilla on their Discourse:

Certificate issue causing add-ons to be disabled or fail to install

At about 6:10 PST we received a report that a certificate issue for Firefox is causing add-ons to stop working and add-on installs to fail.

Our team is actively working on a fix. We will update as soon as we have more information.

Update:

11:12 p.m. PST: The team is currently testing a fix for this issue. In the meantime, signing of new extensions is disabled until the fix is in place.

What can I do about it?

There are two workarounds: 1: temporarily load your extensions through Firefox's debugging tools, or, in some editions of Firefox, 2: disable signature enforcement, which tells your browser to trust all extensions.

These editions are Firefox Developer Edition, Firefox Nightly, Extended Support Release, and the Unbranded builds. There are some reports that you can disable signature enforcement on Linux or OSX regardless of Firefox edition. You can migrate to one of these editions using Firefox Sync or by telling it to use your original profile.

If you aren't sure which edition of Firefox you're on, it's probably Release, but you can see for yourself by heading to ☰ > Help > About Firefox.

1: Temporarily loading extensions

Extensions installed via Firefox's debugging tools are installed "temporarily", meaning they will be automatically disabled again on browser restart.

All of your extensions currently reside in the "extensions" folder inside your profile folder. Go to ☰ > Help > Troubleshooting Information, then copy or make note of your "Profile folder" in the table.

Next go to about:debugging and click "Load Temporary Add-on…". Navigate the file dialog to your profile, then to the "extensions" folder inside. You should see a list of .xpi files - these are your add-ons. Load one, then repeat for all of them.

Note: This method can also be used to install add-ons from addons.mozilla.org. Simply navigate to the extension page (such as uBlock Origin) and right click on the "Add to Firefox" button, then select "Save Link As..." and load it as described above.

2: Disabling signature enforcement

In a supported build, enter about:config into the location bar and press Enter. Heed the warning and proceed to search for xpinstall.signatures.required and set it to false.

This tells the browser to stop checking whether installed extensions carry a valid Mozilla signature, so it can no longer tell that they are what they say they are. This is a light security risk, and you should set the preference back to true once the certificate issue is solved.

All your add-ons should automatically re-enable.

16

Comments


celebratedrecluse wrote (edited )

I highly encourage everyone who disables signature enforcement NOT to install any additional add-ons, and to disable automatic updates of the add ons, until TBB is patched. Same goes for other flavors of firefox, just keep the extensions you already have installed and wait to install any others until the underlying issue is resolved.

edit: to disable auto-updating of add-ons, please click the settings wheel on the Add-Ons menu, and uncheck "Update AddOns Automatically"

5

[deleted] wrote (edited )

2

celebratedrecluse wrote

Perhaps if you're on mobile, but if you are on mobile you should expect 0 anonymity

2

[deleted] wrote (edited )

6

celebratedrecluse wrote

Fair enough. ISPs and the first party websites will still see your IP address linked to the content you access unless you use some kind of proxy or tunneling service. I'm sure you know this, but this is just for the information of anyone reading our thread

2

[deleted] wrote (edited )

4

celebratedrecluse wrote

For sure. I will say though, I never got Orbot VPN mode to work properly on my device. I think it's still experimental last time I checked? idk, I don't use cell phones really

2

snake wrote

I don't think this affects everyone? My addons are all working fine on Tor.

4

ziq wrote (edited )

Mine wasn't affected when this was posted, but then I got a notice saying my add-ons were being disabled about an hour ago.

3

bea wrote (edited )

Doing this is much better: https://news.ycombinator.com/item?id=19827302

TL;DR: copy [this] link into a new tab ( because only clicking on it might be blocked as raddle trying to install the addon )
it installs the official hotfix that Mozilla made but is only pushing out through their terrible studies program.

To clarify why I'm posting this even though fixes are already being rolled out:
In case you're on a GNU/Linux system, fixes for that won't be available for a while:

Clarified that the Studies fix applies only to Desktop users of Firefox distributed by Mozilla. Firefox ESR, Firefox for Android, and some versions of Firefox included with Linux distributions will require separate updates. (May 4, 12:03 EST)

and a non-studies fix isn't made yet either:

We are working on a general fix that doesn’t use the Studies system and will keep this blog post updated accordingly.

so this might be your only fix for now
source for the quotes

3

celebratedrecluse wrote (edited )

the certificate expiring (a completely predictable problem, obviously) is only fixed through a "voluntary" program which undermines the verifiability of the browser's integrity.

Totally not suspicious at all!

edit: does this fix require enabling the studies program?

0

bea wrote (edited )

yeah because of this comment I unpacked the addon and examined the code myself. The only thing it's doing is adding a bundled base64 encoded cert and forcing a re-verification:

async doTheThing() {
  // first inject the new cert
  try {
    let intermediate = "[[BASE64 ENCODED CERT OMITTED]]";
    let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
    certDB.addCertFromBase64(intermediate, ",,");
    console.log("new intermediate certificate added");
  } catch (e) {
    console.error("failed to add new intermediate certificate:", e);
  }

  // Second, force a re-verify of signatures
  try {
    XPIDatabase.verifySignatures();
    console.log("signatures re-verified");
  } catch (e) {
    console.error("failed to re-verify signatures:", e);
  }
}

and the addon itself was signed by Mozilla and is distributed by them in their studies program which is avoided by installing it manually ( so I wouldn't doubt its legitimacy )

however you'd know all this by reading the thread I linked, here's the relevant comment: https://news.ycombinator.com/item?id=19827415

2
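The mechanism behind the outage described at the top of the thread, and behind the two steps of the hotfix bea unpacked above (add an intermediate certificate, then re-verify signatures), modelled as an added Go example. This is not the hotfix's code, not Mozilla's, and it uses no Mozilla certificate: it mints a constructed three-level chain (root, add-on signing intermediate, per-add-on leaf) with made-up names and dates, shows that chain validation fails once the intermediate's NotAfter passes even though the add-on's own certificate is still in date, and then shows that adding a reissued intermediate restores validation without re-signing anything. The reissue is assumed to certify the same key pair as the expired certificate; that is the only way a newly added certificate can make pre-existing leaf signatures verify again, since those signatures were made with the key the old intermediate vouched for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed timeline, not Mozilla's real certificate dates: the signing
// intermediate lives for two years; we verify shortly before and after it lapses.
var (
	IntermediateNotBefore = time.Date(2017, 5, 4, 0, 0, 0, 0, time.UTC)
	IntermediateNotAfter  = time.Date(2019, 5, 4, 0, 0, 0, 0, time.UTC)
	BeforeExpiry          = time.Date(2019, 5, 3, 12, 0, 0, 0, time.UTC)
	AfterExpiry           = time.Date(2019, 5, 4, 12, 0, 0, 0, time.UTC)
)

// Scenario is a toy chain: root -> add-on signing intermediate -> per-add-on leaf.
type Scenario struct {
	Root            *x509.Certificate
	OldIntermediate *x509.Certificate // the one that expires
	NewIntermediate *x509.Certificate // reissued: same name, same key, later NotAfter
	Leaf            *x509.Certificate // stands in for the cert that signed an .xpi
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template with signer's key; a nil parent means self-signed.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(serial int64, cn string, from, until time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: until, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
}

// BuildScenario mints the chain. The reissued intermediate reuses the original
// intermediate key pair, which is what lets already-signed leaves validate again
// without re-signing a single add-on.
func BuildScenario() *Scenario {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	y2015 := time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC)

	root := issue(caTemplate(1, "Toy Add-on Root CA", y2015, y2015.AddDate(20, 0, 0)), nil, &rootKey.PublicKey, rootKey)
	oldInter := issue(caTemplate(2, "Toy Add-on Signing Intermediate", IntermediateNotBefore, IntermediateNotAfter),
		root, &interKey.PublicKey, rootKey)
	// Same subject and public key as oldInter; only the serial and validity differ.
	newInter := issue(caTemplate(3, "Toy Add-on Signing Intermediate", IntermediateNotBefore, IntermediateNotAfter.AddDate(2, 0, 0)),
		root, &interKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: "example-addon@constructed.invalid"}, // made-up add-on id
		NotBefore:    y2015.AddDate(3, 0, 0),                                       // the add-on's own cert is still valid in 2019;
		NotAfter:     y2015.AddDate(13, 0, 0),                                      // only the intermediate above it has aged out
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, oldInter, &leafKey.PublicKey, interKey)

	return &Scenario{Root: root, OldIntermediate: oldInter, NewIntermediate: newInter, Leaf: leaf}
}

// Verify chains the leaf to the root at time `at` using only the intermediates the
// browser's cert database holds; withReissued models the hotfix having added the new one.
func (s *Scenario) Verify(withReissued bool, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	inters.AddCert(s.OldIntermediate)
	if withReissued {
		inters.AddCert(s.NewIntermediate)
	}
	_, err := s.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// SameKey reports whether the reissued intermediate kept the original key pair.
func (s *Scenario) SameKey() bool {
	oldPub, ok := s.OldIntermediate.PublicKey.(*ecdsa.PublicKey)
	return ok && oldPub.Equal(s.NewIntermediate.PublicKey)
}

func main() {
	s := BuildScenario()
	fmt.Println("before expiry, old intermediate only:", s.Verify(false, BeforeExpiry))
	fmt.Println("after expiry,  old intermediate only:", s.Verify(false, AfterExpiry))
	fmt.Println("after expiry,  reissued one added:   ", s.Verify(true, AfterExpiry))
	fmt.Println("reissued intermediate keeps the key: ", s.SameKey())
}
```

Run it with go run: the first call returns nil, the second a non-nil x509 error caused by the expired intermediate, the third nil again, and SameKey reports true. The point for anyone reviewing a trust-store change like this hotfix is the third call together with SameKey: a newly trusted certificate that flips a failing chain to passing should be explainable by exactly which certificate was added and whose key it carries, which is the check bea's unpacking of the add-on effectively performed by hand.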

celebratedrecluse wrote

You're right, I did not look at this carefully, and my confirmation bias led me to an erroneous conclusion. should be safe to install, i concur

3

celebratedrecluse wrote

Alternatively, since https everywhere still works, the only major problem is that javascript is enabled. Noscript usually handles this, but is broken due to the problems described above.

To block javascript globally, type "about:config" into the URL bar, and set "javascript.enabled" to FALSE. There, you've done it.

If you want to re-enable javascript, close out of any windows where you don't want javascript enabled, and then set that variable to TRUE. A bit clunky, but it works.

This won't enable other functionalities of Noscript, so there might be security concerns w/r/t Tor Browser's threat modeling relying on those functionalities of noscript. But I'm not directly aware of ways in which TBB relies on noscript, besides blocking the running of javascript. Perhaps someone else can enlighten me.

1

rot wrote

so that's why that happened

1